providers/saml: add ?force_binding to limit bindings for metadata endpoint

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/providers/saml/api.py

@@ -36,6 +36,7 @@ from authentik.flows.models import Flow, FlowDesignation
 from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.metadata import MetadataProcessor
 from authentik.providers.saml.processors.metadata_parser import ServiceProviderMetadataParser
+from authentik.sources.saml.processors.constants import SAML_BINDING_POST, SAML_BINDING_REDIRECT
 
 LOGGER = get_logger()
 
@@ -109,7 +110,19 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
                 name="download",
                 location=OpenApiParameter.QUERY,
                 type=OpenApiTypes.BOOL,
+            ),
+            OpenApiParameter(
+                name="force_binding",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.STR,
+                enum=[
+                    SAML_BINDING_REDIRECT,
+                    SAML_BINDING_POST,
+                ],
+                description=(
+                    "Optionally force the metadata to only include one binding."
                 )
+            ),
         ],
     )
     @action(methods=["GET"], detail=True, permission_classes=[AllowAny])
@@ -122,7 +135,9 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
         except ValueError:
             raise Http404
         try:
-            metadata = MetadataProcessor(provider, request).build_entity_descriptor()
+            proc = MetadataProcessor(provider, request)
+            proc.force_binding = request.query_params.get("force_binding", None)
+            metadata = proc.build_entity_descriptor()
             if "download" in request.query_params:
                 response = HttpResponse(metadata, content_type="application/xml")
                 response[

authentik/providers/saml/processors/metadata.py

@@ -29,10 +29,12 @@ class MetadataProcessor:
 
     provider: SAMLProvider
     http_request: HttpRequest
+    force_binding: Optional[str]
 
     def __init__(self, provider: SAMLProvider, request: HttpRequest):
         self.provider = provider
         self.http_request = request
+        self.force_binding = None
         self.xml_id = get_random_id()
 
     def get_signing_key_descriptor(self) -> Optional[Element]:
@@ -79,6 +81,8 @@ class MetadataProcessor:
             ),
         }
         for binding, url in binding_url_map.items():
+            if self.force_binding and self.force_binding != binding:
+                continue
             element = Element(f"{{{NS_SAML_METADATA}}}SingleSignOnService")
             element.attrib["Binding"] = binding
             element.attrib["Location"] = url

schema.yml

@@ -11645,6 +11645,14 @@ paths:
         name: download
         schema:
           type: boolean
+      - in: query
+        name: force_binding
+        schema:
+          type: string
+          enum:
+          - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
+          - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+        description: Optionally force the metadata to only include one binding.
       - in: path
         name: id
         schema: