From 7bea768a7d17c399e0949c63dfc3d835d7c2a617 Mon Sep 17 00:00:00 2001
From: "xiyuan@chromium.org"
 <xiyuan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Tue, 17 Dec 2013 06:47:35 +0000
Subject: [PATCH] cros: Polish SAML signin.

- Show 'Cancel' button on footer bar when SAML is active;
- Add a message on top of sign-in frame when redirected to saml idp page;
- Use logo and padding as signin screen for confirm password and no password
  screen;

BUG=307202
EST=Browser tests SamlTest.*.

Review URL: https://codereview.chromium.org/70763002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@241161 0039d316-1c4b-4281-b951-d872f2087c98
---
 chrome/app/chromeos_strings.grdp                   |   3 +
 chrome/browser/chromeos/login/saml_browsertest.cc  | 382 +++++++++++++++++++++
 .../chromeos/login/screen_confirm_password.css     |   4 +-
 .../chromeos/login/screen_confirm_password.html    |   2 +-
 .../chromeos/login/screen_gaia_signin.css          |  21 +-
 .../chromeos/login/screen_gaia_signin.html         |   3 +
 .../resources/chromeos/login/screen_gaia_signin.js |  42 ++-
 .../chromeos/login/screen_message_box.css          |   3 +-
 .../chromeos/login/screen_message_box.html         |   2 +-
 chrome/browser/resources/gaia_auth/main.js         |  20 +-
 .../browser/resources/gaia_auth/saml_injected.js   |  18 +-
 chrome/browser/resources/gaia_auth/util.js         |  21 ++
 .../resources/gaia_auth_host/gaia_auth_host.js     |  44 ++-
 .../webui/chromeos/login/signin_screen_handler.cc  |   2 +
 chrome/chrome_tests.gypi                           |   1 +
 google_apis/gaia/fake_gaia.cc                      |  52 ++-
 google_apis/gaia/fake_gaia.h                       |  20 +-
 17 files changed, 560 insertions(+), 80 deletions(-)
 create mode 100644 chrome/browser/chromeos/login/saml_browsertest.cc

