tests/e2e: add post binding test

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/providers/saml/api.py

@@ -119,9 +119,7 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
                     SAML_BINDING_REDIRECT,
                     SAML_BINDING_POST,
                 ],
-                description=(
+                description=("Optionally force the metadata to only include one binding."),
-                    "Optionally force the metadata to only include one binding."
-                )
             ),
         ],
     )

tests/e2e/test_provider_saml.py

@@ -16,6 +16,7 @@ from authentik.flows.models import Flow
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
+from authentik.sources.saml.processors.constants import SAML_BINDING_POST
 from tests.e2e.utils import SeleniumTestCase, apply_migration, object_manager, retry
 
 
@@ -25,9 +26,18 @@ class TestProviderSAML(SeleniumTestCase):
 
     container: Container
 
-    def setup_client(self, provider: SAMLProvider) -> Container:
+    def setup_client(self, provider: SAMLProvider, force_post: bool = False) -> Container:
         """Setup client saml-sp container which we test SAML against"""
         client: DockerClient = from_env()
+        metadata_url = (
+            self.url(
+                "authentik_api:samlprovider-metadata",
+                pk=provider.pk,
+            )
+            + "?download"
+        )
+        if force_post:
+            metadata_url += f"&force_binding={SAML_BINDING_POST}"
         container = client.containers.run(
             image="beryju.org/saml-test-sp:latest",
             detach=True,
@@ -41,13 +51,7 @@ class TestProviderSAML(SeleniumTestCase):
             environment={
                 "SP_ENTITY_ID": provider.issuer,
                 "SP_SSO_BINDING": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-                "SP_METADATA_URL": (
+                "SP_METADATA_URL": metadata_url,
-                    self.url(
-                        "authentik_api:samlprovider-metadata",
-                        pk=provider.pk,
-                    )
-                    + "?download"
-                ),
             },
         )
         while True:
@@ -197,6 +201,83 @@ class TestProviderSAML(SeleniumTestCase):
             [self.user.email],
         )
 
+    @retry()
+    @apply_migration("authentik_flows", "0008_default_flows")
+    @apply_migration("authentik_flows", "0011_flow_title")
+    @apply_migration("authentik_flows", "0010_provider_flows")
+    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @object_manager
+    def test_sp_initiated_explicit_post(self):
+        """test SAML Provider flow SP-initiated flow (explicit consent) (POST binding)"""
+        # Bootstrap all needed objects
+        authorization_flow = Flow.objects.get(
+            slug="default-provider-authorization-explicit-consent"
+        )
+        provider: SAMLProvider = SAMLProvider.objects.create(
+            name="saml-test",
+            acs_url="http://localhost:9009/saml/acs",
+            audience="authentik-e2e",
+            issuer="authentik-e2e",
+            sp_binding=SAMLBindings.POST,
+            authorization_flow=authorization_flow,
+            signing_kp=create_test_cert(),
+        )
+        provider.property_mappings.set(SAMLPropertyMapping.objects.all())
+        provider.save()
+        app = Application.objects.create(
+            name="SAML",
+            slug="authentik-saml",
+            provider=provider,
+        )
+        self.container = self.setup_client(provider, True)
+        self.driver.get("http://localhost:9009")
+        self.login()
+
+        self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "ak-flow-executor")))
+
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        consent_stage = self.get_shadow_root("ak-stage-consent", flow_executor)
+
+        self.assertIn(
+            app.name,
+            consent_stage.find_element(By.CSS_SELECTOR, "#header-text").text,
+        )
+        consent_stage.find_element(
+            By.CSS_SELECTOR,
+            ("[type=submit]"),
+        ).click()
+
+        self.wait_for_url("http://localhost:9009/")
+
+        body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
+
+        self.assertEqual(
+            body["attr"]["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"],
+            [self.user.name],
+        )
+        self.assertEqual(
+            body["attr"][
+                "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
+            ],
+            [self.user.username],
+        )
+        self.assertEqual(
+            body["attr"]["http://schemas.goauthentik.io/2021/02/saml/username"],
+            [self.user.username],
+        )
+        self.assertEqual(
+            body["attr"]["http://schemas.goauthentik.io/2021/02/saml/uid"],
+            [str(self.user.pk)],
+        )
+        self.assertEqual(
+            body["attr"]["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"],
+            [self.user.email],
+        )
+        self.assertEqual(
+            body["attr"]["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"],
+            [self.user.email],
+        )
+
     @retry()
     @apply_migration("authentik_flows", "0008_default_flows")
     @apply_migration("authentik_flows", "0011_flow_title")