devise_saml_authenticatable 1.4.1 → 1.6.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 377131d065bd2670e5830eff8c0cdf75fa221d69
-  data.tar.gz: 9304fbf24d72a198ea36290fe45f25a63be62790
+SHA256:
+  metadata.gz: f648472eaaf23e5e668e51f84fadff2354879045f0ec798a383dd8a2e2ee135a
+  data.tar.gz: 443a5e883595f8baa2297e2ca173e8f97ae0abf3502538ce1d0f4e0e1c84081e
 SHA512:
-  metadata.gz: 0d4d5fb0973e73ee61052e9ba5f2a34cc5bf721659e32d0b760db46d355648cd1d825e7510278e73f7597aa4fb52c87187270441131bf409baf1308583ccfeb7
-  data.tar.gz: 0749346b7c5d0db06780fe811763eb62ffebb49f0f0d0c5d6de45c69fd04baafb3fd3c8957c95628c403044bfc26b2ee27460db28817c05d3ca5802d58b3842d
+  metadata.gz: 4765fe0a60d2a8ffd97d30d5b0d2fdb55d70a56bd9cb91f760ef7862a0d9ec80570da5d4758a784ac552232e1e5893fdd1accead2ff677893b0eb4a3500dcb9c
+  data.tar.gz: fcd0e6f70b75fdb9b12b3c1954899989e26f8ddb874c6222ab59ca460387a9672ab7767c13855bc4c3cbabd14fdcdb3ddabb2478412dbb452a17194c20ff4c32

data/.gitignore

@@ -13,6 +13,4 @@ lib/bundler/man
 pkg
 rdoc
 spec/reports
-spec/support/idp/
-spec/support/sp/
 tmp

data/.travis.yml

@@ -1,43 +1,52 @@
 language: ruby
 rvm:
-  - "1.9.3"
   - "2.0.0"
   - "2.1.10"
-  - "2.2.9"
-  - "2.3.6"
-  - "2.4.3"
-  - "2.5.0"
+  - "2.2.10"
+  - "2.3.8"
+  - "2.4.10"
+  - "2.5.8"
+  - "2.6.6"
+  - "2.7.1"
 gemfile:
   - Gemfile
+  - spec/support/Gemfile.rails5.2
+  - spec/support/Gemfile.rails5.1
   - spec/support/Gemfile.rails5
   - spec/support/Gemfile.rails4
 matrix:
   allow_failures:
-    - rvm: "1.9.3"
-      gemfile: Gemfile
-    - rvm: "1.9.3"
-      gemfile: spec/support/Gemfile.rails5
     - rvm: "2.0.0"
       gemfile: Gemfile
     - rvm: "2.0.0"
       gemfile: spec/support/Gemfile.rails5
+    - rvm: "2.0.0"
+      gemfile: spec/support/Gemfile.rails5.1
+    - rvm: "2.0.0"
+      gemfile: spec/support/Gemfile.rails5.2
     - rvm: "2.1.10"
       gemfile: Gemfile
     - rvm: "2.1.10"
       gemfile: spec/support/Gemfile.rails5
+    - rvm: "2.1.10"
+      gemfile: spec/support/Gemfile.rails5.1
+    - rvm: "2.1.10"
+      gemfile: spec/support/Gemfile.rails5.2
+    - rvm: "2.2.10"
+      gemfile: Gemfile
+    - rvm: "2.2.10"
+      gemfile: spec/support/Gemfile.rails5.2
+    - rvm: "2.3.8"
+      gemfile: Gemfile
+    - rvm: "2.4.10"
+      gemfile: Gemfile
+    - rvm: "2.6.6"
+      gemfile: spec/support/Gemfile.rails4
+    - rvm: "2.7.1"
+      gemfile: spec/support/Gemfile.rails4
 
 before_install:
-  # update bundler to avoid https://github.com/travis-ci/travis-ci/issues/5239
-  - gem install bundler
+  - command -v bundle || gem install bundler -v '~> 1.17.3'
 
