Merge branch 'stable-2.16' into master * stable-2.16: Respect auth.userNameToLowerCase configuration Change-Id: I454683f72f52fbc2235ff2c1f79dca457047332a

diff --git a/README.md b/README.md
index bb9c949..0425eaf 100644
--- a/README.md
+++ b/README.md

@@ -179,7 +179,14 @@
 
 Default is `UserName`
 
-**saml.serviceProviderEntityId**: Saml service provider entity id
+**saml.serviceProviderEntityId**: SAML service provider entity id.
+
+Default is not set.
+
+**saml.identityProviderEntityId**: SAML identity provider entity id.  When present
+a `IDPSSODescriptor` is expected in the SAML metadata document.  When absent a
+saml service provider with its `SPSSODescriptor` is assumed.
+This value takes precedence over the value in **saml.serviceProviderEntityId**.
 
 Default is not set.
 

diff --git a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlConfig.java b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlConfig.java
index d5aae19..98f09ea 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlConfig.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlConfig.java

@@ -23,7 +23,7 @@
 @Singleton
 public class SamlConfig {
   private static final String SAML_SECTION = "saml";
-
+  private final String identityProviderEntityId;
   private final String serviceProviderEntityId;
   private final String metadataPath;
   private final String keystorePath;
@@ -42,6 +42,7 @@
   @Inject
   SamlConfig(@GerritServerConfig Config cfg) {
     serviceProviderEntityId = getString(cfg, "serviceProviderEntityId");
+    identityProviderEntityId = getString(cfg, "identityProviderEntityId");
     metadataPath = getString(cfg, "metadataPath");
     keystorePath = getString(cfg, "keystorePath");
     privateKeyPassword = getString(cfg, "privateKeyPassword");
@@ -119,4 +120,8 @@
   public boolean useNameQualifier() {
     return useNameQualifier;
   }
+
+  public String getIdentityProviderEntityId() {
+    return identityProviderEntityId;
+  }
 }

diff --git a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java
index dddb17a..b91f539 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlWebFilter.java

@@ -81,14 +81,23 @@
         new SAML2Configuration(
             samlConfig.getKeystorePath(), samlConfig.getKeystorePassword(),
             samlConfig.getPrivateKeyPassword(), samlConfig.getMetadataPath());
-    samlClientConfig.setMaximumAuthenticationLifetime(samlConfig.getMaxAuthLifetimeAttr());
-    samlClientConfig.setServiceProviderMetadataPath(
-        ensureExists(sitePaths.data_dir).resolve("sp-metadata.xml").toString());
-    if (!Strings.isNullOrEmpty(samlConfig.getServiceProviderEntityId())) {
-      samlClientConfig.setServiceProviderEntityId(samlConfig.getServiceProviderEntityId());
+
+    if (!Strings.isNullOrEmpty(samlConfig.getIdentityProviderEntityId())) {
+      if (!Strings.isNullOrEmpty(samlConfig.getServiceProviderEntityId())) {
+        log.warn(
+            "Both identityProviderEntityId as serviceProviderEntityId are set, ignoring serviceProviderEntityId.");
+      }
+      samlClientConfig.setIdentityProviderEntityId(samlConfig.getIdentityProviderEntityId());
+    } else {
+      samlClientConfig.setServiceProviderMetadataPath(
+          ensureExists(sitePaths.data_dir).resolve("sp-metadata.xml").toString());
+      if (!Strings.isNullOrEmpty(samlConfig.getServiceProviderEntityId())) {
+        samlClientConfig.setServiceProviderEntityId(samlConfig.getServiceProviderEntityId());
+      }
     }
 
     samlClientConfig.setUseNameQualifier(samlConfig.useNameQualifier());
+    samlClientConfig.setMaximumAuthenticationLifetime(samlConfig.getMaxAuthLifetimeAttr());
 
     saml2Client = new SAML2Client(samlClientConfig);
     String callbackUrl = gerritConfig.getString("gerrit", null, "canonicalWebUrl") + SAML_CALLBACK;