greenpau
diff --git a/‎Makefile
+4-2 b/‎Makefile
+4-2
diff --git a/‎assets/portal/templates/basic/apps_aws_sso.template ‎assets/portal/templates/basic/apps_sso.template
+2-2 b/‎assets/portal/templates/basic/apps_aws_sso.template ‎assets/portal/templates/basic/apps_sso.template
+2-2
diff --git a/‎assets/portal/templates/basic/login.template
+4-4 b/‎assets/portal/templates/basic/login.template
+4-4
diff --git a/‎assets/scripts/generate_ui.sh
+1-1 b/‎assets/scripts/generate_ui.sh
+1-1
diff --git a/‎config.go
+32-6 b/‎config.go
+32-6
diff --git a/‎internal/tag/tag_test.go
+24-2 b/‎internal/tag/tag_test.go
+24-2
diff --git a/‎pkg/authn/config.go
+2 b/‎pkg/authn/config.go
+2
diff --git a/‎pkg/authn/handle_http_apps_aws_sso.go ‎pkg/authn/handle_http_apps_sso.go
+57-2 b/‎pkg/authn/handle_http_apps_aws_sso.go ‎pkg/authn/handle_http_apps_sso.go
+57-2
diff --git a/‎pkg/authn/portal.go
+28-4 b/‎pkg/authn/portal.go
+28-4
diff --git a/‎pkg/authn/respond_http.go
+2-4 b/‎pkg/authn/respond_http.go
+2-4
diff --git a/‎pkg/authn/ui/content.go
+10-10 b/‎pkg/authn/ui/content.go
+10-10
@@ -88,12 +88,12 @@ clean:
 
 qtest: covdir
 	@echo "Perform quick tests ..."
+	@time richgo test -v -coverprofile=.coverage/coverage.out internal/tag/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/util/data/...
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestNewConfig ./*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestNewServer ./*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/registry/...
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/waf/...
-	@#time richgo test -v -coverprofile=.coverage/coverage.out internal/tag/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestAuthorize ./pkg/authz/validator/...
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out  -run TestAddProviders ./pkg/messaging/...
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/messaging/...
@@ -103,7 +103,9 @@ qtest: covdir
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/authn/...
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestNewPortal ./pkg/authn/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestServeHTTP ./pkg/authn/*.go
-	@time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestFactory ./pkg/authn/cookie/*.go
+	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestFactory ./pkg/authn/cookie/*.go
+	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestNewSingleSignOnProviderConfig ./pkg/sso/*.go
+	@time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestNewSingleSignOnProvider ./pkg/sso/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestValidateJwksKey ./pkg/authn/backends/oauth2/jwks*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out -run TestTransformData ./pkg/authn/transformer/*.go
 	@#time richgo test $(VERBOSE) $(TEST) -coverprofile=.coverage/coverage.out ./pkg/authn/icons/...
 
@@ -11,7 +11,7 @@
     <link rel="icon" href="{{ pathjoin .ActionEndpoint "/assets/images/favicon.png" }}" type="image/png" />
     <link rel="stylesheet" href="{{ pathjoin .ActionEndpoint "/assets/google-webfonts/roboto.css" }}" />
     <link rel="stylesheet" href="{{ pathjoin .ActionEndpoint "/assets/line-awesome/line-awesome.css" }}" />
-    <link rel="stylesheet" href="{{ pathjoin .ActionEndpoint "/assets/css/apps_aws_sso.css" }}" />
+    <link rel="stylesheet" href="{{ pathjoin .ActionEndpoint "/assets/css/apps_sso.css" }}" />
     {{ if eq .Data.ui_options.custom_css_required "yes" }}
       <link rel="stylesheet" href="{{ pathjoin .ActionEndpoint "/assets/css/custom.css" }}" />
     {{ end }}
@@ -86,7 +86,7 @@
       </div>
     </div>
     <!-- JavaScript -->
-    <script src="{{ pathjoin .ActionEndpoint "/assets/js/apps_aws_sso.js" }}"></script>
+    <script src="{{ pathjoin .ActionEndpoint "/assets/js/apps_sso.js" }}"></script>
     {{ if eq .Data.ui_options.custom_js_required "yes" }}
       <script src="{{ pathjoin .ActionEndpoint "/assets/js/custom.js" }}"></script>
     {{ end }}
 
