[v14] Service Provider creation without entity descriptor in config file

api/proto/teleport/legacy/types/types.proto

@@ -5757,10 +5757,13 @@ message SAMLIdPServiceProviderV1 {
 message SAMLIdPServiceProviderSpecV1 {
   // EntityDescriptor is the entity descriptor for the service provider
   string EntityDescriptor = 1 [(gogoproto.jsontag) = "entity_descriptor"];
-  // EntityID is the entity ID for the entity descriptor. This ID is checked that it matches
-  // the entity ID in the entity descriptor at upsert time to avoid having to parse the
-  // XML blob in the entity descriptor every time we need to use this resource.
+  // EntityID is the entity ID for the entity descriptor. If entity descriptor is provided,
+  // this value is checked that it matches the entity ID in the entity descriptor
+  // at upsert time to avoid having to parse the XML blob in the entity descriptor
+  // every time we need to use this resource.
   string EntityID = 2 [(gogoproto.jsontag) = "entity_id"];
+  // ACSURL is the endpoint where SAML authentication response will be redirected.
+  string ACSURL = 3 [(gogoproto.jsontag) = "acs_url"];
 }
 
 // IdPOptions specify options related to access Teleport IdPs.

api/types/saml_idp_service_provider.go

@@ -25,6 +25,13 @@ import (
 	"github.com/gravitational/teleport/api/utils"
 )
 
+var (
+	// ErrMissingEntityDescriptorAndEntityID is returned when both entity descriptor and entity ID is empty.
+	ErrEmptyEntityDescriptorAndEntityID = trace.BadParameter("either entity_descriptor or entity_id must be provided")
+	// ErrMissingEntityDescriptorAndACSURL is returned when both entity descriptor and ACS URL is empty.
+	ErrEmptyEntityDescriptorAndACSURL = trace.BadParameter("either entity_descriptor or acs_url must be provided")
+)
+
 // SAMLIdPServiceProvider specifies configuration for service providers for Teleport's built in SAML IdP.
 //
 // Note: The EntityID is the entity ID for the entity descriptor. This ID is checked that it
@@ -40,6 +47,10 @@ type SAMLIdPServiceProvider interface {
 	GetEntityID() string
 	// SetEntityID sets the entity ID.
 	SetEntityID(string)
+	// GetACSURL returns the ACS URL.
+	GetACSURL() string
+	// SetACSURL sets the ACS URL.
+	SetACSURL(string)
 	// Copy returns a copy of this saml idp service provider object.
 	Copy() SAMLIdPServiceProvider
 	// CloneResource returns a copy of the SAMLIdPServiceProvider as a ResourceWithLabels
@@ -82,6 +93,16 @@ func (s *SAMLIdPServiceProviderV1) SetEntityID(entityID string) {
 	s.Spec.EntityID = entityID
 }
 
+// GetACSURL returns the ACS URL.
+func (s *SAMLIdPServiceProviderV1) GetACSURL() string {
+	return s.Spec.ACSURL
+}
+
+// SetACSURL sets the ACS URL.
+func (s *SAMLIdPServiceProviderV1) SetACSURL(acsURL string) {
+	s.Spec.ACSURL = acsURL
+}
+
 // String returns the SAML IdP service provider string representation.
 func (s *SAMLIdPServiceProviderV1) String() string {
 	return fmt.Sprintf("SAMLIdPServiceProviderV1(Name=%v)",
@@ -117,7 +138,13 @@ func (s *SAMLIdPServiceProviderV1) CheckAndSetDefaults() error {
 	}
 
 	if s.Spec.EntityDescriptor == "" {
-		return trace.BadParameter("missing entity descriptor")
+		if s.Spec.EntityID == "" {
+			return ErrEmptyEntityDescriptorAndEntityID
+		}
+
+		if s.Spec.ACSURL == "" {
+			return ErrEmptyEntityDescriptorAndACSURL
+		}
 	}
 
 	if s.Spec.EntityID == "" {

api/types/saml_idp_service_provider_test.go

@@ -28,6 +28,7 @@ func TestNewSAMLIdPServiceProvider(t *testing.T) {
 		name             string
 		entityDescriptor string
 		entityID         string
+		acsURL           string
 		errAssertion     require.ErrorAssertionFunc
 		expectedEntityID string
 	}{
@@ -47,7 +48,7 @@ func TestNewSAMLIdPServiceProvider(t *testing.T) {
 			expectedEntityID: "IAMShowcase",
 		},
 		{
-			name:             "empty entity descriptor",
+			name:             "empty entity descriptor, entity ID and ACS URL",
 			entityDescriptor: "",
 			errAssertion:     require.Error,
 		},
@@ -57,6 +58,30 @@ func TestNewSAMLIdPServiceProvider(t *testing.T) {
 			errAssertion:     require.NoError,
 			expectedEntityID: "IAMShowcase",
 		},
+		{
+			name:             "empty entity descriptor and entity ID",
+			entityDescriptor: "",
+			acsURL:           "https:/test.com/acs",
+			errAssertion: func(t require.TestingT, err error, i ...interface{}) {
+				require.ErrorIs(t, err, ErrEmptyEntityDescriptorAndEntityID)
+			},
+		},
+		{
+			name:             "empty entity descriptor and ACS URL",
+			entityDescriptor: "",
+			entityID:         "IAMShowcase",
+			errAssertion: func(t require.TestingT, err error, i ...interface{}) {
+				require.ErrorIs(t, err, ErrEmptyEntityDescriptorAndACSURL)
+			},
+		},
+		{
+			name:             "empty entity descriptor with entity ID and ACS URL",
+			entityDescriptor: "",
+			entityID:         "IAMShowcase",
+			acsURL:           "https:/test.com/acs",
+			errAssertion:     require.NoError,
+			expectedEntityID: "IAMShowcase",
+		},
 	}
 
 	for _, test := range tests {
@@ -66,6 +91,7 @@ func TestNewSAMLIdPServiceProvider(t *testing.T) {
 			}, SAMLIdPServiceProviderSpecV1{
 				EntityDescriptor: test.entityDescriptor,
 				EntityID:         test.entityID,
+				ACSURL:           test.acsURL,
 			})
 
 			test.errAssertion(t, err)