devise_saml_authenticatable 1.6.0 → 1.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8f372d3d801220ab4ce4a7e83501f0e5d7a9cc2590eb64aa1c91a0a5ad053d7d
-  data.tar.gz: bcdfc0370f0926a542164ea577030e9ff17666adb9e0d5ae8367a605e4966866
+  metadata.gz: 23fdb33308c8d98c67e3fe7d5654bfcdc7afe40c2276822a3936785ed29e15ea
+  data.tar.gz: 11569096a198fb51b129d82eaab03a870c3c8983b7dfe88aa0bcc53f1f4fa2ce
 SHA512:
-  metadata.gz: d9bd026db0bb199aaa9b72d1c03fccef49a905dc7270739b48e682623036f945b74f16c99f1d457086df47ff03f8e71aee5c4a412d01cd9f9c80b4f84e79d58a
-  data.tar.gz: c2f32e5297c0e9a4aadce6069282d8c17e91d95550a777e2f5755745effc0fda5eaa958e4656d5776e2a507251d230fdaba3d944189874d0166d3f2cefbe153c
+  metadata.gz: 605f76c64fa08cb1ec9f26224af74ccec6c8d85b507899e6f61f1c65e8ada6b7672b6b9398d78fcfbd075d8c7754e824e0a8ed822001b124a6658e862b72203c
+  data.tar.gz: 0f8bb1f715288790cffb1b20214d6c0da71c546aaa09e626183b86d1274c5d6e3aae90dea8af6c4d572c6f2131360c948203a9a14706ed7414c685833eac173d

data/.github/workflows/ci.yml

@@ -0,0 +1,76 @@
+name: ci
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - "2.7"
+          - "2.6"
+          - "2.5"
+          - "2.4"
+          - "2.3"
+        gemfile:
+          - Gemfile
+          - spec/support/Gemfile.rails6
+          - spec/support/Gemfile.rails5.2
+          - spec/support/Gemfile.rails5.1
+          - spec/support/Gemfile.rails5
+        bundler:
+          - "2"
+        exclude:
+          - ruby: "2.3"
+            gemfile: Gemfile
+            bundler: "2"
+          - ruby: "2.3"
+            gemfile: spec/support/Gemfile.rails6
+            bundler: "2"
+          - ruby: "2.4"
+            gemfile: Gemfile
+            bundler: "2"
+          - ruby: "2.4"
+            gemfile: spec/support/Gemfile.rails6
+            bundler: "2"
+        include:
+          - ruby: "2.5"
+            gemfile: spec/support/Gemfile.rails4
+            bundler: "1"
+          - ruby: "2.4"
+            gemfile: spec/support/Gemfile.rails4
+            bundler: "1"
+          - ruby: "2.3"
+            gemfile: spec/support/Gemfile.rails4
+            bundler: "1"
+          - ruby: "2.2"
+            gemfile: spec/support/Gemfile.rails5.1
+            bundler: "1"
+          - ruby: "2.2"
+            gemfile: spec/support/Gemfile.rails5
+            bundler: "1"
+          - ruby: "2.2"
+            gemfile: spec/support/Gemfile.rails4
+            bundler: "1"
+          - ruby: "2.1"
+            gemfile: spec/support/Gemfile.rails4
+            bundler: "1"
+          - ruby: "2.0"
+            gemfile: spec/support/Gemfile.rails4
+            bundler: "1"
+    runs-on: ubuntu-latest
+    env:
+      BUNDLE_GEMFILE: ${{ github.workspace }}/${{ matrix.gemfile }}
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ruby/setup-ruby@v1
+        with:
+          bundler: ${{ matrix.bundler }}
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+      - run: bundle exec rake

data/README.md

@@ -57,8 +57,8 @@ An extra step in SAML SSO setup is adding your application to your identity prov
 Your IdP should give you some information you need to configure in [ruby-saml](https://github.com/onelogin/ruby-saml), as in the next section:
 
 - Issuer (`idp_entity_id`)
-- SSO endpoint (`idp_sso_target_url`)
-- SLO endpoint (`idp_slo_target_url`)
+- SSO endpoint (`idp_sso_service_url`)
+- SLO endpoint (`idp_slo_service_url`)
 - Certificate fingerprint (`idp_cert_fingerprint`) and algorithm (`idp_cert_fingerprint_algorithm`)
     - Or the certificate itself (`idp_cert`)
 
@@ -89,13 +89,13 @@ In `config/initializers/devise.rb`:
