devise_saml_authenticatable 1.3.2 → 1.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 269c0505d92b49c3b9a79d1b8aece87533018b10
-  data.tar.gz: 259f7e012808aabe3ab06e854a01deab8959843a
+SHA256:
+  metadata.gz: d3ca38cfe51cdf71fc8a264de868fc285bfa413307aa4798e097fbf88e85020d
+  data.tar.gz: 2371ef1371e29547b4eb9681066fa43f0b6d39236b7df8676236bf13678e2d01
 SHA512:
-  metadata.gz: 83a89cbe087accbcf239e047027188a35793c9cdcb3198fd207edeb95652bb6e8957ef8e0aeaa9b919f01cbb91677bf4c5ade49fae0a85b86cf95edc4b09592b
-  data.tar.gz: 230f5490186a0853cd63f401b390afa29129b8f103de04cbb64a734274edd88de9467030784122cccdc743fbd5eb7babf75ad3635be5b51d2a5af467d4e17b1f
+  metadata.gz: 872bfb214a00504735d9183d169e4119ebb9c6ae3129de729be642f39c4675b57040bb1c9d46899e73d534aa82d7ac9291c425109c10eaeb290831480e7976ab
+  data.tar.gz: 3269ef293937aef443afa9a325acc0addf027c3ad7421865a9ebe1554d7215461767ffe9e34cd4cc2bf8edbae831e7e342dd3c47245d57209d8ddd820a128212

data/.gitignore

@@ -13,6 +13,4 @@ lib/bundler/man
 pkg
 rdoc
 spec/reports
-spec/support/idp/
-spec/support/sp/
 tmp

data/.travis.yml

@@ -1,45 +1,52 @@
 language: ruby
 rvm:
-  - "1.9.3"
   - "2.0.0"
   - "2.1.10"
-  - "2.2.7"
-  - "2.3.4"
-  - "2.4.1"
+  - "2.2.10"
+  - "2.3.8"
+  - "2.4.10"
+  - "2.5.8"
+  - "2.6.6"
+  - "2.7.1"
 gemfile:
   - Gemfile
+  - spec/support/Gemfile.rails5.2
+  - spec/support/Gemfile.rails5.1
   - spec/support/Gemfile.rails5
   - spec/support/Gemfile.rails4
-  - spec/support/Gemfile.ruby-saml-1.3
 matrix:
   allow_failures:
-    - rvm: "1.9.3"
-      gemfile: Gemfile
-    - rvm: "1.9.3"
-      gemfile: spec/support/Gemfile.rails5
-    - rvm: "1.9.3"
-      gemfile: spec/support/Gemfile.ruby-saml-1.3
     - rvm: "2.0.0"
       gemfile: Gemfile
     - rvm: "2.0.0"
       gemfile: spec/support/Gemfile.rails5
     - rvm: "2.0.0"
-      gemfile: spec/support/Gemfile.ruby-saml-1.3
+      gemfile: spec/support/Gemfile.rails5.1
+    - rvm: "2.0.0"
+      gemfile: spec/support/Gemfile.rails5.2
     - rvm: "2.1.10"
       gemfile: Gemfile
     - rvm: "2.1.10"
       gemfile: spec/support/Gemfile.rails5
     - rvm: "2.1.10"
-      gemfile: spec/support/Gemfile.ruby-saml-1.3
+      gemfile: spec/support/Gemfile.rails5.1
+    - rvm: "2.1.10"
+      gemfile: spec/support/Gemfile.rails5.2
+    - rvm: "2.2.10"
+      gemfile: Gemfile
+    - rvm: "2.2.10"
+      gemfile: spec/support/Gemfile.rails5.2
+    - rvm: "2.3.8"
+      gemfile: Gemfile
+    - rvm: "2.4.10"
+      gemfile: Gemfile
+    - rvm: "2.6.6"
+      gemfile: spec/support/Gemfile.rails4
+    - rvm: "2.7.1"
+      gemfile: spec/support/Gemfile.rails4
+
+before_install:
+  - command -v bundle || gem install bundler -v '~> 1.17.3'
 
