Detect SAML public session endpoint specified in command line switch and login.

The switch for the endpoint is --public-accounts-saml-acl-url.

Bug: 984021
Change-Id: I9a7250d0c49e63b2ff08d0f5254e012ebf763b89
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1760730Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org>
Reviewed-by: Ivan Šandrk <isandrk@chromium.org>
Reviewed-by: Denis Kuznetsov <antrim@chromium.org>
Reviewed-by: Alexey Baskakov <loyso@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Commit-Queue: Kamila Śledź <kamilasledz@google.com>
Cr-Commit-Position: refs/heads/master@{#690406}

chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.cc

@@ -832,7 +832,8 @@ std::string DeviceLocalAccountManagementPolicyProvider::
 bool DeviceLocalAccountManagementPolicyProvider::UserMayLoad(
     const extensions::Extension* extension,
     base::string16* error) const {
-  if (account_type_ == policy::DeviceLocalAccount::TYPE_PUBLIC_SESSION) {
+  if (account_type_ == policy::DeviceLocalAccount::TYPE_PUBLIC_SESSION ||
+      account_type_ == policy::DeviceLocalAccount::TYPE_SAML_PUBLIC_SESSION) {
     // Allow extension if it is a component of Chrome.
     if (extension->location() == extensions::Manifest::EXTERNAL_COMPONENT ||
         extension->location() == extensions::Manifest::COMPONENT) {

chrome/browser/resources/chromeos/login/screen_gaia_signin.js

@@ -1222,6 +1222,9 @@ Polymer({
       chrome.send(
           'completeAdAuthentication',
           [credentials.username, credentials.password]);
+    } else if (credentials.publicSAML) {
+      this.email_ = credentials.email;
+      chrome.send('launchSAMLPublicSession', [credentials.email]);
     } else if (credentials.useOffline) {
       this.email_ = credentials.email;
       chrome.send(

chrome/browser/resources/gaia_auth_host/authenticator.js

@@ -112,6 +112,9 @@ cr.define('cr.login', function() {
     // If the authentication is done via external IdP, 'startsOnSamlPage'
     // indicates whether the flow should start on the IdP page.
     'startsOnSamlPage',
+    // SAML assertion consumer URL, used to detect when Gaia-less SAML flows end
+    // (e.g. for SAML managed guest sessions).
+    'samlAclUrl',
   ];
 
 
@@ -258,6 +261,7 @@ cr.define('cr.login', function() {
        * @private
        */
       this.isSamlUserPasswordless_ = null;
+      this.samlAclUrl_ = null;
 
       window.addEventListener(
           'message', this.onMessageFromWebview_.bind(this), false);
@@ -458,6 +462,12 @@ cr.define('cr.login', function() {
 
       this.initialFrameUrl_ = this.constructInitialFrameUrl_(data);
       this.reloadUrl_ = data.frameUrl || this.initialFrameUrl_;
+      this.samlAclUrl_ = data.samlAclUrl;
+      // The email field is repurposed as public session email in SAML guest
+      // mode, ie when frameUrl is not empty.
+      if (data.samlAclUrl) {
+        this.email_ = data.email;
+      }
 
       if (data.startsOnSamlPage) {
         this.samlHandler_.startsOnSamlPage = true;
@@ -968,6 +978,7 @@ cr.define('cr.login', function() {
               gaiaId: this.gaiaId_ || '',
               password: this.password_ || '',
               usingSAML: this.authFlow == AuthFlow.SAML,
+              publicSAML: this.samlAclUrl_ || false,
               chooseWhatToSync: this.chooseWhatToSync_,
               skipForNow: this.skipForNow_,
               sessionIndex: this.sessionIndex_ || '',
@@ -1093,6 +1104,9 @@ cr.define('cr.login', function() {
         this.webview_.focus();
       } else if (currentUrl == BLANK_PAGE_URL) {
         this.fireReadyEvent_();
+      } else if (currentUrl == this.samlAclUrl_) {
+        this.skipForNow_ = true;
+        this.onAuthCompleted_();
       }
     }
 

chrome/browser/resources/gaia_auth_host/saml_handler.js

@@ -150,7 +150,7 @@ cr.define('cr.login', function() {
       this.apiPasswordBytes_ = null;
 
       /**
-       * Whether to abort the authentication flow and show an error messagen
+       * Whether to abort the authentication flow and show an error message
        * when content served over an unencrypted connection is detected.
        * @type {boolean}
        */

chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc

@@ -451,15 +451,21 @@ void GaiaScreenHandler::LoadGaiaWithPartitionAndVersionAndConsent(
     const user_manager::User* const user =
         user_manager::UserManager::Get()->FindUser(account_id);
     if (user && user->using_saml() &&
-        user->GetType() == user_manager::USER_TYPE_PUBLIC_ACCOUNT) {
-      if (base::CommandLine::ForCurrentProcess()->HasSwitch(
+        user->GetType() == user_manager::USER_TYPE_PUBLIC_ACCOUNT &&
+        base::CommandLine::ForCurrentProcess()->HasSwitch(
             switches::kPublicAccountsSamlUrl)) {
       std::string saml_url =
           base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
               switches::kPublicAccountsSamlUrl);
       params.SetBoolean("startsOnSamlPage", true);
       params.SetString("frameUrl", saml_url);
-      }
+      params.SetString("email", account_id.GetUserEmail());
+      CHECK(base::CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kPublicAccountsSamlAclUrl));
+      std::string saml_acl_url =
+          base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+              switches::kPublicAccountsSamlAclUrl);
+      params.SetString("samlAclUrl", saml_acl_url);
     }
   }
 

chrome/browser/ui/webui/chromeos/login/signin_screen_handler.cc

@@ -440,6 +440,8 @@ void SigninScreenHandler::RegisterMessages() {
   AddCallback("launchIncognito", &SigninScreenHandler::HandleLaunchIncognito);
   AddCallback("launchPublicSession",
               &SigninScreenHandler::HandleLaunchPublicSession);
+  AddCallback("launchSAMLPublicSession",
+              &SigninScreenHandler::HandleLaunchSAMLPublicSession);
   AddRawCallback("offlineLogin", &SigninScreenHandler::HandleOfflineLogin);
   AddCallback("rebootSystem", &SigninScreenHandler::HandleRebootSystem);
   AddCallback("removeUser", &SigninScreenHandler::HandleRemoveUser);
@@ -1111,6 +1113,14 @@ void SigninScreenHandler::HandleLaunchIncognito() {
     delegate_->Login(context, SigninSpecifics());
 }
 
+void SigninScreenHandler::HandleLaunchSAMLPublicSession(
+    const std::string& email) {
+  const AccountId account_id = user_manager::known_user::GetAccountId(
+      email, std::string() /* id */, AccountType::UNKNOWN);
+  SigninScreenHandler::HandleLaunchPublicSession(account_id, std::string(),
+                                                 std::string());
+}
+
 void SigninScreenHandler::HandleLaunchPublicSession(
     const AccountId& account_id,
     const std::string& locale,

chrome/browser/ui/webui/chromeos/login/signin_screen_handler.h

@@ -327,6 +327,7 @@ class SigninScreenHandler
                                            const std::string& password);
   void HandleAttemptUnlock(const std::string& username);
   void HandleLaunchIncognito();
+  void HandleLaunchSAMLPublicSession(const std::string& email);
   void HandleLaunchPublicSession(const AccountId& account_id,
                                  const std::string& locale,
                                  const std::string& input_method);

chromeos/constants/chromeos_switches.cc

@@ -426,8 +426,13 @@ const char kOobeSkipToLogin[] = "oobe-skip-to-login";
 // Interval at which we check for total time on OOBE.
 const char kOobeTimerInterval[] = "oobe-timer-interval";
 
-// Url addrress of SAML provider for a SAML public session.
-// TODO: Remove when https://crbug.com/984021 is fixed.
+// SAML assertion consumer URL, used to detect when Gaia-less SAML flows end
+// (e.g. for SAML managed guest sessions)
+// TODO(984021): Remove when URL is sent by DMServer.
+const char kPublicAccountsSamlAclUrl[] = "public-accounts-saml-acl-url";
+
+// Url address of SAML provider for a SAML public session.
+// TODO(984021): Remove when URL is sent by DMServer.
 const char kPublicAccountsSamlUrl[] = "public-accounts-saml-url";
 
 // If set to "true", the profile requires policy during restart (policy load
@@ -440,8 +445,8 @@ const char kRedirectLibassistantLogging[] = "redirect-libassistant-logging";
 // The rlz ping delay (in seconds) that overwrites the default value.
 const char kRlzPingDelay[] = "rlz-ping-delay";
 
-// Password change url for SAML users. Remove when https://crbug.com/941489 is
-// fixed.
+// Password change url for SAML users.
+// TODO(941489): Remove when the bug is fixed.
 const char kSamlPasswordChangeUrl[] = "saml-password-change-url";
 
 // Smaller, denser shelf in clamshell mode.

chromeos/constants/chromeos_switches.h

@@ -170,6 +170,8 @@ COMPONENT_EXPORT(CHROMEOS_CONSTANTS) extern const char kOobeGuestSession[];
 COMPONENT_EXPORT(CHROMEOS_CONSTANTS) extern const char kOobeSkipPostLogin[];
 COMPONENT_EXPORT(CHROMEOS_CONSTANTS) extern const char kOobeSkipToLogin[];
 COMPONENT_EXPORT(CHROMEOS_CONSTANTS) extern const char kOobeTimerInterval[];
+COMPONENT_EXPORT(CHROMEOS_CONSTANTS)
+extern const char kPublicAccountsSamlAclUrl[];
 COMPONENT_EXPORT(CHROMEOS_CONSTANTS) extern const char kPublicAccountsSamlUrl[];
 COMPONENT_EXPORT(CHROMEOS_CONSTANTS)
 extern const char kDisableArcCpuRestriction[];