     # If you don't set it then email will be extracted from SAML assertation attributes.
     config.saml_use_subject = true
 
-    # You can support multiple IdPs by setting this value to a class that implements a #settings method which takes
-    # an IdP entity id as an argument and returns a hash of idp settings for the corresponding IdP.
-    config.idp_settings_adapter = nil
+    # You can support multiple IdPs by setting this value to the name of a class that implements a ::settings method
+    # which takes an IdP entity id as an argument and returns a hash of idp settings for the corresponding IdP.
+    # config.idp_settings_adapter = "MyIdPSettingsAdapter"
 
     # You provide you own method to find the idp_entity_id in a SAML message in the case of multiple IdPs
-    # by setting this to a custom reader class, or use the default.
-    # config.idp_entity_id_reader = DeviseSamlAuthenticatable::DefaultIdpEntityIdReader
+    # by setting this to the name of a custom reader class, or use the default.
+    # config.idp_entity_id_reader = "DeviseSamlAuthenticatable::DefaultIdpEntityIdReader"
 
     # You can set a handler object that takes the response for a failed SAML request and the strategy,
     # and implements a #handle method. This method can then redirect the user, return error messages, etc.
@@ -111,6 +111,10 @@ In `config/initializers/devise.rb`:
     # This is a time in seconds.
     # config.allowed_clock_drift_in_seconds = 0
 
+    # In SAML responses, validate that the identity provider has included an InResponseTo
+    # header that matches the ID of the SAML request. (Default is false)
+    # config.saml_validate_in_response_to = false
+
     # Configure with your SAML settings (see ruby-saml's README for more information: https://github.com/onelogin/ruby-saml).
     config.saml_configure do |settings|
       # assertion_consumer_service_url is required starting with ruby-saml 1.4.3: https://github.com/onelogin/ruby-saml#updating-from-142-to-143
@@ -119,8 +123,8 @@ In `config/initializers/devise.rb`:
       settings.name_identifier_format             = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
       settings.issuer                             = "http://localhost:3000/saml/metadata"
       settings.authn_context                      = ""
-      settings.idp_slo_target_url                 = "http://localhost/simplesaml/www/saml2/idp/SingleLogoutService.php"
-      settings.idp_sso_target_url                 = "http://localhost/simplesaml/www/saml2/idp/SSOService.php"
+      settings.idp_slo_service_url                = "http://localhost/simplesaml/www/saml2/idp/SingleLogoutService.php"
+      settings.idp_sso_service_url                = "http://localhost/simplesaml/www/saml2/idp/SSOService.php"
       settings.idp_cert_fingerprint               = "00:A1:2B:3C:44:55:6F:A7:88:CC:DD:EE:22:33:44:55:D6:77:8F:99"
       settings.idp_cert_fingerprint_algorithm     = "http://www.w3.org/2000/09/xmldsig#sha1"
     end
@@ -169,7 +173,7 @@ If you only have one IdP, you can use the config file above, or just return a si
     ...
