feat: SAML

CHANGELOG.md

@@ -7,6 +7,65 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [11.3.0]
+
+- Adds SAML features
+
+### Migration
+
+```sql
+CREATE TABLE IF NOT EXISTS saml_clients (
+    app_id VARCHAR(64) NOT NULL DEFAULT 'public',
+    tenant_id VARCHAR(64) NOT NULL DEFAULT 'public',
+    client_id VARCHAR(256) NOT NULL,
+    client_secret TEXT,
+    sso_login_url TEXT NOT NULL,
+    redirect_uris TEXT NOT NULL,
+    default_redirect_uri TEXT NOT NULL,
+    idp_entity_id VARCHAR(256) NOT NULL,
+    idp_signing_certificate TEXT NOT NULL,
+    allow_idp_initiated_login BOOLEAN NOT NULL DEFAULT FALSE,
+    enable_request_signing BOOLEAN NOT NULL DEFAULT FALSE,
+    created_at BIGINT NOT NULL,
+    updated_at BIGINT NOT NULL,
+    CONSTRAINT saml_clients_pkey PRIMARY KEY(app_id, tenant_id, client_id),
+    CONSTRAINT saml_clients_idp_entity_id_key UNIQUE (app_id, tenant_id, idp_entity_id),
+    CONSTRAINT saml_clients_app_id_fkey FOREIGN KEY(app_id) REFERENCES apps (app_id) ON DELETE CASCADE,
+    CONSTRAINT saml_clients_tenant_id_fkey FOREIGN KEY(app_id, tenant_id) REFERENCES tenants (app_id, tenant_id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS saml_clients_app_id_tenant_id_index ON saml_clients (app_id, tenant_id);
+
+CREATE TABLE IF NOT EXISTS saml_relay_state (
+    app_id VARCHAR(64) NOT NULL DEFAULT 'public',
+    tenant_id VARCHAR(64) NOT NULL DEFAULT 'public',
+    relay_state VARCHAR(256) NOT NULL,
+    client_id VARCHAR(256) NOT NULL,
+    state TEXT NOT NULL,
+    redirect_uri TEXT NOT NULL,
+    created_at BIGINT NOT NULL,
+    CONSTRAINT saml_relay_state_pkey PRIMARY KEY(app_id, tenant_id, relay_state),
+    CONSTRAINT saml_relay_state_app_id_fkey FOREIGN KEY(app_id) REFERENCES apps (app_id) ON DELETE CASCADE,
+    CONSTRAINT saml_relay_state_tenant_id_fkey FOREIGN KEY(app_id, tenant_id) REFERENCES tenants (app_id, tenant_id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS saml_relay_state_app_id_tenant_id_index ON saml_relay_state (app_id, tenant_id);
+
+CREATE TABLE IF NOT EXISTS saml_claims (
+    app_id VARCHAR(64) NOT NULL DEFAULT 'public',
+    tenant_id VARCHAR(64) NOT NULL DEFAULT 'public',
+    client_id VARCHAR(256) NOT NULL,
+    code VARCHAR(256) NOT NULL,
+    claims TEXT NOT NULL,
+    created_at BIGINT NOT NULL,
+    CONSTRAINT saml_claims_pkey PRIMARY KEY(app_id, tenant_id, code),
+    CONSTRAINT saml_claims_app_id_fkey FOREIGN KEY(app_id) REFERENCES apps (app_id) ON DELETE CASCADE,
+    CONSTRAINT saml_claims_tenant_id_fkey FOREIGN KEY(app_id, tenant_id) REFERENCES tenants (app_id, tenant_id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS saml_claims_app_id_tenant_id_index ON saml_claims (app_id, tenant_id);
+```
+
 ## [11.2.0]
 
 - Adds opentelemetry-javaagent to the core distribution

build.gradle

@@ -27,10 +27,12 @@ java {
     }
 }
 
-version = "11.2.0"
+version = "11.3.0"
 
 repositories {
     mavenCentral()
+
+    maven { url 'https://build.shibboleth.net/nexus/content/repositories/releases/' }
 }
 
 dependencies {
@@ -86,11 +88,16 @@ dependencies {
 
     implementation platform("io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:2.17.0-alpha")
 
