From 4446fb0f14f100ab3e4b13920f63ae41702991d8 Mon Sep 17 00:00:00 2001
From: "Pierre H. Lehnen"
Date: Sat, 20 Jul 2019 22:41:47 -0300
Subject: [PATCH] [NEW] Setting to configure custom authn context on SAML requests (#14675)
---
 app/meteor-accounts-saml/server/saml_rocketchat.js | 8 ++++++++
 app/meteor-accounts-saml/server/saml_utils.js | 3 ++-
 packages/rocketchat-i18n/i18n/en.i18n.json | 1 +
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/app/meteor-accounts-saml/server/saml_rocketchat.js b/app/meteor-accounts-saml/server/saml_rocketchat.js
index fdb9ad837f88..7234b5e29eb2 100644
--- a/app/meteor-accounts-saml/server/saml_rocketchat.js
+++ b/app/meteor-accounts-saml/server/saml_rocketchat.js
@@ -122,6 +122,12 @@ Meteor.methods({
 section: name,
 i18nLabel: 'SAML_Custom_Logout_Behaviour',
 });
+ settings.add(`SAML_Custom_${ name }_custom_authn_context`, 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport', {
+ type: 'string',
+ group: 'SAML',
+ section: name,
+ i18nLabel: 'SAML_Custom_Authn_Context',
+ });
 },
 });
@@ -149,6 +155,7 @@ const getSamlConfigs = function(service) {
 mailOverwrite: settings.get(`${ service.key }_mail_overwrite`),
 issuer: settings.get(`${ service.key }_issuer`),
 logoutBehaviour: settings.get(`${ service.key }_logout_behaviour`),
+ customAuthnContext: settings.get(`${ service.key }_custom_authn_context`),
 secret: {
 privateKey: settings.get(`${ service.key }_private_key`),
 publicCert: settings.get(`${ service.key }_public_cert`),
@@ -193,6 +200,7 @@ const configureSamlService = function(samlConfigs) {
 cert: samlConfigs.secret.cert,
 privateCert,
 privateKey,
+ customAuthnContext: samlConfigs.customAuthnContext,
 };
 };
diff --git a/app/meteor-accounts-saml/server/saml_utils.js b/app/meteor-accounts-saml/server/saml_utils.js
index b910ff6c15d5..37313596a222 100644
--- a/app/meteor-accounts-saml/server/saml_utils.js
+++ b/app/meteor-accounts-saml/server/saml_utils.js
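Review bot: The new `SAML_Custom_${ name }_custom_authn_context` setting in the first hunk is declared as a free-form `type: 'string'` with no validation, yet its value is copied verbatim into the outgoing AuthnRequest XML by the saml_utils.js change in this same patch, so an admin typo or a stray `<`/`&` yields a malformed request that only surfaces as an IdP-side error. Consider a comment on the `settings.add` call such as `// Must be a single AuthnContextClassRef URI; it is interpolated unescaped into the AuthnRequest (see saml_utils.js)`, and validating the value either here or where it is consumed. The default literal is also duplicated as the fallback in saml_utils.js; a shared exported constant would keep the two from drifting. The enclosing `Meteor.methods` body starts before this hunk.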
@@ -96,9 +96,10 @@ SAML.prototype.generateAuthorizeRequest = function(req) {
 request += `\n`;
 }
+ const authnContext = this.options.customAuthnContext || 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport';
 request += ''
- + 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport\n'
+ + `${ authnContext }\n`
 + '';
 return request;
diff --git a/packages/rocketchat-i18n/i18n/en.i18n.json b/packages/rocketchat-i18n/i18n/en.i18n.json
index 85f2b1bc5c75..da43a5525d39 100644
--- a/packages/rocketchat-i18n/i18n/en.i18n.json
+++ b/packages/rocketchat-i18n/i18n/en.i18n.json
@@ -2565,6 +2565,7 @@
 "Same_As_Token_Sent_Via": "Same as \"Token Sent Via\"",
 "Same_Style_For_Mentions": "Same style for mentions",
 "SAML": "SAML",
+ "SAML_Custom_Authn_Context": "Custom Authn Context",
 "SAML_Custom_Cert": "Custom Certificate",
 "SAML_Custom_Debug": "Enable Debug",
 "SAML_Custom_Entry_point": "Custom Entry Point",
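Review bot: The new `authnContext` value is interpolated straight into the AuthnRequest XML on the `+ `${ authnContext }\n`` line with no escaping or validation, so an admin-configured value containing `<`, `&` or quotes produces a malformed or element-injecting request (the surrounding `samlp:RequestedAuthnContext`/`saml:AuthnContextClassRef` markup appears stripped from this rendering, so the exact element is inferred). Because a class reference is a URI that never legitimately contains XML-special characters or whitespace, rejecting such values is safer than escaping them: `if (/[<>&"'\s]/.test(authnContext)) { throw new Error('SAML custom authn context must be a URI without XML-special characters'); }` placed directly after the new `const`. Note also that `||` treats an empty setting as unset, which is probably intended but deserves a one-line comment, `// empty setting falls back to PasswordProtectedTransport`. `generateAuthorizeRequest` starts before this hunk and its closing brace lies outside it.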