 script:
   - bundle exec rake
-
-notifications:
-  hipchat:
-    rooms:
-      secure: cuDak5a6fBeg+sp61COqxQfzdcFEsjwCqtwvCISso0RNh5SR8v+uVYKcA8rlK+GE1l9uR7tLRHeHF3ZmzvFSOat07NvpScvjZXi+OSpWlc6rwQ6Pl6bBP6gu6sREiKVe0eT/uGrvJloyWKZaXIhiiBzQ+ZERx/ssGA9WMmNkhlwy1OgGnPNurNNHZLBjEZn1V6kdyxiXx6QPASNpjNEgN1G8dUh3qzcWUGVQGNZSJk65A6ie1MveNyecTjDhw+ADBU8nS28Ja4y6ohRm4FzofSgespYrvfygIZ5rYF0HPMj5FW1ZDWtM5355ojCk8RLT+ZkuhssCn1OJk7ogaOVjnYcOFRxEfpu3eIbjtMmUz3j4umatFqbgas+6SXMVIPkr5HUoTrP8HNFssIpcEBOnPwAF8QCpx+daHc0r2cc8lGuXhtJfpW0P2F0dmwJNiQ7//nz2y2xs84x4Gb7MV9tEDYp0FqEClMuFBkPNizBljarm04PkiLSrqvR52aMDfQz7YAX2oXAvFjPzI1GC0K8x7xX8TuHT9yuHy7fI+rUSNivZYLKO+IEZqPPDdJpXISUbVwanZoNvmQYk5PZV21MfDSGwQrz8eO/uFiAblj18yIlNbAfb2hdZDVYsm4EvWxELJtfaTxgrj6M3Y3m/KbCbCoDp+2jE307M2rxL0Gum2gk=
-    template:
-      - '%{repository}<a href="%{build_url}">#%{build_number}</a> (%{branch} - <a href="%{compare_url}">%{commit}</a> : %{author}): %{message}'
-    format: html
-    on_pull_requests: true

data/Gemfile

@@ -6,9 +6,9 @@ gemspec
 group :test do
   gem 'rake'
   gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 5.1'
+  gem 'rails', '~> 6.0'
   gem 'rspec-rails'
-  gem 'sqlite3'
+  gem 'sqlite3', '~> 1.4.0'
   gem 'capybara'
   gem 'poltergeist'
 end

data/README.md

@@ -6,19 +6,20 @@ It uses [ruby-saml][] to handle all SAML-related stuff.
 
 ## Installation
 
-Add this line to your application's Gemfile:
+Add this gem to your application's Gemfile:
 
-    gem 'devise_saml_authenticatable'
+    git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+    gem "devise_saml_authenticatable", github: "apokalipto/devise_saml_authenticatable"
 
 And then execute:
 
     $ bundle
 
-Or install it yourself as:
+## Usage
 
-    $ gem install devise_saml_authenticatable
+Follow the [normal devise installation process](https://github.com/plataformatec/devise/tree/master#getting-started). The controller filters and helpers are unchanged from normal devise usage.
 
-## Usage
+### Configuring Models
 
 In `app/models/<YOUR_MODEL>.rb` set the `:saml_authenticatable` strategy.
 
@@ -32,6 +33,37 @@ In the example the model is `user.rb`:
   end
 ```
 
+### Configuring routes
+
+In `config/routes.rb` add `devise_for` to set up helper methods and routes:
+
+```ruby
+devise_for :users
+```
+
+The named routes can be customized in the initializer config file.
+
+### Configuring the IdP
+
+An extra step in SAML SSO setup is adding your application to your identity provider. The required setup is specific to each IdP, but we have some examples in [our wiki](https://github.com/apokalipto/devise_saml_authenticatable/wiki). You'll need to tell your IdP how to send requests and responses to your application.
+
+- Creating a new session: `/users/saml/auth`
+    - IdPs may call this the "consumer," "recipient," "destination," or even "single sign-on." This is where they send a SAML response for an authenticated user.
+- Metadata: `/users/saml/metadata`
+    - IdPs may call this the "audience."
+- Single Logout: `/users/saml/idp_sign_out`
+    - if desired, you can ask the IdP to send a Logout request to this endpoint to sign the user out of your application when they sign out of the IdP itself.
+
+Your IdP should give you some information you need to configure in [ruby-saml](https://github.com/onelogin/ruby-saml), as in the next section:
+
+- Issuer (`idp_entity_id`)
+- SSO endpoint (`idp_sso_target_url`)
+- SLO endpoint (`idp_slo_target_url`)
+- Certificate fingerprint (`idp_cert_fingerprint`) and algorithm (`idp_cert_fingerprint_algorithm`)
+    - Or the certificate itself (`idp_cert`)
+
+### Configuring handling of IdP requests and responses
+
 In `config/initializers/devise.rb`:
 
