IdP-Initiated Saml Sign In Implementation

FirebaseAuth/Sources/Swift/Auth/Auth.swift

@@ -2341,6 +2341,29 @@
     }
   #endif
 
+  // MARK: IDP Initiated SAML Sign In
+
+  public func signInWithSamlIdp(ProviderId providerId: String,
+                                SpAcsUrl SpAcsUrl: String,
+                                SamlResp samlResp: String) async throws -> AuthDataResult {
+    let samlRespBody = "SAMLResponse=\(samlResp)&providerId=\(providerId)"
+    let request = SignInWithSamlIdpRequest(
+      requestUri: SpAcsUrl,
+      postBody: samlRespBody,
+      returnSecureToken: true,
+      requestConfiguration: requestConfiguration
+    )
+    let response = try await backend.call(with: request)
+    let user = try await completeSignIn(
+      withAccessToken: response.idToken,
+      accessTokenExpirationDate: response.expirationDate,
+      refreshToken: response.refreshToken,
+      anonymous: false
+    )
+    try await updateCurrentUser(user)
+    return AuthDataResult(withUser: user, additionalUserInfo: nil)
+  }
+
   // MARK: Internal properties
 
   /// Allow tests to swap in an alternate mainBundle, including ObjC unit tests via CocoaPods.

FirebaseAuth/Sources/Swift/Backend/RPC/SignInWithSamlIdpRequest.swift

@@ -0,0 +1,55 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import Foundation
+
+final class SignInWithSamlIdpRequest: AuthRPCRequest {
+  typealias Response = SignInWithSamlIdpResponse
+  private let config: AuthRequestConfiguration
+  private let requestUri: String
+  private let postBody: String
+  private let returnSecureToken: Bool
+
+  init(requestUri: String,
+       postBody: String,
+       returnSecureToken: Bool,
+       requestConfiguration: AuthRequestConfiguration) {
+    self.requestUri = requestUri
+    self.postBody = postBody
+    self.returnSecureToken = returnSecureToken
+    config = requestConfiguration
+  }
+
+  func requestConfiguration() -> AuthRequestConfiguration {
+    return config
+  }
+
+  func requestURL() -> URL {
+    var comps = URLComponents()
+    comps.scheme = "https"
+    comps.host = "identitytoolkit.googleapis.com"
+    comps.path = "/v1/accounts:signInWithIdp"
+    comps.queryItems = [URLQueryItem(name: "key", value: config.apiKey)]
+    return comps.url!
+  }
+
+  var unencodedHTTPRequestBody: [String: AnyHashable]? {
+    var body: [String: AnyHashable] = [
+      "requestUri": requestUri,
+      "postBody": postBody,
+      "returnSecureToken": returnSecureToken,
+    ]
+    return body
+  }
+}

FirebaseAuth/Sources/Swift/Backend/RPC/SignInWithSamlIdpResponse.swift

@@ -0,0 +1,46 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import Foundation
+
+struct SignInWithSamlIdpResponse: AuthRPCResponse {
+  /// The user raw access token.
+  let idToken: String
+  /// Refresh token for the authenticated user.
+  let refreshToken: String
+  /// The provider Identifier
+  let providerId: String
+  /// The email id of user
+  let email: String
+  /// The calculated date and time when the token expires.
+  let expirationDate: Date
+
+  init(dictionary: [String: AnyHashable]) throws {
+    guard
+      let email = dictionary["email"] as? String,
+      let expiration = dictionary["expiresIn"] as? String,
+      let idToken = dictionary["idToken"] as? String,
+      let providerId = dictionary["providerId"] as? String,
+      let refreshToken = dictionary["refreshToken"] as? String
+    else {
+      throw AuthErrorUtils.unexpectedResponse(deserializedResponse: dictionary)
+    }
+    self.idToken = idToken
+    self.refreshToken = refreshToken
+    self.providerId = providerId
+    self.email = email
+    let expiresInSec = TimeInterval(expiration)
+    expirationDate = Date().addingTimeInterval(expiresInSec ?? 3600)
+  }
+}

