Implement SAML endpoints for APIv4 (#5671)

* Implement SAML endpoints for APIv4

* Fix unit test

* Only disable encryption when removing puplic/private certs

11 files changed, 540 insertions, 19 deletions

diff --git a/api/admin.go b/api/admin.go
index 3aa1dc67d..785b8bf24 100644
--- a/api/admin.go
+++ b/api/admin.go
@@ -383,7 +383,7 @@ func addCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	fileData := fileArray[0]
 
-	if err := app.AddSamlCertificate(fileData); err != nil {
+	if err := app.WriteSamlFile(fileData); err != nil {
 		c.Err = err
 		return
 	}
@@ -393,7 +393,7 @@ func addCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
 func removeCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
 	props := model.MapFromJson(r.Body)
 
-	if err := app.RemoveSamlCertificate(props["filename"]); err != nil {
+	if err := app.RemoveSamlFile(props["filename"]); err != nil {
 		c.Err = err
 		return
 	}
@@ -403,7 +403,13 @@ func removeCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
 
 func samlCertificateStatus(c *Context, w http.ResponseWriter, r *http.Request) {
 	status := app.GetSamlCertificateStatus()
-	w.Write([]byte(model.StringInterfaceToJson(status)))
+
+	statusMap := map[string]interface{}{}
+	statusMap["IdpCertificateFile"] = status.IdpCertificateFile
+	statusMap["PrivateKeyFile"] = status.PrivateKeyFile
+	statusMap["PublicCertificateFile"] = status.PublicCertificateFile
+
+	w.Write([]byte(model.StringInterfaceToJson(statusMap)))
 }
 
 func getRecentlyActiveUsers(c *Context, w http.ResponseWriter, r *http.Request) {
diff --git a/api/apitestlib.go b/api/apitestlib.go
index df5ac5d26..4206d033e 100644
--- a/api/apitestlib.go
+++ b/api/apitestlib.go
@@ -6,6 +6,7 @@ package api
 import (
 	"time"
 
+	"github.com/mattermost/platform/api4"
 	"github.com/mattermost/platform/app"
 	"github.com/mattermost/platform/model"
 	"github.com/mattermost/platform/store"
@@ -43,6 +44,7 @@ func SetupEnterprise() *TestHelper {
 		InitRouter()
 		app.StartServer()
 		utils.InitHTML()
+		api4.InitApi(false)
 		InitApi()
 		utils.EnableDebugLogForTest()
 		app.Srv.Store.MarkSystemRanUnitTests()
diff --git a/api4/api.go b/api4/api.go
index c8c0e170b..71dfbcdf3 100644
--- a/api4/api.go
+++ b/api4/api.go
@@ -60,6 +60,8 @@ type Routes struct {
 
 	OAuth *mux.Router // 'api/v4/oauth'
 
+	SAML *mux.Router // 'api/v4/saml'
+
 	Admin *mux.Router // 'api/v4/admin'
 
 	System *mux.Router // 'api/v4/system'
@@ -127,6 +129,7 @@ func InitApi(full bool) {
 	BaseRoutes.OutgoingHooks = BaseRoutes.Hooks.PathPrefix("/outgoing").Subrouter()
 	BaseRoutes.OutgoingHook = BaseRoutes.OutgoingHooks.PathPrefix("/{hook_id:[A-Za-z0-9]+}").Subrouter()
 
+	BaseRoutes.SAML = BaseRoutes.ApiRoot.PathPrefix("/saml").Subrouter()
 	BaseRoutes.OAuth = BaseRoutes.ApiRoot.PathPrefix("/oauth").Subrouter()
 	BaseRoutes.Admin = BaseRoutes.ApiRoot.PathPrefix("/admin").Subrouter()
 	BaseRoutes.System = BaseRoutes.ApiRoot.PathPrefix("/system").Subrouter()
@@ -147,6 +150,7 @@ func InitApi(full bool) {
 	InitSystem()
 	InitWebhook()
 	InitPreference()
+	InitSaml()
 
 	app.Srv.Router.Handle("/api/v4/{anything:.*}", http.HandlerFunc(Handle404))
 
diff --git a/api4/apitestlib.go b/api4/apitestlib.go
index 3d2feaf6e..30dbfadae 100644
--- a/api4/apitestlib.go
+++ b/api4/apitestlib.go
@@ -38,6 +38,37 @@ type TestHelper struct {
 	SystemAdminUser   *model.User
 }
 