diff --git a/chrome/app/chromeos_strings.grdp b/chrome/app/chromeos_strings.grdp
index f8932f471709..9add97383b27 100644
--- a/chrome/app/chromeos_strings.grdp
+++ b/chrome/app/chromeos_strings.grdp
@@ -423,6 +423,9 @@ Press any key to continue exploring.
   <message name="IDS_LOGIN_PREVIOUS_PASSWORD" desc="Password field text on the password changed dialog">
     Previous password
   </message>
+  <message name="IDS_LOGIN_SAML_NOTICE" desc="Text message displayed above SAML portal to learly indicate that the user is being redirected to another sign-in provider.">
+    You are being redirected below to a sign-in service hosted by <ph name="SAML_DOMAIN">$1<ex>saml.com</ex></ph>.
+  </message>
   <message name="IDS_LOGIN_CONFIRM_PASSWORD_TITLE" desc="Title for the confirm password dialog.">
     Please confirm your password.
   </message>
diff --git a/chrome/browser/chromeos/login/saml_browsertest.cc b/chrome/browser/chromeos/login/saml_browsertest.cc
new file mode 100644
index 000000000000..af8c2a096363
--- /dev/null
+++ b/chrome/browser/chromeos/login/saml_browsertest.cc
@@ -0,0 +1,382 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/command_line.h"
+#include "base/strings/string_util.h"
+#include "base/strings/utf_string_conversions.h"
+#include "chrome/browser/chrome_notification_types.h"
+#include "chrome/browser/chromeos/login/existing_user_controller.h"
+#include "chrome/browser/chromeos/login/login_display_host_impl.h"
+#include "chrome/browser/chromeos/login/test/oobe_screen_waiter.h"
+#include "chrome/browser/chromeos/login/webui_login_display.h"
+#include "chrome/browser/chromeos/login/wizard_controller.h"
+#include "chrome/browser/lifetime/application_lifetime.h"
+#include "chrome/common/chrome_switches.h"
+#include "chrome/test/base/in_process_browser_test.h"
+#include "chromeos/chromeos_switches.h"
+#include "content/public/browser/render_view_host.h"
+#include "content/public/browser/web_contents.h"
+#include "content/public/test/browser_test_utils.h"
+#include "content/public/test/test_utils.h"
+#include "google_apis/gaia/fake_gaia.h"
+#include "google_apis/gaia/gaia_switches.h"
+#include "net/base/url_util.h"
+#include "net/dns/mock_host_resolver.h"
+#include "net/test/embedded_test_server/embedded_test_server.h"
+#include "net/test/embedded_test_server/http_request.h"
+#include "net/test/embedded_test_server/http_response.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+using net::test_server::BasicHttpResponse;
+using net::test_server::HttpRequest;
+using net::test_server::HttpResponse;
+
+namespace chromeos {
+
+namespace {
+
+const char kRelayState[] = "RelayState";
+
+const char kDefaultIdpHtml[] =
+    "<form id=IdPForm method=post action=\"$Post\">"
+      "<input type=hidden name=RelayState value=\"$RelayState\">"
+      "User: <input type=text id=Email name=Email>"
+      "Password: <input type=password id=Password name=Password>"
+      "<input id=Submit type=submit>"
+    "</form>";
+
+// FakeSamlIdp serves IdP auth form and the form submission. The form is
+// served with the template's RelayState placeholder expanded to the real
+// RelayState parameter from request. The form submission redirects back to
+// FakeGaia with the same RelayState.
+class FakeSamlIdp {
+ public:
+  FakeSamlIdp() : html_template_(kDefaultIdpHtml) {}
+  ~FakeSamlIdp() {}
+
+  void SetUp(const std::string& base_path, const GURL& gaia_url) {
+    base_path_= base_path;
+    post_path_ = base_path + "Auth";
+    gaia_assertion_url_ = gaia_url.Resolve("/SSO");
+  }
+
+  scoped_ptr<HttpResponse> HandleRequest(const HttpRequest& request) {
+    // The scheme and host of the URL is actually not important but required to
+    // get a valid GURL in order to parse |request.relative_url|.
+    GURL request_url = GURL("http://localhost").Resolve(request.relative_url);
+    std::string request_path = request_url.path();
+
+    scoped_ptr<BasicHttpResponse> http_response(new BasicHttpResponse());
+    if (request_path == base_path_) {
+      std::string relay_state;
+      net::GetValueForKeyInQuery(request_url, kRelayState, &relay_state);
+
+      std::string response_html = html_template_;
+      ReplaceSubstringsAfterOffset(
+          &response_html, 0, "$RelayState", relay_state);
+      ReplaceSubstringsAfterOffset(
+          &response_html, 0, "$Post", post_path_);
+
+      http_response->set_code(net::HTTP_OK);
+      http_response->set_content(response_html);
+      http_response->set_content_type("text/html");
+    } else if (request_path == post_path_) {
+      std::string relay_state;
+      FakeGaia::GetQueryParameter(request.content, kRelayState, &relay_state);
+
+      GURL redirect_url = gaia_assertion_url_;
+      redirect_url = net::AppendQueryParameter(
+          redirect_url, "SAMLResponse", "fake_response");
+      redirect_url = net::AppendQueryParameter(
+          redirect_url, kRelayState, relay_state);
+
+      http_response->set_code(net::HTTP_TEMPORARY_REDIRECT);
+      http_response->AddCustomHeader("Location", redirect_url.spec());
+    } else {
+      // Request not understood.
+      return scoped_ptr<HttpResponse>();
+    }
+
+    return http_response.PassAs<HttpResponse>();
+  }
+
+  void set_html_template(const std::string& html_template) {
+    html_template_ = html_template;
+  }
+
+ private:
+  std::string base_path_;
+  std::string post_path_;
+  std::string html_template_;
+
+  GURL gaia_assertion_url_;
+  DISALLOW_COPY_AND_ASSIGN(FakeSamlIdp);
+};
+
+}  // namespace
+
+class SamlTest : public InProcessBrowserTest {
+ public:
+  SamlTest() : saml_load_injected_(false) {}
+  virtual ~SamlTest() {}
+
+  virtual void SetUp() OVERRIDE {
+    // Start embedded test server here so that we can get server base url
+    // and override Gaia urls in SetupCommandLine.
+    ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
+
+    // Stop IO thread here because no threads are allowed while
+    // spawning sandbox host process. See crbug.com/322732.
+    embedded_test_server()->StopThread();
+
+    InProcessBrowserTest::SetUp();
+  }
+
+  virtual void SetUpInProcessBrowserTestFixture() OVERRIDE {
+    host_resolver()->AddRule("*", "127.0.0.1");
+  }
+
+  virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
+    command_line->AppendSwitch(switches::kLoginManager);
+    command_line->AppendSwitch(switches::kForceLoginManagerInTests);
+    command_line->AppendSwitch(::switches::kDisableBackgroundNetworking);
+    command_line->AppendSwitchASCII(switches::kLoginProfile, "user");
+    command_line->AppendSwitch(switches::kEnableSamlSignin);
+
+    const GURL& server_url = embedded_test_server()->base_url();
+
+    std::string gaia_host("gaia");
+    GURL::Replacements replace_gaia_host;
+    replace_gaia_host.SetHostStr(gaia_host);
+    gaia_url_ = server_url.ReplaceComponents(replace_gaia_host);
+
+    command_line->AppendSwitchASCII(::switches::kGaiaUrl, gaia_url_.spec());
+    command_line->AppendSwitchASCII(::switches::kLsoUrl, gaia_url_.spec());
+    command_line->AppendSwitchASCII(::switches::kGoogleApisUrl,
+                                    gaia_url_.spec());
+
+    std::string saml_idp_host("saml.idp");
+    GURL::Replacements replace_saml_idp_host;
+    replace_saml_idp_host.SetHostStr(saml_idp_host);
+    GURL saml_idp_url = server_url.ReplaceComponents(replace_saml_idp_host);
+    saml_idp_url = saml_idp_url.Resolve("/SAML/SSO");
+
+    fake_saml_idp_.SetUp(saml_idp_url.path(), gaia_url_);
+    fake_gaia_.RegisterSamlUser("saml_user", saml_idp_url);
+  }
+
+  virtual void SetUpOnMainThread() OVERRIDE {
+    embedded_test_server()->RegisterRequestHandler(
+        base::Bind(&FakeGaia::HandleRequest, base::Unretained(&fake_gaia_)));
+    embedded_test_server()->RegisterRequestHandler(base::Bind(
+        &FakeSamlIdp::HandleRequest, base::Unretained(&fake_saml_idp_)));
+
