Skip to content

[ADD] auth_saml: Support for unsolicited SAML requests #836

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: 18.0
Choose a base branch
from
Open

[ADD] auth_saml: Support for unsolicited SAML requests #836

wants to merge 9 commits into from

Conversation

@bringsvor
Copy link

Add configurable feature to allow unsolicited SAML requests. This is for example useful to allow IdP to initiate.

@OCA-git-bot
Copy link
Contributor

Hi @vincent-hatakeyama,
some modules you are maintaining are being modified, check this out!

vincent-hatakeyama
vincent-hatakeyama suggested changes Sep 11, 2025
View reviewed changes
Copy link
Contributor

@vincent-hatakeyama vincent-hatakeyama left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the pull request.

A couple of additional review elements:

I also have a question about testing this: is there a way to test this feature with keycloak?

auth_saml/models/auth_saml_provider.py
Comment on lines +140 to +145
allow_saml_unsolicited_req = fields.Boolean(
compute="_compute_allow_saml_unsolicited",
string="Allow Unsolicited Requests",
help="Allow IdP-initiated authentication requests",
)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why make this a company dependent value and not a provider dependant one?

If it is company dependent, it should only be in the configuration panel.

auth_saml/models/auth_saml_provider.py
Comment on lines -222 to +228
"allow_unsolicited": False,
"allow_unsolicited": self.allow_saml_unsolicited_req,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I’m not confident the company is correct at this place, I believe it might be using the superuser company instead of any company.

auth_saml/tests/test_unsolicited_requests.py
@@ -0,0 +1,82 @@
# Copyright (C) 2010-2016, 2022 XCG Consulting <http://odoo.consulting>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Copyright (C) 2010-2016, 2022 XCG Consulting <http://odoo.consulting>
# Copyright (C) 2010-2016, 2022 XCG SAS <https://orbeet.io/>

No need to keep the copyright unless you copied something from another test.
You should add your name or your company’s.

auth_saml/views/res_config_settings.xml
Comment on lines +16 to +18
<!-- Allow IdP-initiated authentication without prior AuthnRequest from SP.
Security Note: Only enable if your IdP requires unsolicited requests
and you trust the IdP to properly validate user sessions. -->
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should not be a comment, it should be displayed in the configuration page.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@vincent-hatakeyama vincent-hatakeyama vincent-hatakeyama requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bringsvor @OCA-git-bot @vincent-hatakeyama