+func SetupEnterprise() *TestHelper {
+	if app.Srv == nil {
+		utils.TranslationsPreInit()
+		utils.LoadConfig("config.json")
+		utils.InitTranslations(utils.Cfg.LocalizationSettings)
+		utils.Cfg.TeamSettings.MaxUsersPerTeam = 50
+		*utils.Cfg.RateLimitSettings.Enable = false
+		utils.Cfg.EmailSettings.SendEmailNotifications = true
+		utils.Cfg.EmailSettings.SMTPServer = "dockerhost"
+		utils.Cfg.EmailSettings.SMTPPort = "2500"
+		utils.Cfg.EmailSettings.FeedbackEmail = "test@example.com"
+		utils.DisableDebugLogForTest()
+		utils.License.Features.SetDefaults()
+		app.NewServer()
+		app.InitStores()
+		InitRouter()
+		app.StartServer()
+		utils.InitHTML()
+		InitApi(true)
+		utils.EnableDebugLogForTest()
+		app.Srv.Store.MarkSystemRanUnitTests()
+
+		*utils.Cfg.TeamSettings.EnableOpenServer = true
+	}
+
+	th := &TestHelper{}
+	th.Client = th.CreateClient()
+	th.SystemAdminClient = th.CreateClient()
+	return th
+}
+
 func Setup() *TestHelper {
 	if app.Srv == nil {
 		utils.TranslationsPreInit()
diff --git a/api4/saml.go b/api4/saml.go
new file mode 100644
index 000000000..e2c35f30d
--- /dev/null
+++ b/api4/saml.go
@@ -0,0 +1,171 @@
+// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package api4
+
+import (
+	"mime/multipart"
+	"net/http"
+
+	l4g "github.com/alecthomas/log4go"
+	"github.com/mattermost/platform/app"
+	"github.com/mattermost/platform/model"
+	"github.com/mattermost/platform/utils"
+)
+
+func InitSaml() {
+	l4g.Debug(utils.T("api.saml.init.debug"))
+
+	BaseRoutes.SAML.Handle("/metadata", ApiHandler(getSamlMetadata)).Methods("GET")
+
+	BaseRoutes.SAML.Handle("/certificate/public", ApiSessionRequired(addSamlPublicCertificate)).Methods("POST")
+	BaseRoutes.SAML.Handle("/certificate/private", ApiSessionRequired(addSamlPrivateCertificate)).Methods("POST")
+	BaseRoutes.SAML.Handle("/certificate/idp", ApiSessionRequired(addSamlIdpCertificate)).Methods("POST")
+
+	BaseRoutes.SAML.Handle("/certificate/public", ApiSessionRequired(removeSamlPublicCertificate)).Methods("DELETE")
+	BaseRoutes.SAML.Handle("/certificate/private", ApiSessionRequired(removeSamlPrivateCertificate)).Methods("DELETE")
+	BaseRoutes.SAML.Handle("/certificate/idp", ApiSessionRequired(removeSamlIdpCertificate)).Methods("DELETE")
+
+	BaseRoutes.SAML.Handle("/certificate/status", ApiSessionRequired(getSamlCertificateStatus)).Methods("GET")
+}
+
+func getSamlMetadata(c *Context, w http.ResponseWriter, r *http.Request) {
+	metadata, err := app.GetSamlMetadata()
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/xml")
+	w.Header().Set("Content-Disposition", "attachment; filename=\"metadata.xml\"")
+	w.Write([]byte(metadata))
+}
+
+func parseSamlCertificateRequest(r *http.Request) (*multipart.FileHeader, *model.AppError) {
+	err := r.ParseMultipartForm(*utils.Cfg.FileSettings.MaxFileSize)
+	if err != nil {
+		return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.no_file.app_error", nil, err.Error(), http.StatusBadRequest)
+	}
+
+	m := r.MultipartForm
+
+	fileArray, ok := m.File["certificate"]
+	if !ok {
+		return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.no_file.app_error", nil, "", http.StatusBadRequest)
+	}
+
+	if len(fileArray) <= 0 {
+		return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.array.app_error", nil, "", http.StatusBadRequest)
+	}
+
+	return fileArray[0], nil
+}
+
+func addSamlPublicCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	fileData, err := parseSamlCertificateRequest(r)
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	if err := app.AddSamlPublicCertificate(fileData); err != nil {
+		c.Err = err
+		return
+	}
+	ReturnStatusOK(w)
+}
+
+func addSamlPrivateCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	fileData, err := parseSamlCertificateRequest(r)
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	if err := app.AddSamlPrivateCertificate(fileData); err != nil {
+		c.Err = err
+		return
+	}
+	ReturnStatusOK(w)
+}
+
+func addSamlIdpCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	fileData, err := parseSamlCertificateRequest(r)
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	if err := app.AddSamlIdpCertificate(fileData); err != nil {
+		c.Err = err
+		return
+	}
+	ReturnStatusOK(w)
+}
+
+func removeSamlPublicCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	if err := app.RemoveSamlPublicCertificate(); err != nil {
+		c.Err = err
+		return
+	}
+
+	ReturnStatusOK(w)
+}
+
+func removeSamlPrivateCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	if err := app.RemoveSamlPrivateCertificate(); err != nil {
+		c.Err = err
+		return
+	}
+
+	ReturnStatusOK(w)
+}
+
+func removeSamlIdpCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	if err := app.RemoveSamlIdpCertificate(); err != nil {
+		c.Err = err
+		return
+	}
+
+	ReturnStatusOK(w)
+}
+
+func getSamlCertificateStatus(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	status := app.GetSamlCertificateStatus()
+	w.Write([]byte(status.ToJson()))
+}
diff --git a/api4/saml_test.go b/api4/saml_test.go
new file mode 100644
index 000000000..7e4722a3b
--- /dev/null
+++ b/api4/saml_test.go
@@ -0,0 +1,19 @@
+// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package api4
+
+import (
+	"testing"
+)
+
+func TestGetSamlMetadata(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer TearDown()
+	Client := th.Client
+
+	_, resp := Client.GetSamlMetadata()
+	CheckNotImplementedStatus(t, resp)
+
+	// Rest is tested by enterprise tests
+}
diff --git a/app/saml.go b/app/saml.go
index cc39d4540..444214302 100644
--- a/app/saml.go
+++ b/app/saml.go
@@ -16,21 +16,19 @@ import (
 