     # ==> Configuration for :saml_authenticatable
 
-    config.saml_attribute_map_resolver = MyAttributeMapResolver
+    config.saml_attribute_map_resolver = "MyAttributeMapResolver"
   end
 ```
 
@@ -207,8 +211,8 @@ class IdPSettingsAdapter
         issuer: "http://localhost:3000/saml/metadata",
         idp_entity_id: "http://www.example_idp_entity_id.com",
         authn_context: "",
-        idp_slo_target_url: "http://example_idp_slo_target_url.com",
-        idp_sso_target_url: "http://example_idp_sso_target_url.com",
+        idp_slo_service_url: "http://example_idp_slo_service_url.com",
+        idp_sso_service_url: "http://example_idp_sso_service_url.com",
         idp_cert: "example_idp_cert"
       }
     when "http://www.another_idp_entity_id.biz"
@@ -219,8 +223,8 @@ class IdPSettingsAdapter
         issuer: "http://localhost:3000/saml/metadata",
         idp_entity_id: "http://www.another_idp_entity_id.biz",
         authn_context: "",
-        idp_slo_target_url: "http://another_idp_slo_target_url.com",
-        idp_sso_target_url: "http://another_idp_sso_target_url.com",
+        idp_slo_service_url: "http://another_idp_slo_service_url.com",
+        idp_sso_service_url: "http://another_idp_sso_service_url.com",
         idp_cert: "another_idp_cert"
       }
     else

data/app/controllers/devise/saml_sessions_controller.rb

@@ -5,10 +5,10 @@ class Devise::SamlSessionsController < Devise::SessionsController
   unloadable if Rails::VERSION::MAJOR < 4
   if Rails::VERSION::MAJOR < 5
     skip_before_filter :verify_authenticity_token
-    prepend_before_filter :store_info_for_sp_initiated_logout, only: :destroy
+    prepend_before_filter :verify_signed_out_user, :store_info_for_sp_initiated_logout, only: :destroy
   else
     skip_before_action :verify_authenticity_token, raise: false
-    prepend_before_action :store_info_for_sp_initiated_logout, only: :destroy
+    prepend_before_action :verify_signed_out_user, :store_info_for_sp_initiated_logout, only: :destroy
   end
 
   def new
@@ -16,12 +16,16 @@ class Devise::SamlSessionsController < Devise::SessionsController
     request = OneLogin::RubySaml::Authrequest.new
     auth_params = { RelayState: relay_state } if relay_state
     action = request.create(saml_config(idp_entity_id), auth_params || {})
+    if request.respond_to?(:request_id)
+      session[:saml_transaction_id] = request.request_id
+    end
     redirect_to action
   end
 
   def metadata
+    idp_entity_id = params[:idp_entity_id]
     meta = OneLogin::RubySaml::Metadata.new
-    render :xml => meta.generate(saml_config)
+    render :xml => meta.generate(saml_config(idp_entity_id))
   end
 
   def idp_sign_out
@@ -78,6 +82,18 @@ class Devise::SamlSessionsController < Devise::SessionsController
     request.create(saml_settings)
   end
 
+  # Overried devise: if user is signed out, not create the SP initiated logout request,
+  # redirect to saml_sign_out_success_url,
+  # or devise's after_sign_out_path_for
+  def verify_signed_out_user
+    if all_signed_out?
+      set_flash_message! :notice, :already_signed_out
+
+      redirect_to Devise.saml_sign_out_success_url.presence ||
+                  Devise::SessionsController.new.after_sign_out_path_for(resource_name)
+    end
+  end
+
   def generate_idp_logout_response(saml_config, logout_request_id)
 
     params = {}

data/lib/devise_saml_authenticatable/model.rb

@@ -33,7 +33,7 @@ module Devise
           key = Devise.saml_default_user_key
           decorated_response = ::SamlAuthenticatable::SamlResponse.new(
             saml_response,
-            Devise.saml_attribute_map_resolver.new(saml_response).attribute_map,
+            attribute_map(saml_response),
           )
           if Devise.saml_use_subject
             auth_value = saml_response.name_id
@@ -80,6 +80,18 @@ module Devise
         def find_for_shibb_authentication(conditions)
           find_for_authentication(conditions)
         end
+
+        def attribute_map(saml_response = nil)
