SAMLProvider constant and add configurable name and email claims

TykTechnologies · May 25, 2020 · 437eb19 · 437eb19
1 parent cd6b930
commit 437eb19
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 9 deletions.
diff --git a/constants/constants.go b/constants/constants.go
@@ -7,8 +7,8 @@ const (
 
 //providers
 const (
-    SocialProvider = "SocialProvider"
-    ADProvider = "ADProvider"
-    ProxyProvider = "ProxyProvider"
+	SocialProvider = "SocialProvider"
+	ADProvider     = "ADProvider"
+	ProxyProvider  = "ProxyProvider"
+	SAMLProvider   = "SAMLProvider"
 )
-
diff --git a/providers/saml.go b/providers/saml.go
@@ -43,6 +43,9 @@ type SAMLConfig struct {
 	SAMLBaseURL         string
 	ForceAuthentication bool
 	SAMLBinding         string
+	SAMLEmailClaim      string
+	SAMLForenameClaim   string
+	SAMLSurnameClaim    string
 }
 
 func (s *SAMLProvider) Init(handler tap.IdentityHandler, profile tap.Profile, config []byte) error {
@@ -248,16 +251,32 @@ func (s *SAMLProvider) HandleCallback(w http.ResponseWriter, r *http.Request, on
 	}
 
 	//this is going to be a nightmare of slight differences between IDPs
+	// so lets make it configurable with a sensible backup
 	var email string
-	name := rawData["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"].(string) + " " +
-		rawData["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"].(string)
+	emailClaim := s.config.SAMLEmailClaim
+	if emailClaim == "" {
+		emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+	}
 
-	if _, ok := rawData["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]; ok {
-		email = rawData["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"].(string)
+	if _, ok := rawData[emailClaim]; ok {
+		email = rawData[emailClaim].(string)
 	} else if _, ok := rawData["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"]; ok {
 		email = rawData["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"].(string)
 	}
 
+	givenNameClaim := s.config.SAMLForenameClaim
+	surnameClaim := s.config.SAMLSurnameClaim
+
+	if givenNameClaim == "" {
+		givenNameClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
+	}
+
+	if surnameClaim == "" {
+		surnameClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
+	}
+	name := rawData[givenNameClaim].(string) + " " +
+		rawData[surnameClaim].(string)
+
 	thisUser := goth.User{
 		UserID:   name,
 		Email:    email,

diff --git a/providers/tapProvider.go b/providers/tapProvider.go
@@ -22,7 +22,7 @@ func GetTAProvider(conf tap.Profile, handler tyk.TykAPI, identityKeyStore tap.Au
 		thisProvider = &ADProvider{}
 	case constants.ProxyProvider:
 		thisProvider = &ProxyProvider{}
-	case "SAMLProvider":
+	case constants.SAMLProvider:
 		thisProvider = &SAMLProvider{}
 	default:
 		return nil, errors.New("invalid provider name")