 func GetSamlMetadata() (string, *model.AppError) {
 	samlInterface := einterfaces.GetSamlInterface()
-
 	if samlInterface == nil {
-		err := model.NewLocAppError("GetSamlMetadata", "api.admin.saml.not_available.app_error", nil, "")
-		err.StatusCode = http.StatusNotImplemented
+		err := model.NewAppError("GetSamlMetadata", "api.admin.saml.not_available.app_error", nil, "", http.StatusNotImplemented)
 		return "", err
 	}
 
 	if result, err := samlInterface.GetMetadata(); err != nil {
-		return "", model.NewLocAppError("GetSamlMetadata", "api.admin.saml.metadata.app_error", nil, "err="+err.Message)
+		return "", model.NewAppError("GetSamlMetadata", "api.admin.saml.metadata.app_error", nil, "err="+err.Message, http.StatusInternalServerError)
 	} else {
 		return result, nil
 	}
 }
 
-func AddSamlCertificate(fileData *multipart.FileHeader) *model.AppError {
+func WriteSamlFile(fileData *multipart.FileHeader) *model.AppError {
 	file, err := fileData.Open()
 	defer file.Close()
 	if err != nil {
@@ -47,7 +45,67 @@ func AddSamlCertificate(fileData *multipart.FileHeader) *model.AppError {
 	return nil
 }
 