@@ -84,22 +84,22 @@
                 </form>
               </div>
 
-              <div id="user_actions" class="flex flex-wrap pt-6 justify-center gap-4{{ if or (ne $authenticatorCount 1) (eq .Data.login_options.hide_links "yes") }} hidden{{ end -}}">
-                <div id="user_register_link"{{ if eq .Data.login_options.hide_register_link "yes" }} class="hidden"{{ end -}}>
+              <div id="user_actions" class="flex flex-wrap pt-6 justify-center gap-4 {{ if or (ne $authenticatorCount 1) (eq .Data.login_options.hide_links "yes") }}hidden{{ end -}}">
+                <div id="user_register_link" {{ if eq .Data.login_options.hide_register_link "yes" }}class="hidden"{{ end -}}>
                   <a class="text-primary-600" href="{{ pathjoin .ActionEndpoint "/register" .Data.login_options.default_realm }}">
                     <i class="las la-book"></i>
                     <span class="text-lg">Register</span>
                   </a>
                 </div>
 
-                <div id="forgot_username_link"{{ if eq .Data.login_options.hide_forgot_username_link "yes" }} class="hidden"{{ end -}}>
+                <div id="forgot_username_link" {{ if eq .Data.login_options.hide_forgot_username_link "yes" }}class="hidden"{{ end -}}>
                   <a class="text-primary-600" href="{{ pathjoin .ActionEndpoint "/forgot" .Data.login_options.default_realm }}">
                     <i class="las la-unlock"></i>
                     <span class="text-lg">Forgot Username?</span>
                   </a>
                 </div>
 
-                <div id="contact_support_link"{{ if eq .Data.login_options.hide_contact_support_link "yes" }} class="hidden"{{ end -}}>
+                <div id="contact_support_link" {{ if eq .Data.login_options.hide_contact_support_link "yes" }}class="hidden"{{ end -}}>
                   <a class="text-primary-600" href="{{ pathjoin .ActionEndpoint "/help" .Data.login_options.default_realm }}">
                     <i class="las la-info-circle"></i>
                     <span class="text-lg">Contact Support</span>
 
@@ -16,7 +16,7 @@ _PAGES[${#_PAGES[@]}]="register"
 _PAGES[${#_PAGES[@]}]="generic"
 _PAGES[${#_PAGES[@]}]="settings"
 _PAGES[${#_PAGES[@]}]="sandbox"
-_PAGES[${#_PAGES[@]}]="apps_aws_sso"
+_PAGES[${#_PAGES[@]}]="apps_sso"
 _PAGES[${#_PAGES[@]}]="apps_mobile_access"
 
 printf "package ui\n\n" > ${UI_FILE}
 
@@ -24,16 +24,18 @@ import (
 	"github.com/greenpau/go-authcrunch/pkg/ids"
 	"github.com/greenpau/go-authcrunch/pkg/messaging"
 	"github.com/greenpau/go-authcrunch/pkg/registry"
+	"github.com/greenpau/go-authcrunch/pkg/sso"
 )
 
 // Config is a configuration of Server.
 type Config struct {
-	Credentials               *credentials.Config           `json:"credentials,omitempty" xml:"credentials,omitempty" yaml:"credentials,omitempty"`
-	Messaging                 *messaging.Config             `json:"messaging,omitempty" xml:"messaging,omitempty" yaml:"messaging,omitempty"`
-	AuthenticationPortals     []*authn.PortalConfig         `json:"authentication_portals,omitempty" xml:"authentication_portals,omitempty" yaml:"authentication_portals,omitempty"`
-	AuthorizationPolicies     []*authz.PolicyConfig         `json:"authorization_policies,omitempty" xml:"authorization_policies,omitempty" yaml:"authorization_policies,omitempty"`
-	IdentityStores            []*ids.IdentityStoreConfig    `json:"identity_stores,omitempty" xml:"identity_stores,omitempty" yaml:"identity_stores,omitempty"`
-	IdentityProviders         []*idp.IdentityProviderConfig `json:"identity_providers,omitempty" xml:"identity_providers,omitempty" yaml:"identity_providers,omitempty"`
+	Credentials               *credentials.Config               `json:"credentials,omitempty" xml:"credentials,omitempty" yaml:"credentials,omitempty"`
+	Messaging                 *messaging.Config                 `json:"messaging,omitempty" xml:"messaging,omitempty" yaml:"messaging,omitempty"`
+	AuthenticationPortals     []*authn.PortalConfig             `json:"authentication_portals,omitempty" xml:"authentication_portals,omitempty" yaml:"authentication_portals,omitempty"`
+	AuthorizationPolicies     []*authz.PolicyConfig             `json:"authorization_policies,omitempty" xml:"authorization_policies,omitempty" yaml:"authorization_policies,omitempty"`
+	IdentityStores            []*ids.IdentityStoreConfig        `json:"identity_stores,omitempty" xml:"identity_stores,omitempty" yaml:"identity_stores,omitempty"`
+	IdentityProviders         []*idp.IdentityProviderConfig     `json:"identity_providers,omitempty" xml:"identity_providers,omitempty" yaml:"identity_providers,omitempty"`
+	SingleSignOnProviders     []*sso.SingleSignOnProviderConfig `json:"sso_providers,omitempty" xml:"sso_providers,omitempty" yaml:"sso_providers,omitempty"`
 	disabledIdentityStores    map[string]interface{}
 	disabledIdentityProviders map[string]interface{}
 	UserRegistries            []*registry.UserRegistryConfig `json:"user_registries,omitempty" xml:"user_registries,omitempty" yaml:"user_registries,omitempty"`
@@ -80,6 +82,16 @@ func (cfg *Config) AddIdentityProvider(name, kind string, data map[string]interf
 	return nil
 }
 
