devise_saml_authenticatable 1.3.1 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: eeabad37a5473557499db0b8de604afb7740608d
-  data.tar.gz: 952108992254613cdf27f72aedbf6e2a772f95a3
+SHA256:
+  metadata.gz: 8f372d3d801220ab4ce4a7e83501f0e5d7a9cc2590eb64aa1c91a0a5ad053d7d
+  data.tar.gz: bcdfc0370f0926a542164ea577030e9ff17666adb9e0d5ae8367a605e4966866
 SHA512:
-  metadata.gz: 720d7b21c40596b762a85c5c0df2f9dc3d1af7fdce86a7c8562428b866e79eab6a768e070c648fd4c657415bca175102d4eaa0dff6866c7cc8b14025d1bf5101
-  data.tar.gz: c3368984264f54a99a37ce9e4b546b7bbd2460a834bc57300dfaf242232619bad50f51bb66adc4d2e1e41d287ce4f3f7f85923697835a06bf14f73968a31f1ed
+  metadata.gz: d9bd026db0bb199aaa9b72d1c03fccef49a905dc7270739b48e682623036f945b74f16c99f1d457086df47ff03f8e71aee5c4a412d01cd9f9c80b4f84e79d58a
+  data.tar.gz: c2f32e5297c0e9a4aadce6069282d8c17e91d95550a777e2f5755745effc0fda5eaa958e4656d5776e2a507251d230fdaba3d944189874d0166d3f2cefbe153c

data/.gitignore

@@ -13,6 +13,4 @@ lib/bundler/man
 pkg
 rdoc
 spec/reports
-spec/support/idp/
-spec/support/sp/
 tmp

data/.travis.yml

@@ -1,37 +1,52 @@
 language: ruby
 rvm:
-  - "1.9.3"
   - "2.0.0"
-  - "2.1.9"
-  - "2.2.5"
-  - "2.3.1"
+  - "2.1.10"
+  - "2.2.10"
+  - "2.3.8"
+  - "2.4.10"
+  - "2.5.8"
+  - "2.6.6"
+  - "2.7.1"
 gemfile:
   - Gemfile
+  - spec/support/Gemfile.rails5.2
+  - spec/support/Gemfile.rails5.1
+  - spec/support/Gemfile.rails5
   - spec/support/Gemfile.rails4
-  - spec/support/Gemfile.ruby-saml-1.3
 matrix:
   allow_failures:
-    - rvm: "1.9.3"
-      gemfile: Gemfile
-    - rvm: "1.9.3"
-      gemfile: spec/support/Gemfile.ruby-saml-1.3
     - rvm: "2.0.0"
       gemfile: Gemfile
     - rvm: "2.0.0"
-      gemfile: spec/support/Gemfile.ruby-saml-1.3
-    - rvm: "2.1.9"
+      gemfile: spec/support/Gemfile.rails5
+    - rvm: "2.0.0"
+      gemfile: spec/support/Gemfile.rails5.1
+    - rvm: "2.0.0"
+      gemfile: spec/support/Gemfile.rails5.2
+    - rvm: "2.1.10"
+      gemfile: Gemfile
+    - rvm: "2.1.10"
+      gemfile: spec/support/Gemfile.rails5
+    - rvm: "2.1.10"
+      gemfile: spec/support/Gemfile.rails5.1
+    - rvm: "2.1.10"
+      gemfile: spec/support/Gemfile.rails5.2
+    - rvm: "2.2.10"
       gemfile: Gemfile
-    - rvm: "2.1.9"
-      gemfile: spec/support/Gemfile.ruby-saml-1.3
+    - rvm: "2.2.10"
+      gemfile: spec/support/Gemfile.rails5.2
+    - rvm: "2.3.8"
+      gemfile: Gemfile
+    - rvm: "2.4.10"
+      gemfile: Gemfile
+    - rvm: "2.6.6"
+      gemfile: spec/support/Gemfile.rails4
+    - rvm: "2.7.1"
+      gemfile: spec/support/Gemfile.rails4
+
+before_install:
+  - command -v bundle || gem install bundler -v '~> 1.17.3'
 