-func RemoveSamlCertificate(filename string) *model.AppError {
+func AddSamlPublicCertificate(fileData *multipart.FileHeader) *model.AppError {
+	if err := WriteSamlFile(fileData); err != nil {
+		return err
+	}
+
+	cfg := &model.Config{}
+	*cfg = *utils.Cfg
+
+	*cfg.SamlSettings.PublicCertificateFile = fileData.Filename
+
+	if err := cfg.IsValid(); err != nil {
+		return err
+	}
+
+	utils.SaveConfig(utils.CfgFileName, cfg)
+	utils.LoadConfig(utils.CfgFileName)
+
+	return nil
+}
+
+func AddSamlPrivateCertificate(fileData *multipart.FileHeader) *model.AppError {
+	if err := WriteSamlFile(fileData); err != nil {
+		return err
+	}
+
+	cfg := &model.Config{}
+	*cfg = *utils.Cfg
+
+	*cfg.SamlSettings.PrivateKeyFile = fileData.Filename
+
+	if err := cfg.IsValid(); err != nil {
+		return err
+	}
+
+	utils.SaveConfig(utils.CfgFileName, cfg)
+	utils.LoadConfig(utils.CfgFileName)
+
+	return nil
+}
+
+func AddSamlIdpCertificate(fileData *multipart.FileHeader) *model.AppError {
+	if err := WriteSamlFile(fileData); err != nil {
+		return err
+	}
+
+	cfg := &model.Config{}
+	*cfg = *utils.Cfg
+
+	*cfg.SamlSettings.IdpCertificateFile = fileData.Filename
+
+	if err := cfg.IsValid(); err != nil {
+		return err
+	}
+
+	utils.SaveConfig(utils.CfgFileName, cfg)
+	utils.LoadConfig(utils.CfgFileName)
+
+	return nil
+}
+
+func RemoveSamlFile(filename string) *model.AppError {
 	if err := os.Remove(utils.FindConfigFile(filename)); err != nil {
 		return model.NewLocAppError("removeCertificate", "api.admin.remove_certificate.delete.app_error",
 			map[string]interface{}{"Filename": filename}, err.Error())
@@ -56,12 +114,75 @@ func RemoveSamlCertificate(filename string) *model.AppError {
 	return nil
 }
 
-func GetSamlCertificateStatus() map[string]interface{} {
-	status := make(map[string]interface{})
+func RemoveSamlPublicCertificate() *model.AppError {
+	if err := RemoveSamlFile(*utils.Cfg.SamlSettings.PublicCertificateFile); err != nil {
+		return err
+	}
+
+	cfg := &model.Config{}
+	*cfg = *utils.Cfg
+
+	*cfg.SamlSettings.PublicCertificateFile = ""
+	*cfg.SamlSettings.Encrypt = false
+
+	if err := cfg.IsValid(); err != nil {
+		return err
+	}
+
+	utils.SaveConfig(utils.CfgFileName, cfg)
+	utils.LoadConfig(utils.CfgFileName)
+
+	return nil
+}
+
+func RemoveSamlPrivateCertificate() *model.AppError {
+	if err := RemoveSamlFile(*utils.Cfg.SamlSettings.PrivateKeyFile); err != nil {
+		return err
+	}
+
+	cfg := &model.Config{}
+	*cfg = *utils.Cfg
+
+	*cfg.SamlSettings.PrivateKeyFile = ""
+	*cfg.SamlSettings.Encrypt = false
+
+	if err := cfg.IsValid(); err != nil {
+		return err
+	}
+
+	utils.SaveConfig(utils.CfgFileName, cfg)
+	utils.LoadConfig(utils.CfgFileName)
+
+	return nil
+}
+
+func RemoveSamlIdpCertificate() *model.AppError {
+	if err := RemoveSamlFile(*utils.Cfg.SamlSettings.IdpCertificateFile); err != nil {
+		return err
+	}
+
+	cfg := &model.Config{}
+	*cfg = *utils.Cfg
+
+	*cfg.SamlSettings.IdpCertificateFile = ""
+	*cfg.SamlSettings.Enable = false
+
+	if err := cfg.IsValid(); err != nil {
+		return err
+	}
+
+	utils.SaveConfig(utils.CfgFileName, cfg)
+	utils.LoadConfig(utils.CfgFileName)
+
+	return nil
+}
+
+func GetSamlCertificateStatus() *model.SamlCertificateStatus {
+	status := &model.SamlCertificateStatus{}
 
