feat(CLI-SSO-Login): [Auth/PM-21116] CLI - SSO Login - Add SSO Org Identifier option (#14605)

* Add --identifier option for SSO on CLI

* Add option for identifier

* Moved auto-submit after the setting of client arguments

* Adjusted comment

* Changed to pass in as SSO option

* Renamed to orgSsoIdentifier for clarity

* Added more changes to orgSsoIdentifier.

libs/auth/src/angular/sso/sso.component.ts

@@ -155,7 +155,14 @@ export class SsoComponent implements OnInit {
       return;
     }
 
-    // Detect if we have landed here but only have an SSO identifier in the URL.
+    // Detect if we are on the first portion of the SSO flow
+    // and have been sent here from another client with the info in query params.
+    // If so, we want to initialize the SSO flow with those values.
+    if (this.hasParametersFromOtherClientRedirect(qParams)) {
+      this.initializeFromRedirectFromOtherClient(qParams);
+    }
+
+    // Detect if we have landed here with an SSO identifier in the URL.
     // This is used by integrations that want to "short-circuit" the login to send users
     // directly to their IdP to simulate IdP-initiated SSO, so we submit automatically.
     if (qParams.identifier != null) {
@@ -165,13 +172,6 @@ export class SsoComponent implements OnInit {
       return;
     }
 
-    // Detect if we are on the first portion of the SSO flow
-    // and have been sent here from another client with the info in query params.
-    // If so, we want to initialize the SSO flow with those values.
-    if (this.hasParametersFromOtherClientRedirect(qParams)) {
-      this.initializeFromRedirectFromOtherClient(qParams);
-    }
-
     // Try to determine the identifier using claimed domain or local state
     // persisted from the user's last login attempt.
     await this.initializeIdentifierFromEmailOrStorage();

libs/auth/src/common/services/sso-redirect/sso-url.service.spec.ts

@@ -92,4 +92,27 @@ describe("SsoUrlService", () => {
     );
     expect(result).toBe(expectedUrl);
   });
+
+  it("should build CLI SSO URL with Org SSO Identifier correctly", () => {
+    const baseUrl = "https://web-vault.bitwarden.com";
+    const clientType = ClientType.Cli;
+    const redirectUri = "https://localhost:1000";
+    const state = "abc123";
+    const codeChallenge = "xyz789";
+    const email = "test@bitwarden.com";
+    const orgSsoIdentifier = "test-org";
+
+    const expectedUrl = `${baseUrl}/#/sso?clientId=cli&redirectUri=${encodeURIComponent(redirectUri)}&state=${state}&codeChallenge=${codeChallenge}&email=${encodeURIComponent(email)}&identifier=${encodeURIComponent(orgSsoIdentifier)}`;
+
+    const result = service.buildSsoUrl(
+      baseUrl,
+      clientType,
+      redirectUri,
+      state,
+      codeChallenge,
+      email,
+      orgSsoIdentifier,
+    );
+    expect(result).toBe(expectedUrl);
+  });
 });

libs/auth/src/common/services/sso-redirect/sso-url.service.ts

@@ -11,6 +11,7 @@ export class SsoUrlService {
    * @param state A state value that will be peristed through the SSO flow
    * @param codeChallenge A challenge value that will be used to verify the SSO code after authentication
    * @param email The optional email adddress of the user initiating SSO, which will be used to look up the org SSO identifier
+   * @param orgSsoIdentifier The optional SSO identifier of the org that is initiating SSO
    * @returns The URL for redirecting users to the web app SSO component
    */
   buildSsoUrl(
@@ -20,6 +21,7 @@ export class SsoUrlService {
     state: string,
     codeChallenge: string,
     email?: string,
+    orgSsoIdentifier?: string,
   ): string {
     let url =
       webAppUrl +
@@ -36,6 +38,10 @@ export class SsoUrlService {
       url += "&email=" + encodeURIComponent(email);
     }
 
+    if (orgSsoIdentifier) {
+      url += "&identifier=" + encodeURIComponent(orgSsoIdentifier);
+    }
+
     return url;
   }
 }