 script:
   - bundle exec rake
-
-notifications:
-  hipchat:
-    rooms:
-      secure: cuDak5a6fBeg+sp61COqxQfzdcFEsjwCqtwvCISso0RNh5SR8v+uVYKcA8rlK+GE1l9uR7tLRHeHF3ZmzvFSOat07NvpScvjZXi+OSpWlc6rwQ6Pl6bBP6gu6sREiKVe0eT/uGrvJloyWKZaXIhiiBzQ+ZERx/ssGA9WMmNkhlwy1OgGnPNurNNHZLBjEZn1V6kdyxiXx6QPASNpjNEgN1G8dUh3qzcWUGVQGNZSJk65A6ie1MveNyecTjDhw+ADBU8nS28Ja4y6ohRm4FzofSgespYrvfygIZ5rYF0HPMj5FW1ZDWtM5355ojCk8RLT+ZkuhssCn1OJk7ogaOVjnYcOFRxEfpu3eIbjtMmUz3j4umatFqbgas+6SXMVIPkr5HUoTrP8HNFssIpcEBOnPwAF8QCpx+daHc0r2cc8lGuXhtJfpW0P2F0dmwJNiQ7//nz2y2xs84x4Gb7MV9tEDYp0FqEClMuFBkPNizBljarm04PkiLSrqvR52aMDfQz7YAX2oXAvFjPzI1GC0K8x7xX8TuHT9yuHy7fI+rUSNivZYLKO+IEZqPPDdJpXISUbVwanZoNvmQYk5PZV21MfDSGwQrz8eO/uFiAblj18yIlNbAfb2hdZDVYsm4EvWxELJtfaTxgrj6M3Y3m/KbCbCoDp+2jE307M2rxL0Gum2gk=
-    template:
-      - '%{repository}<a href="%{build_url}">#%{build_number}</a> (%{branch} - <a href="%{compare_url}">%{commit}</a> : %{author}): %{message}'
-    format: html
-    on_pull_requests: true

data/Gemfile

@@ -6,17 +6,9 @@ gemspec
 group :test do
   gem 'rake'
   gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 5.0'
+  gem 'rails', '~> 6.0'
   gem 'rspec-rails'
-  gem 'sqlite3'
+  gem 'sqlite3', '~> 1.4.0'
   gem 'capybara'
   gem 'poltergeist'
-
-  # Lock down versions of gems for older versions of Ruby
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")
-    gem 'mime-types', '~> 2.99'
-  end
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
-    gem 'devise', '~> 3.5'
-  end
 end

data/README.md

@@ -2,25 +2,27 @@
 # DeviseSamlAuthenticatable
 
 Devise Saml Authenticatable is a Single-Sign-On authentication strategy for devise that relies on SAML.
-It uses [ruby-saml][] to handle all SAML related stuff.
+It uses [ruby-saml][] to handle all SAML-related stuff.
 
 ## Installation
 
-Add this line to your application's Gemfile:
+Add this gem to your application's Gemfile:
 
-    gem 'devise_saml_authenticatable'
+    git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+    gem "devise_saml_authenticatable", github: "apokalipto/devise_saml_authenticatable"
 
 And then execute:
 
     $ bundle
 
-Or install it yourself as:
+## Usage
 
-    $ gem install devise_saml_authenticatable
+Follow the [normal devise installation process](https://github.com/plataformatec/devise/tree/master#getting-started). The controller filters and helpers are unchanged from normal devise usage.
 
-## Usage
+### Configuring Models
 
 In `app/models/<YOUR_MODEL>.rb` set the `:saml_authenticatable` strategy.
+
 In the example the model is `user.rb`:
 
 ```ruby
@@ -31,7 +33,38 @@ In the example the model is `user.rb`:
   end
 ```
 
-In config/initializers/devise.rb
+### Configuring routes
+
+In `config/routes.rb` add `devise_for` to set up helper methods and routes:
+
+```ruby
+devise_for :users
+```
+
+The named routes can be customized in the initializer config file.
+
+### Configuring the IdP
+
+An extra step in SAML SSO setup is adding your application to your identity provider. The required setup is specific to each IdP, but we have some examples in [our wiki](https://github.com/apokalipto/devise_saml_authenticatable/wiki). You'll need to tell your IdP how to send requests and responses to your application.
+
+- Creating a new session: `/users/saml/auth`
+    - IdPs may call this the "consumer," "recipient," "destination," or even "single sign-on." This is where they send a SAML response for an authenticated user.
+- Metadata: `/users/saml/metadata`
+    - IdPs may call this the "audience."
+- Single Logout: `/users/saml/idp_sign_out`
+    - if desired, you can ask the IdP to send a Logout request to this endpoint to sign the user out of your application when they sign out of the IdP itself.
+
+Your IdP should give you some information you need to configure in [ruby-saml](https://github.com/onelogin/ruby-saml), as in the next section:
+
+- Issuer (`idp_entity_id`)
+- SSO endpoint (`idp_sso_target_url`)
+- SLO endpoint (`idp_slo_target_url`)
+- Certificate fingerprint (`idp_cert_fingerprint`) and algorithm (`idp_cert_fingerprint_algorithm`)
+    - Or the certificate itself (`idp_cert`)
+
+### Configuring handling of IdP requests and responses
+
+In `config/initializers/devise.rb`:
 
 ```ruby
   Devise.setup do |config|
@@ -52,8 +85,8 @@ In config/initializers/devise.rb
     # for the user's session to facilitate an IDP initiated logout request.
     config.saml_session_index_key = :session_index
 
-    # You can set this value to use Subject or SAML assertation as info to which email will be compared
-    # If you don't set it then email will be extracted from SAML assertation attributes
+    # You can set this value to use Subject or SAML assertation as info to which email will be compared.
+    # If you don't set it then email will be extracted from SAML assertation attributes.
     config.saml_use_subject = true
 
     # You can support multiple IdPs by setting this value to a class that implements a #settings method which takes
@@ -68,8 +101,19 @@ In config/initializers/devise.rb
     # and implements a #handle method. This method can then redirect the user, return error messages, etc.
     # config.saml_failed_callback = nil
 
-    # Configure with your SAML settings (see [ruby-saml][] for more information).
+    # You can customize the named routes generated in case of named route collisions with
+    # other Devise modules or libraries. Set the saml_route_helper_prefix to a string that will
+    # be appended to the named route.
+    # If saml_route_helper_prefix = 'saml' then the new_user_session route becomes new_saml_user_session
+    # config.saml_route_helper_prefix = 'saml'
+
+    # You can add allowance for clock drift between the sp and idp.
+    # This is a time in seconds.
+    # config.allowed_clock_drift_in_seconds = 0
+
+    # Configure with your SAML settings (see ruby-saml's README for more information: https://github.com/onelogin/ruby-saml).
     config.saml_configure do |settings|
+      # assertion_consumer_service_url is required starting with ruby-saml 1.4.3: https://github.com/onelogin/ruby-saml#updating-from-142-to-143
       settings.assertion_consumer_service_url     = "http://localhost:3000/users/saml/auth"
       settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       settings.name_identifier_format             = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
@@ -77,29 +121,32 @@ In config/initializers/devise.rb
       settings.authn_context                      = ""
       settings.idp_slo_target_url                 = "http://localhost/simplesaml/www/saml2/idp/SingleLogoutService.php"
       settings.idp_sso_target_url                 = "http://localhost/simplesaml/www/saml2/idp/SSOService.php"
-      settings.idp_cert                           = <<-CERT.chomp
------BEGIN CERTIFICATE-----
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111_______IDP_CERTIFICATE________111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-111111111111111111
------END CERTIFICATE-----
-      CERT
+      settings.idp_cert_fingerprint               = "00:A1:2B:3C:44:55:6F:A7:88:CC:DD:EE:22:33:44:55:D6:77:8F:99"
+      settings.idp_cert_fingerprint_algorithm     = "http://www.w3.org/2000/09/xmldsig#sha1"
     end
   end
 ```
 
-In config directory create a YAML file (`attribute-map.yml`) that maps SAML attributes with your model's fields:
+#### Attributes
+
+There are two ways to map SAML attributes to User attributes:
+
+- [initializer](#attribute-map-initializer)
+- [config file](#attribute-map-config-file)
+
+The attribute mappings are very dependent on the way the IdP encodes the attributes.
+In these examples the attributes are given in URN style.
+Other IdPs might provide them as OID's, or by other means.
+
+You are now ready to test it against an IdP.
+
+When the user visits `/users/saml/sign_in` they will be redirected to the login page of the IdP.
+
+Upon successful login the user is redirected to the Devise `user_root_path`.
+
+##### Attribute map config file
+
+Create a YAML file (`config/attribute-map.yml`) that maps SAML attributes with your model's fields:
 
 ```yaml
   # attribute-map.yml
@@ -110,17 +157,43 @@ In config directory create a YAML file (`attribute-map.yml`) that maps SAML attr
   "urn:mace:dir:attribute-def:givenName": "name"
 ```
 
-The attribute mappings are very dependent on the way the IdP encodes the attributes.
-In this example the attributes are given in URN style.
-Other IdPs might provide them as OID's or other means.
+##### Attribute map initializer
 
-You are now ready to test it against an IdP.
-When the user goes to `/users/saml/sign_in` he will be redirected to the login page of the IdP.
-Upon successful login the user is redirected to devise `user_root_path`.
+In `config/initializers/devise.rb` (see above), add an attribute map resolver.
+The resolver gets the [SAML response from the IdP](https://github.com/onelogin/ruby-saml/blob/master/lib/onelogin/ruby-saml/response.rb) so it can decide which attribute map to load.
+If you only have one IdP, you can use the config file above, or just return a single hash.
+
+```ruby
+  # config/initializers/devise.rb
+  Devise.setup do |config|
+    ...
+    # ==> Configuration for :saml_authenticatable
+
+    config.saml_attribute_map_resolver = MyAttributeMapResolver
+  end
+```
+
+```ruby
+  # app/lib/my_attribute_map_resolver
+  class MyAttributeMapResolver < DeviseSamlAuthenticatable::DefaultAttributeMapResolver
+    def attribute_map
+      issuer = saml_response.issuers.first
+      case issuer
+      when "idp_entity_id"
+        {
+          "urn:mace:dir:attribute-def:uid" => "user_name",
+          "urn:mace:dir:attribute-def:email" => "email",
+          "urn:mace:dir:attribute-def:name" => "last_name",
+          "urn:mace:dir:attribute-def:givenName" => "name",
+        }
+      end
+    end
+  end
+```
 
 ## Supporting Multiple IdPs
 
-If you must support multiple Identity Providers you can implement an adapter class with a `#settings` method that takes an IdP entity id and returns a hash of settings for the corresponding IdP. The `config.idp_settings_adapter` then must be set to point to your adapter in config/initializers/devise.rb. The implementation of the adapter is up to you. A simple example may look like this:
+If you must support multiple Identity Providers you can implement an adapter class with a `#settings` method that takes an IdP entity id and returns a hash of settings for the corresponding IdP. The `config.idp_settings_adapter` then must be set to point to your adapter in `config/initializers/devise.rb`. The implementation of the adapter is up to you. A simple example may look like this:
 
 ```ruby
 class IdPSettingsAdapter
@@ -156,23 +229,29 @@ class IdPSettingsAdapter
   end
 end
 ```
+Settings specified in the adapter will override settings in `config/initializers/devise.rb`. This is useful for establishing common settings or defaults across all IdPs.
 
 Detecting the entity ID passed to the `settings` method is done by `config.idp_entity_id_reader`.
+
 By default this will find the `Issuer` in the SAML request.
+
 You can support more use cases by writing your own and implementing the `.entity_id` method.
+
 If you use encrypted assertions, your entity ID reader will need to understand how to decrypt the response from each of the possible IdPs.
 
 ## Identity Provider
 
-If you don't have an identity provider an you would like to test the authentication against your app there are some options:
+If you don't have an identity provider and you would like to test the authentication against your app, there are some options:
 
-1. Use [ruby-saml-idp](https://github.com/lawrencepit/ruby-saml-idp). You can add your own logic to your IdP, or you can also set it as a dummy IdP that always sends a valid authentication response to your app.
-2. Use an online service that can act as an IdP. Onelogin, Salesforce, Okta and some others provide you with this functionality
+1. Use [ruby-saml-idp](https://github.com/lawrencepit/ruby-saml-idp). You can add your own logic to your IdP, or you can also set it up as a dummy IdP that always sends a valid authentication response to your app.
+2. Use an online service that can act as an IdP. OneLogin, Salesforce, Okta and some others provide you with this functionality.
 3. Install your own IdP.
 
-There are numerous IdPs that support SAML 2.0, there are propietary (like Microsoft ADFS 2.0 or Ping federate) and there are also open source solutions like Shibboleth and simplesamlphp.
+There are numerous IdPs that support SAML 2.0, there are propietary (like Microsoft ADFS 2.0 or Ping federate) and there are also open source solutions like Shibboleth and [SimpleSAMLphp].
+
+[SimpleSAMLphp] was my choice for development since it is a production-ready SAML solution, that is also really easy to install, configure and use.
 
-[SimpleSAMLphp](http://simplesamlphp.org/) was my choice for development since it is a production-ready SAML solution, that is also really easy to install, configure and use.
+[SimpleSAMLphp]: http://simplesamlphp.org/
 
 ## Logout
 
@@ -180,18 +259,22 @@ Logout support is included by immediately terminating the local session and then
 
 ## Logout Request
 
-Logout requests from the IDP are supported by the `idp_sign_out` end point.  Directing logout requests to `users/saml/idp_sign_out` will logout the respective user by invalidating their current sessions.
+Logout requests from the IDP are supported by the `idp_sign_out` endpoint.  Directing logout requests to `users/saml/idp_sign_out` will log out the respective user by invalidating their current sessions.
+
 `saml_session_index_key` must be configured to support this feature.
 
-## Signing and Encrypting Authentication Requests
+## Signing and Encrypting Authentication Requests and Assertions
+
+ruby-saml 1.0.0 supports signature and decrypt. The only requirement is to set the public certificate and the private key. For more information, see [the ruby-saml documentation](https://github.com/onelogin/ruby-saml#signing).
 
-ruby-saml 1.0.0 supports signature and decrypt. Teh only requirement is to place the public certificate and the private key. Please reffer to these features in the ruby-saml documentation [here](https://github.com/onelogin/ruby-saml#signing)
+If you have multiple IdPs, the certificate and private key must be in the shared settings in `config/initializers/devise.rb`.
 
 ## Thanks
 
 The continued maintenance of this gem could not have been possible without the hard work of [Adam Stegman](https://github.com/adamstegman) and [Mitch Lindsay](https://github.com/mitch-lindsay). Thank you guys for keeping this project alive.
 
 Thanks to all other contributors that have also helped us make this software better.
+
 ## Contributing
 
 1. Fork it

data/app/controllers/devise/saml_sessions_controller.rb

@@ -3,7 +3,13 @@ require "ruby-saml"
 class Devise::SamlSessionsController < Devise::SessionsController
   include DeviseSamlAuthenticatable::SamlConfig
   unloadable if Rails::VERSION::MAJOR < 4
-  skip_before_filter :verify_authenticity_token, raise: false
+  if Rails::VERSION::MAJOR < 5
+    skip_before_filter :verify_authenticity_token
+    prepend_before_filter :store_info_for_sp_initiated_logout, only: :destroy
+  else
+    skip_before_action :verify_authenticity_token, raise: false
+    prepend_before_action :store_info_for_sp_initiated_logout, only: :destroy
+  end
 
   def new
     idp_entity_id = get_idp_entity_id(params)
@@ -26,16 +32,16 @@ class Devise::SamlSessionsController < Devise::SessionsController
 
       redirect_to generate_idp_logout_response(saml_config, logout_request.id)
     elsif params[:SAMLResponse]
-      #Currently Devise handles the session invalidation when the request is made.
-      #To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
-      #based on that.
+      # Currently Devise handles the session invalidation when the request is made.
+      # To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
+      # based on that.
       if Devise.saml_sign_out_success_url
         redirect_to Devise.saml_sign_out_success_url
       else
         redirect_to action: :new
       end
     else
-      head :invalid_request
+      head 500
     end
   end
 
@@ -47,13 +53,38 @@ class Devise::SamlSessionsController < Devise::SessionsController
     end
   end
 
+  # For non transient name ID, save info to identify user for logout purpose
+  # before that user's session got destroyed. These info are used in the
+  # `after_sign_out_path_for` method below.
+  def store_info_for_sp_initiated_logout
+    return if Devise.saml_config.name_identifier_format == "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+    @name_identifier_value_for_sp_initiated_logout = Devise.saml_name_identifier_retriever.call(current_user)
+    @sessionindex_for_sp_initiated_logout = current_user.public_send(Devise.saml_session_index_key) if Devise.saml_session_index_key
+  end
+
   # Override devise to send user to IdP logout for SLO
   def after_sign_out_path_for(_)
+    idp_entity_id = get_idp_entity_id(params)
     request = OneLogin::RubySaml::Logoutrequest.new
-    request.create(saml_config)
+    saml_settings = saml_config(idp_entity_id).dup
+
+    # Add attributes to saml_settings which will later be used to create the SP
+    # initiated logout request
+    unless Devise.saml_config.name_identifier_format == 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+      saml_settings.name_identifier_value = @name_identifier_value_for_sp_initiated_logout
+      saml_settings.sessionindex = @sessionindex_for_sp_initiated_logout
+    end
+
+    request.create(saml_settings)
   end
 
   def generate_idp_logout_response(saml_config, logout_request_id)
-    OneLogin::RubySaml::SloLogoutresponse.new.create(saml_config, logout_request_id, nil)
+
+    params = {}
+    if relay_state
+      params[:RelayState] = relay_state
+    end
+
+    OneLogin::RubySaml::SloLogoutresponse.new.create(saml_config, logout_request_id, nil, params)
   end
 end