+    // Restart the thread as the sandbox host process has already been spawned.
+    embedded_test_server()->RestartThreadAndListen();
+  }
+
+  virtual void CleanUpOnMainThread() OVERRIDE {
+    // If the login display is still showing, exit gracefully.
+    if (LoginDisplayHostImpl::default_host()) {
+      base::MessageLoop::current()->PostTask(FROM_HERE,
+                                             base::Bind(&chrome::AttemptExit));
+      content::RunMessageLoop();
+    }
+  }
+
+  WebUILoginDisplay* GetLoginDisplay() {
+    ExistingUserController* controller =
+        ExistingUserController::current_controller();
+    CHECK(controller);
+    return static_cast<WebUILoginDisplay*>(controller->login_display());
+  }
+
+  void WaitForSigninScreen() {
+    WizardController::SkipPostLoginScreensForTesting();
+    WizardController* wizard_controller =
+        chromeos::WizardController::default_controller();
+    CHECK(wizard_controller);
+    wizard_controller->SkipToLoginForTesting(LoginScreenContext());
+
+    content::WindowedNotificationObserver(
+      chrome::NOTIFICATION_LOGIN_OR_LOCK_WEBUI_VISIBLE,
+      content::NotificationService::AllSources()).Wait();
+  }
+
+  void StartSamlAndWaitForIdpPageLoad() {
+    WaitForSigninScreen();
+
+    if (!saml_load_injected_) {
+      saml_load_injected_ = true;
+
+      ASSERT_TRUE(content::ExecuteScript(
+          GetLoginUI()->GetWebContents(),
+          "$('gaia-signin').gaiaAuthHost_.addEventListener('authFlowChange',"
+              "function() {"
+                "window.domAutomationController.setAutomationId(0);"
+                "window.domAutomationController.send("
+                    "$('gaia-signin').isSAML() ? 'SamlLoaded' : 'GaiaLoaded');"
+              "});"));
+    }
+
+    content::DOMMessageQueue message_queue;  // Start observe before SAML.
+    GetLoginDisplay()->ShowSigninScreenForCreds("saml_user", "");
+
+    std::string message;
+    ASSERT_TRUE(message_queue.WaitForMessage(&message));
+    EXPECT_EQ("\"SamlLoaded\"", message);
+  }
+
+  void SetSignFormField(const std::string& field_id,
+                        const std::string& field_value) {
+    std::string js =
+        "(function(){"
+          "document.getElementById('$FieldId').value = '$FieldValue';"
+          "var e = new Event('input');"
+          "document.getElementById('$FieldId').dispatchEvent(e);"
+        "})();";
+    ReplaceSubstringsAfterOffset(&js, 0, "$FieldId", field_id);
+    ReplaceSubstringsAfterOffset(&js, 0, "$FieldValue", field_value);
+    ExecuteJsInSigninFrame(js);
+  }
+
+  void SendConfirmPassword(const std::string& password_to_confirm) {
+    std::string js =
+        "$('confirm-password-input').value='$Password';"
+        "$('confirm-password').onConfirmPassword_();";
+    ReplaceSubstringsAfterOffset(&js, 0, "$Password", password_to_confirm);
+    ASSERT_TRUE(content::ExecuteScript(GetLoginUI()->GetWebContents(), js));
+  }
+
+  void JsExpect(const std::string& js) {
+    bool result;
+    EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
+        GetLoginUI()->GetWebContents(),
+        "window.domAutomationController.send(!!(" + js + "));",
+        &result));
+    EXPECT_TRUE(result) << js;
+  }
+
+  content::WebUI* GetLoginUI() {
+    return static_cast<chromeos::LoginDisplayHostImpl*>(
+        chromeos::LoginDisplayHostImpl::default_host())->GetOobeUI()->web_ui();
+  }
+
+  // Executes Js code in the auth iframe hosted by gaia_auth extension.
+  void ExecuteJsInSigninFrame(const std::string& js) {
+    ASSERT_TRUE(content::ExecuteScriptInFrame(
+        GetLoginUI()->GetWebContents(),
+        "//iframe[@id='signin-frame']\n//iframe",
+        js));
+  }
+
+  FakeSamlIdp* fake_saml_idp() { return &fake_saml_idp_; }
+
+ private:
+  GURL gaia_url_;
+  FakeGaia fake_gaia_;
+  FakeSamlIdp fake_saml_idp_;
+
+  bool saml_load_injected_;
+
+  DISALLOW_COPY_AND_ASSIGN(SamlTest);
+};
+
+// Tests that signin frame should have 'saml' class and 'cancel' button is
+// visible when SAML IdP page is loaded. And 'cancel' button goes back to
+// gaia on clicking.
+IN_PROC_BROWSER_TEST_F(SamlTest, SamlUI) {
+  StartSamlAndWaitForIdpPageLoad();
+
+  // Saml flow UI expectations.
+  JsExpect("$('gaia-signin').classList.contains('saml')");
+  JsExpect("!$('cancel-add-user-button').hidden");
+
+  // Click on 'cancel'.
+  content::DOMMessageQueue message_queue;  // Observe before 'cancel'.
+  ASSERT_TRUE(content::ExecuteScript(
+      GetLoginUI()->GetWebContents(),
+      "$('cancel-add-user-button').click();"));
+
+  // Auth flow should change back to Gaia.
+  std::string message;
+  do {
+    ASSERT_TRUE(message_queue.WaitForMessage(&message));
+  } while (message != "\"GaiaLoaded\"");
+
+  // Saml flow is gone.
+  JsExpect("!$('gaia-signin').classList.contains('saml')");
+}
+
+// Tests the single password scraped flow.
+IN_PROC_BROWSER_TEST_F(SamlTest, ScrapedSingle) {
+  StartSamlAndWaitForIdpPageLoad();
+
+  // Fill-in the SAML IdP form and submit.
+  SetSignFormField("Email", "fake_user");
+  SetSignFormField("Password", "fake_password");
+  ExecuteJsInSigninFrame("document.getElementById('IdPForm').submit();");
+
+  // Lands on confirm password screen.
+  OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
+
+  // Enter an unknown password should go back to confirm password screen.
+  SendConfirmPassword("wrong_password");
+  OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
+
+  // Enter a known password should finish login and start session.
+  SendConfirmPassword("fake_password");
+  content::WindowedNotificationObserver(
+      chrome::NOTIFICATION_SESSION_STARTED,
+      content::NotificationService::AllSources()).Wait();
+}
+
+// Tests the multiple password scraped flow.
+IN_PROC_BROWSER_TEST_F(SamlTest, ScrapedMultiple) {
+  fake_saml_idp()->set_html_template(
+    "<form id=IdPForm method=post action=\"$Post\">"
+      "<input type=hidden name=RelayState value=\"$RelayState\">"
+      "User: <input type=text id=Email name=Email>"
+      "Password: <input type=password id=Password name=Password>"
+      "Password: <input type=password id=Password1 name=Password1>"
+      "<input id=Submit type=submit>"
+    "</form>");
+
+  StartSamlAndWaitForIdpPageLoad();
+
+  SetSignFormField("Email", "fake_user");
+  SetSignFormField("Password", "fake_password");
+  SetSignFormField("Password1", "password1");
+  ExecuteJsInSigninFrame("document.getElementById('IdPForm').submit();");
+
+  OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
+
+  // Either scraped password should be able to sign-in.
+  SendConfirmPassword("password1");
+  content::WindowedNotificationObserver(
+      chrome::NOTIFICATION_SESSION_STARTED,
+      content::NotificationService::AllSources()).Wait();
+}
+
+// Tests the no password scraped flow.
+IN_PROC_BROWSER_TEST_F(SamlTest, ScrapedNone) {
+  fake_saml_idp()->set_html_template(
+    "<form id=IdPForm method=post action=\"$Post\">"
+      "<input type=hidden name=RelayState value=\"$RelayState\">"
+      "User: <input type=text id=Email name=Email>"
+      "<input id=Submit type=submit>"
+    "</form>");
+
+  StartSamlAndWaitForIdpPageLoad();
+
+  SetSignFormField("Email", "fake_user");
+  ExecuteJsInSigninFrame("document.getElementById('IdPForm').submit();");
+
+  OobeScreenWaiter(OobeDisplay::SCREEN_MESSAGE_BOX).Wait();
+  JsExpect(
+      "$('message-box-title').textContent == "
+      "loadTimeData.getString('noPasswordWarningTitle')");
+}
+
+}  // namespace chromeos
diff --git a/chrome/browser/resources/chromeos/login/screen_confirm_password.css b/chrome/browser/resources/chromeos/login/screen_confirm_password.css
index 94ff3d722463..2ce1374dd403 100644
--- a/chrome/browser/resources/chromeos/login/screen_confirm_password.css
+++ b/chrome/browser/resources/chromeos/login/screen_confirm_password.css
@@ -4,8 +4,8 @@
  */
 
