Restrict sub organization apps with SAML2 inbound protocol

components/org.wso2.carbon.identity.sso.saml/pom.xml

@@ -161,6 +161,10 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.organization.management.core</groupId>
+            <artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
+        </dependency>
 
         <!--SAML Common Util dependency-->
         <dependency>
@@ -328,11 +332,6 @@
             <artifactId>org.wso2.carbon.identity.testutil</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.wso2.carbon.identity.organization.management.core</groupId>
-            <artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 
     <build>
@@ -368,6 +367,8 @@
                             org.wso2.carbon.idp.mgt; version="${carbon.identity.framework.imp.pkg.version.range}",
                             org.wso2.carbon.identity.application.common;
                             version="${carbon.identity.framework.imp.pkg.version.range}",
+                            org.wso2.carbon.identity.organization.management.service.util;
+                            version="${org.wso2.carbon.identity.organization.management.core.version.range}",
                             org.wso2.carbon.identity.application.mgt.listener;
                             version="${carbon.identity.framework.imp.pkg.version.range}",
                             org.apache.xerces.impl; resolution:= optional,

components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAML2InboundAuthConfigHandler.java

@@ -19,6 +19,7 @@
 package org.wso2.carbon.identity.sso.saml;
 
 import org.apache.commons.lang.StringUtils;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementClientException;
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
@@ -30,7 +31,10 @@
 import org.wso2.carbon.identity.application.mgt.inbound.dto.InboundProtocolsDTO;
 import org.wso2.carbon.identity.application.mgt.inbound.protocol.ApplicationInboundAuthConfigHandler;
 import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.base.IdentityRuntimeException;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
 import org.wso2.carbon.identity.sso.saml.dto.SAML2ProtocolConfigDTO;
 import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOServiceProviderDTO;
 import org.wso2.carbon.identity.sso.saml.exception.IdentitySAML2ClientException;
@@ -60,7 +64,15 @@ public class SAML2InboundAuthConfigHandler implements ApplicationInboundAuthConf
      */
     @Override
     public boolean canHandle(InboundProtocolsDTO inboundProtocolsDTO) {
-
+
+        try {
+            String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
+            if (OrganizationManagementUtil.isOrganization(tenantDomain)) {
+                return false;
+            }
+        } catch (OrganizationManagementException e) {
+            throw new IdentityRuntimeException("Error while checking the tenant domain.", e);
+        }
         return inboundProtocolsDTO.getInboundProtocolConfigurationMap().containsKey(SAML2);
     }
 

components/org.wso2.carbon.identity.sso.saml/src/test/java/org/wso2/carbon/identity/sso/saml/SAML2InboundAuthConfigHandlerTest.java

@@ -31,14 +31,18 @@
 import org.powermock.modules.testng.PowerMockTestCase;
 import org.testng.Assert;
 import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.DataProvider;
 import org.testng.annotations.Test;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
 import org.wso2.carbon.identity.application.common.model.InboundAuthenticationConfig;
 import org.wso2.carbon.identity.application.common.model.InboundAuthenticationRequestConfig;
 import org.wso2.carbon.identity.application.common.model.ServiceProvider;
 import org.wso2.carbon.identity.application.mgt.inbound.dto.InboundProtocolsDTO;
+import org.wso2.carbon.identity.base.IdentityRuntimeException;
 import org.wso2.carbon.identity.core.internal.IdentityCoreServiceComponent;
+import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
+import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
 import org.wso2.carbon.identity.sso.saml.dto.SAML2ProtocolConfigDTO;
 import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOServiceProviderDTO;
 import org.wso2.carbon.identity.sso.saml.internal.IdentitySAMLSSOServiceComponentHolder;
@@ -49,14 +53,18 @@
 import java.util.Map;
 
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.powermock.api.mockito.PowerMockito.mock;
 import static org.powermock.api.mockito.PowerMockito.mockStatic;
 import static org.powermock.api.mockito.PowerMockito.when;
 
-@PrepareForTest({IdentitySAMLSSOServiceComponentHolder.class, PrivilegedCarbonContext.class})
+@PrepareForTest({
+        IdentitySAMLSSOServiceComponentHolder.class,
+        PrivilegedCarbonContext.class,
+        OrganizationManagementUtil.class})
 public class SAML2InboundAuthConfigHandlerTest extends PowerMockTestCase {
 
     @Mock
@@ -76,6 +84,7 @@ public class SAML2InboundAuthConfigHandlerTest extends PowerMockTestCase {
     private static final String APPLICATION_NAME = "dummyApplication";
     private static final String APPLICATION_RESOURCE_ID = "dummyResourceId";
     private static final String META_DATA_URL = "https://localhost:9443/identity/metadata/saml2";
+    private static final String TENANT_DOMAIN = "tenantDomain";
 
