[PM-1632] Redirect on SsoRequired - return SsoOrganizationIdentifier (#6597)

feat: add SSO request validation and organization identifier lookup - Implement SsoRequestValidator to validate SSO requirements - Add UserSsoOrganizationIdentifierQuery to fetch organization identifiers - Create SsoOrganizationIdentifier custom response for SSO redirects - Add feature flag (RedirectOnSsoRequired) for gradual rollout - Register validators and queries in dependency injection - Create RequestValidationConstants to reduce magic strings - Add comprehensive test coverage for validation logic - Update BaseRequestValidator to consume SsoRequestValidator
2025-12-29 22:54:00 +00:00 · 2025-11-30 16:55:47 -05:00
parent f151abee54
commit 8a67aafbe5
18 changed files with 1448 additions and 50 deletions
--- a/src/Core/Auth/Sso/IUserSsoOrganizationIdentifierQuery.cs
+++ b/src/Core/Auth/Sso/IUserSsoOrganizationIdentifierQuery.cs
@@ -0,0 +1,23 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.Auth.Sso;
+
+/// <summary>
+/// Query to retrieve the SSO organization identifier that a user is a confirmed member of.
+/// </summary>
+public interface IUserSsoOrganizationIdentifierQuery
+{
+    /// <summary>
+    /// Retrieves the SSO organization identifier for a confirmed organization user.
+    /// If there is more than one organization a User is associated with, we return null. If there are more than one
+    /// organization there is no way to know which organization the user wishes to authenticate with.
+    /// Owners and Admins who are not subject to the SSO required policy cannot utilize this flow, since they may have
+    /// multiple organizations with different SSO configurations.
+    /// </summary>
+    /// <param name="userId">The ID of the <see cref="User"/> to retrieve the SSO organization for. _Not_ an <see cref="OrganizationUser"/>.</param>
+    /// <returns>
+    /// The organization identifier if the user is a confirmed member of an organization with SSO configured,
+    /// otherwise null
+    /// </returns>
+    Task<string?> GetSsoOrganizationIdentifierAsync(Guid userId);
+}
--- a/src/Core/Auth/Sso/UserSsoOrganizationIdentifierQuery.cs
+++ b/src/Core/Auth/Sso/UserSsoOrganizationIdentifierQuery.cs
@@ -0,0 +1,38 @@
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.Auth.Sso;
+
+/// <summary>
+/// TODO : PM-28846 review data structures as they relate to this query
+/// Query to retrieve the SSO organization identifier that a user is a confirmed member of.
+/// </summary>
+public class UserSsoOrganizationIdentifierQuery(
+    IOrganizationUserRepository _organizationUserRepository,
+    IOrganizationRepository _organizationRepository) : IUserSsoOrganizationIdentifierQuery
+{
+    /// <inheritdoc />
+    public async Task<string?> GetSsoOrganizationIdentifierAsync(Guid userId)
+    {
+        // Get all confirmed organization memberships for the user
+        var organizationUsers = await _organizationUserRepository.GetManyByUserAsync(userId);
+
+        // we can only confidently return the correct SsoOrganizationIdentifier if there is exactly one Organization.
+        // The user must also be in the Confirmed status.
+        var confirmedOrgUsers = organizationUsers.Where(ou => ou.Status == OrganizationUserStatusType.Confirmed);
+        if (confirmedOrgUsers.Count() != 1)
+        {
+            return null;
+        }
+
+        var confirmedOrgUser = confirmedOrgUsers.Single();
+        var organization = await _organizationRepository.GetByIdAsync(confirmedOrgUser.OrganizationId);
+
+        if (organization == null)
+        {
+            return null;
+        }
+
+        return organization.Identifier;
+    }
+}
--- a/src/Core/Auth/UserFeatures/UserServiceCollectionExtensions.cs
+++ b/src/Core/Auth/UserFeatures/UserServiceCollectionExtensions.cs
@@ -1,5 +1,4 @@
-
-
+using Bit.Core.Auth.Sso;
 using Bit.Core.Auth.UserFeatures.DeviceTrust;
 using Bit.Core.Auth.UserFeatures.Registration;
 using Bit.Core.Auth.UserFeatures.Registration.Implementations;
@@ -29,6 +28,7 @@ public static class UserServiceCollectionExtensions
        services.AddWebAuthnLoginCommands();
        services.AddTdeOffboardingPasswordCommands();
        services.AddTwoFactorQueries();
+        services.AddSsoQueries();
    }

    public static void AddDeviceTrustCommands(this IServiceCollection services)
@@ -69,4 +69,9 @@ public static class UserServiceCollectionExtensions
    {
        services.AddScoped<ITwoFactorIsEnabledQuery, TwoFactorIsEnabledQuery>();
    }
+
+    private static void AddSsoQueries(this IServiceCollection services)
+    {
+        services.AddScoped<IUserSsoOrganizationIdentifierQuery, UserSsoOrganizationIdentifierQuery>();
+    }
 }
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -166,6 +166,7 @@ public static class FeatureFlagKeys
    public const string MJMLBasedEmailTemplates = "mjml-based-email-templates";
    public const string MjmlWelcomeEmailTemplates = "pm-21741-mjml-welcome-email";
    public const string MarketingInitiatedPremiumFlow = "pm-26140-marketing-initiated-premium-flow";
+    public const string RedirectOnSsoRequired = "pm-1632-redirect-on-sso-required";

    /* Autofill Team */
    public const string IdpAutoSubmitLogin = "idp-auto-submit-login";