GUACAMOLE-1780: Merge changes adding MFA compatibility to SSO support.

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/AuthenticationProviderService.java

@@ -69,6 +69,27 @@ public class AuthenticationProviderService implements SSOAuthenticationProviderS
     @Inject
     private SAMLService saml;
 
+    /**
+     * Return the value of the session identifier associated with the given
+     * credentials, or null if no session identifier is found in the
+     * credentials.
+     *
+     * @param credentials
+     *     The credentials from which to extract the session identifier.
+     *
+     * @return
+     *     The session identifier associated with the given credentials, or
+     *     null if no identifier is found.
+     */
+    public static String getSessionIdentifier(Credentials credentials) {
+
+        // Return the session identifier from the request params, if set, or
+        // null otherwise
+        return credentials != null && credentials.getRequest() != null
+                ? credentials.getRequest().getParameter(AUTH_SESSION_QUERY_PARAM)
+                : null;
+    }
+
     @Override
     public SAMLAuthenticatedUser authenticateUser(Credentials credentials)
             throws GuacamoleException {
@@ -80,7 +101,9 @@ public class AuthenticationProviderService implements SSOAuthenticationProviderS
             return null;
 
         // Use established SAML identity if already provided by the SAML IdP
-        AssertedIdentity identity = sessionManager.getIdentity(request.getParameter(AUTH_SESSION_QUERY_PARAM));
+        AssertedIdentity identity = sessionManager.getIdentity(
+                getSessionIdentifier(credentials));
+
         if (identity != null) {
 
             // Back-port the username to the credentials

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/SAMLAuthenticationEventListener.java

@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.saml;
+
+import org.apache.guacamole.auth.saml.acs.SAMLAuthenticationSessionManager;
+import org.apache.guacamole.auth.sso.SSOAuthenticationEventListener;
+import org.apache.guacamole.net.auth.Credentials;
+
+import com.google.inject.Inject;
+
+/**
+ * A Listener that will reactivate or invalidate SAML auth sessions depending on
+ * overall auth success or failure.
+ */
+public class SAMLAuthenticationEventListener extends SSOAuthenticationEventListener {
+
+    /**
+     * Session manager for generating and maintaining unique tokens to
+     * represent the authentication flow of a user who has only partially
+     * authenticated.
+     *
+     * Requires static injection due to the fact that the webapp just calls the
+     * constructor directly when creating new Listeners. The instances will not
+     * be constructed by guice.
+     *
+     * Note that is possible to instead inject an AuthenticationSessionManager
+     * instance directly into the base class, but this results in different
+     * instances of the session manager injected here and in the rest of the
+     * extension, regardless of singleton configuration for the service.
+     */
+    @Inject
+    protected static SAMLAuthenticationSessionManager sessionManager;
+
+    @Override
+    protected String getSessionIdentifier(Credentials credentials) {
+        return AuthenticationProviderService.getSessionIdentifier(credentials);
+    }
+
+    @Override
+    protected void reactivateSession(String sessionIdentifier) {
+        sessionManager.reactivateSession(sessionIdentifier);
+    }
+
+    @Override
+    protected void invalidateSession(String sessionIdentifier) {
+        sessionManager.invalidateSession(sessionIdentifier);
+    }
+
+}

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/SAMLAuthenticationProviderModule.java

@@ -36,6 +36,8 @@ public class SAMLAuthenticationProviderModule extends AbstractModule {
         bind(ConfigurationService.class);
         bind(SAMLAuthenticationSessionManager.class);
         bind(SAMLService.class);
+        
+        requestStaticInjection(SAMLAuthenticationEventListener.class);
     }
 
 }

extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/resources/guac-manifest.json

@@ -9,6 +9,10 @@
         "org.apache.guacamole.auth.saml.SAMLAuthenticationProvider"
     ],
 
+    "listeners" : [
+        "org.apache.guacamole.auth.saml.SAMLAuthenticationEventListener"
+    ],
+
     "css" : [
         "styles/sso-providers.css"
     ],