feat(core,console,schemas): add idp-initiated sso session create log (#6743)

add idp-initiated sso session create log
2024-12-16 20:26:19 -05:00 · 2024-10-24 17:56:49 +08:00 · 2024-10-24 17:56:49 +08:00 · f2d280466d
commit f2d280466d
parent 5bb9375055
3 changed files with 14 additions and 1 deletions
--- a/packages/console/src/consts/logs.ts
+++ b/packages/console/src/consts/logs.ts
@ -104,6 +104,8 @@ export const auditLogEventTitle: Record<string, Optional<string>> & {
    'Create and send forgot-password SMS verification code',
  'Interaction.ForgotPassword.Verification.SmsVerificationCode.Submit':
    'Verify forgot-password SMS verification code',
+  'Interaction.SignIn.Verification.IdpInitiatedSso.Create':
+    'Create IdP-initiated SAML SSO authentication session',
 });

 export const logEventTitle: Record<string, Optional<string>> & {
--- a/packages/core/src/routes/authn.ts
+++ b/packages/core/src/routes/authn.ts
@ -18,6 +18,7 @@ import {

 import { idpInitiatedSamlSsoSessionCookieName } from '../constants/index.js';
 import { EnvSet } from '../env-set/index.js';
+import koaAuditLog from '../middleware/koa-audit-log.js';

 import { ssoPath } from './interaction/const.js';
 import type { AnonymousRouter, RouterInitArgs } from './types.js';
@ -183,6 +184,7 @@ export default function authnRoutes<T extends AnonymousRouter>(
      params: z.object({ connectorId: z.string().min(1) }),
      status: [302, 400, 404],
    }),
+    koaAuditLog(queries),
    async (ctx, next) => {
      const {
        params: { connectorId },
@ -237,6 +239,13 @@ export default function authnRoutes<T extends AnonymousRouter>(
        const { autoSendAuthorizationRequest, clientIdpInitiatedAuthCallbackUri } =
          idpInitiatedAuthConfig;

+        const log = ctx.createLog('Interaction.SignIn.Verification.IdpInitiatedSso.Create');
+        log.append({
+          connectorId,
+          ssoSessionId: id,
+          assertionContent,
+        });
+
        // Redirect to the client side callback URI if the autoSendAuthorizationRequest is disabled.
        // Client side will generate and verify the state to prevent CSRF attack.
        if (!autoSendAuthorizationRequest) {
--- a/packages/schemas/src/types/log/interaction.ts
+++ b/packages/schemas/src/types/log/interaction.ts
@ -96,4 +96,6 @@ export type LogKey =
      | Action.Submit
      | Action.Create}`
  | `${Prefix}.${InteractionEvent}.${Field.Verification}.${VerificationType}.${Action}`
-  | `${Prefix}.${InteractionEvent}.${Field.Identifier}.${Action.Submit}`;
+  | `${Prefix}.${InteractionEvent}.${Field.Identifier}.${Action.Submit}`
+  // IdpInitiatedSingleSignOn log, used upon receiving a SAML request from the IdP
+  | `${Prefix}.${InteractionEvent.SignIn}.${Field.Verification}.IdpInitiatedSso.${Action.Create}`;