Add an option to enable IDP initiated SSO for a SP (#208)

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm

@@ -227,10 +227,14 @@ sub cstruct {
                         },
                         samlSPMetaDataOptionsSecurity => {
 
-                            _nodes => [qw(samlSPMetaDataOptionsEncryptionMode)],
+                            _nodes => [
+                                qw(samlSPMetaDataOptionsEncryptionMode samlSPMetaDataOptionsEnableIDPInitiatedURL)
+                            ],
 
                             samlSPMetaDataOptionsEncryptionMode =>
 "text:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEncryptionMode:samlSPOptions:encryptionModeParams",
+                            samlSPMetaDataOptionsEnableIDPInitiatedURL =>
+"bool:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEnableIDPInitiatedURL",
                         },
                     },
                 }
@@ -2124,6 +2128,7 @@ sub defaultConf {
         samlSPMetaDataOptionsSignSLOMessage            => '1',
         samlSPMetaDataOptionsCheckSLOMessageSignature  => '1',
         samlSPMetaDataOptionsEncryptionMode            => 'none',
+        samlSPMetaDataOptionsEnableIDPInitiatedURL     => '0',
         samlSPSSODescriptorAuthnRequestsSigned         => '1',
         samlSPSSODescriptorWantAssertionsSigned        => '1',
         samlSPSSODescriptorSingleLogoutServiceHTTPRedirect =>

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm

@@ -452,13 +452,15 @@ sub en {
         samlSPMetaDataOptionsAuthnResponse  => 'Authentication response',
         samlSPMetaDataOptionsSignature      => 'Signature',
         samlSPMetaDataOptionsSecurity       => 'Security',
-        samlServiceMetaData                 => 'SAML 2 Service',
+        samlSPMetaDataOptionsEnableIDPInitiatedURL =>
-        samlEntityID                        => 'Entity Identifier',
+          'Enable use of IDP initiated URL',
-        samlOrganization                    => 'Organization',
+        samlServiceMetaData         => 'SAML 2 Service',
-        samlOrganizationDisplayName         => 'Display Name',
+        samlEntityID                => 'Entity Identifier',
-        samlOrganizationName                => 'Name',
+        samlOrganization            => 'Organization',
-        samlOrganizationURL                 => 'URL',
+        samlOrganizationDisplayName => 'Display Name',
-        samlSPSSODescriptor                 => 'Service Provider',
+        samlOrganizationName        => 'Name',
+        samlOrganizationURL         => 'URL',
+        samlSPSSODescriptor         => 'Service Provider',
         samlSPSSODescriptorAuthnRequestsSigned =>
           'Signed Authentication Request',
         samlSPSSODescriptorWantAssertionsSigned => 'Want Assertions Signed',
@@ -937,13 +939,15 @@ sub fr {
         samlSPMetaDataOptionsAuthnResponse  => 'Réponse d\'authentification',
         samlSPMetaDataOptionsSignature      => 'Signature',
         samlSPMetaDataOptionsSecurity       => 'Sécurité',
-        samlServiceMetaData                 => 'Service SAML 2',
+        samlSPMetaDataOptionsEnableIDPInitiatedURL =>
-        samlEntityID                        => 'Identifiant d\'entité',
+          'Enable use of IDP initiated URL',
-        samlOrganization                    => 'Organisation',
+        samlServiceMetaData         => 'Service SAML 2',
-        samlOrganizationDisplayName         => 'Nom affiché',
+        samlEntityID                => 'Identifiant d\'entité',
-        samlOrganizationName                => 'Nom',
+        samlOrganization            => 'Organisation',
-        samlOrganizationURL                 => 'URL',
+        samlOrganizationDisplayName => 'Nom affiché',
-        samlSPSSODescriptor                 => 'Fournisseur de service',
+        samlOrganizationName        => 'Nom',
+        samlOrganizationURL         => 'URL',
+        samlSPSSODescriptor         => 'Fournisseur de service',
         samlSPSSODescriptorAuthnRequestsSigned =>
           'Requêtes d\'authentification signées',
         samlSPSSODescriptorWantAssertionsSigned =>

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm

@@ -1225,6 +1225,15 @@ sub issuerForAuthUser {
             # Create fake request if IDP initiated mode
             if ($idp_initiated) {
 
+                # Need sp or spConfKey parameter
+                unless ( $idp_initiated_sp or $idp_initiated_spConfKey ) {
+                    $self->lmLog(
+"sp or spConfKey parameter needed to make IDP initiated SSO",
+                        'error'
+                    );
+                    return PE_SAML_SSO_ERROR;
+                }
+
                 unless ($idp_initiated_sp) {
 
                     # Get SP from spConfKey
@@ -1237,6 +1246,28 @@ sub issuerForAuthUser {
                         }
                     }
                 }
+                else {
+                    unless ( defined $self->{_spList}->{$idp_initiated_sp} ) {
+                        $self->lmLog( "SP $idp_initiated_sp not known",
+                            'error' );
+                        return PE_SAML_UNKNOWN_ENTITY;
+                    }
+                    $idp_initiated_spConfKey =
+                      $self->{_spList}->{$idp_initiated_sp}->{confKey};
+                }
+
+                # Check if IDP Initiated SSO is allowed
+                unless (
+                    $self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey}
+                    ->{samlSPMetaDataOptionsEnableIDPInitiatedURL} )
+                {
+                    $self->lmLog(
+"IDP Initiated SSO not allowed for SP $idp_initiated_spConfKey",
+                        'error'
+                    );
+                    return PE_SAML_SSO_ERROR;
+                }
+
                 $result =
                   $self->initIdpInitiatedAuthnRequest( $login,
                     $idp_initiated_sp );