+    // Open SAML
+    implementation group: 'org.opensaml', name: 'opensaml-core', version: '4.3.1'
+    implementation group: 'org.opensaml', name: 'opensaml-saml-impl', version: '4.3.1'
+    implementation group: 'org.opensaml', name: 'opensaml-security-impl', version: '4.3.1'
+    implementation group: 'org.opensaml', name: 'opensaml-profile-impl', version: '4.3.1'
+    implementation group: 'org.opensaml', name: 'opensaml-xmlsec-impl', version: '4.3.1'
 
     implementation("ch.qos.logback:logback-core:1.5.18")
     implementation("ch.qos.logback:logback-classic:1.5.18")
 
-
     // OpenTelemetry core
     implementation("io.opentelemetry:opentelemetry-sdk")
     implementation("io.opentelemetry:opentelemetry-exporter-otlp")

config.yaml

@@ -186,3 +186,9 @@ core_config_version: 0
 # (OPTIONAL | Default: null) string value. The URL of the OpenTelemetry collector to which the core
 # will send telemetry data. This should be in the format http://<host>:<port> or https://<host>:<port>.
 # otel_collector_connection_uri:
+
+# (OPTIONAL | Default: null) string value. If specified, uses this URL as ACS URL for handling legacy SAML clients
+# saml_legacy_acs_url:
+
+# (OPTIONAL | Default: https://saml.supertokens.com) string value. Service provider's entity ID.
+# saml_sp_entity_id:

coreDriverInterfaceSupported.json

@@ -22,6 +22,7 @@
     "5.0",
     "5.1",
     "5.2",
-    "5.3"
+    "5.3",
+    "5.4"
   ]
 }

devConfig.yaml

@@ -185,4 +185,10 @@ disable_telemetry: true
 
 # (OPTIONAL | Default: null) string value. The URL of the OpenTelemetry collector to which the core
 # will send telemetry data. This should be in the format http://<host>:<port> or https://<host>:<port>.
-# otel_collector_connection_uri:
+# otel_collector_connection_uri:
+
+# (OPTIONAL | Default: null) string value. If specified, uses this URL as ACS URL for handling legacy SAML clients
+saml_legacy_acs_url: "http://localhost:5225/api/oauth/saml"
+
+# (OPTIONAL | Default: https://saml.supertokens.com) string value. Service provider's entity ID.
+# saml_sp_entity_id:

ee/src/main/java/io/supertokens/ee/EEFeatureFlag.java

@@ -34,6 +34,7 @@
 import io.supertokens.pluginInterface.multitenancy.ThirdPartyConfig;
 import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
 import io.supertokens.pluginInterface.oauth.OAuthStorage;
+import io.supertokens.pluginInterface.saml.SAMLStorage;
 import io.supertokens.pluginInterface.session.sqlStorage.SessionSQLStorage;
 import io.supertokens.storageLayer.StorageLayer;
 import io.supertokens.utils.Utils;
@@ -386,6 +387,34 @@ private JsonArray getMAUs() throws StorageQueryException, TenantOrAppNotFoundExc
         return mauArr;
     }
 
+    private JsonObject getSAMLStats() throws TenantOrAppNotFoundException, StorageQueryException {
+        JsonObject stats = new JsonObject();
+
+        stats.addProperty("connectionUriDomain", this.appIdentifier.getConnectionUriDomain());
+        stats.addProperty("appId", this.appIdentifier.getAppId());
+
+        JsonArray tenantStats = new JsonArray();
+
+        TenantConfig[] tenantConfigs = Multitenancy.getAllTenantsForApp(this.appIdentifier, main);
+        for (TenantConfig tenantConfig : tenantConfigs) {
+            JsonObject tenantStat = new JsonObject();
+            tenantStat.addProperty("tenantId", tenantConfig.tenantIdentifier.getTenantId());
+
+            {
+                Storage storage = StorageLayer.getStorage(tenantConfig.tenantIdentifier, main);
+                SAMLStorage samlStorage = StorageUtils.getSAMLStorage(storage);
+
+                JsonObject stat = new JsonObject();
+                stat.addProperty("numberOfSAMLClients", samlStorage.countSAMLClients(tenantConfig.tenantIdentifier));
+                stat.add(tenantConfig.tenantIdentifier.getTenantId(), stat);
+            }
+        }
+
+        stats.add("tenants", tenantStats);
+
+        return stats;
+    }
+
     @Override
     public JsonObject getPaidFeatureStats() throws StorageQueryException, TenantOrAppNotFoundException {
         JsonObject usageStats = new JsonObject();
@@ -433,6 +462,10 @@ public JsonObject getPaidFeatureStats() throws StorageQueryException, TenantOrAp
             if (feature == EE_FEATURES.OAUTH) {
                 usageStats.add(EE_FEATURES.OAUTH.toString(), getOAuthStats());
             }
+
+            if (feature == EE_FEATURES.SAML) {
+                usageStats.add(EE_FEATURES.SAML.toString(), getSAMLStats());
+            }
         }
 
