diff --git a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
index 17a7b9e8c7..30c25f6757 100644
--- a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
+++ b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
@@ -349,7 +349,9 @@ public class DynamicAuthenticationSchemeProvider : AuthenticationSchemeProvider
         }
 
         var spEntityId = new Sustainsys.Saml2.Metadata.EntityId(
-            SsoConfigurationData.BuildSaml2ModulePath(_globalSettings.BaseServiceUri.Sso));
+            SsoConfigurationData.BuildSaml2ModulePath(
+                _globalSettings.BaseServiceUri.Sso,
+                config.SpUniqueEntityId ? name : null));
         bool? allowCreate = null;
         if (config.SpNameIdFormat != Saml2NameIdFormat.Transient)
         {
diff --git a/src/Api/Auth/Models/Request/OrganizationSsoRequestModel.cs b/src/Api/Auth/Models/Request/OrganizationSsoRequestModel.cs
index a1a50ed3f6..d82b26aa26 100644
--- a/src/Api/Auth/Models/Request/OrganizationSsoRequestModel.cs
+++ b/src/Api/Auth/Models/Request/OrganizationSsoRequestModel.cs
@@ -66,6 +66,7 @@ public class SsoConfigurationDataRequest : IValidatableObject
     public string ExpectedReturnAcrValue { get; set; }
 
     // SAML2 SP
+    public bool? SpUniqueEntityId { get; set; }
     public Saml2NameIdFormat SpNameIdFormat { get; set; }
     public string SpOutboundSigningAlgorithm { get; set; }
     public Saml2SigningBehavior SpSigningBehavior { get; set; }
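Review bot: The value fed into the unique EntityId here is the scheme `name`, while the response model in this same commit advertises `SpEntityId` to administrators using `organizationId`; if the scheme name is not byte-for-byte the same string as the organization id (casing or formatting of the GUID, for instance), the EntityId the SP actually sends will differ from the one shown in the admin UI and the IdP will reject the assertion on audience mismatch. I would either derive both from the same source or add a comment next to the new call making the coupling explicit, e.g. `// Scheme name is the organization id; must match SsoUrls.SpEntityId exactly or the IdP audience check fails.` Note also that the SP EntityId is part of the IdP's trust configuration, so flipping `SpUniqueEntityId` on an existing org silently changes what the IdP must accept; a one-line comment stating that toggling it requires re-registering the SP with the IdP would help the next maintainer. The enclosing method starts and ends outside this hunk, and the new two-argument `BuildSaml2ModulePath` overload is not in the diff, so I am assuming its second parameter is a nullable string that yields the old static path when null.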
@@ -190,6 +191,7 @@ public class SsoConfigurationDataRequest : IValidatableObject
             IdpAllowUnsolicitedAuthnResponse = IdpAllowUnsolicitedAuthnResponse.GetValueOrDefault(),
             IdpDisableOutboundLogoutRequests = IdpDisableOutboundLogoutRequests.GetValueOrDefault(),
             IdpWantAuthnRequestsSigned = IdpWantAuthnRequestsSigned.GetValueOrDefault(),
+            SpUniqueEntityId = SpUniqueEntityId.GetValueOrDefault(),
             SpNameIdFormat = SpNameIdFormat,
             SpOutboundSigningAlgorithm = SpOutboundSigningAlgorithm ?? SamlSigningAlgorithms.Sha256,
             SpSigningBehavior = SpSigningBehavior,
diff --git a/src/Api/Auth/Models/Response/OrganizationSsoResponseModel.cs b/src/Api/Auth/Models/Response/OrganizationSsoResponseModel.cs
index bbf9d57c79..0d327e1009 100644
--- a/src/Api/Auth/Models/Response/OrganizationSsoResponseModel.cs
+++ b/src/Api/Auth/Models/Response/OrganizationSsoResponseModel.cs
@@ -33,7 +33,8 @@ public class SsoUrls
     {
         CallbackPath = SsoConfigurationData.BuildCallbackPath(globalSettings.BaseServiceUri.Sso);
         SignedOutCallbackPath = SsoConfigurationData.BuildSignedOutCallbackPath(globalSettings.BaseServiceUri.Sso);
-        SpEntityId = SsoConfigurationData.BuildSaml2ModulePath(globalSettings.BaseServiceUri.Sso);
+        SpEntityIdStatic = SsoConfigurationData.BuildSaml2ModulePath(globalSettings.BaseServiceUri.Sso);
+        SpEntityId = SsoConfigurationData.BuildSaml2ModulePath(globalSettings.BaseServiceUri.Sso, organizationId);
         SpMetadataUrl = SsoConfigurationData.BuildSaml2MetadataUrl(globalSettings.BaseServiceUri.Sso, organizationId);
         SpAcsUrl = SsoConfigurationData.BuildSaml2AcsUrl(globalSettings.BaseServiceUri.Sso, organizationId);
     }
@@ -41,6 +42,7 @@ public class SsoUrls
     public string CallbackPath { get; set; }
     public string SignedOutCallbackPath { get; set; }
     public string SpEntityId { get; set; }
+    public string SpEntityIdStatic { get; set; }
     public string SpMetadataUrl { get; set; }
     public string SpAcsUrl { get; set; }
 }
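Review bot: `SpEntityId` in the `SsoUrls` constructor changes meaning in this hunk — it previously held the shared static path and now holds the organization-specific one — while the response offers no indication of which of the two values the SP will actually send for this organization, since that depends on the org's `SpUniqueEntityId` setting that `SsoUrls` never consults. An existing client that reads `SpEntityId` for an organization still on the shared entity id will now display a value the IdP has never been configured with, and an administrator copying it into the IdP gets an audience mismatch. Consider either selecting the effective value in the constructor (it would need the org's SSO configuration passed in) or documenting both properties so the consumer must choose, e.g. `/// <summary>Organization-unique SP EntityId; only sent when SpUniqueEntityId is enabled for the organization.</summary>` on `SpEntityId` and `/// <summary>Shared SP EntityId used when SpUniqueEntityId is disabled (the pre-existing behavior).</summary>` on `SpEntityIdStatic`. The rename of the static value to a new property also means any API consumer relying on the old contents of `SpEntityId` is silently broken; if that is intended, the response model's changelog or API docs should say so.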
diff --git a/src/Core/Auth/Models/Data/SsoConfigurationData.cs b/src/Core/Auth/Models/Data/SsoConfigurationData.cs
index d434661af6..fe39a5a054 100644
--- a/src/Core/Auth/Models/Data/SsoConfigurationData.cs
+++ b/src/Core/Auth/Models/Data/SsoConfigurationData.cs
@@ -70,6 +70,7 @@ public class SsoConfigurationData
     public bool IdpWantAuthnRequestsSigned { get; set; }
 
     // SAML2 SP
+    public bool SpUniqueEntityId { get; set; }
     public Saml2NameIdFormat SpNameIdFormat { get; set; }
     public string SpOutboundSigningAlgorithm { get; set; }
     public Saml2SigningBehavior SpSigningBehavior { get; set; }
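Review bot: The new `SpUniqueEntityId` flag on `SsoConfigurationData` is undocumented, yet it alters a value the IdP validates on every login (the SP EntityId / assertion audience), so its effect and its migration behavior deserve a doc comment. Something like `/// <summary>When true, the SAML2 SP EntityId includes the organization identifier instead of the shared static path. Changing this after the IdP has been configured requires re-registering the SP with the IdP.</summary>` would make the operational consequence visible to whoever next edits this model. If this type is deserialized from stored configuration (which I infer from its placement under Models/Data but cannot confirm from the diff), existing records without the property will default to `false` and keep the shared entity id, which matches the request model's `GetValueOrDefault()` mapping; stating that default explicitly in the comment would close the loop.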