 ```ruby
@@ -57,18 +89,28 @@ In `config/initializers/devise.rb`:
     # If you don't set it then email will be extracted from SAML assertation attributes.
     config.saml_use_subject = true
 
-    # You can support multiple IdPs by setting this value to a class that implements a #settings method which takes
-    # an IdP entity id as an argument and returns a hash of idp settings for the corresponding IdP.
-    config.idp_settings_adapter = nil
+    # You can support multiple IdPs by setting this value to the name of a class that implements a ::settings method
+    # which takes an IdP entity id as an argument and returns a hash of idp settings for the corresponding IdP.
+    # config.idp_settings_adapter = "MyIdPSettingsAdapter"
 
     # You provide you own method to find the idp_entity_id in a SAML message in the case of multiple IdPs
-    # by setting this to a custom reader class, or use the default.
-    # config.idp_entity_id_reader = DeviseSamlAuthenticatable::DefaultIdpEntityIdReader
+    # by setting this to the name of a custom reader class, or use the default.
+    # config.idp_entity_id_reader = "DeviseSamlAuthenticatable::DefaultIdpEntityIdReader"
 
     # You can set a handler object that takes the response for a failed SAML request and the strategy,
     # and implements a #handle method. This method can then redirect the user, return error messages, etc.
     # config.saml_failed_callback = nil
 
+    # You can customize the named routes generated in case of named route collisions with
+    # other Devise modules or libraries. Set the saml_route_helper_prefix to a string that will
+    # be appended to the named route.
+    # If saml_route_helper_prefix = 'saml' then the new_user_session route becomes new_saml_user_session
+    # config.saml_route_helper_prefix = 'saml'
+
+    # You can add allowance for clock drift between the sp and idp.
+    # This is a time in seconds.
+    # config.allowed_clock_drift_in_seconds = 0
+
     # Configure with your SAML settings (see ruby-saml's README for more information: https://github.com/onelogin/ruby-saml).
     config.saml_configure do |settings|
       # assertion_consumer_service_url is required starting with ruby-saml 1.4.3: https://github.com/onelogin/ruby-saml#updating-from-142-to-143
@@ -79,29 +121,32 @@ In `config/initializers/devise.rb`:
       settings.authn_context                      = ""
       settings.idp_slo_target_url                 = "http://localhost/simplesaml/www/saml2/idp/SingleLogoutService.php"
       settings.idp_sso_target_url                 = "http://localhost/simplesaml/www/saml2/idp/SSOService.php"
-      settings.idp_cert                           = <<-CERT.chomp
------BEGIN CERTIFICATE-----
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111_______IDP_CERTIFICATE________111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-1111111111111111111111111111111111111111111111111111111111111111
-111111111111111111
------END CERTIFICATE-----
-      CERT
+      settings.idp_cert_fingerprint               = "00:A1:2B:3C:44:55:6F:A7:88:CC:DD:EE:22:33:44:55:D6:77:8F:99"
+      settings.idp_cert_fingerprint_algorithm     = "http://www.w3.org/2000/09/xmldsig#sha1"
     end
   end
 ```
 
-In the config directory, create a YAML file (`attribute-map.yml`) that maps SAML attributes with your model's fields:
+#### Attributes
+
+There are two ways to map SAML attributes to User attributes:
+
+- [initializer](#attribute-map-initializer)
+- [config file](#attribute-map-config-file)
+
+The attribute mappings are very dependent on the way the IdP encodes the attributes.
+In these examples the attributes are given in URN style.
+Other IdPs might provide them as OID's, or by other means.
+
+You are now ready to test it against an IdP.
+
+When the user visits `/users/saml/sign_in` they will be redirected to the login page of the IdP.
+
+Upon successful login the user is redirected to the Devise `user_root_path`.
+
+##### Attribute map config file
+
+Create a YAML file (`config/attribute-map.yml`) that maps SAML attributes with your model's fields:
 
