Added new filter to check for isForceAuthn

mujina-idp/src/main/java/mujina/idp/ForceAuthnFilter.java

@@ -0,0 +1,46 @@
+package mujina.idp;
+
+import org.opensaml.common.binding.SAMLMessageContext;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.ws.message.decoder.MessageDecodingException;
+import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.validation.ValidationException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.GenericFilterBean;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class ForceAuthnFilter extends OncePerRequestFilter {
+
+  private SAMLMessageHandler samlMessageHandler;
+
+  public ForceAuthnFilter(SAMLMessageHandler samlMessageHandler) {
+    this.samlMessageHandler = samlMessageHandler;
+  }
+
+  @Override
+  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
+    String servletPath = request.getServletPath();
+    if (servletPath == null || !servletPath.endsWith("SingleSignOnService") || request.getMethod().equalsIgnoreCase("GET")) {
+      chain.doFilter(request, response);
+      return;
+    }
+    SAMLMessageContext messageContext;
+    try {
+      messageContext = samlMessageHandler.extractSAMLMessageContext(request, response, request.getMethod().equalsIgnoreCase("POST"));
+    } catch (Exception e) {
+      throw new IllegalArgumentException(e);
+    }
+    AuthnRequest authnRequest = (AuthnRequest) messageContext.getInboundSAMLMessage();
+    if (authnRequest.isForceAuthn()) {
+      SecurityContextHolder.getContext().setAuthentication(null);
+    }
+    chain.doFilter(request, response);
+  }
+}

mujina-sp/src/main/java/mujina/sp/ConfigurableSAMLEntryPoint.java

@@ -0,0 +1,26 @@
+package mujina.sp;
+
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.ws.transport.InTransport;
+import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.saml.SAMLEntryPoint;
+import org.springframework.security.saml.context.SAMLMessageContext;
+import org.springframework.security.saml.websso.WebSSOProfileOptions;
+
+public class ConfigurableSAMLEntryPoint extends SAMLEntryPoint {
+
+  @Override
+  protected WebSSOProfileOptions getProfileOptions(SAMLMessageContext context, AuthenticationException exception) throws MetadataProviderException {
+    WebSSOProfileOptions profileOptions = super.getProfileOptions(context, exception);
+    InTransport inboundMessageTransport = context.getInboundMessageTransport();
+    if (inboundMessageTransport instanceof HttpServletRequestAdapter) {
+      HttpServletRequestAdapter messageTransport = (HttpServletRequestAdapter) inboundMessageTransport;
+      String forceAuthn = messageTransport.getParameterValue("force-authn");
+      if (forceAuthn != null && "true".equals(forceAuthn)) {
+        profileOptions.setForceAuthN(true);
+      }
+    }
+    return profileOptions;
+  }
+}

mujina-sp/src/main/resources/public/sp.js

@@ -0,0 +1,7 @@
+document.addEventListener("DOMContentLoaded", function () {
+    document.getElementById("force-authn").addEventListener("change", function (e) {
+        var link = document.getElementById("user-link");
+        var checked = e.target.checked;
+        link.href = link.href.replace(checked ? "false" : "true", checked ? "true" : "false");
+    });
+});