 script:
   - bundle exec rake
-
-notifications:
-  hipchat:
-    rooms:
-      secure: cuDak5a6fBeg+sp61COqxQfzdcFEsjwCqtwvCISso0RNh5SR8v+uVYKcA8rlK+GE1l9uR7tLRHeHF3ZmzvFSOat07NvpScvjZXi+OSpWlc6rwQ6Pl6bBP6gu6sREiKVe0eT/uGrvJloyWKZaXIhiiBzQ+ZERx/ssGA9WMmNkhlwy1OgGnPNurNNHZLBjEZn1V6kdyxiXx6QPASNpjNEgN1G8dUh3qzcWUGVQGNZSJk65A6ie1MveNyecTjDhw+ADBU8nS28Ja4y6ohRm4FzofSgespYrvfygIZ5rYF0HPMj5FW1ZDWtM5355ojCk8RLT+ZkuhssCn1OJk7ogaOVjnYcOFRxEfpu3eIbjtMmUz3j4umatFqbgas+6SXMVIPkr5HUoTrP8HNFssIpcEBOnPwAF8QCpx+daHc0r2cc8lGuXhtJfpW0P2F0dmwJNiQ7//nz2y2xs84x4Gb7MV9tEDYp0FqEClMuFBkPNizBljarm04PkiLSrqvR52aMDfQz7YAX2oXAvFjPzI1GC0K8x7xX8TuHT9yuHy7fI+rUSNivZYLKO+IEZqPPDdJpXISUbVwanZoNvmQYk5PZV21MfDSGwQrz8eO/uFiAblj18yIlNbAfb2hdZDVYsm4EvWxELJtfaTxgrj6M3Y3m/KbCbCoDp+2jE307M2rxL0Gum2gk=
-    template:
-      - '%{repository}<a href="%{build_url}">#%{build_number}</a> (%{branch} - <a href="%{compare_url}">%{commit}</a> : %{author}): %{message}'
-    format: html
-    on_pull_requests: true

data/Gemfile

@@ -6,9 +6,9 @@ gemspec
 group :test do
   gem 'rake'
   gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 5.1'
+  gem 'rails', '~> 6.0'
   gem 'rspec-rails'
-  gem 'sqlite3'
+  gem 'sqlite3', '~> 1.4.0'
   gem 'capybara'
   gem 'poltergeist'
 end

data/README.md

@@ -6,19 +6,20 @@ It uses [ruby-saml][] to handle all SAML-related stuff.
 
 ## Installation
 
-Add this line to your application's Gemfile:
+Add this gem to your application's Gemfile:
 
-    gem 'devise_saml_authenticatable'
+    git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+    gem "devise_saml_authenticatable", github: "apokalipto/devise_saml_authenticatable"
 
 And then execute:
 
     $ bundle
 
-Or install it yourself as:
+## Usage
 
-    $ gem install devise_saml_authenticatable
+Follow the [normal devise installation process](https://github.com/plataformatec/devise/tree/master#getting-started). The controller filters and helpers are unchanged from normal devise usage.
 
-## Usage
+### Configuring Models
 
 In `app/models/<YOUR_MODEL>.rb` set the `:saml_authenticatable` strategy.
 
@@ -32,6 +33,37 @@ In the example the model is `user.rb`:
   end
 ```
 
+### Configuring routes
+
+In `config/routes.rb` add `devise_for` to set up helper methods and routes:
+
+```ruby
+devise_for :users
+```
+
+The named routes can be customized in the initializer config file.
+
+### Configuring the IdP
+
+An extra step in SAML SSO setup is adding your application to your identity provider. The required setup is specific to each IdP, but we have some examples in [our wiki](https://github.com/apokalipto/devise_saml_authenticatable/wiki). You'll need to tell your IdP how to send requests and responses to your application.
+
+- Creating a new session: `/users/saml/auth`
+    - IdPs may call this the "consumer," "recipient," "destination," or even "single sign-on." This is where they send a SAML response for an authenticated user.
+- Metadata: `/users/saml/metadata`
+    - IdPs may call this the "audience."
+- Single Logout: `/users/saml/idp_sign_out`
+    - if desired, you can ask the IdP to send a Logout request to this endpoint to sign the user out of your application when they sign out of the IdP itself.
+
+Your IdP should give you some information you need to configure in [ruby-saml](https://github.com/onelogin/ruby-saml), as in the next section:
+
+- Issuer (`idp_entity_id`)
+- SSO endpoint (`idp_sso_target_url`)
+- SLO endpoint (`idp_slo_target_url`)
+- Certificate fingerprint (`idp_cert_fingerprint`) and algorithm (`idp_cert_fingerprint_algorithm`)
+    - Or the certificate itself (`idp_cert`)
+
+### Configuring handling of IdP requests and responses
+
 In `config/initializers/devise.rb`:
 
