Add option to enforce auth with IdP on session expiration
If the session in Gerrit expires, it will cause Gerrit to log in with
the SAML IdP again. However, not every IdP will require the user to
authenticate again, e.g. if the auth session in the IdP is longer than
in Gerrit. This might especially be the case if the IdP is used for
multiple applications, where some require less strict authentication.
This change adds an option to enforce authentication on login, i.e. if
the session in Gerrit has expired, users will have to authenticate
again.
Change-Id: Ib558e2b3a896b0e096b7b3ca9593e0d2b5d7b88f
diff --git a/README.md b/README.md
index f7df7d7..73927aa 100644
--- a/README.md
+++ b/README.md
@@ -145,6 +145,11 @@
Default is `86400`
+**saml.forceAuth**: (Optional) Whether to force authentication with the IdP, when
+the session in Gerrit expires.
+
+Default is `false`
+
**saml.displayNameAttr**: Gerrit will look for an attribute with this name in
the assertion to find a display name for the user. If the attribute is not
found, the NameId from the SAML assertion is used instead.
diff --git a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlClientProvider.java b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlClientProvider.java
index 9d5d047..4bb32a2 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlClientProvider.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlClientProvider.java
@@ -67,6 +67,8 @@
}
}
+ samlClientConfig.setForceAuth(samlConfig.getForceAuthAttr());
+
samlClientConfig.setUseNameQualifier(samlConfig.useNameQualifier());
samlClientConfig.setMaximumAuthenticationLifetime(samlConfig.getMaxAuthLifetimeAttr());
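Review bot: The new setForceAuth call at the top of this hunk carries no comment, and nothing in the provider tells a reader that the enforcement happens at the IdP rather than in Gerrit; I would add above it `// Ask the IdP to re-authenticate the user instead of reusing its own session (presumably ForceAuthn on the AuthnRequest); effective only if the IdP honors the request.`. The blank line inserted after the call separates it from the setters it belongs with, so I would drop it and keep the configuration calls contiguous. The enclosing method starts before the hunk.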
diff --git a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlConfig.java b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlConfig.java
index 96c591c..ca6c45e 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlConfig.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlConfig.java
@@ -38,6 +38,7 @@
private final String firstNameAttr;
private final String lastNameAttr;
private final int maxAuthLifetimeDefault = 24 * 60 * 60; // 24h;
+ private final boolean forceAuth;
private final boolean useNameQualifier;
private final String memberOfAttr;
@@ -54,6 +55,7 @@
userNameAttr = getStringWithDefault(cfg, "userNameAttr", "UserName");
emailAddressAttr = getStringWithDefault(cfg, "emailAddressAttr", "EmailAddress");
maxAuthLifetimeAttr = cfg.getInt("saml", "maxAuthLifetime", maxAuthLifetimeDefault);
+ forceAuth = cfg.getBoolean(SAML_SECTION, "forceAuth", false);
computedDisplayName = cfg.getBoolean(SAML_SECTION, "computedDisplayName", false);
firstNameAttr = getStringWithDefault(cfg, "firstNameAttr", "FirstName");
lastNameAttr = getStringWithDefault(cfg, "lastNameAttr", "LastName");
@@ -93,6 +95,10 @@
return maxAuthLifetimeAttr;
}
+ public boolean getForceAuthAttr() {
+ return forceAuth;
+ }
+
private static String getString(Config cfg, String name) {
return cfg.getString(SAML_SECTION, null, name);
}
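Review bot: The accessor `getForceAuthAttr()` added in this hunk uses the `...Attr` suffix that the class otherwise applies to SAML attribute names (`firstNameAttr`, `lastNameAttr`), but it returns a boolean option, which the class already exposes in the `useNameQualifier()` style; a name such as `isForceAuth()` would read correctly at the call site in SamlClientProvider, which would need the same rename. A one-line Javadoc would also help, e.g. `/** Whether to require fresh IdP authentication once the Gerrit session has expired (saml.forceAuth, default false). */`.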