-	status["IdpCertificateFile"] = utils.FileExistsInConfigFolder(*utils.Cfg.SamlSettings.IdpCertificateFile)
-	status["PrivateKeyFile"] = utils.FileExistsInConfigFolder(*utils.Cfg.SamlSettings.PrivateKeyFile)
-	status["PublicCertificateFile"] = utils.FileExistsInConfigFolder(*utils.Cfg.SamlSettings.PublicCertificateFile)
+	status.IdpCertificateFile = utils.FileExistsInConfigFolder(*utils.Cfg.SamlSettings.IdpCertificateFile)
+	status.PrivateKeyFile = utils.FileExistsInConfigFolder(*utils.Cfg.SamlSettings.PrivateKeyFile)
+	status.PublicCertificateFile = utils.FileExistsInConfigFolder(*utils.Cfg.SamlSettings.PublicCertificateFile)
 
 	return status
 }
diff --git a/i18n/en.json b/i18n/en.json
index 77660a840..24ade54d5 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -8,6 +8,10 @@
     "translation": "Link previews have been disabled by the system administrator."
   },
   {
+    "id": "model.client.upload_saml_cert.app_error",
+    "translation": "Error creating SAML certificate multipart form request"
+  },
+  {
     "id": "August",
     "translation": "August"
   },
diff --git a/model/client4.go b/model/client4.go
index 71d37341d..808ce74e3 100644
--- a/model/client4.go
+++ b/model/client4.go
@@ -150,6 +150,10 @@ func (c *Client4) GetPreferencesRoute(userId string) string {
 	return fmt.Sprintf(c.GetUserRoute(userId) + "/preferences")
 }
 
+func (c *Client4) GetSamlRoute() string {
+	return fmt.Sprintf("/saml")
+}
+
 func (c *Client4) DoApiGet(url string, etag string) (*http.Response, *AppError) {
 	return c.DoApiRequest(http.MethodGet, url, "", etag)
 }
@@ -994,7 +998,7 @@ func (c *Client4) DeleteIncomingWebhook(hookID string) (bool, *Response) {
 
 // Preferences Section
 
-// GetPreferences returns the user's preferences
+// GetPreferences returns the user's preferences.
 func (c *Client4) GetPreferences(userId string) (Preferences, *Response) {
 	if r, err := c.DoApiGet(c.GetPreferencesRoute(userId), ""); err != nil {
 		return nil, &Response{StatusCode: r.StatusCode, Error: err}
@@ -1005,7 +1009,7 @@ func (c *Client4) GetPreferences(userId string) (Preferences, *Response) {
 	}
 }
 
-// UpdatePreferences saves the user's preferences
+// UpdatePreferences saves the user's preferences.
 func (c *Client4) UpdatePreferences(userId string, preferences *Preferences) (bool, *Response) {
 	if r, err := c.DoApiPut(c.GetPreferencesRoute(userId), preferences.ToJson()); err != nil {
 		return false, &Response{StatusCode: r.StatusCode, Error: err}
@@ -1015,7 +1019,7 @@ func (c *Client4) UpdatePreferences(userId string, preferences *Preferences) (bo
 	}
 }
 
-// DeletePreferences deletes the user's preferences
+// DeletePreferences deletes the user's preferences.
 func (c *Client4) DeletePreferences(userId string, preferences *Preferences) (bool, *Response) {
 	if r, err := c.DoApiPost(c.GetPreferencesRoute(userId)+"/delete", preferences.ToJson()); err != nil {
 		return false, &Response{StatusCode: r.StatusCode, Error: err}
@@ -1025,7 +1029,7 @@ func (c *Client4) DeletePreferences(userId string, preferences *Preferences) (bo
 	}
 }
 
-// GetPreferencesByCategory returns the user's preferences from the provided category string
+// GetPreferencesByCategory returns the user's preferences from the provided category string.
 func (c *Client4) GetPreferencesByCategory(userId string, category string) (Preferences, *Response) {
 	url := fmt.Sprintf(c.GetPreferencesRoute(userId)+"/%s", category)
 	if r, err := c.DoApiGet(url, ""); err != nil {
@@ -1037,7 +1041,7 @@ func (c *Client4) GetPreferencesByCategory(userId string, category string) (Pref
 	}
 }
 
