Clear idp cookie after succesful SSO

changes/47343-idp-cookie

@@ -0,0 +1 @@
+* Clear SSO authentication cookie after successful authentication.

frontend/templates/enroll-ota.html

@@ -488,6 +488,7 @@ <h1 class="error-header">
       const ANDROID_MDM_ENABLED = "{{.AndroidMDMEnabled}}" === "true";
       const MAC_MDM_ENABLED = "{{.MacMDMEnabled}}" == "true";
       const ERROR_MESSAGE = "{{.ErrorMessage}}";
+      const IDP_UUID = "{{.IdpUUID}}";
       const isFullyManaged = new URLSearchParams(window.location.search).has(
         "fully_managed",
         true
@@ -681,6 +682,12 @@ <h1 class="error-header">
           url = url.concat("&fully_managed=true");
         }
 
+        if (IDP_UUID) {
+          url = url.concat(
+            `&idp_uuid=${encodeURIComponent(IDP_UUID)}`
+          );
+        }
+
         const response = await fetch(url, {
           method: "GET",
           headers: {

server/mdm/android/service.go

@@ -7,6 +7,8 @@ import (
 	"google.golang.org/api/androidmanagement/v1"
 )
 
+const byodIdpCookieName = "__Host-FLEETBYODIDP"
+
 type Service interface {
 	EnterpriseSignup(ctx context.Context) (*SignupDetails, error)
 	EnterpriseSignupCallback(ctx context.Context, signupToken string, enterpriseToken string) error
@@ -100,3 +102,21 @@ type EnrollmentTokenResponse struct {
 	*EnrollmentToken
 	DefaultResponse
 }
+
+// SetCookies clears the BYOD IdP cookie after an enrollment token is
+// successfully created so that subsequent enrollments require a fresh SSO
+// authentication instead of reusing a stale identity.
+func (r EnrollmentTokenResponse) SetCookies(_ context.Context, w http.ResponseWriter) {
+	if r.Err != nil {
+		return
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     byodIdpCookieName,
+		Value:    "",
+		Path:     "/",
+		MaxAge:   -1,
+		Secure:   true,
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+}

server/mdm/android/service/service.go

@@ -491,14 +491,22 @@ func (enrollmentTokenRequest) DecodeRequest(ctx context.Context, r *http.Request
 		}
 	}
 
-	byodIdpCookie, err := r.Cookie(mdm.BYODIdpCookieName)
-
 	fullyManaged := false
 	fullyManagedParam := r.URL.Query().Get("fully_managed")
 	if fullyManagedParam == "true" || fullyManagedParam == "1" {
 		fullyManaged = true
 	}
 
+	if idpUUID := r.URL.Query().Get("idp_uuid"); idpUUID != "" {
+		return &enrollmentTokenRequest{
+			EnrollSecret: enrollSecret,
+			IdpUUID:      idpUUID,
+			FullyManaged: fullyManaged,
+		}, nil
+	}
+
+	byodIdpCookie, err := r.Cookie(mdm.BYODIdpCookieName)
+
 	if err == http.ErrNoCookie {
 		// We do not fail here if no cookie is found, we validate later down the line if it's required
 		return &enrollmentTokenRequest{

server/service/frontend.go

@@ -120,15 +120,15 @@ func ServeEndUserEnrollOTA(
 
 		errorMsg := r.URL.Query().Get("error")
 		if errorMsg != "" {
-			if err := renderEnrollPage(w, appCfg, urlPrefix, "", errorMsg, nonce); err != nil {
+			if err := renderEnrollPage(w, appCfg, urlPrefix, "", errorMsg, nonce, ""); err != nil {
 				herr(ctx, w, err.Error())
 			}
 			return
 		}
 
 		enrollSecret := r.URL.Query().Get("enroll_secret")
 		if enrollSecret == "" {
-			if err := renderEnrollPage(w, appCfg, urlPrefix, "", "This URL is invalid. : Enroll secret is invalid. Please contact your IT admin.", nonce); err != nil {
+			if err := renderEnrollPage(w, appCfg, urlPrefix, "", "This URL is invalid. : Enroll secret is invalid. Please contact your IT admin.", nonce, ""); err != nil {
 				herr(ctx, w, err.Error())
 			}
 			return
@@ -171,7 +171,23 @@ func ServeEndUserEnrollOTA(
 		// if we get here, IdP SSO authentication is either not required, or has
 		// been successfully completed (we have a cookie with the IdP account
 		// reference).
-		if err := renderEnrollPage(w, appCfg, urlPrefix, enrollSecret, "", nonce); err != nil {
+
+		// Clear the BYOD IdP cookie now that we are about to render the enrollment page.
+		var idpUUID string
+		if authRequired {
+			idpUUID = r.URL.Query().Get("enrollment_reference")
+			http.SetCookie(w, &http.Cookie{
+				Name:     shared_mdm.BYODIdpCookieName,
+				Value:    "",
+				Path:     "/",
+				MaxAge:   -1,
+				Secure:   true,
+				HttpOnly: true,
+				SameSite: http.SameSiteLaxMode,
+			})
+		}
+
+		if err := renderEnrollPage(w, appCfg, urlPrefix, enrollSecret, "", nonce, idpUUID); err != nil {
 			herr(ctx, w, err.Error())
 			return
 		}
@@ -195,7 +211,7 @@ func generateEnrollOTAURL(fleetURL string, enrollSecret string) (string, error)
 	return enrollURL.String(), nil
 }
 
-func renderEnrollPage(w io.Writer, appCfg *fleet.AppConfig, urlPrefix, enrollSecret, errorMessage, nonce string) error {
+func renderEnrollPage(w io.Writer, appCfg *fleet.AppConfig, urlPrefix, enrollSecret, errorMessage, nonce, idpUUID string) error {
 	fs := newBinaryFileSystem("/frontend")
 	file, err := fs.Open("templates/enroll-ota.html")
 	if err != nil {
@@ -224,6 +240,7 @@ func renderEnrollPage(w io.Writer, appCfg *fleet.AppConfig, urlPrefix, enrollSec
 		MacMDMEnabled         bool
 		AndroidFeatureEnabled bool
 		CSPNonce              string
+		IdpUUID               string
 	}{
 		URLPrefix:             urlPrefix,
 		EnrollURL:             enrollURL,
@@ -232,6 +249,7 @@ func renderEnrollPage(w io.Writer, appCfg *fleet.AppConfig, urlPrefix, enrollSec
 		MacMDMEnabled:         appCfg.MDM.EnabledAndConfigured,
 		AndroidFeatureEnabled: true,
 		CSPNonce:              nonce,
+		IdpUUID:               idpUUID,
 	}); err != nil {
 		return fmt.Errorf("execute react template: %w", err)
 	}