/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
import { schema } from '@kbn/config-schema';
import { SAMLLoginStep } from '../../authentication';
import { createCustomResourceResponse } from '.';
import { RouteDefinitionParams } from '..';
/**
 * Defines routes required for SAML authentication.
 *
 * All four routes are registered with `authRequired: false`: they are hit
 * before the user has a session, so they are reachable by anyone who can reach
 * Kibana. Their job is limited to driving `authc.login` for the `saml` provider:
 *
 *  - `GET /api/security/saml/capture-url-fragment` serves a minimal HTML page
 *    that only loads the script below (the browser never sends the URL
 *    fragment to the server, so it has to be captured client-side).
 *  - `GET /api/security/saml/capture-url-fragment.js` serves the script that
 *    forwards `window.location.hash` to `/start` as `redirectURLFragment`.
 *  - `GET /api/security/saml/start` runs the `RedirectURLFragmentCaptured`
 *    login step, expected to end in a redirect to the Identity Provider.
 *  - `POST /api/security/saml/callback` runs the `SAMLResponseReceived` step
 *    with the `SAMLResponse` the Identity Provider posted back.
 *
 * Note that `redirectURLFragment` is client-controlled input; this module only
 * validates that it is a string and passes it through to the provider.
 *
 * @param params route definition dependencies: `router` to register on,
 *   `logger` for unexpected failures, `authc` to drive the login, `csp` for the
 *   CSP header on served resources and `basePath` for building absolute URLs.
 */
export function defineSAMLRoutes({ router, logger, authc, csp, basePath }: RouteDefinitionParams) {
  router.get(
    { path: '/api/security/saml/capture-url-fragment', validate: false, options: { authRequired: false } },
    (_context, _request, res) => {
      // The `data:,` favicon stops the browser from requesting `favicon.ico`,
      // which could otherwise trigger a new SAML handshake.
      const page = `
        <!DOCTYPE html>
        <title>Kibana SAML Login</title>
        <link rel="icon" href="data:,">
        <script src="${basePath.serverBasePath}/api/security/saml/capture-url-fragment.js"></script>
      `;
      return res.custom(createCustomResourceResponse(page, 'text/html', csp.header));
    }
  );

  router.get(
    { path: '/api/security/saml/capture-url-fragment.js', validate: false, options: { authRequired: false } },
    (_context, _request, res) => {
      // Client-side hop: hand the fragment to `/start` as a query parameter.
      const script = `
        window.location.replace(
          '${basePath.serverBasePath}/api/security/saml/start?redirectURLFragment=' + encodeURIComponent(window.location.hash)
        );
      `;
      return res.custom(createCustomResourceResponse(script, 'text/javascript', csp.header));
    }
  );

  router.get(
    {
      path: '/api/security/saml/start',
      validate: { query: schema.object({ redirectURLFragment: schema.string() }) },
      options: { authRequired: false },
    },
    async (_context, req, res) => {
      try {
        const result = await authc.login(req, {
          provider: 'saml',
          value: {
            step: SAMLLoginStep.RedirectURLFragmentCaptured,
            redirectURLFragment: req.query.redirectURLFragment,
          },
        });
        // At this step a successful login is a redirect to the Identity
        // Provider; anything else is reported as unauthorized (no body).
        if (!result.redirected()) {
          return res.unauthorized();
        }
        // NOTE(review): `redirectURL` is assumed to be set whenever
        // `redirected()` is true — confirm against AuthenticationResult.
        return res.redirected({ headers: { location: result.redirectURL! } });
      } catch (err) {
        logger.error(err);
        return res.internalError();
      }
    }
  );

  router.post(
    {
      path: '/api/security/saml/callback',
      validate: {
        body: schema.object({
          SAMLResponse: schema.string(),
          // Accepted so the schema does not reject posts that carry it; this
          // handler never reads it. NOTE(review): presumably the provider
          // takes RelayState from `request` itself — confirm.
          RelayState: schema.maybe(schema.string()),
        }),
      },
      options: { authRequired: false },
    },
    async (_context, req, res) => {
      try {
        const result = await authc.login(req, {
          provider: 'saml',
          value: {
            step: SAMLLoginStep.SAMLResponseReceived,
            samlResponse: req.body.SAMLResponse,
          },
        });
        // The Identity Provider has answered; a successful login is again a
        // redirect, this time to whatever `redirectURL` the provider chose.
        if (!result.redirected()) {
          // Unlike `/start`, the provider's error is surfaced in the body here.
          return res.unauthorized({ body: result.error });
        }
        return res.redirected({ headers: { location: result.redirectURL! } });
      } catch (err) {
        logger.error(err);
        return res.internalError();
      }
    }
  );
}