feat: Add relay state for SAML SSO (#12597)

Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
2025-10-29 10:12:34 +00:00 · 2025-10-07 20:32:29 +05:30
parent 4b2ebb8877
commit 978f4c431a
8 changed files with 101 additions and 3 deletions
--- a/app/controllers/devise_overrides/omniauth_callbacks_controller.rb
+++ b/app/controllers/devise_overrides/omniauth_callbacks_controller.rb
@@ -19,6 +19,19 @@ class DeviseOverrides::OmniauthCallbacksController < DeviseTokenAuth::OmniauthCa
    redirect_to login_page_url(email: encoded_email, sso_auth_token: @resource.generate_sso_auth_token)
  end

+  def sign_in_user_on_mobile
+    @resource.skip_confirmation! if confirmable_enabled?
+
+    # once the resource is found and verified
+    # we can just send them to the login page again with the SSO params
+    # that will log them in
+    encoded_email = ERB::Util.url_encode(@resource.email)
+    params = { email: encoded_email, sso_auth_token: @resource.generate_sso_auth_token }.to_query
+
+    mobile_deep_link_base = GlobalConfigService.load('MOBILE_DEEP_LINK_BASE', 'chatwootapp')
+    redirect_to "#{mobile_deep_link_base}://auth/saml?#{params}", allow_other_host: true
+  end
+
  def sign_up_user
    return redirect_to login_page_url(error: 'no-account-found') unless account_signup_allowed?
    return redirect_to login_page_url(error: 'business-account-only') unless validate_signup_email_is_business_domain?
--- a/app/javascript/v3/views/login/Index.vue
+++ b/app/javascript/v3/views/login/Index.vue
@@ -22,6 +22,8 @@ import MfaVerification from 'dashboard/components/auth/MfaVerification.vue';
 const ERROR_MESSAGES = {
  'no-account-found': 'LOGIN.OAUTH.NO_ACCOUNT_FOUND',
  'business-account-only': 'LOGIN.OAUTH.BUSINESS_ACCOUNTS_ONLY',
+  'saml-authentication-failed': 'LOGIN.SAML.API.ERROR_MESSAGE',
+  'saml-not-enabled': 'LOGIN.SAML.API.ERROR_MESSAGE',
 };

 const IMPERSONATION_URL_SEARCH_KEY = 'impersonation';
--- a/app/javascript/v3/views/login/Saml.vue
+++ b/app/javascript/v3/views/login/Saml.vue
@@ -15,6 +15,10 @@ const props = defineProps({
    type: String,
    default: '',
  },
+  target: {
+    type: String,
+    default: 'web',
+  },
 });

 const store = useStore();
@@ -107,6 +111,7 @@ onMounted(async () => {
          name="authenticity_token"
          :value="csrfToken"
        />
+        <input type="hidden" class="h-0" name="target" :value="target" />
        <NextButton
          lg
          type="submit"
--- a/app/javascript/v3/views/routes.js
+++ b/app/javascript/v3/views/routes.js
@@ -28,6 +28,7 @@ export default [
    meta: { requireEnterprise: true },
    props: route => ({
      authError: route.query.error,
+      target: route.query.target,
    }),
  },
  {
--- a/enterprise/app/controllers/api/v1/auth_controller.rb
+++ b/enterprise/app/controllers/api/v1/auth_controller.rb
@@ -5,7 +5,9 @@ class Api::V1::AuthController < Api::BaseController
  def saml_login
    return if @account.nil?

-    saml_initiation_url = "/auth/saml?account_id=#{@account.id}"
+    relay_state = params[:target] || 'web'
+
+    saml_initiation_url = "/auth/saml?account_id=#{@account.id}&RelayState=#{relay_state}"
    redirect_to saml_initiation_url, status: :temporary_redirect
  end

@@ -44,7 +46,18 @@ class Api::V1::AuthController < Api::BaseController
  end

  def render_saml_error
-    redirect_to sso_login_page_url(error: 'saml-authentication-failed')
+    error = 'saml-authentication-failed'
+
+    if mobile_target?
+      mobile_deep_link_base = GlobalConfigService.load('MOBILE_DEEP_LINK_BASE', 'chatwootapp')
+      redirect_to "#{mobile_deep_link_base}://auth/saml?error=#{ERB::Util.url_encode(error)}", allow_other_host: true
+    else
+      redirect_to sso_login_page_url(error: error)
+    end
+  end
+
+  def mobile_target?
+    params[:target]&.casecmp('mobile')&.zero?
  end

  def sso_login_page_url(error: nil)
--- a/enterprise/app/controllers/enterprise/devise_overrides/omniauth_callbacks_controller.rb
+++ b/enterprise/app/controllers/enterprise/devise_overrides/omniauth_callbacks_controller.rb
@@ -32,17 +32,40 @@ module Enterprise::DeviseOverrides::OmniauthCallbacksController
    end
  end

+  def omniauth_failure
+    return super unless params[:provider] == 'saml'
+
+    relay_state = saml_relay_state
+    error = params[:message] || 'authentication-failed'
+
+    if for_mobile?(relay_state)
+      redirect_to_mobile_error(error, relay_state)
+    else
+      redirect_to login_page_url(error: "saml-#{error}")
+    end
+  end
+
  private

  def handle_saml_auth
    account_id = extract_saml_account_id
-    return redirect_to login_page_url(error: 'saml-not-enabled') unless saml_enabled_for_account?(account_id)
+    relay_state = saml_relay_state
+
+    unless saml_enabled_for_account?(account_id)
+      return redirect_to_mobile_error('saml-not-enabled') if for_mobile?(relay_state)
+
+      return redirect_to login_page_url(error: 'saml-not-enabled')
+    end