 ```ruby
@@ -69,8 +101,19 @@ In `config/initializers/devise.rb`:
     # and implements a #handle method. This method can then redirect the user, return error messages, etc.
     # config.saml_failed_callback = nil
 
-    # Configure with your SAML settings (see [ruby-saml][] for more information).
+    # You can customize the named routes generated in case of named route collisions with
+    # other Devise modules or libraries. Set the saml_route_helper_prefix to a string that will
+    # be appended to the named route.
+    # If saml_route_helper_prefix = 'saml' then the new_user_session route becomes new_saml_user_session
+    # config.saml_route_helper_prefix = 'saml'
+
+    # You can add allowance for clock drift between the sp and idp.
+    # This is a time in seconds.
+    # config.allowed_clock_drift_in_seconds = 0
+
+    # Configure with your SAML settings (see ruby-saml's README for more information: https://github.com/onelogin/ruby-saml).
     config.saml_configure do |settings|
+      # assertion_consumer_service_url is required starting with ruby-saml 1.4.3: https://github.com/onelogin/ruby-saml#updating-from-142-to-143
       settings.assertion_consumer_service_url     = "http://localhost:3000/users/saml/auth"
       settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       settings.name_identifier_format             = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
@@ -78,29 +121,32 @@ In `config/initializers/devise.rb`:
       settings.authn_context                      = ""
       settings.idp_slo_target_url                 = "http://localhost/simplesaml/www/saml2/idp/SingleLogoutService.php"
       settings.idp_sso_target_url                 = "http://localhost/simplesaml/www/saml2/idp/SSOService.php"
-      settings.idp_cert                           = <<-CERT.chomp
------BEGIN CERTIFICATE-----
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111_______IDP_CERTIFICATE________111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-111111111111111111
------END CERTIFICATE-----
-      CERT
+      settings.idp_cert_fingerprint               = "00:A1:2B:3C:44:55:6F:A7:88:CC:DD:EE:22:33:44:55:D6:77:8F:99"
+      settings.idp_cert_fingerprint_algorithm     = "http://www.w3.org/2000/09/xmldsig#sha1"
     end
   end
 ```
 
-In the config directory, create a YAML file (`attribute-map.yml`) that maps SAML attributes with your model's fields:
+#### Attributes
+
+There are two ways to map SAML attributes to User attributes:
+
+- [initializer](#attribute-map-initializer)
+- [config file](#attribute-map-config-file)
+
+The attribute mappings are very dependent on the way the IdP encodes the attributes.
+In these examples the attributes are given in URN style.
+Other IdPs might provide them as OID's, or by other means.
+
+You are now ready to test it against an IdP.
+
+When the user visits `/users/saml/sign_in` they will be redirected to the login page of the IdP.
+
+Upon successful login the user is redirected to the Devise `user_root_path`.
+
+##### Attribute map config file
+
+Create a YAML file (`config/attribute-map.yml`) that maps SAML attributes with your model's fields:
 
 ```yaml
   # attribute-map.yml
@@ -111,15 +157,39 @@ In the config directory, create a YAML file (`attribute-map.yml`) that maps SAML
   "urn:mace:dir:attribute-def:givenName": "name"
 ```
 
-The attribute mappings are very dependent on the way the IdP encodes the attributes.
-In this example the attributes are given in URN style.
-Other IdPs might provide them as OID's, or by other means.
+##### Attribute map initializer
 
-You are now ready to test it against an IdP.
+In `config/initializers/devise.rb` (see above), add an attribute map resolver.
+The resolver gets the [SAML response from the IdP](https://github.com/onelogin/ruby-saml/blob/master/lib/onelogin/ruby-saml/response.rb) so it can decide which attribute map to load.
+If you only have one IdP, you can use the config file above, or just return a single hash.
 
-When the user visits `/users/saml/sign_in` they will be redirected to the login page of the IdP.
+```ruby
+  # config/initializers/devise.rb
+  Devise.setup do |config|
+    ...
+    # ==> Configuration for :saml_authenticatable
 
-Upon successful login the user is redirected to the Devise `user_root_path`.
+    config.saml_attribute_map_resolver = MyAttributeMapResolver
+  end
+```
+
+```ruby
+  # app/lib/my_attribute_map_resolver
+  class MyAttributeMapResolver < DeviseSamlAuthenticatable::DefaultAttributeMapResolver
+    def attribute_map
+      issuer = saml_response.issuers.first
+      case issuer
+      when "idp_entity_id"
+        {
+          "urn:mace:dir:attribute-def:uid" => "user_name",
+          "urn:mace:dir:attribute-def:email" => "email",
+          "urn:mace:dir:attribute-def:name" => "last_name",
+          "urn:mace:dir:attribute-def:givenName" => "name",
+        }
+      end
+    end
+  end
+```
 
 ## Supporting Multiple IdPs
 
@@ -159,6 +229,7 @@ class IdPSettingsAdapter
   end
 end
 ```
+Settings specified in the adapter will override settings in `config/initializers/devise.rb`. This is useful for establishing common settings or defaults across all IdPs.
 
