Commit e2250746 authored by Kush Sinha, committed by Commit Bot

crOS Account Manager: Ignore 3P SAML IdP redirect policy

Gaia, by default, applies the Chrome OS Login Screen's third party SAML
IdP's SSO redirection policies to Chrome OS Account Manager's in-session
sign-in flows.

The policy has the effect of blocking sign-ins on the login screen for
some managed users. Note, however, that the policy does not apply to
Chrome content area sign-ins in Chrome OS.

After Chrome OS Account Manager's unified sign-in flow is rolled out,
there is no way to sign in from the Chrome content area.

This has the effect of making certain managed accounts totally unusable
on Chrome OS: they cannot log in out-of-session from the login screen and
they cannot log in from within the session, from Chrome OS Account
Manager.

Fix this by sending a signal to Gaia that IdP redirection policies
should be ignored, and let Chrome OS Account Manager's sign-in flow be
treated like Chrome content area as far as this policy is concerned.

Please check the attached bugs for more context.

Bug: 984525, b/137886522
Change-Id: If0758a056e9e49da8a54502bd3b9742db640d666
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1715804
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Commit-Queue: Kush Sinha <sinhak@chromium.org>
Cr-Commit-Position: refs/heads/master@{#680147}
parent b7be8f9f
......@@ -87,6 +87,9 @@ cr.define('cr.login', function() {
'obfuscatedOwnerId', // Obfuscated device owner ID, if needed.
'extractSamlPasswordAttributes', // If enabled attempts to extract password
// attributes from the SAML response.
'ignoreCrOSIdpSetting', // If set to true, causes Gaia to ignore 3P
// SAML IdP SSO redirection policies (and
// redirect to SAML IdPs by default).
// The email fields allow for the following possibilities:
//
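Review bot: The doc comment for 'ignoreCrOSIdpSetting' describes what Gaia does with the flag but not who is allowed to set it; since the whole point of the change is that the login screen must keep honouring the IdP redirection policy while only in-session Account Manager flows bypass it, the comment should say that this parameter is intended for in-session (Account Manager) flows only and must not be set by the login-screen flow. It would also help to state the expected type here ("boolean; only `true` has an effect"), because a string value such as 'true' is not honoured by the strict check that consumes it.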
......@@ -572,6 +575,9 @@ cr.define('cr.login', function() {
// argument to show an email domain.
url = appendParam(url, 'hd', data.emailDomain);
}
if (data.ignoreCrOSIdpSetting === true) {
url = appendParam(url, 'ignoreCrOSIdpSetting', 'true');
}
return url;
}
......
......@@ -124,6 +124,12 @@ void InlineLoginHandlerChromeOS::SetExtraInitParams(
params.SetKey("constrained", base::Value("1"));
params.SetKey("flow", base::Value("crosAddAccount"));
params.SetBoolean("dontResizeNonEmbeddedPages", true);
// For in-session login flows, request Gaia to ignore third party SAML IdP SSO
// redirection policies (and redirect to SAML IdPs by default), otherwise some
// managed users will not be able to login to Chrome OS at all. Please check
// https://crbug.com/984525 and https://crbug.com/984525#c20 for more context.
params.SetBoolean("ignoreCrOSIdpSetting", true);
}
void InlineLoginHandlerChromeOS::CompleteLogin(const std::string& email,
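Review bot: `params.SetBoolean("ignoreCrOSIdpSetting", true)` is set unconditionally in SetExtraInitParams, so every flow routed through InlineLoginHandlerChromeOS bypasses the third-party IdP redirection policy; the justification in the comment only holds for in-session flows, so please confirm in the comment (or with a DCHECK on the "flow" value, which is already set to "crosAddAccount" two lines above) that this handler is never reached from the login screen. Minor: both links in the comment point at the same bug (https://crbug.com/984525 and its #c20 anchor); one link to the comment is enough, or cite the second bug from the commit message if that was the intent.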
......