+          attribute_map_resolver.new(saml_response).attribute_map
+        end
+
+        def attribute_map_resolver
+          if Devise.saml_attribute_map_resolver.respond_to?(:new)
+            Devise.saml_attribute_map_resolver
+          else
+            Devise.saml_attribute_map_resolver.constantize
+          end
+        end
       end
     end
   end

data/lib/devise_saml_authenticatable/saml_config.rb

@@ -22,7 +22,7 @@ module DeviseSamlAuthenticatable
     def adapter_based_config(idp_entity_id)
       config = Marshal.load(Marshal.dump(Devise.saml_config))
 
-      Devise.idp_settings_adapter.settings(idp_entity_id).each do |k,v|
+      idp_settings_adapter.settings(idp_entity_id).each do |k,v|
         acc = "#{k.to_s}=".to_sym
 
         if config.respond_to? acc
@@ -33,7 +33,23 @@ module DeviseSamlAuthenticatable
     end
 
     def get_idp_entity_id(params)
-      Devise.idp_entity_id_reader.entity_id(params)
+      idp_entity_id_reader.entity_id(params)
+    end
+
+    def idp_entity_id_reader
+      if Devise.idp_entity_id_reader.respond_to?(:entity_id)
+        Devise.idp_entity_id_reader
+      else
+        @idp_entity_id_reader ||= Devise.idp_entity_id_reader.constantize
+      end
+    end
+
+    def idp_settings_adapter
+      if Devise.idp_settings_adapter.respond_to?(:settings)
+        Devise.idp_settings_adapter
+      else
+        @idp_settings_adapter ||= Devise.idp_settings_adapter.constantize
+      end
     end
   end
 end

data/lib/devise_saml_authenticatable/strategy.rb

@@ -8,8 +8,7 @@ module Devise
         if params[:SAMLResponse]
           OneLogin::RubySaml::Response.new(
             params[:SAMLResponse],
-            settings: saml_config(get_idp_entity_id(params)),
-            allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+            response_options,
           )
         else
           false
@@ -36,8 +35,7 @@ module Devise
       def parse_saml_response
         @response = OneLogin::RubySaml::Response.new(
           params[:SAMLResponse],
-          settings: saml_config(get_idp_entity_id(params)),
-          allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+          response_options,
         )
         unless @response.is_valid?
           failed_auth("Auth errors: #{@response.errors.join(', ')}")
@@ -57,6 +55,18 @@ module Devise
         Devise.saml_failed_callback.new.handle(@response, self) if Devise.saml_failed_callback
       end
 
+      def response_options
+        options = {
+          settings: saml_config(get_idp_entity_id(params)),
+          allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+        }
+
+        if Devise.saml_validate_in_response_to
+          options[:matches_request_id] = request.session[:saml_transaction_id] || "ID_MISSING"
+        end
+
+        options
+      end
     end
   end
 end

data/lib/devise_saml_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "1.6.0"
+  VERSION = "1.7.0"
 end

data/lib/devise_saml_authenticatable.rb

@@ -56,7 +56,7 @@ module Devise
 
   # Reader that can parse entity id from a SAMLMessage
   mattr_accessor :idp_entity_id_reader
-  @@idp_entity_id_reader ||= ::DeviseSamlAuthenticatable::DefaultIdpEntityIdReader
+  @@idp_entity_id_reader ||= "::DeviseSamlAuthenticatable::DefaultIdpEntityIdReader"
 
   # Implements a #handle method that takes the response and strategy as an argument
   mattr_accessor :saml_failed_callback
@@ -67,9 +67,13 @@ module Devise
   mattr_accessor :saml_relay_state
   @@saml_relay_state
 
+  # Validate that the InResponseTo header in SAML responses matches the ID of the request.
+  mattr_accessor :saml_validate_in_response_to
+  @@saml_validate_in_response_to = false
+
   # Instead of storing the attribute_map in attribute-map.yml, store it in the database, or set it programatically
   mattr_accessor :saml_attribute_map_resolver
-  @@saml_attribute_map_resolver ||= ::DeviseSamlAuthenticatable::DefaultAttributeMapResolver
+  @@saml_attribute_map_resolver ||= "::DeviseSamlAuthenticatable::DefaultAttributeMapResolver"
 
