SAML Improvements

[wezell]

This is a list to capture a number of improvements that can be made to our dotSAML implementation

• 22156 redirect is not working for front end login. Maybe we need to add a redirect after login field to our saml secrets and use that if a redirect is not provided?

We figured this out - the issue was that we needed to hit the SAMLWebInterceptor in order to login. What needs to happen is to add include.path.values=* where * is a regex for the path where you want to force/redirect your saml logins and you add that access.filter.values=/api to exclude /api calls from redirecting to SAML. You can see a working example on our intranet

• 21430 roles causing an NPE

• Make sure that the "Service Provider Endpoint Hostname/Port" field is normalized - this can be done under the covers
  • The field should only expect hostname:port here, where port is optional.
  • The value should not have http:// or https:// in it as we will automatically prepend https
  • we should automatically add the whole dotSAML path to whatever is provided here /api/v1/dotsaml/login
• Fix the MessageBodyProviderNotFoundException: MessageBodyReader not found for media type=application/text errors that eat/obfuscate any original SAML error. My guess is we can add the jersey-media-json-jackson to the dotSAML plugin or make sure it is exported?
• Try to map common fields without configuration. We should have a list of aliases for each field that we expect back from the idp and try to use those before giving up

• 22124 this does not work if the user has logged in using SAML

• We need to try to log the user in on the /api/v1/dotsaml/login/* endpoint. That way, when they redirect, they will already be logged in.

[swicken-dotcms]

• Report the errors to the browser when attempting login and receiving a 500, rather than just putting a generic '500' error screen
• Add all of our config properties to a dropdown in the UI, rather than having users type them out
• Add the ability to generate a server cert to the UI, so the users don't have to generate one separately and cut/paste
• Make the Metadata URL not require authentication so users can point their IDP to it and consume changes automatically
• Default the individual site forms to have 'Enabled' unchecked. Currently it shows as checked before configuring the site, which can lead to confusion
• Provide a proper error message when logging in to the backend with a frontend account, currently does an infinite loop.

[jdotcms]

Add the ability to include relay state

[bryanboza]

Fixed, this was tested in some prod environments and this is working as expected

[swicken-dotcms]

Re-opening as the only thing 'fixed' on this was relay state.

When picking issues off of this, individual issues should be created