Implement SAML custom attributes support for Identity Provider

This commit adds support for custom attributes in SAML single sign-on requests
in the Elasticsearch X-Pack Identity Provider plugin. This feature allows
passage of custom key-value attributes in SAML requests and responses.

Key components:
- Added SamlInitiateSingleSignOnAttributes class for holding attributes
- Added validation for null and empty attribute keys
- Updated request and response objects to handle attributes
- Modified authentication flow to process attributes
- Added test coverage to validate attributes functionality

The implementation follows Elasticsearch patterns with robust validation
and serialization mechanisms, while maintaining backward compatibility.

Author: lloydmeta

x-pack/plugin/identity-provider/qa/idp-rest-tests/src/javaRestTest/java/org/elasticsearch/xpack/idp/IdentityProviderAuthenticationIT.java

@@ -18,13 +18,15 @@
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.core.Nullable;
 import org.elasticsearch.xcontent.ObjectPath;
+import org.elasticsearch.xcontent.XContentBuilder;
 import org.elasticsearch.xcontent.json.JsonXContent;
 import org.elasticsearch.xpack.core.security.action.saml.SamlPrepareAuthenticationResponse;
 import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderIndex;
 import org.junit.Before;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
 import java.util.Base64;
 import java.util.List;
 import java.util.Map;
@@ -74,6 +76,47 @@ public void testRegistrationAndIdpInitiatedSso() throws Exception {
         authenticateWithSamlResponse(samlResponse, null);
     }
 
+    public void testCustomAttributesInIdpInitiatedSso() throws Exception {
+        final Map<String, Object> request = Map.ofEntries(
+            Map.entry("name", "Test SP With Custom Attributes"),
+            Map.entry("acs", SP_ACS),
+            Map.entry("privileges", Map.ofEntries(Map.entry("resource", SP_ENTITY_ID), Map.entry("roles", List.of("sso:(\\w+)")))),
+            Map.entry(
+                "attributes",
+                Map.ofEntries(
+                    Map.entry("principal", "https://idp.test.es.elasticsearch.org/attribute/principal"),
+                    Map.entry("name", "https://idp.test.es.elasticsearch.org/attribute/name"),
+                    Map.entry("email", "https://idp.test.es.elasticsearch.org/attribute/email"),
+                    Map.entry("roles", "https://idp.test.es.elasticsearch.org/attribute/roles")
+                )
+            )
+        );
+        final SamlServiceProviderIndex.DocumentVersion docVersion = createServiceProvider(SP_ENTITY_ID, request);
+        checkIndexDoc(docVersion);
+        ensureGreen(SamlServiceProviderIndex.INDEX_NAME);
+
+        // Create custom attributes
+        List<Map<String, Object>> attributesList = new ArrayList<>();
+        Map<String, Object> attr1 = Map.of("key", "department", "values", List.of("engineering", "product"));
+        Map<String, Object> attr2 = Map.of("key", "region", "values", List.of("APAC"));
+        attributesList.add(attr1);
+        attributesList.add(attr2);
+
+        final Map<String, Object> requestAttributes = Map.of("attributes", attributesList);
+
+        // Generate SAML response with custom attributes
+        final String samlResponse = generateSamlResponseWithAttributes(SP_ENTITY_ID, SP_ACS, null, requestAttributes);
+
+        // Verify the response includes our custom attributes
+        assertThat(samlResponse, containsString("department"));
+        assertThat(samlResponse, containsString("engineering"));
+        assertThat(samlResponse, containsString("product"));
+        assertThat(samlResponse, containsString("region"));
+        assertThat(samlResponse, containsString("APAC"));
+
+        authenticateWithSamlResponse(samlResponse, null);
+    }
+
     public void testRegistrationAndSpInitiatedSso() throws Exception {
         final Map<String, Object> request = Map.ofEntries(
             Map.entry("name", "Test SP"),
@@ -125,17 +168,37 @@ private SamlPrepareAuthenticationResponse generateSamlAuthnRequest(String realmN
         }
     }
 
-    private String generateSamlResponse(String entityId, String acs, @Nullable Map<String, Object> authnState) throws Exception {
+    private String generateSamlResponse(String entityId, String acs, @Nullable Map<String, Object> authnState) throws IOException {
+        return generateSamlResponseWithAttributes(entityId, acs, authnState, null);
+    }
+
+    private String generateSamlResponseWithAttributes(
+        String entityId,
+        String acs,
+        @Nullable Map<String, Object> authnState,
+        @Nullable Map<String, Object> attributes
+    ) throws IOException {
         final Request request = new Request("POST", "/_idp/saml/init");
-        if (authnState != null && authnState.isEmpty() == false) {
-            request.setJsonEntity(Strings.format("""
-                {"entity_id":"%s", "acs":"%s","authn_state":%s}
-                """, entityId, acs, Strings.toString(JsonXContent.contentBuilder().map(authnState))));
-        } else {
-            request.setJsonEntity(Strings.format("""
-                {"entity_id":"%s", "acs":"%s"}
-                """, entityId, acs));
+
+        XContentBuilder builder = JsonXContent.contentBuilder();
+        builder.startObject();
+        builder.field("entity_id", entityId);
+        builder.field("acs", acs);
+
+        if (authnState != null) {
+            builder.field("authn_state");
+            builder.map(authnState);
         }
+
+        if (attributes != null) {
+            builder.field("attributes");
+            builder.map(attributes);
+        }
+
+        builder.endObject();
+        String jsonEntity = Strings.toString(builder);
+
+        request.setJsonEntity(jsonEntity);
         request.setOptions(
             RequestOptions.DEFAULT.toBuilder()
                 .addHeader("es-secondary-authorization", basicAuthHeaderValue("idp_user", new SecureString("idp-password".toCharArray())))