   # Implements a #validate method that takes the retrieved resource and response right after retrieval,
   # and returns true if it's valid.  False will cause authentication to fail.

data/spec/controllers/devise/saml_sessions_controller_spec.rb

@@ -1,4 +1,5 @@
 require 'rails_helper'
+require 'support/ruby_saml_support'
 
 # The important parts from devise
 class DeviseController < ApplicationController
@@ -8,38 +9,55 @@ class DeviseController < ApplicationController
     User
   end
 
+  def resource_name
+    "users"
+  end
+
   def require_no_authentication
   end
+
+  def set_flash_message!(key, kind, options = {})
+    flash[key] = I18n.t("devise.sessions.#{kind}")
+  end
 end
+
 class Devise::SessionsController < DeviseController
   def destroy
     sign_out
     redirect_to after_sign_out_path_for(:user)
   end
-
-  def verify_signed_out_user
-    # no-op for these tests
-  end
 end
 
 require_relative '../../../app/controllers/devise/saml_sessions_controller'
 
 describe Devise::SamlSessionsController, type: :controller do
+  include RubySamlSupport
+
   let(:idp_providers_adapter) { spy("Stub IDPSettings Adaptor") }
 
   before do
     @request.env["devise.mapping"] = Devise.mappings[:user]
-    allow(idp_providers_adapter).to receive(:settings).and_return({
+    settings = {
       assertion_consumer_service_url: "acs_url",
       assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
       name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
       issuer: "sp_issuer",
       idp_entity_id: "http://www.example.com",
       authn_context: "",
-      idp_slo_target_url: "http://idp_slo_url",
-      idp_sso_target_url: "http://idp_sso_url",
       idp_cert: "idp_cert"
+    }
+    with_ruby_saml_1_12_or_greater(proc {
+      settings.merge!(
+        idp_slo_service_url: "http://idp_slo_url",
+        idp_sso_service_url: "http://idp_sso_url",
+      )
+    }, else_do: proc {
+      settings.merge!(
+        idp_slo_target_url: "http://idp_slo_url",
+        idp_sso_target_url: "http://idp_sso_url",
+      )
     })
+    allow(idp_providers_adapter).to receive(:settings).and_return(settings)
   end
 
   before do
@@ -72,6 +90,13 @@ describe Devise::SamlSessionsController, type: :controller do
         do_get
         expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
       end
+
+      it "stores saml_transaction_id in the session" do
+        do_get
+        if OneLogin::RubySaml::Authrequest.public_instance_methods.include?(:request_id)
+          expect(session[:saml_transaction_id]).to be_present
+        end
+      end
     end
 
     context "with a specified idp" do
@@ -84,6 +109,13 @@ describe Devise::SamlSessionsController, type: :controller do
         expect(response).to redirect_to(%r(\Ahttp://idp_sso_url\?SAMLRequest=))
       end
 
+      it "stores saml_transaction_id in the session" do
+        do_get
+        if OneLogin::RubySaml::Authrequest.public_instance_methods.include?(:request_id)
+          expect(session[:saml_transaction_id]).to be_present
+        end
+      end
+
       it "uses the DefaultIdpEntityIdReader" do
         expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
         do_get
@@ -172,80 +204,136 @@ describe Devise::SamlSessionsController, type: :controller do
   end
 
   describe '#destroy' do
-    before do
-      allow(controller).to receive(:sign_out)
-    end
+    subject { delete :destroy }
 
-    context "when using the default saml config" do
-      it "signs out and redirects to the IdP" do
-        delete :destroy
-        expect(controller).to have_received(:sign_out)
-        expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/logout\?SAMLRequest=))
+    context "when user is signed out" do
+      before do
+        class Devise::SessionsController < DeviseController
+          def all_signed_out?