FirebaseAuth/Tests/Unit/AuthTests.swift

@@ -87,7 +87,7 @@
       return try self.rpcIssuer.respond(withJSON: ["signinMethods": allSignInMethods])
     }
 
     auth?.fetchSignInMethods(forEmail: kEmail) { signInMethods, error in
       // 4. After the response triggers the callback, verify the returned signInMethods.
       XCTAssertTrue(Thread.isMainThread)
       XCTAssertEqual(signInMethods, allSignInMethods)
@@ -108,7 +108,7 @@
       let message = "TOO_MANY_ATTEMPTS_TRY_LATER"
       return try self.rpcIssuer.respond(serverErrorMessage: message)
     }
     auth?.fetchSignInMethods(forEmail: kEmail) { signInMethods, error in
       XCTAssertTrue(Thread.isMainThread)
       XCTAssertNil(signInMethods)
       let rpcError = (error as? NSError)!
@@ -2231,7 +2231,7 @@
     let expectation2 = self.expectation(description: "dispatchAfterExpectation")
     kAuthGlobalWorkQueue.async {
       RPCBaseTests.waitSleep()
       XCTAssertNotNil(self.authDispatcherCallback)
       self.authDispatcherCallback?()
       expectation2.fulfill()
     }
@@ -2243,7 +2243,7 @@
 
     // Verify that current user's access token is the "new" access token provided in the mock secure
     // token response during automatic token refresh.
     XCTAssertEqual(AuthTests.kNewAccessToken, auth.currentUser?.rawAccessToken())
   }
 