 ```yaml
   # attribute-map.yml
@@ -112,15 +157,39 @@ In the config directory, create a YAML file (`attribute-map.yml`) that maps SAML
   "urn:mace:dir:attribute-def:givenName": "name"
 ```
 
-The attribute mappings are very dependent on the way the IdP encodes the attributes.
-In this example the attributes are given in URN style.
-Other IdPs might provide them as OID's, or by other means.
+##### Attribute map initializer
 
-You are now ready to test it against an IdP.
+In `config/initializers/devise.rb` (see above), add an attribute map resolver.
+The resolver gets the [SAML response from the IdP](https://github.com/onelogin/ruby-saml/blob/master/lib/onelogin/ruby-saml/response.rb) so it can decide which attribute map to load.
+If you only have one IdP, you can use the config file above, or just return a single hash.
 
-When the user visits `/users/saml/sign_in` they will be redirected to the login page of the IdP.
+```ruby
+  # config/initializers/devise.rb
+  Devise.setup do |config|
+    ...
+    # ==> Configuration for :saml_authenticatable
 
-Upon successful login the user is redirected to the Devise `user_root_path`.
+    config.saml_attribute_map_resolver = "MyAttributeMapResolver"
+  end
+```
+
+```ruby
+  # app/lib/my_attribute_map_resolver
+  class MyAttributeMapResolver < DeviseSamlAuthenticatable::DefaultAttributeMapResolver
+    def attribute_map
+      issuer = saml_response.issuers.first
+      case issuer
+      when "idp_entity_id"
+        {
+          "urn:mace:dir:attribute-def:uid" => "user_name",
+          "urn:mace:dir:attribute-def:email" => "email",
+          "urn:mace:dir:attribute-def:name" => "last_name",
+          "urn:mace:dir:attribute-def:givenName" => "name",
+        }
+      end
+    end
+  end
+```
 
 ## Supporting Multiple IdPs
 

data/app/controllers/devise/saml_sessions_controller.rb

@@ -5,8 +5,10 @@ class Devise::SamlSessionsController < Devise::SessionsController
   unloadable if Rails::VERSION::MAJOR < 4
   if Rails::VERSION::MAJOR < 5
     skip_before_filter :verify_authenticity_token
+    prepend_before_filter :store_info_for_sp_initiated_logout, only: :destroy
   else
     skip_before_action :verify_authenticity_token, raise: false
+    prepend_before_action :store_info_for_sp_initiated_logout, only: :destroy
   end
 
   def new
@@ -18,8 +20,9 @@ class Devise::SamlSessionsController < Devise::SessionsController
   end
 
   def metadata
+    idp_entity_id = params[:idp_entity_id]
     meta = OneLogin::RubySaml::Metadata.new
-    render :xml => meta.generate(saml_config)
+    render :xml => meta.generate(saml_config(idp_entity_id))
   end
 
   def idp_sign_out
@@ -30,16 +33,16 @@ class Devise::SamlSessionsController < Devise::SessionsController
 
       redirect_to generate_idp_logout_response(saml_config, logout_request.id)
     elsif params[:SAMLResponse]
-      #Currently Devise handles the session invalidation when the request is made.
-      #To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
-      #based on that.
+      # Currently Devise handles the session invalidation when the request is made.
+      # To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
+      # based on that.
       if Devise.saml_sign_out_success_url
         redirect_to Devise.saml_sign_out_success_url
       else
         redirect_to action: :new
       end
     else
-      head :invalid_request
+      head 500
     end
   end
 
@@ -51,14 +54,38 @@ class Devise::SamlSessionsController < Devise::SessionsController
     end
   end
 
+  # For non transient name ID, save info to identify user for logout purpose
+  # before that user's session got destroyed. These info are used in the
+  # `after_sign_out_path_for` method below.
+  def store_info_for_sp_initiated_logout
+    return if Devise.saml_config.name_identifier_format == "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+    @name_identifier_value_for_sp_initiated_logout = Devise.saml_name_identifier_retriever.call(current_user)
+    @sessionindex_for_sp_initiated_logout = current_user.public_send(Devise.saml_session_index_key) if Devise.saml_session_index_key
+  end
+