 #confirm-password {
-  height: 150px;
-  padding: 16px;
+  height: 200px;
+  padding: 70px 17px;
   width: 400px;
 }
 
diff --git a/chrome/browser/resources/chromeos/login/screen_confirm_password.html b/chrome/browser/resources/chromeos/login/screen_confirm_password.html
index d5fe83104c2a..bf07edd04528 100644
--- a/chrome/browser/resources/chromeos/login/screen_confirm_password.html
+++ b/chrome/browser/resources/chromeos/login/screen_confirm_password.html
@@ -1,4 +1,4 @@
-<div id="confirm-password" class="step no-logo hidden">
+<div id="confirm-password" class="step hidden">
   <div class="step-contents">
     <p id="confirm-password-title" i18n-content="confirmPasswordTitle"></p>
     <div>
diff --git a/chrome/browser/resources/chromeos/login/screen_gaia_signin.css b/chrome/browser/resources/chromeos/login/screen_gaia_signin.css
index 46955de4532b..3adcc183e490 100644
--- a/chrome/browser/resources/chromeos/login/screen_gaia_signin.css
+++ b/chrome/browser/resources/chromeos/login/screen_gaia_signin.css
@@ -14,8 +14,7 @@
 }
 
 #gaia-signin.saml {
-  padding: 70px 10px 10px;
-  width: 1000px;
+  padding: 75px 10px 10px;
 }
 
 #signin-right {
@@ -26,7 +25,8 @@
 }
 
 #signin-right,
-#enterprise-info-container {
+#enterprise-info-container,
+#saml-info-container {
   font-size: 12px;
 }
 