+// AddSingleSignOnProvider adds a single sign-on provider configuration.
+func (cfg *Config) AddSingleSignOnProvider(data map[string]interface{}) error {
+	provider, err := sso.NewSingleSignOnProviderConfig(data)
+	if err != nil {
+		return err
+	}
+	cfg.SingleSignOnProviders = append(cfg.SingleSignOnProviders, provider)
+	return nil
+}
+
 // AddAuthenticationPortal adds an authentication portal configuration.
 func (cfg *Config) AddAuthenticationPortal(p *authn.PortalConfig) error {
 	if err := p.Validate(); err != nil {
@@ -230,6 +242,20 @@ func (cfg *Config) Validate() error {
 				authByName[providerName] = "identity provider in " + realmName + " realm"
 			}
 		}
+
+		// Iterate over SSO providers.
+		for _, providerName := range portalCfg.SingleSignOnProviders {
+			var providerFound bool
+			for _, entry := range cfg.SingleSignOnProviders {
+				if providerName == entry.Name {
+					providerFound = true
+					break
+				}
+			}
+			if !providerFound {
+				return fmt.Errorf("sso provider %q configuration not found", providerName)
+			}
+		}
 	}
 
 	return nil
 
@@ -47,6 +47,7 @@ import (
 	"github.com/greenpau/go-authcrunch/pkg/messaging"
 	"github.com/greenpau/go-authcrunch/pkg/registry"
 	"github.com/greenpau/go-authcrunch/pkg/requests"
+	"github.com/greenpau/go-authcrunch/pkg/sso"
 	"github.com/greenpau/go-authcrunch/pkg/user"
 	"github.com/greenpau/go-authcrunch/pkg/util"
 	"github.com/greenpau/go-authcrunch/pkg/util/cfg"
@@ -66,6 +67,16 @@ func TestTagCompliance(t *testing.T) {
 		shouldErr bool
 		err       error
 	}{
+		{
+			name:  "test sso.Provider struct",
+			entry: &sso.Provider{},
+			opts:  &Options{},
+		},
+		{
+			name:  "test sso.SingleSignOnProviderConfig struct",
+			entry: &sso.SingleSignOnProviderConfig{},
+			opts:  &Options{},
+		},
 		{
 			name:  "test ui.NavigationItem struct",
 			entry: &ui.NavigationItem{},
@@ -104,7 +115,12 @@ func TestTagCompliance(t *testing.T) {
 		{
 			name:  "test authn.PortalParameters struct",
 			entry: &authn.PortalParameters{},
-			opts:  &Options{},
+			opts: &Options{
+				AllowFieldMismatch: true,
+				AllowedFields: map[string]interface{}{
+					"sso_providers": true,
+				},
+			},
 		},
 		{
 			name:  "test idp.IdentityProviderConfig struct",
@@ -386,7 +402,12 @@ func TestTagCompliance(t *testing.T) {
 		{
 			name:  "test authn.PortalConfig struct",
 			entry: &authn.PortalConfig{},
-			opts:  &Options{},
+			opts: &Options{
+				AllowFieldMismatch: true,
+				AllowedFields: map[string]interface{}{
+					"sso_providers": true,
+				},
+			},
 		},
 		{
 			name:  "test requests.AuthorizationRequest struct",
@@ -622,6 +643,7 @@ func TestTagCompliance(t *testing.T) {
 				AllowedFields: map[string]interface{}{
 					"auth_portal_configs":  true,
 					"authz_policy_configs": true,
+					"sso_providers":        true,
 				},
 			},
 		},
 
@@ -39,6 +39,8 @@ type PortalConfig struct {
 	IdentityStores []string `json:"identity_stores,omitempty" xml:"identity_stores,omitempty" yaml:"identity_stores,omitempty"`
 	// The names of identity providers.
 	IdentityProviders []string `json:"identity_providers,omitempty" xml:"identity_providers,omitempty" yaml:"identity_providers,omitempty"`
+	// The names of SSO providers.
+	SingleSignOnProviders []string `json:"sso_providers,omitempty" xml:"sso_providers,omitempty" yaml:"sso_providers,omitempty"`
 	// The names of user registries.
 	UserRegistries []string `json:"user_registries,omitempty" xml:"user_registries,omitempty" yaml:"user_registries,omitempty"`
 	// AccessListConfigs hold the configurations for the ACL of the token validator.
 