-// GetPreferenceByCategoryAndName returns the user's preferences from the provided category and preference name string
+// GetPreferenceByCategoryAndName returns the user's preferences from the provided category and preference name string.
 func (c *Client4) GetPreferenceByCategoryAndName(userId string, category string, preferenceName string) (*Preference, *Response) {
 	url := fmt.Sprintf(c.GetPreferencesRoute(userId)+"/%s/name/%v", category, preferenceName)
 	if r, err := c.DoApiGet(url, ""); err != nil {
@@ -1047,3 +1051,107 @@ func (c *Client4) GetPreferenceByCategoryAndName(userId string, category string,
 		return PreferenceFromJson(r.Body), BuildResponse(r)
 	}
 }
+
+// SAML Section
+
+// GetSamlMetadata returns metadata for the SAML configuration.
+func (c *Client4) GetSamlMetadata() (string, *Response) {
+	if r, err := c.DoApiGet(c.GetSamlRoute()+"/metadata", ""); err != nil {
+		return "", &Response{StatusCode: r.StatusCode, Error: err}
+	} else {
+		defer closeBody(r)
+		buf := new(bytes.Buffer)
+		buf.ReadFrom(r.Body)
+		return buf.String(), BuildResponse(r)
+	}
+}
+
+func samlFileToMultipart(data []byte, filename string) ([]byte, *multipart.Writer, error) {
+	body := &bytes.Buffer{}
+	writer := multipart.NewWriter(body)
+
+	if part, err := writer.CreateFormFile("certificate", filename); err != nil {
+		return nil, nil, err
+	} else if _, err = io.Copy(part, bytes.NewBuffer(data)); err != nil {
+		return nil, nil, err
+	}
+
+	if err := writer.Close(); err != nil {
+		return nil, nil, err
+	}
+
+	return body.Bytes(), writer, nil
+}
+
+// UploadSamlIdpCertificate will upload an IDP certificate for SAML and set the config to use it.
+func (c *Client4) UploadSamlIdpCertificate(data []byte, filename string) (bool, *Response) {
+	body, writer, err := samlFileToMultipart(data, filename)
+	if err != nil {
+		return false, &Response{Error: NewAppError("UploadSamlIdpCertificate", "model.client.upload_saml_cert.app_error", nil, err.Error(), http.StatusBadRequest)}
+	}
+
+	_, resp := c.DoUploadFile(c.GetSamlRoute()+"/certificate/idp", body, writer.FormDataContentType())
+	return resp.Error == nil, resp
+}
+
+// UploadSamlPublicCertificate will upload a public certificate for SAML and set the config to use it.
+func (c *Client4) UploadSamlPublicCertificate(data []byte, filename string) (bool, *Response) {
+	body, writer, err := samlFileToMultipart(data, filename)
+	if err != nil {
+		return false, &Response{Error: NewAppError("UploadSamlPublicCertificate", "model.client.upload_saml_cert.app_error", nil, err.Error(), http.StatusBadRequest)}
+	}
+
+	_, resp := c.DoUploadFile(c.GetSamlRoute()+"/certificate/public", body, writer.FormDataContentType())
+	return resp.Error == nil, resp
+}
+
+// UploadSamlPrivateCertificate will upload a private key for SAML and set the config to use it.
+func (c *Client4) UploadSamlPrivateCertificate(data []byte, filename string) (bool, *Response) {
+	body, writer, err := samlFileToMultipart(data, filename)
+	if err != nil {
+		return false, &Response{Error: NewAppError("UploadSamlPrivateCertificate", "model.client.upload_saml_cert.app_error", nil, err.Error(), http.StatusBadRequest)}
+	}
+
+	_, resp := c.DoUploadFile(c.GetSamlRoute()+"/certificate/private", body, writer.FormDataContentType())
+	return resp.Error == nil, resp
+}
+
+// DeleteSamlIdpCertificate deletes the SAML IDP certificate from the server and updates the config to not use it and disable SAML.
+func (c *Client4) DeleteSamlIdpCertificate() (bool, *Response) {
+	if r, err := c.DoApiDelete(c.GetSamlRoute() + "/certificate/idp"); err != nil {
+		return false, &Response{StatusCode: r.StatusCode, Error: err}
+	} else {
+		defer closeBody(r)
+		return CheckStatusOK(r), BuildResponse(r)
+	}
+}
+
+// DeleteSamlPublicCertificate deletes the SAML IDP certificate from the server and updates the config to not use it and disable SAML.
+func (c *Client4) DeleteSamlPublicCertificate() (bool, *Response) {
+	if r, err := c.DoApiDelete(c.GetSamlRoute() + "/certificate/public"); err != nil {
+		return false, &Response{StatusCode: r.StatusCode, Error: err}
+	} else {
+		defer closeBody(r)
+		return CheckStatusOK(r), BuildResponse(r)
+	}
+}
+
+// DeleteSamlPrivateCertificate deletes the SAML IDP certificate from the server and updates the config to not use it and disable SAML.
+func (c *Client4) DeleteSamlPrivateCertificate() (bool, *Response) {
+	if r, err := c.DoApiDelete(c.GetSamlRoute() + "/certificate/private"); err != nil {
+		return false, &Response{StatusCode: r.StatusCode, Error: err}
+	} else {
+		defer closeBody(r)
+		return CheckStatusOK(r), BuildResponse(r)
+	}
+}
+
+// GetSamlCertificateStatus returns metadata for the SAML configuration.
+func (c *Client4) GetSamlCertificateStatus() (*SamlCertificateStatus, *Response) {
+	if r, err := c.DoApiGet(c.GetSamlRoute()+"/certificate/status", ""); err != nil {
+		return nil, &Response{StatusCode: r.StatusCode, Error: err}
+	} else {
+		defer closeBody(r)
+		return SamlCertificateStatusFromJson(r.Body), BuildResponse(r)
+	}
+}
diff --git a/model/saml.go b/model/saml.go
index 16d3845da..1371c433f 100644
--- a/model/saml.go
+++ b/model/saml.go
@@ -3,6 +3,11 @@
 
