Diffstat (limited to 'google/oauth2/challenges.py')
-rw-r--r--google/oauth2/challenges.py28
1 files changed, 27 insertions, 1 deletions
diff --git a/google/oauth2/challenges.py b/google/oauth2/challenges.py
index 7756a80..0baff62 100644
--- a/google/oauth2/challenges.py
+++ b/google/oauth2/challenges.py
@@ -25,6 +25,9 @@ from google.auth import exceptions
REAUTH_ORIGIN = "https://accounts.google.com"
+SAML_CHALLENGE_MESSAGE = (
+ "Please run `gcloud auth login` to complete reauthentication with SAML."
+)
def get_user_password(text):
@@ -148,7 +151,30 @@ class SecurityKeyChallenge(ReauthChallenge):
return None
+class SamlChallenge(ReauthChallenge):
+ """Challenge that asks the users to browse to their ID Providers.
+
+ Currently SAML challenge is not supported. When obtaining the challenge
+ input, exception will be raised to instruct the users to run
+ `gcloud auth login` for reauthentication.
+ """
+
+ @property
+ def name(self):
+ return "SAML"
+
+ @property
+ def is_locally_eligible(self):
+ return True
+
+ def obtain_challenge_input(self, metadata):
+ # Magic Arch has not fully supported returning a proper dedirect URL
+ # for programmatic SAML users today. So we error our here and request
+ # users to use gcloud to complete a login.
+ raise exceptions.ReauthSamlChallengeFailError(SAML_CHALLENGE_MESSAGE)
+
+
AVAILABLE_CHALLENGES = {
challenge.name: challenge
- for challenge in [SecurityKeyChallenge(), PasswordChallenge()]
+ for challenge in [SecurityKeyChallenge(), PasswordChallenge(), SamlChallenge()]
}
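Review bot: `SamlChallenge.is_locally_eligible` returns `True` while `obtain_challenge_input` unconditionally raises `ReauthSamlChallengeFailError`, and nothing in the class says that pairing is deliberate. The caller that iterates `AVAILABLE_CHALLENGES` is outside this hunk, so it is not visible whether the exception ends the whole reauth attempt or lets another offered challenge (security key, password) be tried; a test covering a response that offers SAML alongside another challenge would pin that down. I would add a docstring to `obtain_challenge_input` noting that `metadata` is ignored and that the method always raises, plus a comment on `is_locally_eligible` such as `# Reported as eligible so the user is told to run gcloud rather than seeing no usable challenge.` if that is the intent. The inline comment also has two typos, "dedirect" for "redirect" and "error our here" for "error out here". If SAML is implemented later, any redirect URL taken from `metadata` should be validated against the expected origin before it is shown to the user.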