   # Override devise to send user to IdP logout for SLO
   def after_sign_out_path_for(_)
     idp_entity_id = get_idp_entity_id(params)
     request = OneLogin::RubySaml::Logoutrequest.new
-    request.create(saml_config(idp_entity_id))
+    saml_settings = saml_config(idp_entity_id).dup
+
+    # Add attributes to saml_settings which will later be used to create the SP
+    # initiated logout request
+    unless Devise.saml_config.name_identifier_format == 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+      saml_settings.name_identifier_value = @name_identifier_value_for_sp_initiated_logout
+      saml_settings.sessionindex = @sessionindex_for_sp_initiated_logout
+    end
+
+    request.create(saml_settings)
   end
 
   def generate_idp_logout_response(saml_config, logout_request_id)
-    OneLogin::RubySaml::SloLogoutresponse.new.create(saml_config, logout_request_id, nil)
+
+    params = {}
+    if relay_state
+      params[:RelayState] = relay_state
+    end
+
+    OneLogin::RubySaml::SloLogoutresponse.new.create(saml_config, logout_request_id, nil, params)
   end
 end

data/lib/devise_saml_authenticatable.rb

@@ -5,6 +5,7 @@ require "devise_saml_authenticatable/exception"
 require "devise_saml_authenticatable/logger"
 require "devise_saml_authenticatable/routes"
 require "devise_saml_authenticatable/saml_config"
+require "devise_saml_authenticatable/default_attribute_map_resolver"
 require "devise_saml_authenticatable/default_idp_entity_id_reader"
 
 begin
@@ -19,6 +20,10 @@ end
 
 # Get saml information from config/saml.yml now
 module Devise
+  # Allow route customization to avoid collision
+  mattr_accessor :saml_route_helper_prefix
+  @@saml_route_helper_prefix
+
   # Allow logging
   mattr_accessor :saml_logger
   @@saml_logger = true
@@ -51,7 +56,7 @@ module Devise
 
   # Reader that can parse entity id from a SAMLMessage
   mattr_accessor :idp_entity_id_reader
-  @@idp_entity_id_reader ||= ::DeviseSamlAuthenticatable::DefaultIdpEntityIdReader
+  @@idp_entity_id_reader ||= "::DeviseSamlAuthenticatable::DefaultIdpEntityIdReader"
 
   # Implements a #handle method that takes the response and strategy as an argument
   mattr_accessor :saml_failed_callback
@@ -62,11 +67,23 @@ module Devise
   mattr_accessor :saml_relay_state
   @@saml_relay_state
 
+  # Instead of storing the attribute_map in attribute-map.yml, store it in the database, or set it programatically
+  mattr_accessor :saml_attribute_map_resolver
+  @@saml_attribute_map_resolver ||= "::DeviseSamlAuthenticatable::DefaultAttributeMapResolver"
+
   # Implements a #validate method that takes the retrieved resource and response right after retrieval,
   # and returns true if it's valid.  False will cause authentication to fail.
+  # Only one of saml_resource_validator and saml_resource_validator_hook may be used.
   mattr_accessor :saml_resource_validator
   @@saml_resource_validator
 
+  # Proc that determines whether a technically correct SAML response is valid per some custom logic.
+  # Receives the user object (or nil, if no match was found), decorated saml_response and
+  # auth_value, inspects the combination for acceptability of login (or create+login, if enabled),
+  # and returns true if it's valid.  False will cause authentication to fail.
+  mattr_accessor :saml_resource_validator_hook
+  @@saml_resource_validator_hook
+
   # Custom value for ruby-saml allowed_clock_drift
   mattr_accessor :allowed_clock_drift_in_seconds
   @@allowed_clock_drift_in_seconds
@@ -112,6 +129,14 @@ module Devise
   # See saml_default_resource_locator above for an example.
   mattr_accessor :saml_resource_locator
   @@saml_resource_locator = @@saml_default_resource_locator
+
+  # Proc that is called to resolve the name identifier to use in a LogoutRequest for the current user.
+  # Receives the logged-in user.
+  # Is expected to return the identifier the IdP understands for this user, e.g. email address or username.
+  mattr_accessor :saml_name_identifier_retriever
+  @@saml_name_identifier_retriever = Proc.new do |current_user|
+    current_user.public_send(Devise.saml_default_user_key)
+  end
 end
 
 # Add saml_authenticatable strategy to defaults.