         usageStats.add("maus", getMAUs());

implementationDependencies.json

@@ -101,6 +101,146 @@
 		"name":"webauthn4j-core 0.28.6.RELEASE",
 		"src":"https://repo.maven.apache.org/maven2/com/webauthn4j/webauthn4j-core/0.28.6.RELEASE/webauthn4j-core-0.28.6.RELEASE-sources.jar"
 	},
+	{
+		"jar":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-core/4.3.1/opensaml-core-4.3.1.jar",
+		"name":"opensaml-core 4.3.1",
+		"src":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-core/4.3.1/opensaml-core-4.3.1-sources.jar"
+	},
+	{
+		"jar":"https://build.shibboleth.net/nexus/content/repositories/releases/net/shibboleth/utilities/java-support/8.4.1/java-support-8.4.1.jar",
+		"name":"java-support 8.4.1",
+		"src":"https://build.shibboleth.net/nexus/content/repositories/releases/net/shibboleth/utilities/java-support/8.4.1/java-support-8.4.1-sources.jar"
+	},
+	{
+		"jar":"https://repo.maven.apache.org/maven2/com/google/guava/guava/31.1-jre/guava-31.1-jre.jar",
+		"name":"guava 31.1-jre",
+		"src":"https://repo.maven.apache.org/maven2/com/google/guava/guava/31.1-jre/guava-31.1-jre-sources.jar"
+	},
+	{
+		"jar":"https://repo.maven.apache.org/maven2/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar",
+		"name":"failureaccess 1.0.1",
+		"src":"https://repo.maven.apache.org/maven2/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1-sources.jar"
+	},
+	{
+		"jar":"https://repo.maven.apache.org/maven2/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar",
+		"name":"listenablefuture 9999.0-empty-to-avoid-conflict-with-guava",
+		"src":"https://repo.maven.apache.org/maven2/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava-sources.jar"
+	},
+	{
+		"jar":"https://repo.maven.apache.org/maven2/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.jar",
+		"name":"j2objc-annotations 1.3",
+		"src":"https://repo.maven.apache.org/maven2/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3-sources.jar"
+	},
+	{
+		"jar":"https://repo.maven.apache.org/maven2/io/dropwizard/metrics/metrics-core/4.2.25/metrics-core-4.2.25.jar",
+		"name":"metrics-core 4.2.25",
+		"src":"https://repo.maven.apache.org/maven2/io/dropwizard/metrics/metrics-core/4.2.25/metrics-core-4.2.25-sources.jar"
+	},
+	{
+		"jar":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-saml-impl/4.3.1/opensaml-saml-impl-4.3.1.jar",
+		"name":"opensaml-saml-impl 4.3.1",
+		"src":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-saml-impl/4.3.1/opensaml-saml-impl-4.3.1-sources.jar"
+	},
+	{
+		"jar":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-xmlsec-impl/4.3.1/opensaml-xmlsec-impl-4.3.1.jar",
+		"name":"opensaml-xmlsec-impl 4.3.1",
+		"src":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-xmlsec-impl/4.3.1/opensaml-xmlsec-impl-4.3.1-sources.jar"
+	},
+	{
+		"jar":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-security-impl/4.3.1/opensaml-security-impl-4.3.1.jar",
+		"name":"opensaml-security-impl 4.3.1",
+		"src":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-security-impl/4.3.1/opensaml-security-impl-4.3.1-sources.jar"
+	},
+	{
+		"jar":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-security-api/4.3.1/opensaml-security-api-4.3.1.jar",
+		"name":"opensaml-security-api 4.3.1",
+		"src":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-security-api/4.3.1/opensaml-security-api-4.3.1-sources.jar"
+	},
+	{
+		"jar":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-messaging-api/4.3.1/opensaml-messaging-api-4.3.1.jar",
+		"name":"opensaml-messaging-api 4.3.1",
+		"src":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-messaging-api/4.3.1/opensaml-messaging-api-4.3.1-sources.jar"
+	},
+	{
+		"jar":"https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.14/httpclient-4.5.14.jar",
+		"name":"httpclient 4.5.14",
+		"src":"https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpclient/4.5.14/httpclient-4.5.14-sources.jar"
+	},
+	{
+		"jar":"https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpcore/4.4.16/httpcore-4.4.16.jar",
+		"name":"httpcore 4.4.16",
