From db7383fd35d25a24cab4526198c49c2915e9650e Mon Sep 17 00:00:00 2001 From: Musa Nasrullah Date: Wed, 1 Jun 2022 21:03:41 +0700 Subject: [PATCH 1/2] add group and email attribute --- config/samlConfig/README.md | 6 +++++- config/samlConfig/SamlConfigTest.groovy | 8 ++++++-- config/samlConfig/samlConfig.groovy | 13 +++++++++++-- 3 files changed, 22 insertions(+), 5 deletions(-) diff --git a/config/samlConfig/README.md b/config/samlConfig/README.md index 2fce5621..651ff9cf 100644 --- a/config/samlConfig/README.md +++ b/config/samlConfig/README.md @@ -16,6 +16,8 @@ returned JSON string has the following fields: - `serviceProviderName`: The SAML service provider name - `noAutoUserCreation`: Whether to automatically create users on SAML login - `certificate`: The SAML certificate as a base64 string +- `groupAttribute`: The group attribute in the SAML login XML response +- `emailAttribute`: If Auto Create Artifactory Users is enabled or an internal user exists, the system will set the user’s email to the value in this attribute that is returned by the SAML login XML response. For example: @@ -27,7 +29,9 @@ $ curl -u admin:password 'http://localhost:8081/artifactory/api/plugins/execute/ "logoutUrl": "http://mylogout", "serviceProviderName": "my-service-provider", "noAutoUserCreation": true, - "certificate": "my-certificate" + "certificate": "my-certificate", + "groupAttribute": "groups", + "emailAttribute": "email" } ``` diff --git a/config/samlConfig/SamlConfigTest.groovy b/config/samlConfig/SamlConfigTest.groovy index e0f7d0e7..3cf42e57 100644 --- a/config/samlConfig/SamlConfigTest.groovy +++ b/config/samlConfig/SamlConfigTest.groovy 
@@ -19,7 +19,9 @@ class SamlConfigTest extends Specification { loginUrl: 'http://mylogin', logoutUrl: 'http://mylogout', serviceProviderName: 'my-service-provider', noAutoUserCreation: false, - certificate: 'my-certificate'] + certificate: 'my-certificate', + groupAttribute: 'groups', + emailAttribute: 'email'] conn = new URL("$baseurl/setSaml").openConnection() conn.doOutput = true conn.requestMethod = 'POST' @@ -44,7 +46,9 @@ class SamlConfigTest extends Specification { loginUrl: 'http://mynewlogin', logoutUrl: 'http://mynewlogout', serviceProviderName: 'my-new-service-provider', noAutoUserCreation: true, - certificate: 'my-new-certificate'] + certificate: 'my-new-certificate', + groupAttribute: 'groups', + emailAttribute: 'email'] conn = new URL("$baseurl/setSaml").openConnection() conn.doOutput = true conn.requestMethod = 'POST' diff --git a/config/samlConfig/samlConfig.groovy b/config/samlConfig/samlConfig.groovy index a8e82126..91ef95c2 100644 --- a/config/samlConfig/samlConfig.groovy +++ b/config/samlConfig/samlConfig.groovy @@ -36,7 +36,14 @@ def propList = ['enableIntegration': [ { c, v -> c.noAutoUserCreation = v ?: false } ], 'certificate': [ CharSequence.class, 'string', - { c, v -> c.certificate = v ?: null }]] + { c, v -> c.certificate = v ?: null } + ], 'groupAttribute': [ + CharSequence.class, 'string', + { c, v -> c.groupAttribute = v ?: null } + ], 'emailAttribute': [ + CharSequence.class, 'string', + { c, v -> c.emailAttribute = v ?: null } + ]] executions { getSaml(version: '1.0', httpMethod: 'GET') { params -> @@ -48,7 +55,9 @@ executions { logoutUrl: cfg.logoutUrl ?: null, serviceProviderName: cfg.serviceProviderName ?: null, noAutoUserCreation: cfg.noAutoUserCreation ?: false, - certificate: cfg.certificate ?: null] + certificate: cfg.certificate ?: null, + groupAttribute: cfg.groupAttribute ?: null, + emailAttribute: cfg.emailAttribute ?: null] message = new JsonBuilder(json).toPrettyString() status = 200 } 
From 70c430077e3f36802168c7fa1d542b997006e054 Mon Sep 17 00:00:00 2001 From: Musa Nasrullah Date: Wed, 1 Jun 2022 23:03:02 +0700 Subject: [PATCH 2/2] update attribute list --- config/samlConfig/README.md | 14 ++++++++++++-- config/samlConfig/samlConfig.groovy | 28 ++++++++++++++++++++++++---- 2 files changed, 36 insertions(+), 6 deletions(-) diff --git a/config/samlConfig/README.md b/config/samlConfig/README.md index 651ff9cf..5ae781be 100644 --- a/config/samlConfig/README.md +++ b/config/samlConfig/README.md 
@@ -11,11 +11,16 @@ getSaml returned JSON string has the following fields: - `enableIntegration`: Whether SAML is enabled +- `verifyAudienceRestriction`: A verification step has been set up opposite the SAML server to validate SAML SSO authentication requests - `loginUrl`: The SAML login URL - `logoutUrl`: The SAML logout URL +- `certificate`: The SAML certificate as a base64 string - `serviceProviderName`: The SAML service provider name - `noAutoUserCreation`: Whether to automatically create users on SAML login -- `certificate`: The SAML certificate as a base64 string +- `allowUserToAccessProfile`: When selected, users created after authenticating using SAML, will be able to access their profile +- `useEncryptedAssertion`: When set, an X.509 public certificate will be created by Artifactory. Download this certificate and upload it to your IDP and choose your own encryption algorithm. This process will let you encrypt the assertion section in your SAML response +- `autoRedirect`: When set, clicking on the login link will direct the users to the configured SAML login URL +- `syncGroups`: When set, in addition to the groups the user is already associated with, they will also be associated with the groups returned in the SAML login response - `groupAttribute`: The group attribute in the SAML login XML response - `emailAttribute`: If Auto Create Artifactory Users is enabled or an internal user exists, the system will set the user’s email to the value in this attribute that is returned by the SAML login XML response. 
@@ -25,11 +30,16 @@ For example: $ curl -u admin:password 'http://localhost:8081/artifactory/api/plugins/execute/getSaml' { "enableIntegration": true, + "verifyAudienceRestriction": true, "loginUrl": "http://mylogin", "logoutUrl": "http://mylogout", + "certificate": "my-certificate", "serviceProviderName": "my-service-provider", "noAutoUserCreation": true, - "certificate": "my-certificate", + "allowUserToAccessProfile": false, + "useEncryptedAssertion": false, + "autoRedirect": false, + "syncGroups": true, "groupAttribute": "groups", "emailAttribute": "email" } diff --git a/config/samlConfig/samlConfig.groovy b/config/samlConfig/samlConfig.groovy index 91ef95c2..2cfadc16 100644 --- a/config/samlConfig/samlConfig.groovy +++ b/config/samlConfig/samlConfig.groovy 
@@ -22,21 +22,36 @@ import org.artifactory.resource.ResourceStreamHandle def propList = ['enableIntegration': [ Boolean.class, 'boolean', { c, v -> c.enableIntegration = v ?: false } + ], 'verifyAudienceRestriction': [ + Boolean.class, 'boolean', + { c, v -> c.verifyAudienceRestriction = v ?: false } ], 'loginUrl': [ CharSequence.class, 'string', { c, v -> c.loginUrl = v ?: null } ], 'logoutUrl': [ CharSequence.class, 'string', { c, v -> c.logoutUrl = v ?: null } + ], 'certificate': [ + CharSequence.class, 'string', + { c, v -> c.certificate = v ?: null } ], 'serviceProviderName': [ CharSequence.class, 'string', { c, v -> c.serviceProviderName = v ?: null } ], 'noAutoUserCreation': [ Boolean.class, 'boolean', { c, v -> c.noAutoUserCreation = v ?: false } - ], 'certificate': [ - CharSequence.class, 'string', - { c, v -> c.certificate = v ?: null } + ], 'allowUserToAccessProfile': [ + Boolean.class, 'boolean', + { c, v -> c.allowUserToAccessProfile = v ?: false } + ], 'useEncryptedAssertion': [ + Boolean.class, 'boolean', + { c, v -> c.useEncryptedAssertion = v ?: false } + ], 'autoRedirect': [ + Boolean.class, 'boolean', + { c, v -> c.autoRedirect = v ?: false } + ], 'syncGroups': [ + Boolean.class, 'boolean', + { c, v -> c.syncGroups = v ?: false } ], 'groupAttribute': [ CharSequence.class, 'string', { c, v -> c.groupAttribute = v ?: null } 
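Review bot: The setter `{ c, v -> c.verifyAudienceRestriction = v ?: false }` maps an absent or null value to `false`, so if setSaml (its body is outside this hunk) applies every propList entry to the settings object, a POST that merely omits `verifyAudienceRestriction` silently turns audience-restriction checking off — a fail-open default for the one boolean in this list that is a security control rather than a UI preference, and the existing stored value is lost rather than preserved. Unlike `autoRedirect` or `allowUserToAccessProfile`, the safe fallback here is the restrictive one; consider `{ c, v -> c.verifyAudienceRestriction = v == null ? true : v }`, or skipping the assignment when the key is not present so the current value survives, and have the README state what an omitted key does. The same `v ?: false` pattern on `syncGroups` is harmless but worth a one-line comment saying the omission defaults are deliberate. The `propList` literal continues past the end of this hunk.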
@@ -51,11 +66,16 @@ executions { if (cfg == null) cfg = new SamlSettings() def json = [ enableIntegration: cfg.isEnableIntegration() ?: false, + verifyAudienceRestriction: cfg.verifyAudienceRestriction ?: false, loginUrl: cfg.loginUrl ?: null, logoutUrl: cfg.logoutUrl ?: null, + certificate: cfg.certificate ?: null, serviceProviderName: cfg.serviceProviderName ?: null, noAutoUserCreation: cfg.noAutoUserCreation ?: false, - certificate: cfg.certificate ?: null, + allowUserToAccessProfile: cfg.allowUserToAccessProfile ?: false, + useEncryptedAssertion: cfg.useEncryptedAssertion ?: false, + autoRedirect: cfg.autoRedirect ?: false, + syncGroups: cfg.syncGroups ?: false, groupAttribute: cfg.groupAttribute ?: null, emailAttribute: cfg.emailAttribute ?: null] message = new JsonBuilder(json).toPrettyString()
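Review bot: The seven keys added to the getSaml response (`verifyAudienceRestriction` through `syncGroups`) have no test coverage: this patch's diffstat lists only the README and samlConfig.groovy, whereas patch 1 extended the posted map in SamlConfigTest.groovy for `groupAttribute` and `emailAttribute`. A round trip that POSTs `verifyAudienceRestriction: true, syncGroups: true` and asserts they come back from getSaml would also surface the `?: false` coalescing on these lines, which makes an unset value indistinguishable from an explicit `false` in the GET output. Minor style point: `enableIntegration` is read via `cfg.isEnableIntegration()` while every new boolean uses property access; pick one form. The `getSaml` execution closure starts before this hunk.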