     @BeforeMethod
     public void setUp() throws Exception {
@@ -87,6 +96,43 @@ public void setUp() throws Exception {
 
         initConfigsAndRealm();
     }
+
+    @DataProvider(name = "organizationDataProvider")
+    public Object[][] organizationDataProvider() {
+
+        return new Object[][]{
+                {true, false},
+                {false, true}
+        };
+    }
+
+    @Test(dataProvider = "organizationDataProvider")
+    public void testCanHandle(boolean isOrganization, boolean expected) throws Exception{
+
+        mockPrivilegeCarbonContext();
+        mockStatic(OrganizationManagementUtil.class);
+        when(OrganizationManagementUtil.isOrganization(anyString())).thenReturn(isOrganization);
+
+        InboundProtocolsDTO inboundProtocolsDTO = new InboundProtocolsDTO();
+        SAML2ProtocolConfigDTO saml2ProtocolConfigDTO = new SAML2ProtocolConfigDTO();
+        inboundProtocolsDTO.addProtocolConfiguration(saml2ProtocolConfigDTO);
+
+        Assert.assertEquals(saml2InboundAuthConfigHandler.canHandle(inboundProtocolsDTO), expected);
+    }
+
+    @Test(expectedExceptions = IdentityRuntimeException.class)
+    public void testCanHandleWithException() throws Exception {
+
+        mockPrivilegeCarbonContext();
+        mockStatic(OrganizationManagementUtil.class);
+        when(OrganizationManagementUtil.isOrganization(anyString())).thenThrow(OrganizationManagementException.class);
+
+        InboundProtocolsDTO inboundProtocolsDTO = new InboundProtocolsDTO();
+        SAML2ProtocolConfigDTO saml2ProtocolConfigDTO = new SAML2ProtocolConfigDTO();
+        inboundProtocolsDTO.addProtocolConfiguration(saml2ProtocolConfigDTO);
+
+        saml2InboundAuthConfigHandler.canHandle(inboundProtocolsDTO);
+    }
 
     @Test
     public void testCreateInboundSAML2Protocol() throws Exception {
@@ -203,6 +249,7 @@ private void mockPrivilegeCarbonContext() {
         mockStatic(PrivilegedCarbonContext.class);
         PrivilegedCarbonContext privilegedCarbonContext = mock(PrivilegedCarbonContext.class);
         when(PrivilegedCarbonContext.getThreadLocalCarbonContext()).thenReturn(privilegedCarbonContext);
+        when(privilegedCarbonContext.getTenantDomain()).thenReturn(TENANT_DOMAIN);
     }
 
     private void mockServiceProvider(boolean setInboundAuthConfig) {
@@ -232,8 +279,7 @@ private Map<String, Object> getDummyMap() {
     private String getDummyAuditLogData() {
 
         Gson gson = new Gson();
-        String json = gson.toJson(getDummyMap());
-        return gson.fromJson(json, new TypeToken<Map<String, Object>>() {
-        }.getType());
+        Map<String, Object> dummyMap = getDummyMap();
+        return gson.toJson(dummyMap);
     }
 }

components/org.wso2.carbon.identity.sso.saml/src/test/resources/testng.xml

@@ -20,6 +20,7 @@
 <suite name="identity-sso-saml-test-suite">
     <test name="identity-sso-saml-test-all">
         <classes>
+            <class name="org.wso2.carbon.identity.sso.saml.SAML2InboundAuthConfigHandlerTest"/>
             <class name="org.wso2.carbon.identity.sso.saml.util.AssertionBuildingTest" />
             <class name="org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtilTest" />
             <class name="org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtilMarshallTest" />

pom.xml

@@ -131,6 +131,11 @@
                 <artifactId>opensaml</artifactId>
                 <version>${opensaml3.wso2.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.wso2.carbon.identity.organization.management.core</groupId>
+                <artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
+                <version>${carbon.identity.organization.management.core.version}</version>
+            </dependency>
 
             <!--OpenSAML3 dependencies-->
             <dependency>
@@ -365,12 +370,6 @@
                 <artifactId>xercesImpl</artifactId>
                 <version>${xercesImpl.version}</version>
             </dependency>
-            <dependency>
-                <groupId>org.wso2.carbon.identity.organization.management.core</groupId>
-                <artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
-                <scope>test</scope>
-                <version>${carbon.identity.organization.management.core.version}</version>
-            </dependency>
             <dependency>
                 <groupId>com.google.code.gson</groupId>
                 <artifactId>gson</artifactId>
@@ -484,7 +483,9 @@
         <carbon.identity.framework.version>7.0.105</carbon.identity.framework.version>
         <carbon.identity.framework.imp.pkg.version.range>[5.25.260, 8.0.0)
         </carbon.identity.framework.imp.pkg.version.range>
-        <carbon.identity.organization.management.core.version>1.0.0</carbon.identity.organization.management.core.version>
+        <carbon.identity.organization.management.core.version>1.1.19</carbon.identity.organization.management.core.version>
+        <org.wso2.carbon.identity.organization.management.core.version.range>[1.0.0, 2.0.0)
+        </org.wso2.carbon.identity.organization.management.core.version.range>
 
         <identity.inbound.auth.saml.version>${project.version}</identity.inbound.auth.saml.version>
         <identity.inbound.auth.saml.exp.version>${identity.inbound.auth.saml.version}