    @resource = SamlUserBuilder.new(auth_hash, account_id).perform

    if @resource.persisted?
+      return sign_in_user_on_mobile if for_mobile?(relay_state)
+
      sign_in_user
    else
+      return redirect_to_mobile_error('saml-authentication-failed') if for_mobile?(relay_state)
+
      redirect_to login_page_url(error: 'saml-authentication-failed')
    end
  end
@@ -51,6 +74,19 @@ module Enterprise::DeviseOverrides::OmniauthCallbacksController
    params[:account_id] || session[:saml_account_id] || request.env['omniauth.params']&.dig('account_id')
  end

+  def saml_relay_state
+    session[:saml_relay_state] || request.env['omniauth.params']&.dig('RelayState')
+  end
+
+  def for_mobile?(relay_state)
+    relay_state.to_s.casecmp('mobile').zero?
+  end
+
+  def redirect_to_mobile_error(error)
+    mobile_deep_link_base = GlobalConfigService.load('MOBILE_DEEP_LINK_BASE', 'chatwootapp')
+    redirect_to "#{mobile_deep_link_base}://auth/saml?error=#{ERB::Util.url_encode(error)}", allow_other_host: true
+  end
+
  def saml_enabled_for_account?(account_id)
    return false if account_id.blank?

--- a/enterprise/config/initializers/omniauth_saml.rb
+++ b/enterprise/config/initializers/omniauth_saml.rb
@@ -9,18 +9,22 @@ SAML_SETUP_PROC = proc do |env|
  account_id = request.params['account_id'] ||
               request.session[:saml_account_id] ||
               env['omniauth.params']&.dig('account_id')
+  relay_state = request.params['RelayState'] || ''

  if account_id
    # Store in session and omniauth params for callback
    request.session[:saml_account_id] = account_id
+    request.session[:saml_relay_state] = relay_state
    env['omniauth.params'] ||= {}
    env['omniauth.params']['account_id'] = account_id
+    env['omniauth.params']['RelayState'] = relay_state

    # Find SAML settings for this account
    settings = AccountSamlSettings.find_by(account_id: account_id)

    if settings
      # Configure the strategy options dynamically
+      env['omniauth.strategy'].options[:idp_sso_service_url_runtime_params] = { RelayState: :RelayState }
      env['omniauth.strategy'].options[:assertion_consumer_service_url] = "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/omniauth/saml/callback?account_id=#{account_id}"
      env['omniauth.strategy'].options[:sp_entity_id] = settings.sp_entity_id
      env['omniauth.strategy'].options[:idp_entity_id] = settings.idp_entity_id
--- a/spec/enterprise/controllers/api/v1/auth_controller_spec.rb
+++ b/spec/enterprise/controllers/api/v1/auth_controller_spec.rb
@@ -36,6 +36,12 @@ RSpec.describe 'Api::V1::Auth', type: :request do

        expect(response.location).to eq('http://www.example.com/app/login/sso?error=saml-authentication-failed')
      end
+
+      it 'redirects to mobile deep link with error when target is mobile' do
+        post '/api/v1/auth/saml_login', params: { email: 'nonexistent@example.com', target: 'mobile' }
+
+        expect(response.location).to eq('chatwootapp://auth/saml?error=saml-authentication-failed')
+      end
    end

    context 'when user exists but has no SAML enabled accounts' do
@@ -48,6 +54,12 @@ RSpec.describe 'Api::V1::Auth', type: :request do

        expect(response.location).to eq('http://www.example.com/app/login/sso?error=saml-authentication-failed')
      end
+
+      it 'redirects to mobile deep link with error when target is mobile' do
+        post '/api/v1/auth/saml_login', params: { email: user.email, target: 'mobile' }
+
+        expect(response.location).to eq('chatwootapp://auth/saml?error=saml-authentication-failed')
+      end
    end

    context 'when user has account without SAML feature enabled' do
@@ -65,6 +77,12 @@ RSpec.describe 'Api::V1::Auth', type: :request do

        expect(response.location).to eq('http://www.example.com/app/login/sso?error=saml-authentication-failed')
      end
+
+      it 'redirects to mobile deep link with error when target is mobile' do
+        post '/api/v1/auth/saml_login', params: { email: user.email, target: 'mobile' }
+
+        expect(response.location).to eq('chatwootapp://auth/saml?error=saml-authentication-failed')
+      end
    end

    context 'when user has valid SAML configuration' do
@@ -82,6 +100,12 @@ RSpec.describe 'Api::V1::Auth', type: :request do

        expect(response.location).to include("/auth/saml?account_id=#{account.id}")
      end
+
+      it 'redirects to SAML initiation URL with mobile relay state' do
+        post '/api/v1/auth/saml_login', params: { email: user.email, target: 'mobile' }
+
+        expect(response.location).to include("/auth/saml?account_id=#{account.id}&RelayState=mobile")
+      end
    end

    context 'when user has multiple accounts with SAML' do