🔑 feat: SAML authentication (#6169)

* feat: add SAML authentication * refactor: change SAML icon * refactor: resolve SAML metadata paths using paths.js * test: add samlStrategy tests * fix: update setupSaml import * test: add SAML settings tests in config.spec.js * test: add client tests * refactor: improve SAML button label and fallback localization * feat: allow only one authentication method OpenID or SAML at a time * doc: add SAML configuration sample to docker-compose.override * fix: require SAML_SESSION_SECRET to enable SAML * feat: update samlStrategy * test: update samle tests * feat: add SAML login button label to translations and remove default value * fix: update SAML cert file binding * chore: update override example with SAML cert volume * fix: update SAML session handling with Redis backend --------- Co-authored-by: Ruben Talstra <RubenTalstra1211@outlook.com>
2025-12-18 09:20:15 +01:00 · 2025-05-30 00:00:58 +09:00 · 2025-05-30 00:00:58 +09:00 · 939b4ce659
commit 939b4ce659
parent 87255dac81
22 changed files with 1134 additions and 20 deletions
--- a/client/src/components/Auth/SocialLoginRender.tsx
+++ b/client/src/components/Auth/SocialLoginRender.tsx
@ -1,4 +1,12 @@
-import { GoogleIcon, FacebookIcon, OpenIDIcon, GithubIcon, DiscordIcon, AppleIcon } from '~/components';
+import {
+  GoogleIcon,
+  FacebookIcon,
+  OpenIDIcon,
+  GithubIcon,
+  DiscordIcon,
+  AppleIcon,
+  SamlIcon,
+} from '~/components';

 import SocialButton from './SocialButton';

@ -90,6 +98,23 @@ function SocialLoginRender({
        id="openid"
      />
    ),
+    saml: startupConfig.samlLoginEnabled && (
+      <SocialButton
+        key="saml"
+        enabled={startupConfig.samlLoginEnabled}
+        serverDomain={startupConfig.serverDomain}
+        oauthPath="saml"
+        Icon={() =>
+          startupConfig.samlImageUrl ? (
+            <img src={startupConfig.samlImageUrl} alt="SAML Logo" className="h-5 w-5" />
+          ) : (
+            <SamlIcon />
+          )
+        }
+        label={startupConfig.samlLabel ? startupConfig.samlLabel : localize('com_auth_saml_login')}
+        id="saml"
+      />
+    ),
  };

  return (
--- a/client/src/components/Auth/tests/Login.spec.tsx
+++ b/client/src/components/Auth/tests/Login.spec.tsx
@ -16,7 +16,7 @@ const mockStartupConfig = {
  isLoading: false,
  isError: false,
  data: {
-    socialLogins: ['google', 'facebook', 'openid', 'github', 'discord'],
+    socialLogins: ['google', 'facebook', 'openid', 'github', 'discord', 'saml'],
    discordLoginEnabled: true,
    facebookLoginEnabled: true,
    githubLoginEnabled: true,
@ -24,6 +24,9 @@ const mockStartupConfig = {
    openidLoginEnabled: true,
    openidLabel: 'Test OpenID',
    openidImageUrl: 'http://test-server.com',
+    samlLoginEnabled: true,
+    samlLabel: 'Test SAML',
+    samlImageUrl: 'http://test-server.com',
    ldap: {
      enabled: false,
    },
@ -143,6 +146,11 @@ test('renders login form', () => {
    'href',
    'mock-server/oauth/discord',
  );
+  expect(getByRole('link', { name: /Test SAML/i })).toBeInTheDocument();
+  expect(getByRole('link', { name: /Test SAML/i })).toHaveAttribute(
+    'href',
+    'mock-server/oauth/saml',
+  );
 });

 test('calls loginUser.mutate on login', async () => {
--- a/client/src/components/Auth/tests/LoginForm.spec.tsx
+++ b/client/src/components/Auth/tests/LoginForm.spec.tsx
@ -12,7 +12,7 @@ jest.mock('librechat-data-provider/react-query');
 const mockLogin = jest.fn();

 const mockStartupConfig: TStartupConfig = {
-  socialLogins: ['google', 'facebook', 'openid', 'github', 'discord'],
+  socialLogins: ['google', 'facebook', 'openid', 'github', 'discord', 'saml'],
  discordLoginEnabled: true,
  facebookLoginEnabled: true,
  githubLoginEnabled: true,
@ -20,6 +20,9 @@ const mockStartupConfig: TStartupConfig = {
  openidLoginEnabled: true,
  openidLabel: 'Test OpenID',
  openidImageUrl: 'http://test-server.com',
+  samlLoginEnabled: true,
+  samlLabel: 'Test SAML',
+  samlImageUrl: 'http://test-server.com',
  registrationEnabled: true,
  emailLoginEnabled: true,
  socialLoginEnabled: true,
--- a/client/src/components/Auth/tests/Registration.spec.tsx
+++ b/client/src/components/Auth/tests/Registration.spec.tsx
@ -17,7 +17,7 @@ const mockStartupConfig = {
  isLoading: false,
  isError: false,
  data: {
-    socialLogins: ['google', 'facebook', 'openid', 'github', 'discord'],
+    socialLogins: ['google', 'facebook', 'openid', 'github', 'discord', 'saml'],
    discordLoginEnabled: true,
    facebookLoginEnabled: true,
    githubLoginEnabled: true,
@ -25,6 +25,9 @@ const mockStartupConfig = {
    openidLoginEnabled: true,
    openidLabel: 'Test OpenID',
    openidImageUrl: 'http://test-server.com',
+    samlLoginEnabled: true,
+    samlLabel: 'Test SAML',
+    samlImageUrl: 'http://test-server.com',
    registrationEnabled: true,
    socialLoginEnabled: true,
    serverDomain: 'mock-server',
@ -146,6 +149,11 @@ test('renders registration form', () => {
    'href',
    'mock-server/oauth/discord',
  );
+  expect(getByRole('link', { name: /Test SAML/i })).toBeInTheDocument();
+  expect(getByRole('link', { name: /Test SAML/i })).toHaveAttribute(
+    'href',
+    'mock-server/oauth/saml',
+  );
 });

 // eslint-disable-next-line jest/no-commented-out-tests