authorafakhry <afakhry@chromium.org>2016-03-08 14:25:49 -0800
committerCommit bot <commit-bot@chromium.org>2016-03-08 22:27:47 +0000
commit40f5bfd9396369bea37404e60f11d28556633907 (patch)
tree61a5a41d6b3a179befaba7609fbd698c0150bdd0
parentb3b898416e25dffa09716e70d6e79cf9fd668158 (diff)
Add a chromeos device policy to control the login authentication behavior
This will enable admins to set the behavior of the login authentication flow for the enrolled device. The behavior will be one of the following. * The normal GAIA authentication flow. * An interstitial screen that offers the user to go forward with SAML IdP endpoint authentication, or go back to the normal GAIA flow. * Automatic redirection to the SAML IdP endpoint without user confirmation. BUG=587900 Review URL: https://codereview.chromium.org/1713683002 Cr-Commit-Position: refs/heads/master@{#379938}
-rw-r--r--chrome/browser/chromeos/policy/device_policy_decoder_chromeos.cc14
-rw-r--r--chrome/browser/chromeos/policy/proto/chrome_device_policy.proto13
-rw-r--r--chrome/browser/chromeos/settings/device_settings_provider.cc11
-rw-r--r--chrome/test/data/policy/policy_test_cases.json8
-rw-r--r--chromeos/settings/cros_settings_names.cc8
-rw-r--r--chromeos/settings/cros_settings_names.h2
-rw-r--r--components/policy/resources/policy_templates.json36
-rw-r--r--tools/metrics/histograms/histograms.xml1
8 files changed, 91 insertions, 2 deletions
diff --git a/chrome/browser/chromeos/policy/device_policy_decoder_chromeos.cc b/chrome/browser/chromeos/policy/device_policy_decoder_chromeos.cc
index 2c4d9e7..3e0d695 100644
--- a/chrome/browser/chromeos/policy/device_policy_decoder_chromeos.cc
+++ b/chrome/browser/chromeos/policy/device_policy_decoder_chromeos.cc
@@ -300,6 +300,20 @@ void DecodeLoginPolicies(const em::ChromeDeviceSettingsProto& policy,
NULL);
}
}
+
+ if (policy.has_login_authentication_behavior()) {
+ const em::LoginAuthenticationBehaviorProto& container(
+ policy.login_authentication_behavior());
+ if (container.has_login_authentication_behavior()) {
+ policies->Set(key::kLoginAuthenticationBehavior,
+ POLICY_LEVEL_MANDATORY,
+ POLICY_SCOPE_MACHINE,
+ POLICY_SOURCE_CLOUD,
+ DecodeIntegerValue(
+ container.login_authentication_behavior()).release(),
+ nullptr);
+ }
+ }
}
void DecodeNetworkPolicies(const em::ChromeDeviceSettingsProto& policy,
diff --git a/chrome/browser/chromeos/policy/proto/chrome_device_policy.proto b/chrome/browser/chromeos/policy/proto/chrome_device_policy.proto
index 5083919..a6eacb6 100644
--- a/chrome/browser/chromeos/policy/proto/chrome_device_policy.proto
+++ b/chrome/browser/chromeos/policy/proto/chrome_device_policy.proto
@@ -655,6 +655,18 @@ message AllowKioskAppControlChromeVersionProto {
optional bool allow_kiosk_app_control_chrome_version = 1 [default = false];
}
+// Settings that control the flow of the login authentication to be either via
+// GAIA (default), or via an interstitial screen that can redirect to a SAML IdP
+// endpoint or return back to the default GAIA flow.
+message LoginAuthenticationBehaviorProto {
+ enum LoginBehavior {
+ GAIA = 0;
+ SAML_INTERSTITIAL = 1;
+ };
+
+ optional LoginBehavior login_authentication_behavior = 1 [default = GAIA];
+}
+
message ChromeDeviceSettingsProto {
optional DevicePolicyRefreshRateProto device_policy_refresh_rate = 1;
optional UserWhitelistProto user_whitelist = 2;
@@ -701,4 +713,5 @@ message ChromeDeviceSettingsProto {
optional DisplayRotationDefaultProto display_rotation_default = 39;
optional AllowKioskAppControlChromeVersionProto
allow_kiosk_app_control_chrome_version = 40;
+ optional LoginAuthenticationBehaviorProto login_authentication_behavior = 41;
}
diff --git a/chrome/browser/chromeos/settings/device_settings_provider.cc b/chrome/browser/chromeos/settings/device_settings_provider.cc
index cb2c5fc..8fd931a 100644
--- a/chrome/browser/chromeos/settings/device_settings_provider.cc
+++ b/chrome/browser/chromeos/settings/device_settings_provider.cc
@@ -67,7 +67,7 @@ const char* const kKnownSettings[] = {
kExtensionCacheSize,
kHeartbeatEnabled,
kHeartbeatFrequency,
- kSystemLogUploadEnabled,
+ kLoginAuthenticationBehavior,
kPolicyMissingMitigationMode,
kRebootOnShutdown,
kReleaseChannel,
@@ -85,6 +85,7 @@ const char* const kKnownSettings[] = {
kSignedDataRoamingEnabled,
kStartUpFlags,
kStatsReportingPref,
+ kSystemLogUploadEnabled,
kSystemTimezonePolicy,
kSystemUse24HourClock,
kUpdateDisabled,
@@ -258,6 +259,14 @@ void DecodeLoginPolicies(
policy.login_screen_domain_auto_complete()
.login_screen_domain_auto_complete());
}
+
+ if (policy.has_login_authentication_behavior() &&
+ policy.login_authentication_behavior()
+ .has_login_authentication_behavior()) {
+ new_values_cache->SetInteger(
+ kLoginAuthenticationBehavior,
+ policy.login_authentication_behavior().login_authentication_behavior());
+ }
}
void DecodeNetworkPolicies(
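Review bot: The value stored by `new_values_cache->SetInteger(kLoginAuthenticationBehavior, ...)` is the raw integer of the proto enum, and when the policy is absent the key is left unset, so each reader has to decide for itself what a missing or unexpected number means. Because this setting selects the login authentication flow, I would state the contract next to the block, for example `// Left unset when the policy is absent; readers must treat a missing or unknown value as GAIA (0).` No reader of the setting is part of this commit, so that fallback is an assumption to confirm against the consumer. DecodeLoginPolicies starts above this hunk.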
diff --git a/chrome/test/data/policy/policy_test_cases.json b/chrome/test/data/policy/policy_test_cases.json
index 211d843..ad5a219 100644
--- a/chrome/test/data/policy/policy_test_cases.json
+++ b/chrome/test/data/policy/policy_test_cases.json
@@ -2666,6 +2666,14 @@
"AllowKioskAppControlChromeVersion": {
},
+
+ "LoginAuthenticationBehavior": {
+ "os": ["chromeos"],
+ "test_policy": { "LoginAuthenticationBehavior": 1 },
+ "pref_mappings": [
+ { "pref": "cros.device.login_authentication_behavior" }
+ ]
+ },
"----- Chrome Frame policies -------------------------------------------": {},
diff --git a/chromeos/settings/cros_settings_names.cc b/chromeos/settings/cros_settings_names.cc
index f6de5ca..cce908b 100644
--- a/chromeos/settings/cros_settings_names.cc
+++ b/chromeos/settings/cros_settings_names.cc
@@ -183,4 +183,12 @@ const char kExtensionCacheSize[] = "cros.device.extension_cache_size";
// 3 = 270 degrees clockwise rotation
const char kDisplayRotationDefault[] = "cros.display_rotation_default";
+// An integer pref that sets the behavior of the login authentication flow.
+// 0 = authentication using the default GAIA flow.
+// 1 = authentication using an interstitial screen that offers the user to go
+// ahead via the SAML IdP of the device's enrollment domain, or go back to the
+// normal GAIA login flow.
+const char kLoginAuthenticationBehavior[] =
+ "cros.device.login_authentication_behavior";
+
} // namespace chromeos
diff --git a/chromeos/settings/cros_settings_names.h b/chromeos/settings/cros_settings_names.h
index 2045b9e..cd9cd85 100644
--- a/chromeos/settings/cros_settings_names.h
+++ b/chromeos/settings/cros_settings_names.h
@@ -94,6 +94,8 @@ CHROMEOS_EXPORT extern const char kExtensionCacheSize[];
CHROMEOS_EXPORT extern const char kDisplayRotationDefault[];
+CHROMEOS_EXPORT extern const char kLoginAuthenticationBehavior[];
+
} // namespace chromeos
#endif // CHROMEOS_SETTINGS_CROS_SETTINGS_NAMES_H_
diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json
index e620640..1403ea6 100644
--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -137,7 +137,7 @@
# persistent IDs for all fields (but not for groups!) are needed. These are
# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
# because doing so would break the deployed wire format!
-# For your editing convenience: highest ID currently used: 320
+# For your editing convenience: highest ID currently used: 321
#
# Placeholders:
# The following placeholder strings are automatically substituted:
@@ -8269,6 +8269,40 @@
If the policy is not configured or set to false, the required_platform_version manifest key is ignored and auto update proceeds as normal.''',
},
+ {
+ 'name': 'LoginAuthenticationBehavior',
+ 'type': 'int-enum',
+ 'schema': {
+ 'type': 'integer',
+ 'enum': [ 0, 1, 2 ],
+ },
+ 'items': [
+ {
+ 'name': 'GAIA',
+ 'value': 0,
+ 'caption': '''Authentication via the default GAIA flow''',
+ },
+ {
+ 'name': 'SAML_INTERSTITIAL',
+ 'value': 1,
+ 'caption': '''Redirect to SAML IdP after user confirmation''',
+ },
+ ],
+ 'supported_on': ['chrome_os:51-'],
+ 'device_only': True,
+ 'features': {
+ 'dynamic_refresh': True,
+ },
+ 'example_value': 0,
+ 'id': 321,
+ 'caption': '''Configure the login authentication behavior''',
+ 'tags': [],
+ 'desc': '''When this policy is set, the login authentication flow will be in one of the following ways depending on the value of the setting:
+
+ If set to GAIA, login will be done via the normal GAIA authentication flow.
+
+ If set to SAML_INTERSTITIAL, login will show an interstitial screen offering the user to go forward with authentication via the SAML IdP of the device's enrollment domain, or go back to the normal GAIA login flow.'''
+ },
],
'messages': {
# Messages that are not associated to any policies.
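Review bot: The schema line `'enum': [ 0, 1, 2 ],` accepts a value 2 that has no entry under `'items'`, no explanation in `'desc'`, and no counterpart in `LoginAuthenticationBehaviorProto.LoginBehavior`, which this commit defines with only `GAIA = 0` and `SAML_INTERSTITIAL = 1`. For a policy that selects the login authentication flow, a value that passes schema validation but has no defined meaning leaves the outcome to whatever the consumer does with an unknown integer. I would narrow it to `'enum': [ 0, 1 ],` until the third mode named in the commit description (automatic redirection to the SAML IdP) is added together with its item and proto value.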
diff --git a/tools/metrics/histograms/histograms.xml b/tools/metrics/histograms/histograms.xml
index 5e33416..165d6fb 100644
--- a/tools/metrics/histograms/histograms.xml
+++ b/tools/metrics/histograms/histograms.xml
@@ -64345,6 +64345,7 @@ http://cs/file:chrome/histograms.xml - but prefer this file for new entries.
label="Allow the auto launched with zero delay kiosk app to control
ChromeOS version"/>
<int value="320" label="Control use of the Web Bluetooth API"/>
+ <int value="321" label="Configure the login authentication behavior"/>
</enum>
<enum name="EnterprisePolicyInvalidations" type="int">