From b851046cde4de2783a8bb2f6cd6795fbc724ba08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Crist=C3=B2fol=20Torrens?=
Date: Mon, 29 Jan 2024 16:00:49 +0100
Subject: [PATCH] Implement support for Azure App Registration SSO. (#78)
---
 README.md | 4 +++-
 server/config.go | 3 ++-
 server/proxy.go | 3 +++
 server/server.go | 3 +++
 4 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 3044766..781f6ce 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ Provides a SAML SP authentication proxy for backend web services
 -attribute-header-mappings attribute=header
 Comma separated list of attribute=header pairs mapping SAML IdP response attributes to forwarded request header (env SAML_PROXY_ATTRIBUTE_HEADER_MAPPINGS)
 -attribute-header-wildcard string
- (env SAML_PROXY_ATTRIBUTE_HEADER_WILDCARD)
+ Maps all SAML attributes with this option as a prefix, slashes in attribute names will be replaced by dashes (env SAML_PROXY_ATTRIBUTE_HEADER_WILDCARD)
 -auth-verify bool
 Enables verify path endpoint for forward auth and trusts X-Forwarded headers (env SAML_PROXY_AUTH_VERIFY)
 -auth-verify-path string
@@ -33,6 +33,8 @@ Provides a SAML SP authentication proxy for backend web services
 Specifies the amount of time the authentication token will remain valid (env SAML_PROXY_COOKIE_MAX_AGE) (default 2h0m0s)
 -cookie-name string
 Name of the cookie that tracks session token (env SAML_PROXY_COOKIE_NAME) (default "token")
+ -entity-id string
+ Entity ID of this service provider (env SAML_PROXY_ENTITY_ID)
 -idp-ca-path path
 Optional path to a CA certificate PEM file for the IdP (env SAML_PROXY_IDP_CA_PATH)
 -idp-metadata-url URL
diff --git a/server/config.go b/server/config.go
index d10bd59..2be79a3 100644
--- a/server/config.go
+++ b/server/config.go
@@ -7,6 +7,7 @@ type Config struct {
 Bind string `default:":8080" usage:"[host:port] to bind for serving HTTP"`
 BaseUrl string `usage:"External [URL] of this proxy"`
 BackendUrl string `usage:"[URL] of the backend being proxied"`
+ EntityID string `usage:"Entity ID of this service provider"`
 IdpMetadataUrl string `usage:"[URL] of the IdP's metadata XML, can be a local file by specifying the file:// scheme"`
 IdpCaPath string `usage:"Optional [path] to a CA certificate PEM file for the IdP"`
 NameIdFormat string `usage:"One of unspecified, transient, email, or persistent to use a standard format or give a full URN of the name ID format" default:"transient"`
@@ -14,7 +15,7 @@ type Config struct {
 SpCertPath string `default:"saml-auth-proxy.cert" usage:"The [path] to the X509 public certificate PEM file for this SP"`
 NameIdMapping string `usage:"Name of the request [header] to convey the SAML nameID/subject"`
 AttributeHeaderMappings map[string]string `usage:"Comma separated list of [attribute=header] pairs mapping SAML IdP response attributes to forwarded request header"`
- AttributeHeaderWildcard string `usage:"Maps all SAML attributes with this option as a prefix"`
+ AttributeHeaderWildcard string `usage:"Maps all SAML attributes with this option as a prefix, slashes in attribute names will be replaced by dashes"`
 NewAuthWebhookUrl string `usage:"[URL] of webhook that will get POST'ed when a new authentication is processed"`
 AuthorizeAttribute string `usage:"Enables authorization and specifies the [attribute] to check for authorized values"`
 AuthorizeValues []string `usage:"If enabled, comma separated list of [values] that must be present in the authorize attribute"`
diff --git a/server/proxy.go b/server/proxy.go
index b11b7b3..b197252 100644
--- a/server/proxy.go
+++ b/server/proxy.go
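Review bot: The usage tag on the added `EntityID` field does not say what identifier the SP uses when the option is omitted; server.go only assigns the field when it is non-empty, so the SAML library's own default applies — presumably a value derived from the metadata/BaseUrl, which should be confirmed before documenting. Because the IdP side (an Azure App Registration here) matches assertions to a registered entity ID, a mismatch is a silent "every login rejected" failure mode, and the help text is where an operator will look first. Suggest extending the tag to "Entity ID of this service provider as registered at the IdP (when empty the SAML library's derived default is used)". The `Config` struct starts before and continues after the hunk.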
@@ -208,6 +208,9 @@ func (p *Proxy) addHeaders(sessionClaims samlsp.JWTSessionClaims, headers http.H
 if p.config.AttributeHeaderWildcard != "" {
 for attr, values := range sessionClaims.GetAttributes() {
 for _, value := range values {
+ if uri, err := url.Parse(attr); err == nil {
+ attr = strings.Trim(strings.Replace(uri.Path, "/", "-", -1), "-")
+ }
 headers.Add(p.config.AttributeHeaderWildcard+attr, value)
 }
 }
diff --git a/server/server.go b/server/server.go
index 7deacc8..16cb54e 100644
--- a/server/server.go
+++ b/server/server.go
@@ -52,6 +52,9 @@ func Start(ctx context.Context, logger *zap.Logger, cfg *Config) error {
 Certificate: keyPair.Leaf,
 AllowIDPInitiated: cfg.AllowIdpInitiated,
 }
+ if cfg.EntityID != "" {
+ samlOpts.EntityID = cfg.EntityID
+ }
 samlOpts.IDPMetadata, err = fetchMetadata(ctx, httpClient, idpMetadataUrl)
 if err != nil {
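Review bot: The three added lines erase URN-style attribute names, which are common in SAML: `url.Parse("urn:oid:0.9.2342.19200300.100.1.3")` succeeds with the remainder in `Opaque` and an empty `Path`, so `attr` becomes `""` and every such attribute is appended by `headers.Add` under the bare `AttributeHeaderWildcard` prefix, merging values of distinct attributes into one header that a backend may be using for authorization decisions. Only the path is kept, so two attributes that differ only by host (the same trailing claim path under two namespaces) also collide into one header; if that is accepted it deserves a caveat in the option's usage text. The parse also runs once per value inside the inner loop and reassigns the outer range variable; computing the header suffix once per attribute above `for _, value` and falling back to the original name when the path is empty avoids both problems, and `strings.ReplaceAll` is the idiomatic spelling of `strings.Replace(..., -1)`. The enclosing `addHeaders` body begins before and continues after the hunk.
```go
		for attr, values := range sessionClaims.GetAttributes() {
			// Derive the header suffix once per attribute, not once per value.
			name := attr
			if uri, err := url.Parse(attr); err == nil && uri.Path != "" {
				name = strings.Trim(strings.ReplaceAll(uri.Path, "/", "-"), "-")
			}
			if name == "" {
				// URN-style or otherwise opaque names have no path and would all
				// collapse onto the bare prefix; keep the original name so distinct
				// attributes stay distinct headers.
				name = attr
			}
			for _, value := range values {
				headers.Add(p.config.AttributeHeaderWildcard+name, value)
			}
		}
```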
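Review bot: The `if cfg.EntityID != ""` guard around the added assignment is redundant: the field is a string whose zero value is already `""`, so `samlOpts.EntityID = cfg.EntityID` — or `EntityID: cfg.EntityID,` inside the `samlOpts` literal whose tail is visible in the hunk — is equivalent and shorter. A why-comment would help the next reader, e.g. `// EntityID must match the identifier registered at the IdP (here an Azure App Registration); when empty the library's derived default is used — confirm.` The SAML library presumably validates the assertion's audience against this value, so a mismatch rejects every login; the commit adds no logging of the effective entity ID, and a startup log line through the existing `logger` would make that failure diagnosable. `Start`'s body begins before and continues after the hunk.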