 Detecting the entity ID passed to the `settings` method is done by `config.idp_entity_id_reader`.
 
@@ -192,10 +263,12 @@ Logout requests from the IDP are supported by the `idp_sign_out` endpoint.  Dire
 
 `saml_session_index_key` must be configured to support this feature.
 
-## Signing and Encrypting Authentication Requests
+## Signing and Encrypting Authentication Requests and Assertions
 
 ruby-saml 1.0.0 supports signature and decrypt. The only requirement is to set the public certificate and the private key. For more information, see [the ruby-saml documentation](https://github.com/onelogin/ruby-saml#signing).
 
+If you have multiple IdPs, the certificate and private key must be in the shared settings in `config/initializers/devise.rb`.
+
 ## Thanks
 
 The continued maintenance of this gem could not have been possible without the hard work of [Adam Stegman](https://github.com/adamstegman) and [Mitch Lindsay](https://github.com/mitch-lindsay). Thank you guys for keeping this project alive.

data/app/controllers/devise/saml_sessions_controller.rb

@@ -5,8 +5,10 @@ class Devise::SamlSessionsController < Devise::SessionsController
   unloadable if Rails::VERSION::MAJOR < 4
   if Rails::VERSION::MAJOR < 5
     skip_before_filter :verify_authenticity_token
+    prepend_before_filter :store_info_for_sp_initiated_logout, only: :destroy
   else
     skip_before_action :verify_authenticity_token, raise: false
+    prepend_before_action :store_info_for_sp_initiated_logout, only: :destroy
   end
 
   def new
@@ -18,8 +20,9 @@ class Devise::SamlSessionsController < Devise::SessionsController
   end
 
   def metadata
+    idp_entity_id = params[:idp_entity_id]
     meta = OneLogin::RubySaml::Metadata.new
-    render :xml => meta.generate(saml_config)
+    render :xml => meta.generate(saml_config(idp_entity_id))
   end
 
   def idp_sign_out
@@ -30,16 +33,16 @@ class Devise::SamlSessionsController < Devise::SessionsController
 
       redirect_to generate_idp_logout_response(saml_config, logout_request.id)
     elsif params[:SAMLResponse]
-      #Currently Devise handles the session invalidation when the request is made.
-      #To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
-      #based on that.
+      # Currently Devise handles the session invalidation when the request is made.
+      # To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
+      # based on that.
       if Devise.saml_sign_out_success_url
         redirect_to Devise.saml_sign_out_success_url
       else
         redirect_to action: :new
       end
     else
-      head :invalid_request
+      head 500
     end
   end
 
@@ -51,13 +54,38 @@ class Devise::SamlSessionsController < Devise::SessionsController
     end
   end
 
+  # For non transient name ID, save info to identify user for logout purpose
+  # before that user's session got destroyed. These info are used in the
+  # `after_sign_out_path_for` method below.
+  def store_info_for_sp_initiated_logout
+    return if Devise.saml_config.name_identifier_format == "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+    @name_identifier_value_for_sp_initiated_logout = Devise.saml_name_identifier_retriever.call(current_user)
+    @sessionindex_for_sp_initiated_logout = current_user.public_send(Devise.saml_session_index_key) if Devise.saml_session_index_key
+  end
+
   # Override devise to send user to IdP logout for SLO
   def after_sign_out_path_for(_)
+    idp_entity_id = get_idp_entity_id(params)
     request = OneLogin::RubySaml::Logoutrequest.new
-    request.create(saml_config)
+    saml_settings = saml_config(idp_entity_id).dup
+
+    # Add attributes to saml_settings which will later be used to create the SP
+    # initiated logout request
+    unless Devise.saml_config.name_identifier_format == 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+      saml_settings.name_identifier_value = @name_identifier_value_for_sp_initiated_logout
+      saml_settings.sessionindex = @sessionindex_for_sp_initiated_logout
+    end
+
+    request.create(saml_settings)
   end
 