@@ -136,3 +136,18 @@
   margin-top: 10px;
 }
 
+#saml-notice-container {
+  left: 0;
+  position: absolute;
+  right: 0;
+  text-align: center;
+  top: 50px;
+}
+
+#saml-notice-message {
+  background-color: rgb(250, 245, 202);
+  border: 2px solid rgb(250, 245, 202);
+  border-radius: 2px;
+  margin-left: auto;
+  margin-right: auto;
+}
diff --git a/chrome/browser/resources/chromeos/login/screen_gaia_signin.html b/chrome/browser/resources/chromeos/login/screen_gaia_signin.html
index fdf2cee13c49..e76f292c5f79 100644
--- a/chrome/browser/resources/chromeos/login/screen_gaia_signin.html
+++ b/chrome/browser/resources/chromeos/login/screen_gaia_signin.html
@@ -32,4 +32,7 @@
   <div id="enterprise-info-container" hidden>
     <include src="enterprise_info.html">
   </div>
+  <div id="saml-notice-container" hidden>
+    <span id="saml-notice-message"></span>
+  </div>
 </div>
diff --git a/chrome/browser/resources/chromeos/login/screen_gaia_signin.js b/chrome/browser/resources/chromeos/login/screen_gaia_signin.js
index f0099e792b77..25e61955bc37 100644
--- a/chrome/browser/resources/chromeos/login/screen_gaia_signin.js
+++ b/chrome/browser/resources/chromeos/login/screen_gaia_signin.js
@@ -76,8 +76,8 @@ login.createScreen('GaiaSigninScreen', 'gaia-signin', function() {
           this.onAuthConfirmPassword_.bind(this);
       this.gaiaAuthHost_.noPasswordCallback =
           this.onAuthNoPassword_.bind(this);
-      this.gaiaAuthHost_.authPageLoadedCallback =
-          this.onAuthPageLoaded_.bind(this);
+      this.gaiaAuthHost_.addEventListener('authFlowChange',
+          this.onAuthFlowChange_.bind(this));
 
       $('enterprise-info-hint-link').addEventListener('click', function(e) {
         chrome.send('launchHelpApp', [HELP_TOPIC_ENTERPRISE_REPORTING]);
@@ -296,13 +296,33 @@ login.createScreen('GaiaSigninScreen', 'gaia-signin', function() {
     },
 
     /**
-     * Invoked when the auth host notifies about an auth page is loaded.
-     * @param {boolean} isSAML True if the loaded auth page is SAML.
+     * Whether the current auth flow is SAML.
      */
-    onAuthPageLoaded_: function(isSAML) {
+    isSAML: function() {
+       return this.gaiaAuthHost_.authFlow ==
+           cr.login.GaiaAuthHost.AuthFlow.SAML;
+    },
+
+    /**
+     * Invoked when the authFlow property is changed no the gaia host.
+     * @param {Event} e Property change event.
+     */
+    onAuthFlowChange_: function(e) {
+      var isSAML = this.isSAML();
+
+      if (isSAML) {
+        $('saml-notice-message').textContent = loadTimeData.getStringF(
+            'samlNotice',
+            this.gaiaAuthHost_.authDomain);
+      }
+
       this.classList.toggle('saml', isSAML);
-      if (Oobe.getInstance().currentScreen === this)
+      $('saml-notice-container').hidden = !isSAML;
+
+      if (Oobe.getInstance().currentScreen === this) {
         Oobe.getInstance().updateScreenSize(this);
+        $('login-header-bar').allowCancel = isSAML || this.cancelAllowed_;
+      }
     },
 
     /**
@@ -482,8 +502,16 @@ login.createScreen('GaiaSigninScreen', 'gaia-signin', function() {
      * Called when user canceled signin.
      */
     cancel: function() {
-      if (!this.cancelAllowed_)
+      if (!this.cancelAllowed_) {
+        // In OOBE signin screen, cancel is not allowed because there is
+        // no other screen to show. If user is in middle of a saml flow,
+        // reset signin screen to get out of the saml flow.
+        if (this.isSAML())
+          Oobe.resetSigninUI(true);
+
         return;
+      }
+
       $('pod-row').loadLastWallpaper();
       Oobe.showScreen({id: SCREEN_ACCOUNT_PICKER});
       Oobe.resetSigninUI(true);
diff --git a/chrome/browser/resources/chromeos/login/screen_message_box.css b/chrome/browser/resources/chromeos/login/screen_message_box.css
index 2fe64ddb74ee..8b9e175ee3df 100644
--- a/chrome/browser/resources/chromeos/login/screen_message_box.css
+++ b/chrome/browser/resources/chromeos/login/screen_message_box.css
@@ -4,8 +4,7 @@
  */
 
 #message-box {
-  height: 180px;
-  padding: 16px;
+  padding: 70px 17px;
   width: 400px;
 }
 
diff --git a/chrome/browser/resources/chromeos/login/screen_message_box.html b/chrome/browser/resources/chromeos/login/screen_message_box.html
index 2be5c828edbb..87be74bc3dfc 100644
--- a/chrome/browser/resources/chromeos/login/screen_message_box.html
+++ b/chrome/browser/resources/chromeos/login/screen_message_box.html
@@ -1,4 +1,4 @@
-<div id="message-box" class="step no-logo hidden">
+<div id="message-box" class="step hidden">
   <div class="step-contents">
     <p id="message-box-title"></p>
     <p id="message-box-body"></p>
diff --git a/chrome/browser/resources/gaia_auth/main.js b/chrome/browser/resources/gaia_auth/main.js
index db046d20fdb9..8b9b30d1291f 100644
--- a/chrome/browser/resources/gaia_auth/main.js
+++ b/chrome/browser/resources/gaia_auth/main.js
@@ -35,7 +35,7 @@ Authenticator.prototype = {
   inputLang_: undefined,
   intputEmail_: undefined,
 
