gravitational · flyinghermit · Mar 14, 2024 · Mar 12, 2024 · Mar 13, 2024 · Mar 14, 2024
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -5953,12 +5953,15 @@ message SAMLIdPServiceProviderSpecV1 {
   string EntityID = 2 [(gogoproto.jsontag) = "entity_id"];
   // ACSURL is the endpoint where SAML authentication response will be redirected.
   string ACSURL = 3 [(gogoproto.jsontag) = "acs_url"];
-  // AttributeMapping is used to map Service Provider requested attributes to
+  // AttributeMapping is used to map service provider requested attributes to
   // username, role and traits in Teleport.
   repeated SAMLAttributeMapping AttributeMapping = 4 [(gogoproto.jsontag) = "attribute_mapping"];
+  // Preset is used to define service provider profile that will have a custom behavior
+  // processed by Teleport.
+  string Preset = 5 [(gogoproto.jsontag) = "preset"];
 }
 
-// SAMLAttributeMapping represents SAML Service Provider requested attribute
+// SAMLAttributeMapping represents SAML service provider requested attribute
 // name, format and its values.
 message SAMLAttributeMapping {
   //  name is an attribute name.

diff --git a/api/types/saml_idp_service_provider.go b/api/types/saml_idp_service_provider.go
@@ -22,6 +22,7 @@ import (
 
 	"github.com/gravitational/trace"
 
+	"github.com/gravitational/teleport/api/types/samlsp"
 	"github.com/gravitational/teleport/api/utils"
 )
 
@@ -105,6 +106,8 @@ var (
 	// ErrDuplicateAttributeName is returned when attribute mapping declares two or more
 	// attributes with the same name.
 	ErrDuplicateAttributeName = &trace.BadParameterError{Message: "duplicate attribute name not allowed"}
+	// ErrUnsupportedPresetName is returned when preset name is not supported.
+	ErrUnsupportedPresetName = &trace.BadParameterError{Message: "unsupported preset name"}
 )
 
 // SAMLIdPServiceProvider specifies configuration for service providers for Teleport's built in SAML IdP.
@@ -262,6 +265,10 @@ func (s *SAMLIdPServiceProviderV1) CheckAndSetDefaults() error {
 		attrNames[attributeMap.Name] = struct{}{}
 	}
 
+	if ok := validatePreset(s.Spec.Preset); !ok {
+		return trace.Wrap(ErrUnsupportedPresetName)
+	}
+
 	return nil
 }
 
@@ -309,3 +316,14 @@ func (am *SAMLAttributeMapping) CheckAndSetDefaults() error {
 	}
 	return nil
 }
+
+// validatePreset validates SAMLIdPServiceProviderV1 preset field.
+// preset can be either empty or one of the supported type.
+func validatePreset(preset string) bool {
+	switch preset {
+	case "", samlsp.GCPWorkforce:
+		return true
+	default:
+		return false
+	}
+}
diff --git a/api/types/saml_idp_service_provider_test.go b/api/types/saml_idp_service_provider_test.go
@@ -20,6 +20,8 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/api/types/samlsp"
 )
 
 // TestNewSAMLIdPServiceProvider ensures a valid SAML IdP service provider.
@@ -32,6 +34,7 @@ func TestNewSAMLIdPServiceProvider(t *testing.T) {
 		errAssertion     require.ErrorAssertionFunc
 		expectedEntityID string
 		attributeMapping []*SAMLAttributeMapping
+		preset           string
 	}{
 		{
 			name:             "valid entity descriptor",
@@ -171,6 +174,26 @@ func TestNewSAMLIdPServiceProvider(t *testing.T) {
 				require.ErrorContains(t, err, "invalid name format")
 			},
 		},
+		{
+			name:             "supported preset value",
+			entityDescriptor: "",
+			entityID:         "IAMShowcase",
+			acsURL:           "https:/test.com/acs",
+			expectedEntityID: "IAMShowcase",
+			errAssertion:     require.NoError,
+			preset:           samlsp.GCPWorkforce,
+		},
+		{
+			name:             "unsupported preset value",
+			entityDescriptor: "",
+			entityID:         "IAMShowcase",
+			acsURL:           "https:/test.com/acs",
+			expectedEntityID: "IAMShowcase",
+			errAssertion: func(t require.TestingT, err error, i ...interface{}) {
+				require.ErrorContains(t, err, "unsupported preset")
+			},
+			preset: "notsupported",
+		},
 	}
 
 	for _, test := range tests {
@@ -182,6 +205,7 @@ func TestNewSAMLIdPServiceProvider(t *testing.T) {
 				EntityID:         test.entityID,
 				ACSURL:           test.acsURL,
 				AttributeMapping: test.attributeMapping,
+				Preset:           test.preset,
 			})
 
 			test.errAssertion(t, err)

diff --git a/api/types/samlsp/samlsp.go b/api/types/samlsp/samlsp.go
@@ -0,0 +1,23 @@
+/*
+Copyright 2024 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package samlsp
+
+const (
+	// GCPWorkforce is a SAML service provider preset name for Google Cloud Platform
+	// Workforce Identity Federation.
+	GCPWorkforce = "gcp-workforce"
+)