Redirect login page to SAML2 login if only auth provider (#3472)

williamjallen · web-flow · commit 9f87d4e4a0f4 · 2026-02-25T14:39:23.000Z
This PR adds logic to automatically redirect the login page to the
configured SAML2 provider, if SAML2 is the only configured
authentication provider. This bypasses the need to click on a single
button on the login form for instances where the only means of logging
in is SAML.
diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
@@ -10,6 +10,7 @@
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Schema;
 use Illuminate\Validation\ValidationException;
+use Illuminate\View\View;
 use LdapRecord\Laravel\Auth\ListensForLdapBindFailure;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -27,6 +28,7 @@ final class LoginController extends AbstractController
     */
 
     use AuthenticatesUsers {
+        showLoginForm as traitShowLoginForm;
         login as traitLogin;
         credentials as traitCredentials;
     }
@@ -47,6 +49,22 @@ public function __construct()
         $this->listenForLdapBindFailure();
     }
 
+    public function showLoginForm(): View|Response|RedirectResponse
+    {
+        $hasOAuthLogin = collect(config('services'))->where('oauth', 'true')->firstWhere('enable', true) !== null;
+        $hasSAMLLogin = config('saml2.enabled') === true;
+
+        if (
+            config('cdash.username_password_authentication_enabled') === false
+            && !$hasOAuthLogin
+            && $hasSAMLLogin
+        ) {
+            return self::saml2Login();
+        }
+
+        return $this->traitShowLoginForm();
+    }
+
     /**
      * Handle a login request to the application.
      *
diff --git a/tests/Feature/LoginAndRegistration.php b/tests/Feature/LoginAndRegistration.php
@@ -143,6 +143,30 @@ public function testLocalView(): void
         unlink($tmp_view_path);
     }
 
+    /** @return array<string, string|int> */
+    private function createSamlTenant(): array
+    {
+        $saml_uuid = (string) Str::uuid();
+        $saml2_tenant_name = 'saml2_client_for_testing';
+        $saml2_tenant_uri = 'https://cdash.org/fake-saml2-idp/asdf';
+        $params = [
+            'uuid' => $saml_uuid,
+            'key' => $saml2_tenant_name,
+            'idp_entity_id' => $saml2_tenant_uri,
+            'idp_login_url' => "$saml2_tenant_uri/login",
+            'idp_logout_url' => "$saml2_tenant_uri/logout",
+            'idp_x509_cert' => base64_encode('asdf'),
+            'metadata' => '{}',
+            'name_id_format' => 'persistent',
+        ];
+        $saml2_tenant_id = DB::table('saml2_tenants')->insertGetId($params);
+
+        return [
+            ...$params,
+            'saml2_tenant_id' => $saml2_tenant_id,
+        ];
+    }
+
     public function testSaml2(): void
     {
         // Verify that SAML2 login fails when disabled.
@@ -169,28 +193,33 @@ public function testSaml2(): void
         $response->assertStatus(500);
         $response->assertSeeText('SAML2 tenant not found');
 
-        // Create a SAML2 tenant.
-        $saml_uuid = (string) Str::uuid();
-        $saml2_tenant_name = 'saml2_client_for_testing';
-        $saml2_tenant_uri = 'https://cdash.org/fake-saml2-idp/asdf';
-        $params = [
-            'uuid' => $saml_uuid,
-            'key' => $saml2_tenant_name,
-            'idp_entity_id' => $saml2_tenant_uri,
-            'idp_login_url' => "$saml2_tenant_uri/login",
-            'idp_logout_url' => "$saml2_tenant_uri/logout",
-            'idp_x509_cert' => base64_encode('asdf'),
-            'metadata' => '{}',
-            'name_id_format' => 'persistent',
-        ];
-        $saml2_tenant_id = DB::table('saml2_tenants')->insertGetId($params);
+        $saml_tenant = $this->createSamlTenant();
 
         // Verify that SAML2 login redirects as expected.
         $response = $this->post('/saml2/login');
-        $response->assertRedirectContains("/saml2/{$saml_uuid}/login?returnTo=");
+        $response->assertRedirectContains("/saml2/{$saml_tenant['uuid']}/login?returnTo=");
+
+        // Delete SAML2 tenant.
+        DB::table('saml2_tenants')->delete($saml_tenant['saml2_tenant_id']);
+    }
+
+    public function testRedirectsToSamlIfOnlyAuthProvider(): void
+    {
+        config(['saml2.enabled' => true]);
+        $saml_tenant = $this->createSamlTenant();
+
+        // Verify that we see the login page if username+password is enabled
+        $response = $this->get('/login');
+        $response->assertViewIs('auth.login');
+
+        config(['cdash.username_password_authentication_enabled' => false]);
+
+        // Verify that we get redirected to the SAML2 route if it's the only configured auth provider
+        $response = $this->get('/login');
+        $response->assertRedirectContains("/saml2/{$saml_tenant['uuid']}/login?returnTo=");
 
         // Delete SAML2 tenant.
-        DB::table('saml2_tenants')->delete($saml2_tenant_id);
+        DB::table('saml2_tenants')->delete($saml_tenant['saml2_tenant_id']);
     }
 
     /**
