From d1af443929147c5fa7f44297e869bf1849486c12 Mon Sep 17 00:00:00 2001
From: jackHay22
Date: Thu, 14 Sep 2023 12:31:00 -0400
Subject: [PATCH 1/4] fix new saml provider form, add fields for specifying assertion keys
---
 options/locale/locale_en-US.ini | 13 ++++++-----
 routers/web/admin/auths.go | 3 +++
 services/auth/source/saml/source.go | 9 +++++++-
 services/auth/source/saml/source_callout.go | 16 +++++--------
 services/forms/auth_form.go | 3 +++
 templates/admin/auth/edit.tmpl | 25 ++++++++++++++++-----
 templates/admin/auth/source/saml.tmpl | 19 ++++++++++++++--
 web_src/js/features/admin/common.js | 4 ++++
 8 files changed, 69 insertions(+), 23 deletions(-)
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index bb808571a512..6721e21c5126 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2967,12 +2967,15 @@ auths.sspi_separator_replacement_helper = The character to use to replace the se
 auths.sspi_default_language = Default user language
 auths.sspi_default_language_helper = Default language for users automatically created by SSPI auth method. Leave empty if you prefer language to be automatically detected.
 auths.saml_nameidformat = SAML NameID Format
-auths.saml_IdentityProviderMetadataURL = Identity Provider Metadata URL
-auths.saml_IdentityProviderMetadata = Identity Provider Metadata XML
+auths.saml_identity_provider_metadata_url = Identity Provider Metadata URL
+auths.saml_identity_provider_metadata = Identity Provider Metadata XML
 auths.saml_insecure_skip_assertion_signature_validation = [Insecure] Skip Assertion Signature Validation
-auths.saml_ServiceProviderCertificate = Service Provider Certificate
-auths.saml_ServiceProviderPrivateKey = Service Provider Private Key
-auths.saml_SignRequests = Sign SAML Requests
+auths.saml_service_provider_certificate = Service Provider Certificate
+auths.saml_service_provider_private_key = Service Provider Private Key
+auths.saml_sign_requests = Sign SAML Requests
+auths.saml_identity_provider_email_assertion_key = Email Assertion Key
+auths.saml_identity_provider_name_assertion_key = Name Assertion Key
+auths.saml_identity_provider_username_assertion_key = Username Assertion Key
 auths.tips = Tips
 auths.tips.oauth2.general = OAuth2 Authentication
 auths.tips.oauth2.general.tip = When registering a new OAuth2 authentication, the callback/redirect URL should be:
diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index de4775dc6836..b2cf7f2ed24f 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -287,6 +287,9 @@ func parseSAMLConfig(ctx *context.Context, form forms.AuthenticationForm) (*saml
 ServiceProviderCertificate: form.ServiceProviderCertificate,
 ServiceProviderPrivateKey: form.ServiceProviderPrivateKey,
 SignRequests: form.SignRequests,
+ EmailAssertionKey: form.EmailAssertionKey,
+ NameAssertionKey: form.NameAssertionKey,
+ UsernameAssertionKey: form.UsernameAssertionKey,
 }, nil
 }
diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go
index 629ef47a45d5..1e38e924e1f3 100644
--- a/services/auth/source/saml/source.go
+++ b/services/auth/source/saml/source.go
@@ -14,7 +14,7 @@ import (
 // / _____/ / _ \ / \ | |
 // \_____ \ / /_\ \ / \ / \| |
 // / \/ | \/ Y \ |___
-///_______ /\____|__ /\____|__ /_______ \
+// /_______ /\____|__ /\____|__ /_______ \
 // \/ \/ \/ \/
 // Source holds configuration for the SAML login source.
@@ -38,6 +38,13 @@ type Source struct {
 CallbackURL string
+ // EmailAssertionKey description: Assertion key for user.Email
+ EmailAssertionKey string
+ // NameAssertionKey description: Assertion key for user.NickName
+ NameAssertionKey string
+ // UsernameAssertionKey description: Assertion key for user.Name
+ UsernameAssertionKey string
+
 // reference to the authSource
 authSource *auth.Source
diff --git a/services/auth/source/saml/source_callout.go b/services/auth/source/saml/source_callout.go
index 63cc0c432fbe..171c355d7341 100644
--- a/services/auth/source/saml/source_callout.go
+++ b/services/auth/source/saml/source_callout.go
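Review bot: parseSAMLConfig copies EmailAssertionKey, NameAssertionKey and UsernameAssertionKey from the form with no server-side check that they are set; the only `required` enforcement visible in this patch is the client-side attribute added in the common.js hunk, which a direct POST does not go through. If AuthenticationForm.Validate (outside this hunk) does not already cover the three fields, a guard before the struct literal such as `if form.UsernameAssertionKey == "" { return nil, errors.New("username assertion key is required") }` would stop an unconfigured key from reaching the login callback, where it would be looked up as the empty string. parseSAMLConfig starts outside the hunk and its return type is truncated in the header, so the error form should be adapted to what the function already returns.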
@@ -60,22 +60,18 @@ func (source *Source) Callback(request *http.Request, response http.ResponseWrit
 return user, fmt.Errorf("no nameID found in SAML response")
 }
- // TODO: rather than hardcoding assertion keys, we should allow setting them in the UI
- // email
- if _, ok := samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddres"]; !ok {
- user.Email = samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddres"]
+ if _, ok := samlMap[source.EmailAssertionKey]; !ok {
+ user.Email = samlMap[source.EmailAssertionKey]
 }
 // name
- if _, ok := samlMap["http://schemas.xmlsoap.org/claims/CommonName"]; !ok {
- user.NickName = samlMap["http://schemas.xmlsoap.org/claims/CommonName"]
+ if _, ok := samlMap[source.NameAssertionKey]; !ok {
+ user.NickName = samlMap[source.NameAssertionKey]
 }
 // username
- if _, ok := samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]; !ok {
- user.Name = samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
+ if _, ok := samlMap[source.UsernameAssertionKey]; !ok {
+ user.Name = samlMap[source.UsernameAssertionKey]
 }
- // TODO: utilize groups later on
-
 return user, nil
 }
diff --git a/services/forms/auth_form.go b/services/forms/auth_form.go
index deb10e961816..1d00e93a9976 100644
--- a/services/forms/auth_form.go
+++ b/services/forms/auth_form.go
@@ -92,6 +92,9 @@ type AuthenticationForm struct {
 ServiceProviderCertificate string
 ServiceProviderPrivateKey string
 SignRequests bool
+ EmailAssertionKey string
+ NameAssertionKey string
+ UsernameAssertionKey string
 }
 // Validate validates fields
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index 05c2ffc0afa9..be4c98d19624 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -385,11 +385,11 @@
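Review bot: The three `if _, ok := samlMap[source.…AssertionKey]; !ok` checks in the new lines are inverted: the assignment only runs when the configured key is absent from the assertion, so the field receives the map's zero value and an attribute that is actually present is never copied into user.Email, user.NickName or user.Name. Each should read like `if v, ok := samlMap[source.EmailAssertionKey]; ok { user.Email = v }`, with the same change for NameAssertionKey/user.NickName and UsernameAssertionKey/user.Name. A key left empty in the admin form makes the lookup `samlMap[""]`, so a `source.UsernameAssertionKey != ""` guard (or rejecting empty keys when the source is saved) would surface a misconfiguration instead of silently yielding an empty user.Name. Callback's body continues outside the hunk, so whether an empty Name is rejected downstream cannot be confirmed here.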
- +
- +
@@ -401,20 +401,35 @@
- +
- +
- +
+ +
+ + +
+ +
+ + +
+ +
+ + +
{{end}}
diff --git a/templates/admin/auth/source/saml.tmpl b/templates/admin/auth/source/saml.tmpl
index 09f0c5b3fbce..f99f41b6efda 100644
--- a/templates/admin/auth/source/saml.tmpl
+++ b/templates/admin/auth/source/saml.tmpl
@@ -1,4 +1,4 @@
-
+
@@ -41,9 +41,24 @@
- +
+
+ + +
+ +
+ + +
+ +
+ + +
+
diff --git a/web_src/js/features/admin/common.js b/web_src/js/features/admin/common.js index c1ebc1480b7b..a0638e09f899 100644 --- a/web_src/js/features/admin/common.js +++ b/web_src/js/features/admin/common.js @@ -137,6 +137,10 @@ export function initAdminCommon() { showElem($('.sspi')); $('.sspi div.required input').attr('required', 'required'); break; + case '8': // SAML + showElem($('.saml')); + $('.saml div.required input').attr('required', 'required'); + break; } if (authType === '2' || authType === '5') { onSecurityProtocolChange(); From 36219f8c605f57d3fae21ee209e40c8352636559 Mon Sep 17 00:00:00 2001 From: jackHay22 Date: Thu, 14 Sep 2023 12:34:18 -0400 Subject: [PATCH 2/4] fix whitespace change --- services/auth/source/saml/source.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/auth/source/saml/source.go b/services/auth/source/saml/source.go index 1e38e924e1f3..871fca8cbd97 100644 --- a/services/auth/source/saml/source.go +++ b/services/auth/source/saml/source.go @@ -14,7 +14,7 @@ import ( // / _____/ / _ \ / \ | | // \_____ \ / /_\ \ / \ / \| | // / \/ | \/ Y \ |___ -// /_______ /\____|__ /\____|__ /_______ \ +///_______ /\____|__ /\____|__ /_______ \ // \/ \/ \/ \/ // Source holds configuration for the SAML login source. From 5c7d549d29a8c73a4c682e778d80f3f0798ead6a Mon Sep 17 00:00:00 2001 From: jackHay22 Date: Thu, 14 Sep 2023 12:34:58 -0400 Subject: [PATCH 3/4] revert comment change --- services/auth/source/saml/source_callout.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/auth/source/saml/source_callout.go b/services/auth/source/saml/source_callout.go index 171c355d7341..301cadd16e12 100644 --- a/services/auth/source/saml/source_callout.go +++ b/services/auth/source/saml/source_callout.go @@ -73,5 +73,7 @@ func (source *Source) Callback(request *http.Request, response http.ResponseWrit user.Name = samlMap[source.UsernameAssertionKey] } + // TODO: utilize groups later on + return user, nil } 
From f5466c97ea9443bb0cf860dd90116b0814919658 Mon Sep 17 00:00:00 2001
From: jackHay22
Date: Thu, 14 Sep 2023 14:06:56 -0400
Subject: [PATCH 4/4] remove extra character
---
 templates/admin/auth/new.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/admin/auth/new.tmpl b/templates/admin/auth/new.tmpl
index 9e8fec8e911f..3b2516f06059 100644
--- a/templates/admin/auth/new.tmpl
+++ b/templates/admin/auth/new.tmpl
@@ -54,7 +54,7 @@ {{template "admin/auth/source/sspi" .}} -+ {{template "admin/auth/source/saml" .}} + {{template "admin/auth/source/saml" .}}