feat(xo-server-auth-saml): disableRequestedAuthnContext (#4675)

Fixes xoa-support#1940

CHANGELOG.unreleased.md

@@ -8,6 +8,7 @@
 > Users must be able to say: “Nice enhancement, I'm eager to test it”
 
 - [Backup NG] Make report recipients configurable in the backup settings [#4581](https://github.com/vatesfr/xen-orchestra/issues/4581) (PR [#4646](https://github.com/vatesfr/xen-orchestra/pull/4646))
+- [SAML] Setting to disable requested authentication context (helps with _Active Directory_) (PR [#4675](https://github.com/vatesfr/xen-orchestra/pull/4675))
 
 ### Bug fixes
 
@@ -20,6 +21,7 @@
 >
 > Rule of thumb: add packages on top.
 
+- xo-server-auth-saml v0.7.0
 - xo-server-backup-reports v0.16.4
 - @xen-orchestra/fs v0.10.2
 - xo-server v5.53.0

packages/xo-server-auth-saml/src/index.js

@@ -2,6 +2,10 @@ import { Strategy } from 'passport-saml'
 
 // ===================================================================
 
+const DEFAULTS = {
+  disableRequestedAuthnContext: false,
+}
+
 export const configurationSchema = {
   description:
     'Important: When registering your instance to your identity provider, you must configure its callback URL to `https://<xo.company.net>/signin/saml/callback`!',
@@ -30,6 +34,11 @@ You should try \`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddr
       `,
       type: 'string',
     },
+    disableRequestedAuthnContext: {
+      title: "Don't request an authentication context",
+      description: 'This is known to help when using Active Directory',
+      default: DEFAULTS.disableRequestedAuthnContext,
+    },
   },
   required: ['cert', 'entryPoint', 'issuer', 'usernameField'],
 }
@@ -46,6 +55,7 @@ class AuthSamlXoPlugin {
   configure({ usernameField, ...conf }) {
     this._usernameField = usernameField
     this._conf = {
+      ...DEFAULTS,
       ...conf,
 
       // must match the callback URL