Merge "Add option to enforce auth with IdP on session expiration"
diff --git a/README.md b/README.md
index f7df7d7..73927aa 100644
--- a/README.md
+++ b/README.md
@@ -145,6 +145,11 @@
Default is `86400`
+**saml.forceAuth**: (Optional) Whether to force authentication with the IdP, when
+the session in Gerrit expires.
+
+Default is `false`
+
**saml.displayNameAttr**: Gerrit will look for an attribute with this name in
the assertion to find a display name for the user. If the attribute is not
found, the NameId from the SAML assertion is used instead.
diff --git a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlClientProvider.java b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlClientProvider.java
index 9d5d047..4bb32a2 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlClientProvider.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlClientProvider.java
@@ -67,6 +67,8 @@
}
}
+ samlClientConfig.setForceAuth(samlConfig.getForceAuthAttr());
+
samlClientConfig.setUseNameQualifier(samlConfig.useNameQualifier());
samlClientConfig.setMaximumAuthenticationLifetime(samlConfig.getMaxAuthLifetimeAttr());
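Review bot: The new `samlClientConfig.setForceAuth(samlConfig.getForceAuthAttr())` only asks the IdP to re-authenticate (presumably by setting ForceAuthn on the outgoing AuthnRequest — confirm against the pac4j version in use); nothing in this hunk verifies that the IdP honoured the request, so the actual freshness bound on the returned assertion still comes from `setMaximumAuthenticationLifetime` on the following line. A short comment at the call site would stop a future reader from treating the two as redundant and loosening `maxAuthLifetime` once `forceAuth` is on: `// ForceAuthn is a request to the IdP, not a guarantee; maximumAuthenticationLifetime still bounds the assertion's AuthnInstant age.` The hunk header announces 8 new lines but only 6 are visible, so some blank lines appear lost in extraction; the enclosing method starts and ends outside the hunk.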
diff --git a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlConfig.java b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlConfig.java
index 96c591c..ca6c45e 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/saml/SamlConfig.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/saml/SamlConfig.java
@@ -38,6 +38,7 @@
private final String firstNameAttr;
private final String lastNameAttr;
private final int maxAuthLifetimeDefault = 24 * 60 * 60; // 24h;
+ private final boolean forceAuth;
private final boolean useNameQualifier;
private final String memberOfAttr;
@@ -54,6 +55,7 @@
userNameAttr = getStringWithDefault(cfg, "userNameAttr", "UserName");
emailAddressAttr = getStringWithDefault(cfg, "emailAddressAttr", "EmailAddress");
maxAuthLifetimeAttr = cfg.getInt("saml", "maxAuthLifetime", maxAuthLifetimeDefault);
+ forceAuth = cfg.getBoolean(SAML_SECTION, "forceAuth", false);
computedDisplayName = cfg.getBoolean(SAML_SECTION, "computedDisplayName", false);
firstNameAttr = getStringWithDefault(cfg, "firstNameAttr", "FirstName");
lastNameAttr = getStringWithDefault(cfg, "lastNameAttr", "LastName");
@@ -93,6 +95,10 @@
return maxAuthLifetimeAttr;
}
+ public boolean getForceAuthAttr() {
+ return forceAuth;
+ }
+
private static String getString(Config cfg, String name) {
return cfg.getString(SAML_SECTION, null, name);
}