@@ -16,14 +16,18 @@ package authn
 
 import (
 	"context"
+	"fmt"
 	"github.com/greenpau/go-authcrunch/pkg/requests"
 	"github.com/greenpau/go-authcrunch/pkg/user"
 	"go.uber.org/zap"
 	"net/http"
 	"strings"
 )
 
-func (p *Portal) handleHTTPAppsAwsSso(ctx context.Context, w http.ResponseWriter, r *http.Request, rr *requests.Request, parsedUser *user.User) error {
+func (p *Portal) handleHTTPAppsSingleSignOn(ctx context.Context, w http.ResponseWriter, r *http.Request, rr *requests.Request, parsedUser *user.User) error {
+	var assumedRole, authorizedRole bool
+	var accountID, roleName string
+
 	p.disableClientCache(w)
 	p.injectRedirectURL(ctx, w, r, rr)
 
@@ -54,6 +58,30 @@ func (p *Portal) handleHTTPAppsAwsSso(ctx context.Context, w http.ResponseWriter
 	resp.PageTitle = "AWS SSO"
 	resp.BaseURL(rr.Upstream.BasePath)
 
+	if strings.Contains(r.URL.Path, "/apps/sso") && strings.Contains(r.URL.Path, "metadata.xml") {
+		// TODO(greenpau): add metadata for realm.
+	}
+
+	if strings.Contains(r.URL.Path, "/apps/sso/assume") {
+		accountRole, err := getEndpoint(r.URL.Path, "/apps/sso/assume/")
+		if err != nil {
+			p.logger.Warn(
+				"SSO request failed",
+				zap.String("session_id", rr.Upstream.SessionID),
+				zap.String("request_id", rr.ID),
+				zap.String("error", "malformed SSO request"),
+			)
+		} else {
+			assumedRole = true
+			arr := strings.SplitN(accountRole, "/", 2)
+			if len(arr) != 2 {
+				return p.handleHTTPRenderError(ctx, w, r, rr, fmt.Errorf("Malformed SSO request"))
+			}
+			accountID = arr[0]
+			roleName = arr[1]
+		}
+	}
+
 	type roleEntry struct {
 		Name      string
 		AccountID string
@@ -73,12 +101,39 @@ func (p *Portal) handleHTTPAppsAwsSso(ctx context.Context, w http.ResponseWriter
 			AccountID: arr[1],
 		}
 		roles = append(roles, role)
+
+		if assumedRole {
+			if (role.Name == roleName) && (role.AccountID == accountID) {
+				authorizedRole = true
+				p.logger.Debug(
+					"SSO assume role request received",
+					zap.String("session_id", rr.Upstream.SessionID),
+					zap.String("request_id", rr.ID),
+					zap.String("role_name", roleName),
+					zap.String("account_id", accountID),
+				)
+			}
+		}
+	}
+
+	if assumedRole {
+		if !authorizedRole {
+			p.logger.Debug(
+				"Unauthorized SSO assume role request",
+				zap.String("session_id", rr.Upstream.SessionID),
+				zap.String("request_id", rr.ID),
+				zap.String("role_name", roleName),
+				zap.String("account_id", accountID),
+			)
+			return p.handleHTTPRenderError(ctx, w, r, rr, fmt.Errorf("Unauthorized SSO assume role request"))
+		}
+		p.logger.Debug("Redirecting to SAML endpoint")
 	}
 
 	resp.Data["role_count"] = len(roles)
 	resp.Data["roles"] = roles
 
-	content, err := p.ui.Render("apps_aws_sso", resp)
+	content, err := p.ui.Render("apps_sso", resp)
 	if err != nil {
 		return p.handleHTTPRenderError(ctx, w, r, rr, err)
 	}
 
@@ -29,6 +29,7 @@ import (
 	"github.com/greenpau/go-authcrunch/pkg/ids"
 	"github.com/greenpau/go-authcrunch/pkg/kms"
 	"github.com/greenpau/go-authcrunch/pkg/registry"
+	"github.com/greenpau/go-authcrunch/pkg/sso"
 	cfgutil "github.com/greenpau/go-authcrunch/pkg/util/cfg"
 	"sort"
 
