🔑 feat: SAML authentication (#6169)

* feat: add SAML authentication * refactor: change SAML icon * refactor: resolve SAML metadata paths using paths.js * test: add samlStrategy tests * fix: update setupSaml import * test: add SAML settings tests in config.spec.js * test: add client tests * refactor: improve SAML button label and fallback localization * feat: allow only one authentication method OpenID or SAML at a time * doc: add SAML configuration sample to docker-compose.override * fix: require SAML_SESSION_SECRET to enable SAML * feat: update samlStrategy * test: update samle tests * feat: add SAML login button label to translations and remove default value * fix: update SAML cert file binding * chore: update override example with SAML cert volume * fix: update SAML session handling with Redis backend --------- Co-authored-by: Ruben Talstra <RubenTalstra1211@outlook.com>
2025-12-19 18:00:15 +01:00 · 2025-05-30 00:00:58 +09:00 · 2025-05-30 00:00:58 +09:00 · 939b4ce659
commit 939b4ce659
parent 87255dac81
22 changed files with 1134 additions and 20 deletions
--- a/api/server/socialLogins.js
+++ b/api/server/socialLogins.js
@ -10,6 +10,7 @@ const {
  discordLogin,
  facebookLogin,
  appleLogin,
+  setupSaml,
  openIdJwtLogin,
 } = require('~/strategies');
 const { isEnabled } = require('~/server/utils');
@ -70,6 +71,34 @@ const configureSocialLogins = async (app) => {
    }
    logger.info('OpenID Connect configured.');
  }
+  if (
+    process.env.SAML_ENTRY_POINT &&
+    process.env.SAML_ISSUER &&
+    process.env.SAML_CERT &&
+    process.env.SAML_SESSION_SECRET
+  ) {
+    logger.info('Configuring SAML Connect...');
+    const sessionOptions = {
+      secret: process.env.SAML_SESSION_SECRET,
+      resave: false,
+      saveUninitialized: false,
+    };
+    if (isEnabled(process.env.USE_REDIS)) {
+      logger.debug('Using Redis for session storage in SAML...');
+      const keyv = new Keyv({ store: keyvRedis });
+      const client = keyv.opts.store.client;
+      sessionOptions.store = new RedisStore({ client, prefix: 'saml_session' });
+    } else {
+      sessionOptions.store = new MemoryStore({
+        checkPeriod: 86400000, // prune expired entries every 24h
+      });
+    }
+    app.use(session(sessionOptions));
+    app.use(passport.session());
+    setupSaml();
+
+    logger.info('SAML Connect configured.');
+  }
 };

 module.exports = configureSocialLogins;