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/SamlInitiateSingleSignOnRequest.java

@@ -12,6 +12,7 @@
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.xpack.idp.saml.support.SamlAuthenticationState;
+import org.elasticsearch.xpack.idp.saml.support.SamlInitiateSingleSignOnAttributes;
 
 import java.io.IOException;
 
@@ -22,12 +23,14 @@ public class SamlInitiateSingleSignOnRequest extends ActionRequest {
     private String spEntityId;
     private String assertionConsumerService;
     private SamlAuthenticationState samlAuthenticationState;
+    private SamlInitiateSingleSignOnAttributes attributes;
 
     public SamlInitiateSingleSignOnRequest(StreamInput in) throws IOException {
         super(in);
         spEntityId = in.readString();
         assertionConsumerService = in.readString();
         samlAuthenticationState = in.readOptionalWriteable(SamlAuthenticationState::new);
+        attributes = in.readOptionalWriteable(SamlInitiateSingleSignOnAttributes::new);
     }
 
     public SamlInitiateSingleSignOnRequest() {}
@@ -68,17 +71,36 @@ public void setSamlAuthenticationState(SamlAuthenticationState samlAuthenticatio
         this.samlAuthenticationState = samlAuthenticationState;
     }
 
+    public SamlInitiateSingleSignOnAttributes getAttributes() {
+        return attributes;
+    }
+
+    public void setAttributes(SamlInitiateSingleSignOnAttributes attributes) {
+        this.attributes = attributes;
+    }
+
     @Override
     public void writeTo(StreamOutput out) throws IOException {
         super.writeTo(out);
         out.writeString(spEntityId);
         out.writeString(assertionConsumerService);
         out.writeOptionalWriteable(samlAuthenticationState);
+        out.writeOptionalWriteable(attributes);
     }
 
     @Override
     public String toString() {
-        return getClass().getSimpleName() + "{spEntityId='" + spEntityId + "', acs='" + assertionConsumerService + "'}";
+        return getClass().getSimpleName()
+            + "{"
+            + "spEntityId='"
+            + spEntityId
+            + "', "
+            + "acs='"
+            + assertionConsumerService
+            + "', "
+            + "attributes="
+            + attributes
+            + "'}";
     }
 
 }

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/SamlInitiateSingleSignOnResponse.java

@@ -10,6 +10,7 @@
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.core.Nullable;
 import org.elasticsearch.xcontent.XContentBuilder;
+import org.elasticsearch.xpack.idp.saml.support.SamlInitiateSingleSignOnAttributes;
 
 import java.io.IOException;
 
@@ -20,19 +21,32 @@ public class SamlInitiateSingleSignOnResponse extends ActionResponse {
     private final String entityId;
     private final String samlStatus;
     private final String error;
+    private final SamlInitiateSingleSignOnAttributes attributes;
 
     public SamlInitiateSingleSignOnResponse(
         String entityId,
         String postUrl,
         String samlResponse,
         String samlStatus,
         @Nullable String error
+    ) {
+        this(entityId, postUrl, samlResponse, samlStatus, error, null);
+    }
+
+    public SamlInitiateSingleSignOnResponse(
+        String entityId,
+        String postUrl,
+        String samlResponse,
+        String samlStatus,
+        @Nullable String error,
+        @Nullable SamlInitiateSingleSignOnAttributes attributes
     ) {
         this.entityId = entityId;
         this.postUrl = postUrl;
         this.samlResponse = samlResponse;
         this.samlStatus = samlStatus;
         this.error = error;
+        this.attributes = attributes;
     }
 
     public String getPostUrl() {
@@ -55,13 +69,18 @@ public String getSamlStatus() {
         return samlStatus;
     }
 
+    public SamlInitiateSingleSignOnAttributes getAttributes() {
+        return attributes;
+    }
+
     @Override
     public void writeTo(StreamOutput out) throws IOException {
         out.writeString(entityId);
         out.writeString(postUrl);
         out.writeString(samlResponse);
         out.writeString(samlStatus);
         out.writeOptionalString(error);
+        out.writeOptionalWriteable(attributes);
     }
 
     public void toXContent(XContentBuilder builder) throws IOException {

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/TransportSamlInitiateSingleSignOnAction.java