@@ -54,6 +55,7 @@ type Portal struct {
 	keystore          *kms.CryptoKeyStore
 	identityStores    []ids.IdentityStore
 	identityProviders []idp.IdentityProvider
+	ssoProviders      []sso.SingleSignOnProvider
 	cookie            *cookie.Factory
 	transformer       *transformer.Factory
 	ui                *ui.Factory
@@ -66,10 +68,11 @@ type Portal struct {
 
 // PortalParameters are input parameters for NewPortal.
 type PortalParameters struct {
-	Config            *PortalConfig          `json:"config,omitempty" xml:"config,omitempty" yaml:"config,omitempty"`
-	Logger            *zap.Logger            `json:"logger,omitempty" xml:"logger,omitempty" yaml:"logger,omitempty"`
-	IdentityStores    []ids.IdentityStore    `json:"identity_stores,omitempty" xml:"identity_stores,omitempty" yaml:"identity_stores,omitempty"`
-	IdentityProviders []idp.IdentityProvider `json:"identity_providers,omitempty" xml:"identity_providers,omitempty" yaml:"identity_providers,omitempty"`
+	Config                *PortalConfig              `json:"config,omitempty" xml:"config,omitempty" yaml:"config,omitempty"`
+	Logger                *zap.Logger                `json:"logger,omitempty" xml:"logger,omitempty" yaml:"logger,omitempty"`
+	IdentityStores        []ids.IdentityStore        `json:"identity_stores,omitempty" xml:"identity_stores,omitempty" yaml:"identity_stores,omitempty"`
+	IdentityProviders     []idp.IdentityProvider     `json:"identity_providers,omitempty" xml:"identity_providers,omitempty" yaml:"identity_providers,omitempty"`
+	SingleSignOnProviders []sso.SingleSignOnProvider `json:"sso_providers,omitempty" xml:"sso_providers,omitempty" yaml:"sso_providers,omitempty"`
 }
 
 // NewPortal returns an instance of Portal.
@@ -132,6 +135,27 @@ func NewPortal(params PortalParameters) (*Portal, error) {
 		}
 	}
 
+	for _, providerName := range params.Config.SingleSignOnProviders {
+		var providerFound bool
+		for _, provider := range params.SingleSignOnProviders {
+			if provider.GetName() == providerName {
+				if !provider.Configured() {
+					return nil, errors.ErrNewPortal.WithArgs(
+						fmt.Errorf("sso provider %q not configured", providerName),
+					)
+				}
+				p.ssoProviders = append(p.ssoProviders, provider)
+				providerFound = true
+				break
+			}
+		}
+		if !providerFound {
+			return nil, errors.ErrNewPortal.WithArgs(
+				fmt.Errorf("sso provider %q not found", providerName),
+			)
+		}
+	}
+
 	if len(p.identityStores) < 1 && len(p.identityProviders) < 1 {
 		return nil, errors.ErrNewPortal.WithArgs(errors.ErrPortalConfigBackendsNotFound)
 	}
 
@@ -47,15 +47,13 @@ func (p *Portal) handleHTTP(ctx context.Context, w http.ResponseWriter, r *http.
 		return p.handleHTTPRegister(ctx, w, r, rr)
 	case strings.HasSuffix(r.URL.Path, "/whoami"):
 		return p.handleHTTPWhoami(ctx, w, r, rr, usr)
-	case strings.Contains(r.URL.Path, "/apps/aws-sso"):
-		return p.handleHTTPAppsAwsSso(ctx, w, r, rr, usr)
+	case strings.Contains(r.URL.Path, "/apps/sso"):
+		return p.handleHTTPAppsSingleSignOn(ctx, w, r, rr, usr)
 	case strings.Contains(r.URL.Path, "/apps/mobile-access"):
 		return p.handleHTTPAppsMobileAccess(ctx, w, r, rr, usr)
 	case strings.Contains(r.URL.Path, "/oauth2/") && strings.HasSuffix(r.URL.Path, "/logout"):
 		return p.handleHTTPExternalLogout(ctx, w, r, rr, "oauth2")
 	case strings.Contains(r.URL.Path, "/saml/"):
-		// TODO(greenpau): implement
-		// p.logRequest("external saml login traceback", r, rr)
 		return p.handleHTTPExternalLogin(ctx, w, r, rr, "saml")
 	case strings.Contains(r.URL.Path, "/oauth2/"):
 		return p.handleHTTPExternalLogin(ctx, w, r, rr, "oauth2")