   def generate_idp_logout_response(saml_config, logout_request_id)
-    OneLogin::RubySaml::SloLogoutresponse.new.create(saml_config, logout_request_id, nil)
+
+    params = {}
+    if relay_state
+      params[:RelayState] = relay_state
+    end
+
+    OneLogin::RubySaml::SloLogoutresponse.new.create(saml_config, logout_request_id, nil, params)
   end
 end

data/devise_saml_authenticatable.gemspec

@@ -7,6 +7,7 @@ Gem::Specification.new do |gem|
   gem.description   = %q{SAML Authentication for devise}
   gem.summary       = %q{SAML Authentication for devise }
   gem.homepage      = ""
+  gem.license     = "MIT"
 
   gem.files         = `git ls-files`.split($\)
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
@@ -17,5 +18,5 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
 
   gem.add_dependency("devise","> 2.0.0")
-  gem.add_dependency("ruby-saml","~> 1.3")
+  gem.add_dependency("ruby-saml","~> 1.7")
 end

data/lib/devise_saml_authenticatable.rb

@@ -5,6 +5,7 @@ require "devise_saml_authenticatable/exception"
 require "devise_saml_authenticatable/logger"
 require "devise_saml_authenticatable/routes"
 require "devise_saml_authenticatable/saml_config"
+require "devise_saml_authenticatable/default_attribute_map_resolver"
 require "devise_saml_authenticatable/default_idp_entity_id_reader"
 
 begin
@@ -19,6 +20,10 @@ end
 
 # Get saml information from config/saml.yml now
 module Devise
+  # Allow route customization to avoid collision
+  mattr_accessor :saml_route_helper_prefix
+  @@saml_route_helper_prefix
+
   # Allow logging
   mattr_accessor :saml_logger
   @@saml_logger = true
@@ -62,11 +67,23 @@ module Devise
   mattr_accessor :saml_relay_state
   @@saml_relay_state
 
+  # Instead of storing the attribute_map in attribute-map.yml, store it in the database, or set it programatically
+  mattr_accessor :saml_attribute_map_resolver
+  @@saml_attribute_map_resolver ||= ::DeviseSamlAuthenticatable::DefaultAttributeMapResolver
+
   # Implements a #validate method that takes the retrieved resource and response right after retrieval,
   # and returns true if it's valid.  False will cause authentication to fail.
+  # Only one of saml_resource_validator and saml_resource_validator_hook may be used.
   mattr_accessor :saml_resource_validator
   @@saml_resource_validator
 
+  # Proc that determines whether a technically correct SAML response is valid per some custom logic.
+  # Receives the user object (or nil, if no match was found), decorated saml_response and
+  # auth_value, inspects the combination for acceptability of login (or create+login, if enabled),
+  # and returns true if it's valid.  False will cause authentication to fail.
+  mattr_accessor :saml_resource_validator_hook
+  @@saml_resource_validator_hook
+
   # Custom value for ruby-saml allowed_clock_drift
   mattr_accessor :allowed_clock_drift_in_seconds
   @@allowed_clock_drift_in_seconds
@@ -94,7 +111,7 @@ module Devise
   end
 
   # Proc that is called if Devise.saml_update_user and/or Devise.saml_create_user are true.
-  # Recieves the user object, saml_response and auth_value, and defines how the object's values are
+  # Receives the user object, saml_response and auth_value, and defines how the object's values are
   # updated with regards to the SAML response. See saml_default_update_resource_hook for an example.
   mattr_accessor :saml_update_resource_hook
   @@saml_update_resource_hook = @@saml_default_update_resource_hook
@@ -107,11 +124,19 @@ module Devise
   end
 
   # Proc that is called to resolve the saml_response and auth_value into the correct user object.
-  # Recieves a copy of the ActiveRecord::Model, saml_response and auth_value. Is expected to return
+  # Receives a copy of the ActiveRecord::Model, saml_response and auth_value. Is expected to return
   # one instance of the provided model that is the matched account, or nil if none exists.
   # See saml_default_resource_locator above for an example.
   mattr_accessor :saml_resource_locator
   @@saml_resource_locator = @@saml_default_resource_locator
+
+  # Proc that is called to resolve the name identifier to use in a LogoutRequest for the current user.
+  # Receives the logged-in user.
+  # Is expected to return the identifier the IdP understands for this user, e.g. email address or username.
+  mattr_accessor :saml_name_identifier_retriever
+  @@saml_name_identifier_retriever = Proc.new do |current_user|
+    current_user.public_send(Devise.saml_default_user_key)
+  end
 end
 
 # Add saml_authenticatable strategy to defaults.