feat: Add relay state for SAML SSO (#12597)

Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
2025-10-07 20:32:29 +05:30
parent 4b2ebb8877
commit 978f4c431a
8 changed files with 101 additions and 3 deletions
--- a/enterprise/app/controllers/api/v1/auth_controller.rb
+++ b/enterprise/app/controllers/api/v1/auth_controller.rb
@@ -5,7 +5,9 @@ class Api::V1::AuthController < Api::BaseController
  def saml_login
    return if @account.nil?

-    saml_initiation_url = "/auth/saml?account_id=#{@account.id}"
+    relay_state = params[:target] || 'web'
+
+    saml_initiation_url = "/auth/saml?account_id=#{@account.id}&RelayState=#{relay_state}"
    redirect_to saml_initiation_url, status: :temporary_redirect
  end

@@ -44,7 +46,18 @@ class Api::V1::AuthController < Api::BaseController
  end

  def render_saml_error
-    redirect_to sso_login_page_url(error: 'saml-authentication-failed')
+    error = 'saml-authentication-failed'
+
+    if mobile_target?
+      mobile_deep_link_base = GlobalConfigService.load('MOBILE_DEEP_LINK_BASE', 'chatwootapp')
+      redirect_to "#{mobile_deep_link_base}://auth/saml?error=#{ERB::Util.url_encode(error)}", allow_other_host: true
+    else
+      redirect_to sso_login_page_url(error: error)
+    end
+  end
+
+  def mobile_target?
+    params[:target]&.casecmp('mobile')&.zero?
  end

  def sso_login_page_url(error: nil)
--- a/enterprise/app/controllers/enterprise/devise_overrides/omniauth_callbacks_controller.rb
+++ b/enterprise/app/controllers/enterprise/devise_overrides/omniauth_callbacks_controller.rb
@@ -32,17 +32,40 @@ module Enterprise::DeviseOverrides::OmniauthCallbacksController
    end
  end

+  def omniauth_failure
+    return super unless params[:provider] == 'saml'
+
+    relay_state = saml_relay_state
+    error = params[:message] || 'authentication-failed'
+
+    if for_mobile?(relay_state)
+      redirect_to_mobile_error(error, relay_state)
+    else
+      redirect_to login_page_url(error: "saml-#{error}")
+    end
+  end
+
  private

  def handle_saml_auth
    account_id = extract_saml_account_id
-    return redirect_to login_page_url(error: 'saml-not-enabled') unless saml_enabled_for_account?(account_id)
+    relay_state = saml_relay_state
+
+    unless saml_enabled_for_account?(account_id)
+      return redirect_to_mobile_error('saml-not-enabled') if for_mobile?(relay_state)
+
+      return redirect_to login_page_url(error: 'saml-not-enabled')
+    end

    @resource = SamlUserBuilder.new(auth_hash, account_id).perform

    if @resource.persisted?
+      return sign_in_user_on_mobile if for_mobile?(relay_state)
+
      sign_in_user
    else
+      return redirect_to_mobile_error('saml-authentication-failed') if for_mobile?(relay_state)
+
      redirect_to login_page_url(error: 'saml-authentication-failed')
    end
  end
@@ -51,6 +74,19 @@ module Enterprise::DeviseOverrides::OmniauthCallbacksController
    params[:account_id] || session[:saml_account_id] || request.env['omniauth.params']&.dig('account_id')
  end

+  def saml_relay_state
+    session[:saml_relay_state] || request.env['omniauth.params']&.dig('RelayState')
+  end
+
+  def for_mobile?(relay_state)
+    relay_state.to_s.casecmp('mobile').zero?
+  end
+
+  def redirect_to_mobile_error(error)
+    mobile_deep_link_base = GlobalConfigService.load('MOBILE_DEEP_LINK_BASE', 'chatwootapp')
+    redirect_to "#{mobile_deep_link_base}://auth/saml?error=#{ERB::Util.url_encode(error)}", allow_other_host: true
+  end
+
  def saml_enabled_for_account?(account_id)
    return false if account_id.blank?