@@ -139,7 +139,7 @@ protected void doExecute(
                         identityProvider
                     );
                     try {
-                        final Response response = builder.build(user, authenticationState);
+                        final Response response = builder.build(user, authenticationState, request.getAttributes());
                         listener.onResponse(
                             new SamlInitiateSingleSignOnResponse(
                                 user.getServiceProvider().getEntityId(),

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/authn/SuccessfulAuthenticationResponseMessageBuilder.java

@@ -18,6 +18,7 @@
 import org.elasticsearch.xpack.idp.saml.support.SamlAuthenticationState;
 import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
 import org.elasticsearch.xpack.idp.saml.support.SamlInit;
+import org.elasticsearch.xpack.idp.saml.support.SamlInitiateSingleSignOnAttributes;
 import org.elasticsearch.xpack.idp.saml.support.SamlObjectSigner;
 import org.opensaml.core.xml.schema.XSString;
 import org.opensaml.saml.saml2.core.Assertion;
@@ -66,7 +67,11 @@ public SuccessfulAuthenticationResponseMessageBuilder(SamlFactory samlFactory, C
         this.idp = idp;
     }
 
-    public Response build(UserServiceAuthentication user, @Nullable SamlAuthenticationState authnState) {
+    public Response build(
+        UserServiceAuthentication user,
+        @Nullable SamlAuthenticationState authnState,
+        @Nullable SamlInitiateSingleSignOnAttributes customAttributes
+    ) {
         logger.debug("Building success response for [{}] from [{}]", user, authnState);
         final Instant now = clock.instant();
         final SamlServiceProvider serviceProvider = user.getServiceProvider();
@@ -87,10 +92,13 @@ public Response build(UserServiceAuthentication user, @Nullable SamlAuthenticati
         assertion.setIssueInstant(now);
         assertion.setConditions(buildConditions(now, serviceProvider));
         assertion.setSubject(buildSubject(now, user, authnState));
-        assertion.getAuthnStatements().add(buildAuthnStatement(now, user));
-        final AttributeStatement attributes = buildAttributes(user);
-        if (attributes != null) {
-            assertion.getAttributeStatements().add(attributes);
+
+        final AuthnStatement authnStatement = buildAuthnStatement(now, user);
+        assertion.getAuthnStatements().add(authnStatement);
+
+        final AttributeStatement attributeStatement = buildAttributes(user, customAttributes);
+        if (attributeStatement != null) {
+            assertion.getAttributeStatements().add(attributeStatement);
         }
         response.getAssertions().add(assertion);
         return sign(response);
@@ -179,7 +187,10 @@ private static String resolveAuthnClass(Set<AuthenticationMethod> authentication
         }
     }
 
-    private AttributeStatement buildAttributes(UserServiceAuthentication user) {
+    private AttributeStatement buildAttributes(
+        UserServiceAuthentication user,
+        @Nullable SamlInitiateSingleSignOnAttributes customAttributes
+    ) {
         final SamlServiceProvider serviceProvider = user.getServiceProvider();
         final AttributeStatement statement = samlFactory.object(AttributeStatement.class, AttributeStatement.DEFAULT_ELEMENT_NAME);
         final List<Attribute> attributes = new ArrayList<>();
@@ -199,6 +210,16 @@ private AttributeStatement buildAttributes(UserServiceAuthentication user) {
         if (name != null) {
             attributes.add(name);
         }
+        // Add custom attributes if provided
+        if (customAttributes != null && customAttributes.getAttributes().isEmpty() == false) {
+            for (SamlInitiateSingleSignOnAttributes.Attribute customAttr : customAttributes.getAttributes()) {
+                Attribute attribute = buildAttribute(customAttr.getKey(), customAttr.getKey(), customAttr.getValues());
+                if (attribute != null) {
+                    attributes.add(attribute);
+                }
+            }
+        }
+
         if (attributes.isEmpty()) {
             return null;
         }

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/rest/action/RestSamlInitiateSingleSignOnAction.java

@@ -20,6 +20,7 @@
 import org.elasticsearch.xpack.idp.action.SamlInitiateSingleSignOnRequest;
 import org.elasticsearch.xpack.idp.action.SamlInitiateSingleSignOnResponse;
 import org.elasticsearch.xpack.idp.saml.support.SamlAuthenticationState;
+import org.elasticsearch.xpack.idp.saml.support.SamlInitiateSingleSignOnAttributes;
 
 import java.io.IOException;
 import java.util.Collections;
@@ -41,6 +42,11 @@ public class RestSamlInitiateSingleSignOnAction extends IdpBaseRestHandler {
             (p, c) -> SamlAuthenticationState.fromXContent(p),
             new ParseField("authn_state")
         );
+        PARSER.declareObject(
+            SamlInitiateSingleSignOnRequest::setAttributes,
+            (p, c) -> SamlInitiateSingleSignOnAttributes.fromXContent(p),
+            new ParseField("attributes")
+        );
     }
 
     public RestSamlInitiateSingleSignOnAction(XPackLicenseState licenseState) {