   #if os(iOS)
@@ -2287,6 +2287,152 @@
     }
   #endif
 
+  // MARK: SAML IdP sign-in
+
+  #if os(iOS)
+
+    static let kSamlProviderId = "saml.idp"
+    static let kSamlAcsUrl = "https://example.com/saml-acs-url"
+    static let kSamlResponse = "BASE64_SAML_ASSERTION"
+    static let kBadSamlResponse = "MALFORMED_OR_TAMPERED_SAML"
+
+    func testSignInWithSamlIdpSuccess() throws {
+      let expectation = self.expectation(description: #function)
+      setFakeGetAccountProvider()
+      setFakeSecureTokenService()
+      rpcIssuer.respondBlock = {
+        let req = try XCTUnwrap(self.rpcIssuer.request as? SignInWithSamlIdpRequest)
+        XCTAssertEqual(req.requestConfiguration().apiKey, AuthTests.kFakeAPIKey)
+        XCTAssertEqual(
+          req.unencodedHTTPRequestBody?["requestUri"] as? String,
+          AuthTests.kSamlAcsUrl
+        )
+        XCTAssertTrue(
+          (req.unencodedHTTPRequestBody?["postBody"] as? String)?.contains(
+            AuthTests.kSamlProviderId
+          ) ?? false
+        )
+        XCTAssertTrue(req.unencodedHTTPRequestBody?["returnSecureToken"] as? Bool ?? false)
+        return try self.rpcIssuer.respond(withJSON: [
+          "idToken": RPCBaseTests.kFakeAccessToken,
+          "refreshToken": self.kRefreshToken,
+          "email": self.kEmail,
+          "providerId": AuthTests.kSamlProviderId,
+          "expiresIn": "3600",
+        ])
+      }
+      try auth.signOut()
+      Task {
+        do {
+          let result = try await self.auth.signInWithSamlIdp(
+            ProviderId: AuthTests.kSamlProviderId,
+            SpAcsUrl: AuthTests.kSamlAcsUrl,
+            SamlResp: AuthTests.kSamlResponse
+          )
+          XCTAssertEqual(result.user.email, self.kEmail)
+          XCTAssertEqual(result.user.refreshToken, self.kRefreshToken)
+          XCTAssertFalse(result.user.isAnonymous)
+          expectation.fulfill()
+        } catch {
+          XCTFail("Unexpected error: \(error)")
+        }
+      }
+      waitForExpectations(timeout: 5)
+    }
+
+    func testSignInWithSamlIdpWithIncorrectUrl() throws {
+      let expectation = self.expectation(description: #function)
+      let kBadSamlAcsUrl = "https://example.com/saml-acs-incorrect-url"
+      rpcIssuer.respondBlock = {
+        let req = try XCTUnwrap(self.rpcIssuer.request as? SignInWithSamlIdpRequest)
+        XCTAssertEqual(req.requestConfiguration().apiKey, AuthTests.kFakeAPIKey)
+        let body = try XCTUnwrap(req.unencodedHTTPRequestBody)
+        XCTAssertEqual(body["requestUri"] as? String, kBadSamlAcsUrl)
+        return try self.rpcIssuer.respond(serverErrorMessage: "OPERATION_NOT_ALLOWED")
+      }
+      try auth.signOut()
+      Task {
+        do {
+          _ = try await self.auth.signInWithSamlIdp(
+            ProviderId: AuthTests.kSamlProviderId,
+            SpAcsUrl: kBadSamlAcsUrl,
+            SamlResp: AuthTests.kSamlResponse
+          )
+          XCTFail("Expected OPERATION_NOT_ALLOWED")
+        } catch {
+          let ns = error as NSError
+          XCTAssertEqual(ns.code, AuthErrorCode.operationNotAllowed.rawValue)
+          expectation.fulfill()
+        }
+      }
+      waitForExpectations(timeout: 5)
+      XCTAssertNil(auth.currentUser)
+    }
+
+    func testSignInWithSamlIdpWithWrongProviderId() throws {
+      let expectation = self.expectation(description: #function)
+      let badProvider = "saml.non-existent-idp"
+      rpcIssuer.respondBlock = {
+        let req = try XCTUnwrap(self.rpcIssuer.request as? SignInWithSamlIdpRequest)
+        XCTAssertEqual(req.requestConfiguration().apiKey, AuthTests.kFakeAPIKey)
+        let body = try XCTUnwrap(req.unencodedHTTPRequestBody)
+        let postBody = try XCTUnwrap(body["postBody"] as? String)
+        XCTAssertTrue(postBody.contains("providerId=\(badProvider)"))
+        return try self.rpcIssuer.respond(serverErrorMessage: "OPERATION_NOT_ALLOWED")
+      }
+      try auth.signOut()
+      Task {
+        do {
+          _ = try await self.auth.signInWithSamlIdp(
+            ProviderId: badProvider, // wrong providerId
+            SpAcsUrl: AuthTests.kSamlAcsUrl,
+            SamlResp: AuthTests.kSamlResponse
+          )
+          XCTFail("Expected OPERATION_NOT_ALLOWED")
+        } catch {
+          let ns = error as NSError
+          XCTAssertEqual(ns.code, AuthErrorCode.operationNotAllowed.rawValue)
+          expectation.fulfill()
+        }
+      }
+      waitForExpectations(timeout: 5)
+      XCTAssertNil(auth.currentUser)
+    }
+
+    func testSignInWithSamlIdp_InvalidPostBody_InternalError() throws {
+      let expectation = self.expectation(description: #function)
+      rpcIssuer.respondBlock = {
+        let req = try XCTUnwrap(self.rpcIssuer.request as? SignInWithSamlIdpRequest)
+        XCTAssertEqual(req.requestConfiguration().apiKey, AuthTests.kFakeAPIKey)
+        let body = try XCTUnwrap(req.unencodedHTTPRequestBody)
+        XCTAssertEqual(body["requestUri"] as? String, AuthTests.kSamlAcsUrl)
+        let postBody = try XCTUnwrap(body["postBody"] as? String)
+        XCTAssertTrue(postBody.contains("SAMLResponse=\(AuthTests.kBadSamlResponse)"))
+        XCTAssertTrue(postBody.contains("providerId=\(AuthTests.kSamlProviderId)"))
+        XCTAssertTrue(body["returnSecureToken"] as? Bool ?? false)
+        return try self.rpcIssuer
+          .respond(underlyingErrorMessage: "INVALID_CREDENTIAL_OR_PROVIDER_ID")
+      }
+      try auth.signOut()
+      Task {
+        do {
+          _ = try await self.auth.signInWithSamlIdp(
+            ProviderId: AuthTests.kSamlProviderId,
+            SpAcsUrl: AuthTests.kSamlAcsUrl,
+            SamlResp: AuthTests.kBadSamlResponse
+          )
+          XCTFail("Expected internalError but got success")
+        } catch {
+          let ns = error as NSError
+          XCTAssertEqual(ns.code, AuthErrorCode.internalError.rawValue)
+          expectation.fulfill()
+        }
+      }
+      waitForExpectations(timeout: 5)
+      XCTAssertNil(auth.currentUser)
+    }
+  #endif
+
   // MARK: Application Delegate tests.
 
   #if os(iOS)