-  samlPageLoaded_: false,
+  isSAMLFlow_: false,
   samlSupportChannel_: null,
 
   GAIA_URL: 'https://accounts.google.com/',
@@ -194,7 +194,7 @@ Authenticator.prototype = {
    * Invoked when 'enableSAML' event is received to initialize SAML support.
    */
   onEnableSAML_: function() {
-    this.samlPageLoaded_ = false;
+    this.isSAMLFlow_ = false;
 
     this.samlSupportChannel_ = new Channel();
     this.samlSupportChannel_.connect('authMain');
@@ -211,10 +211,16 @@ Authenticator.prototype = {
    * @param {!Object} msg Details sent with the message.
    */
   onAuthPageLoaded_: function(msg) {
-    this.samlPageLoaded_ = msg.url.indexOf(this.gaiaUrl_) != 0;
+    var isSAMLPage = msg.url.indexOf(this.gaiaUrl_) != 0;
+
+    // Set isSAMLFlow_ flag when a SAML page is loaded. The flag is sticky.
+    if (isSAMLPage)
+      this.isSAMLFlow_ = true;
+
     window.parent.postMessage({
       'method': 'authPageLoaded',
-      'isSAML': this.samlPageLoaded_
+      'isSAML': this.isSAMLFlow_,
+      'domain': extractDomain(msg.url)
     }, this.parentPage_);
   },
 
@@ -230,7 +236,7 @@ Authenticator.prototype = {
   },
 
   onConfirmLogin_: function() {
-    if (!this.samlPageLoaded_) {
+    if (!this.isSAMLFlow_) {
       this.completeLogin(this.email_, this.password_);
       return;
     }
@@ -272,14 +278,14 @@ Authenticator.prototype = {
       this.email_ = msg.email;
       this.password_ = msg.password;
       this.attemptToken_ = msg.attemptToken;
-      this.samlPageLoaded_ = false;
+      this.isSAMLFlow_ = false;
       if (this.samlSupportChannel_)
         this.samlSupportChannel_.send({name: 'startAuth'});
     } else if (msg.method == 'clearOldAttempts' && this.isGaiaMessage_(e)) {
       this.email_ = null;
       this.password_ = null;
       this.attemptToken_ = null;
-      this.samlPageLoaded_ = false;
+      this.isSAMLFlow_ = false;
       this.onLoginUILoaded();
       if (this.samlSupportChannel_)
         this.samlSupportChannel_.send({name: 'resetAuth'});
diff --git a/chrome/browser/resources/gaia_auth/saml_injected.js b/chrome/browser/resources/gaia_auth/saml_injected.js
index d7fd1b8e37ee..2e871c9bcb05 100644
--- a/chrome/browser/resources/gaia_auth/saml_injected.js
+++ b/chrome/browser/resources/gaia_auth/saml_injected.js
@@ -51,11 +51,7 @@
 
       for (var i = 0; i < this.passwordFields_.length; ++i) {
         this.passwordFields_[i].addEventListener(
-            'change', this.onPasswordChanged_.bind(this, i));
-        // 'keydown' event is needed for the case that the form is submitted
-        // on enter key, in which case no 'change' event is dispatched.
-        this.passwordFields_[i].addEventListener(
-            'keydown', this.onPasswordKeyDown_.bind(this, i));
+            'input', this.onPasswordChanged_.bind(this, i));
 
         this.passwordValues_[i] = this.passwordFields_[i].value;
       }
@@ -89,18 +85,6 @@
      */
     onPasswordChanged_: function(index) {
       this.maybeSendUpdatedPassword(index);
-    },
-
-    /**
-     * Handles 'keydown' event to trigger password change detection and
-     * updates on enter key.
-     * @param {number} index The index of the password fields in
-     *     |passwordFields_|.
-     * @param {Event} e The keydown event.
-     */
-    onPasswordKeyDown_: function(index, e) {
-      if (e.keyIdentifier == 'Enter')
-        this.maybeSendUpdatedPassword(index);
     }
   };
 
diff --git a/chrome/browser/resources/gaia_auth/util.js b/chrome/browser/resources/gaia_auth/util.js
index 72d13c2f2f6e..9d8ebd7237d1 100644
--- a/chrome/browser/resources/gaia_auth/util.js
+++ b/chrome/browser/resources/gaia_auth/util.js
@@ -2,10 +2,20 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+/**
+ * Alias for document.getElementById.
+ * @param {string} id The ID of the element to find.
+ * @return {HTMLElement} The found element or null if not found.
+ */
 function $(id) {
   return document.getElementById(id);
 }
 
+/**
+ * Extract query params from given search string of an URL.
+ * @param {string} search The search portion of an URL to extract params.
+ * @return {Object} The key value pairs of the extracted params.
+ */
 function getUrlSearchParams(search) {
   var params = {};
 
@@ -51,3 +61,14 @@ function appendParam(url, key, value) {
 function stripParams(url) {
   return url.substring(0, url.indexOf('?')) || url;
 }
+
+/**
+ * Extract domain name from an URL.
+ * @param {string} url An URL string.
+ * @return {string} The host name of the URL.
+ */
+function extractDomain(url) {
+  var a = document.createElement('a');
+  a.href = url;
+  return a.hostname;
+}
diff --git a/chrome/browser/resources/gaia_auth_host/gaia_auth_host.js b/chrome/browser/resources/gaia_auth_host/gaia_auth_host.js
index 47e0e096d22f..e16e474d18d5 100644
--- a/chrome/browser/resources/gaia_auth_host/gaia_auth_host.js
+++ b/chrome/browser/resources/gaia_auth_host/gaia_auth_host.js
@@ -91,6 +91,15 @@ cr.define('cr.login', function() {
   };
 