 package model
 
+import (
+	"encoding/json"
+	"io"
+)
+
 const (
 	USER_AUTH_SERVICE_SAML      = "saml"
 	USER_AUTH_SERVICE_SAML_TEXT = "With SAML"
@@ -16,3 +21,29 @@ type SamlAuthRequest struct {
 	URL               string
 	RelayState        string
 }
+
+type SamlCertificateStatus struct {
+	IdpCertificateFile    bool `json:"idp_certificate_file"`
+	PrivateKeyFile        bool `json:"private_key_file"`
+	PublicCertificateFile bool `json:"public_certificate_file"`
+}
+
+func (s *SamlCertificateStatus) ToJson() string {
+	b, err := json.Marshal(s)
+	if err != nil {
+		return ""
+	} else {
+		return string(b)
+	}
+}
+
+func SamlCertificateStatusFromJson(data io.Reader) *SamlCertificateStatus {
+	decoder := json.NewDecoder(data)
+	var status SamlCertificateStatus
+	err := decoder.Decode(&status)
+	if err == nil {
+		return &status
+	} else {
+		return nil
+	}
+}
diff --git a/model/saml_test.go b/model/saml_test.go
new file mode 100644
index 000000000..578e78da5
--- /dev/null
+++ b/model/saml_test.go
@@ -0,0 +1,24 @@
+// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package model
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestSamlCertificateStatusJson(t *testing.T) {
+	status := &SamlCertificateStatus{IdpCertificateFile: true, PrivateKeyFile: true, PublicCertificateFile: true}
+	json := status.ToJson()
+	rstatus := SamlCertificateStatusFromJson(strings.NewReader(json))
+
+	if status.IdpCertificateFile != rstatus.IdpCertificateFile {
+		t.Fatal("IdpCertificateFile do not match")
+	}
+
+	rstatus = SamlCertificateStatusFromJson(strings.NewReader("junk"))
+	if rstatus != nil {
+		t.Fatal("should be nil")
+	}
+}