+		"src":"https://repo.maven.apache.org/maven2/org/apache/httpcomponents/httpcore/4.4.16/httpcore-4.4.16-sources.jar"
+	},
+	{
+		"jar":"https://repo.maven.apache.org/maven2/org/cryptacular/cryptacular/1.2.5/cryptacular-1.2.5.jar",
+		"name":"cryptacular 1.2.5",
+		"src":"https://repo.maven.apache.org/maven2/org/cryptacular/cryptacular/1.2.5/cryptacular-1.2.5-sources.jar"
+	},
+	{
+		"jar":"https://repo.maven.apache.org/maven2/org/bouncycastle/bcprov-jdk18on/1.72/bcprov-jdk18on-1.72.jar",
+		"name":"bcprov-jdk18on 1.72",
+		"src":"https://repo.maven.apache.org/maven2/org/bouncycastle/bcprov-jdk18on/1.72/bcprov-jdk18on-1.72-sources.jar"
+	},
+	{
+		"jar":"https://repo.maven.apache.org/maven2/org/bouncycastle/bcpkix-jdk18on/1.72/bcpkix-jdk18on-1.72.jar",
+		"name":"bcpkix-jdk18on 1.72",
+		"src":"https://repo.maven.apache.org/maven2/org/bouncycastle/bcpkix-jdk18on/1.72/bcpkix-jdk18on-1.72-sources.jar"
+	},
+	{
+		"jar":"https://repo.maven.apache.org/maven2/org/bouncycastle/bcutil-jdk18on/1.72/bcutil-jdk18on-1.72.jar",
+		"name":"bcutil-jdk18on 1.72",
+		"src":"https://repo.maven.apache.org/maven2/org/bouncycastle/bcutil-jdk18on/1.72/bcutil-jdk18on-1.72-sources.jar"
+	},
+	{
+		"jar":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-xmlsec-api/4.3.1/opensaml-xmlsec-api-4.3.1.jar",
+		"name":"opensaml-xmlsec-api 4.3.1",
+		"src":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-xmlsec-api/4.3.1/opensaml-xmlsec-api-4.3.1-sources.jar"
+	},
+	{
+		"jar":"https://repo.maven.apache.org/maven2/org/apache/santuario/xmlsec/2.3.4/xmlsec-2.3.4.jar",
+		"name":"xmlsec 2.3.4",
+		"src":"https://repo.maven.apache.org/maven2/org/apache/santuario/xmlsec/2.3.4/xmlsec-2.3.4-sources.jar"
+	},
+	{
+		"jar":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-saml-api/4.3.1/opensaml-saml-api-4.3.1.jar",
+		"name":"opensaml-saml-api 4.3.1",
+		"src":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-saml-api/4.3.1/opensaml-saml-api-4.3.1-sources.jar"
+	},
+	{
+		"jar":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-profile-api/4.3.1/opensaml-profile-api-4.3.1.jar",
+		"name":"opensaml-profile-api 4.3.1",
+		"src":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-profile-api/4.3.1/opensaml-profile-api-4.3.1-sources.jar"
+	},
+	{
+		"jar":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-soap-api/4.3.1/opensaml-soap-api-4.3.1.jar",
+		"name":"opensaml-soap-api 4.3.1",
+		"src":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-soap-api/4.3.1/opensaml-soap-api-4.3.1-sources.jar"
+	},
+	{
+		"jar":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-soap-impl/4.3.1/opensaml-soap-impl-4.3.1.jar",
+		"name":"opensaml-soap-impl 4.3.1",
+		"src":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-soap-impl/4.3.1/opensaml-soap-impl-4.3.1-sources.jar"
+	},
+	{
+		"jar":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-storage-api/4.3.1/opensaml-storage-api-4.3.1.jar",
+		"name":"opensaml-storage-api 4.3.1",
+		"src":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-storage-api/4.3.1/opensaml-storage-api-4.3.1-sources.jar"
+	},
+	{
+		"jar":"https://repo.maven.apache.org/maven2/org/apache/velocity/velocity-engine-core/2.3/velocity-engine-core-2.3.jar",
+		"name":"velocity-engine-core 2.3",
+		"src":"https://repo.maven.apache.org/maven2/org/apache/velocity/velocity-engine-core/2.3/velocity-engine-core-2.3-sources.jar"
+	},
+	{
+		"jar":"https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.11/commons-lang3-3.11.jar",
+		"name":"commons-lang3 3.11",
+		"src":"https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.11/commons-lang3-3.11-sources.jar"
+	},
+	{
+		"jar":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-profile-impl/4.3.1/opensaml-profile-impl-4.3.1.jar",
+		"name":"opensaml-profile-impl 4.3.1",
+		"src":"https://build.shibboleth.net/nexus/content/repositories/releases/org/opensaml/opensaml-profile-impl/4.3.1/opensaml-profile-impl-4.3.1-sources.jar"
+	},
 	{
 		"jar":"https://repo.maven.apache.org/maven2/ch/qos/logback/logback-core/1.5.18/logback-core-1.5.18.jar",
 		"name":"logback-core 1.5.18",