   /**
+   * Enum for the auth flow.
+   * @enum {number}
+   */
+  var AuthFlow = {
+    GAIA: 0,
+    SAML: 1
+  };
+
+  /**
    * Creates a new gaia auth extension host.
    * @param {HTMLIFrameElement|string} container The iframe element or its id
    *     to host the auth extension.
@@ -117,6 +126,12 @@ cr.define('cr.login', function() {
     reloadUrl_: null,
 
     /**
+     * The domain name of the current auth page.
+     * @type {string}
+     */
+    authDomain: '',
+
+    /**
      * Invoked when authentication is completed successfully with credential
      * data. A credential data object looks like this:
      * <pre>
@@ -155,14 +170,6 @@ cr.define('cr.login', function() {
     noPasswordCallback_: null,
 
     /**
-     * Invoked when the auth page hosted inside the extension is loaded.
-     * Param {@code saml} is true when the auth page is a SAML page (out of
-     * Gaia domain.
-     * @type {function{boolean)}
-     */
-    authPageLoadedCallback_: null,
-
-    /**
      * The iframe container.
      * @type {HTMLIFrameElement}
      */
@@ -187,14 +194,6 @@ cr.define('cr.login', function() {
     },
 
     /**
-     * Sets authPageLoadedCallback_.
-     * @type {function(boolean)}
-     */
-    set authPageLoadedCallback(callback) {
-      this.authPageLoadedCallback_ = callback;
-    },
-
-    /**
      * Loads the auth extension.
      * @param {AuthMode} authMode Authorization mode.
      * @param {Object} data Parameters for the auth extension. See the auth
@@ -238,6 +237,7 @@ cr.define('cr.login', function() {
       this.frame_.src = url;
       this.reloadUrl_ = url;
       this.successCallback_ = successCallback;
+      this.authFlow = AuthFlow.GAIA;
     },
 
     /**
@@ -245,6 +245,7 @@ cr.define('cr.login', function() {
      */
     reload: function() {
       this.frame_.src = this.reloadUrl_;
+      this.authFlow = AuthFlow.GAIA;
     },
 
     /**
@@ -341,8 +342,8 @@ cr.define('cr.login', function() {
       }
 
       if (msg.method == 'authPageLoaded') {
-        if (this.authPageLoadedCallback_)
-          this.authPageLoadedCallback_(msg.isSAML);
+        this.authDomain = msg.domain;
+        this.authFlow = msg.isSAML ? AuthFlow.SAML : AuthFlow.GAIA;
         return;
       }
 
@@ -382,9 +383,16 @@ cr.define('cr.login', function() {
     }
   };
 
+  /**
+   * The current auth flow of the hosted gaia_auth extension.
+   * @type {AuthFlow}
+   */
+  cr.defineProperty(GaiaAuthHost, 'authFlow');
+
   GaiaAuthHost.SUPPORTED_PARAMS = SUPPORTED_PARAMS;
   GaiaAuthHost.LOCALIZED_STRING_PARAMS = LOCALIZED_STRING_PARAMS;
   GaiaAuthHost.AuthMode = AuthMode;
+  GaiaAuthHost.AuthFlow = AuthFlow;
 
   return {
     GaiaAuthHost: GaiaAuthHost
diff --git a/chrome/browser/ui/webui/chromeos/login/signin_screen_handler.cc b/chrome/browser/ui/webui/chromeos/login/signin_screen_handler.cc
index abdd3de25272..6946d08ddccb 100644
--- a/chrome/browser/ui/webui/chromeos/login/signin_screen_handler.cc
+++ b/chrome/browser/ui/webui/chromeos/login/signin_screen_handler.cc
@@ -447,6 +447,8 @@ void SigninScreenHandler::DeclareLocalizedValues(
   builder->Add("removeUserWarningButtonTitle",
                IDS_LOGIN_POD_USER_REMOVE_WARNING_BUTTON);
 
+  builder->Add("samlNotice", IDS_LOGIN_SAML_NOTICE);
+
   // Strings used by confirm password dialog.
   builder->Add("confirmPasswordTitle", IDS_LOGIN_CONFIRM_PASSWORD_TITLE);
   builder->Add("confirmPasswordHint", IDS_LOGIN_CONFIRM_PASSWORD_HINT);
diff --git a/chrome/chrome_tests.gypi b/chrome/chrome_tests.gypi
index 5351f5d96cbf..02390a5d8b71 100644
--- a/chrome/chrome_tests.gypi
+++ b/chrome/chrome_tests.gypi
@@ -1021,6 +1021,7 @@
         'browser/chromeos/login/managed/supervised_user_creation_browsertest.cc',
         'browser/chromeos/login/mock_authenticator.cc',
         'browser/chromeos/login/mock_authenticator.h',
+        'browser/chromeos/login/saml_browsertest.cc',
         'browser/chromeos/login/session_login_browsertest.cc',
         'browser/chromeos/login/screen_locker_tester.cc',
         'browser/chromeos/login/screen_locker_tester.h',
diff --git a/google_apis/gaia/fake_gaia.cc b/google_apis/gaia/fake_gaia.cc
index 322ed54ff9fc..7474aca80a9b 100644
--- a/google_apis/gaia/fake_gaia.cc
+++ b/google_apis/gaia/fake_gaia.cc
@@ -4,6 +4,8 @@
 
 #include "google_apis/gaia/fake_gaia.h"
 