+            true
+          end
+        end
       end
-    end
 
-    context "when configured to use a non-transient name identifier" do
-      before do
-        allow(Devise.saml_config).to receive(:name_identifier_format).and_return("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
+      shared_examples "not create SP initiated logout request" do
+        it do
+          expect(OneLogin::RubySaml::Logoutrequest).not_to receive(:new)
+          subject
+        end
+      end
+
+      context "when Devise.saml_sign_out_success_url is set" do
+        before do
+          allow(Devise).to receive(:saml_sign_out_success_url).and_return("http://localhost:8009/logged_out")
+        end
+
+        it "redirect to saml_sign_out_success_url" do
+          is_expected.to redirect_to "http://localhost:8009/logged_out"
+          expect(flash[:notice]).to eq I18n.t("devise.sessions.already_signed_out")
+        end
+
+        it_behaves_like "not create SP initiated logout request"
       end
 
-      it "includes a LogoutRequest with the name identifier and session index", :aggregate_failures do
-        controller.current_user = Struct.new(:email, :session_index).new("user@example.com", "sessionindex")
+      context "when Devise.saml_sign_out_success_url is not set" do
+        before do
+          class Devise::SessionsController < DeviseController
+            def after_sign_out_path_for(_)
+              "http://localhost:8009/logged_out"
+            end
+          end
+        end
 
-        actual_settings = nil
-        expect_any_instance_of(OneLogin::RubySaml::Logoutrequest).to receive(:create) do |_, settings|
-          actual_settings = settings
-          "http://localhost:8009/saml/logout"
+        it "redirect to devise's after sign out path" do
+          is_expected.to redirect_to "http://localhost:8009/logged_out"
+          expect(flash[:notice]).to eq I18n.t("devise.sessions.already_signed_out")
         end
 
-        delete :destroy
-        expect(actual_settings.name_identifier_value).to eq("user@example.com")
-        expect(actual_settings.sessionindex).to eq("sessionindex")
+        it_behaves_like "not create SP initiated logout request"
       end
     end
 
-    context "with a specified idp" do
+    context "when user is not signed out" do
       before do
-        Devise.idp_settings_adapter = idp_providers_adapter
+        class Devise::SessionsController < DeviseController
+          def all_signed_out?
+            false
+          end
+        end
+        allow(controller).to receive(:sign_out)
       end
 
-      it "redirects to the associated IdP SSO target url" do
-        expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
-        delete :destroy
-        expect(controller).to have_received(:sign_out)
-        expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
+      context "when using the default saml config" do
+        it "signs out and redirects to the IdP" do
+          delete :destroy
+          expect(controller).to have_received(:sign_out)
+          expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/logout\?SAMLRequest=))
+        end
       end
 
-      context "with a specified idp entity id reader" do
-        class OurIdpEntityIdReader
-          def self.entity_id(params)
-            params[:entity_id]
-          end
+      context "when configured to use a non-transient name identifier" do
+        before do
+          allow(Devise.saml_config).to receive(:name_identifier_format).and_return("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
         end
 
-        subject(:do_delete) {
-          if Rails::VERSION::MAJOR > 4
-            delete :destroy, params: {entity_id: "http://www.example.com"}
-          else
-            delete :destroy, entity_id: "http://www.example.com"
+        it "includes a LogoutRequest with the name identifier and session index", :aggregate_failures do
+          controller.current_user = Struct.new(:email, :session_index).new("user@example.com", "sessionindex")
+
+          actual_settings = nil
+          expect_any_instance_of(OneLogin::RubySaml::Logoutrequest).to receive(:create) do |_, settings|
+            actual_settings = settings
+            "http://localhost:8009/saml/logout"
           end
-        }
 
-        before do
-          @default_reader = Devise.idp_entity_id_reader
-          Devise.idp_entity_id_reader = OurIdpEntityIdReader # which will have some different behavior
+          delete :destroy
+          expect(actual_settings.name_identifier_value).to eq("user@example.com")
+          expect(actual_settings.sessionindex).to eq("sessionindex")
         end
+      end
 
-        after do
-          Devise.idp_entity_id_reader = @default_reader
+      context "with a specified idp" do
+        before do
+          Devise.idp_settings_adapter = idp_providers_adapter
         end
 
-        it "redirects to the associated IdP SLO target url" do