pluginInterfaceSupported.json

@@ -1,6 +1,6 @@
 {
   "_comment": "contains a list of plugin interfaces branch names that this core supports",
   "versions": [
-    "8.2"
+    "8.3"
   ]
 }

src/main/java/io/supertokens/Main.java

@@ -22,6 +22,7 @@
 import io.supertokens.cronjobs.Cronjobs;
 import io.supertokens.cronjobs.bulkimport.ProcessBulkImportUsers;
 import io.supertokens.cronjobs.cleanupOAuthSessionsAndChallenges.CleanupOAuthSessionsAndChallenges;
+import io.supertokens.cronjobs.cleanupSAMLCodes.CleanupSAMLCodes;
 import io.supertokens.cronjobs.cleanupWebauthnExpiredData.CleanUpWebauthNExpiredDataCron;
 import io.supertokens.cronjobs.deleteExpiredAccessTokenSigningKeys.DeleteExpiredAccessTokenSigningKeys;
 import io.supertokens.cronjobs.deleteExpiredDashboardSessions.DeleteExpiredDashboardSessions;
@@ -42,6 +43,7 @@
 import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
 import io.supertokens.pluginInterface.exceptions.StorageQueryException;
 import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
+import io.supertokens.saml.SAMLBootstrap;
 import io.supertokens.storageLayer.StorageLayer;
 import io.supertokens.telemetry.TelemetryProvider;
 import io.supertokens.version.Version;
@@ -182,6 +184,9 @@ private void init() throws IOException, StorageQueryException {
         // init file logging
         Logging.initFileLogging(this);
 
+        // Required for SAML related stuff
+        SAMLBootstrap.initialize();
+
         // initialise cron job handler
         Cronjobs.init(this);
 
@@ -278,6 +283,8 @@ private void init() throws IOException, StorageQueryException {
 
         Cronjobs.addCronjob(this, CleanUpWebauthNExpiredDataCron.init(this, uniqueUserPoolIdsTenants));
 
+        Cronjobs.addCronjob(this, CleanupSAMLCodes.init(this, uniqueUserPoolIdsTenants));
+
         // this is to ensure tenantInfos are in sync for the new cron job as well
         MultitenancyHelper.getInstance(this).refreshCronjobs();