Fix for SAML SP-initiated flow bug #685

javuto · javuto · commit 5259142b4d24 · 2025-08-23T11:33:35.000+02:00
diff --git a/cmd/admin/auth.go b/cmd/admin/auth.go
@@ -40,6 +40,10 @@ func handlerAuthCheck(h http.Handler, auth string) http.Handler {
 		case config.AuthSAML:
 			samlSession, err := samlMiddleware.Session.GetSession(r)
 			if err != nil {
+				if samlConfig.SPInitiated {
+					samlMiddleware.HandleStartAuthFlow(w, r)
+					return
+				}
 				http.Redirect(w, r, samlConfig.LoginURL, http.StatusFound)
 				return
 			}
@@ -89,6 +93,10 @@ func handlerAuthCheck(h http.Handler, auth string) http.Handler {
 				session, err = sessionsmgr.Save(r, w, u)
 				if err != nil {
 					log.Err(err).Msgf("session error")
+					if samlConfig.SPInitiated {
+						samlMiddleware.HandleStartAuthFlow(w, r)
+						return
+					}
 					http.Redirect(w, r, samlConfig.LoginURL, http.StatusFound)
 					return
 				}
@@ -103,7 +111,7 @@ func handlerAuthCheck(h http.Handler, auth string) http.Handler {
 			if err != nil {
 				log.Err(err).Msgf("error updating metadata for user %s", session.Username)
 			}
-			// Access granted
+			// Access granted, use SAML middleware to set context
 			samlMiddleware.RequireAccount(h).ServeHTTP(w, r.WithContext(ctx))
 		}
 	})
diff --git a/cmd/admin/saml.go b/cmd/admin/saml.go
@@ -24,6 +24,7 @@ type JSONConfigurationSAML struct {
 	LoginURL     string `json:"loginurl"`
 	LogoutURL    string `json:"logouturl"`
 	JITProvision bool   `json:"jitprovision"`
+	SPInitiated  bool   `json:"spinitiated"`
 }
 
 // Structure to keep all SAML related data

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ type JSONConfigurationSAML struct {`
`24`	`24`	LoginURL string `json:"loginurl"`
`25`	`25`	LogoutURL string `json:"logouturl"`
`26`	`26`	JITProvision bool `json:"jitprovision"`
	`27`	+ SPInitiated bool `json:"spinitiated"`
`27`	`28`	`}`
`28`	`29`
`29`	`30`	`// Structure to keep all SAML related data`