+#include <vector>
+
 #include "base/base_paths.h"
 #include "base/file_util.h"
 #include "base/files/file_path.h"
@@ -59,12 +61,19 @@ scoped_ptr<HttpResponse> FakeGaia::HandleRequest(const HttpRequest& request) {
   } else if (request_path == gaia_urls->service_login_auth_url().path()) {
     std::string continue_url = gaia_urls->service_login_url().spec();
     GetQueryParameter(request.content, "continue", &continue_url);
-    http_response->set_code(net::HTTP_OK);
-    const std::string redirect_js =
-        "document.location.href = '" + continue_url + "'";
-    http_response->set_content(
-        "<HTML><HEAD><SCRIPT>\n" + redirect_js + "\n</SCRIPT></HEAD></HTML>");
-    http_response->set_content_type("text/html");
+    std::string redirect_url = continue_url;
+
+    std::string email;
+    if (GetQueryParameter(request.content, "Email", &email) &&
+        saml_account_idp_map_.find(email) != saml_account_idp_map_.end()) {
+      GURL url(saml_account_idp_map_[email]);
+      url = net::AppendQueryParameter(url, "SAMLRequest", "fake_request");
+      url = net::AppendQueryParameter(url, "RelayState", continue_url);
+      redirect_url = url.spec();
+    }
+
+    http_response->set_code(net::HTTP_TEMPORARY_REDIRECT);
+    http_response->AddCustomHeader("Location", redirect_url);
   } else if (request_path == gaia_urls->oauth2_token_url().path()) {
     std::string refresh_token;
     std::string client_id;
@@ -134,6 +143,12 @@ scoped_ptr<HttpResponse> FakeGaia::HandleRequest(const HttpRequest& request) {
     } else {
       http_response->set_code(net::HTTP_BAD_REQUEST);
     }
+  } else if (request_path == "/SSO") {
+    std::string relay_state;
+    GetQueryParameter(request.content, "RelayState", &relay_state);
+    std::string redirect_url = relay_state;
+    http_response->set_code(net::HTTP_TEMPORARY_REDIRECT);
+    http_response->AddCustomHeader("Location", redirect_url);
   } else {
     // Request not understood.
     return scoped_ptr<HttpResponse>();
@@ -147,6 +162,21 @@ void FakeGaia::IssueOAuthToken(const std::string& auth_token,
   access_token_info_map_.insert(std::make_pair(auth_token, token_info));
 }
 
+void FakeGaia::RegisterSamlUser(const std::string& account_id,
+                                const GURL& saml_idp) {
+  saml_account_idp_map_[account_id] = saml_idp;
+}
+
+// static
+bool FakeGaia::GetQueryParameter(const std::string& query,
+                                 const std::string& key,
+                                 std::string* value) {
+  // Name and scheme actually don't matter, but are required to get a valid URL
+  // for parsing.
+  GURL query_url("http://localhost?" + query);
+  return net::GetValueForKeyInQuery(query_url, key, value);
+}
+
 void FakeGaia::FormatJSONResponse(const base::DictionaryValue& response_dict,
                                   BasicHttpResponse* http_response) {
   std::string response_json;
@@ -178,13 +208,3 @@ const FakeGaia::AccessTokenInfo* FakeGaia::GetAccessTokenInfo(
 
   return NULL;
 }
-
-// static
-bool FakeGaia::GetQueryParameter(const std::string& query,
-                                 const std::string& key,
-                                 std::string* value) {
-  // Name and scheme actually don't matter, but are required to get a valid URL
-  // for parsing.
-  GURL query_url("http://localhost?" + query);
-  return net::GetValueForKeyInQuery(query_url, key, value);
-}
diff --git a/google_apis/gaia/fake_gaia.h b/google_apis/gaia/fake_gaia.h
index de4201f73372..7e211ae9add2 100644
--- a/google_apis/gaia/fake_gaia.h
+++ b/google_apis/gaia/fake_gaia.h
@@ -11,6 +11,7 @@
 
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
+#include "url/gurl.h"
 
 namespace base {
 class DictionaryValue;
@@ -61,8 +62,20 @@ class FakeGaia {
   void IssueOAuthToken(const std::string& auth_token,
                        const AccessTokenInfo& token_info);
 
+  // Associates an account id with a SAML IdP redirect endpoint. When a
+  // /ServiceLoginAuth request comes in for that user, it will be redirected
+  // to the associated redirect endpoint.
+  void RegisterSamlUser(const std::string& account_id, const GURL& saml_idp);
+
+  // Extracts the parameter named |key| from |query| and places it in |value|.
+  // Returns false if no parameter is found.
+  static bool GetQueryParameter(const std::string& query,
+                                const std::string& key,
+                                std::string* value);
+
  private:
   typedef std::multimap<std::string, AccessTokenInfo> AccessTokenInfoMap;
+  typedef std::map<std::string, GURL> SamlAccountIdpMap;
 
   // Formats a JSON response with the data in |response_dict|.
   void FormatJSONResponse(const base::DictionaryValue& response_dict,
@@ -77,14 +90,9 @@ class FakeGaia {
                                             const std::string& scope_string)
       const;
 
-  // Extracts the parameter named |key| from |query| and places it in |value|.
-  // Returns false if no parameter is found.
-  static bool GetQueryParameter(const std::string& query,
-                                const std::string& key,
-                                std::string* value);
-
   AccessTokenInfoMap access_token_info_map_;
   std::string service_login_response_;
+  SamlAccountIdpMap saml_account_idp_map_;
 
   DISALLOW_COPY_AND_ASSIGN(FakeGaia);
 };
-- 
2.11.4.GIT