-          do_delete
+        it "redirects to the associated IdP SSO target url" do
+          expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
+          delete :destroy
           expect(controller).to have_received(:sign_out)
-          expect(idp_providers_adapter).to have_received(:settings).with("http://www.example.com")
           expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
         end
+
+        context "with a specified idp entity id reader" do
+          class OurIdpEntityIdReader
+            def self.entity_id(params)
+              params[:entity_id]
+            end
+          end
+
+          subject(:do_delete) {
+            if Rails::VERSION::MAJOR > 4
+              delete :destroy, params: {entity_id: "http://www.example.com"}
+            else
+              delete :destroy, entity_id: "http://www.example.com"
+            end
+          }
+
+          before do
+            @default_reader = Devise.idp_entity_id_reader
+            Devise.idp_entity_id_reader = OurIdpEntityIdReader # which will have some different behavior
+          end
+
+          after do
+            Devise.idp_entity_id_reader = @default_reader
+          end
+
+          it "redirects to the associated IdP SLO target url" do
+            do_delete
+            expect(controller).to have_received(:sign_out)
+            expect(idp_providers_adapter).to have_received(:settings).with("http://www.example.com")
+            expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
+          end
+        end
       end
     end
   end

data/spec/devise_saml_authenticatable/model_spec.rb

@@ -372,4 +372,10 @@ describe Devise::Models::SamlAuthenticatable do
       allow(Devise).to receive(:saml_resource_locator).and_return(block)
     end
   end
+
+  describe "::attribute_map" do
+    it "returns the attribute map" do
+      expect(Model.attribute_map).to eq(attributemap)
+    end
+  end
 end

data/spec/devise_saml_authenticatable/saml_config_spec.rb

@@ -1,6 +1,9 @@
 require 'spec_helper'
+require 'support/ruby_saml_support'
 
 describe DeviseSamlAuthenticatable::SamlConfig do
+  include RubySamlSupport
+
   let(:saml_config) { controller.saml_config }
   let(:controller) { Class.new { include DeviseSamlAuthenticatable::SamlConfig }.new }
 
@@ -26,32 +29,54 @@ describe DeviseSamlAuthenticatable::SamlConfig do
       let(:saml_config) { controller.saml_config(idp_entity_id) }
       let(:idp_providers_adapter) {
         Class.new {
+          extend RubySamlSupport
+
           def self.settings(idp_entity_id)
             #some hash of stuff (by doing a fetch, in our case, but could also be a giant hash keyed by idp_entity_id)
             if idp_entity_id == "http://www.example.com"
-              {
+              base = {
                 assertion_consumer_service_url: "acs_url",
                 assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                 name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                 issuer: "sp_issuer",
                 idp_entity_id: "http://www.example.com",
                 authn_context: "",
-                idp_slo_target_url: "idp_slo_url",
-                idp_sso_target_url: "idp_sso_url",
                 idp_cert: "idp_cert"
               }
+              with_ruby_saml_1_12_or_greater(proc {
+                base.merge!(
+                  idp_slo_service_url: "idp_slo_url",
+                  idp_sso_service_url: "idp_sso_url",
+                )
+              }, else_do: proc {
+                base.merge!(
+                  idp_slo_target_url: "idp_slo_url",
+                  idp_sso_target_url: "idp_sso_url",
+                )
+              })
+              base
             elsif idp_entity_id == "http://www.example.com_other"
-              {
+              base = {
                 assertion_consumer_service_url: "acs_url_other",
                 assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST_other",
                 name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress_other",
                 issuer: "sp_issuer_other",
                 idp_entity_id: "http://www.example.com_other",
                 authn_context: "_other",
-                idp_slo_target_url: "idp_slo_url_other",
-                idp_sso_target_url: "idp_sso_url_other",
                 idp_cert: "idp_cert_other"
               }
+              with_ruby_saml_1_12_or_greater(proc {
+                base.merge!(
+                  idp_slo_service_url: "idp_slo_url_other",
+                  idp_sso_service_url: "idp_sso_url_other",
+                )
+              }, else_do: proc {
+                base.merge!(
+                  idp_slo_target_url: "idp_slo_url_other",
+                  idp_sso_target_url: "idp_sso_url_other",
+                )
+              })
+              base
             else
               {}
             end
@@ -63,7 +88,11 @@ describe DeviseSamlAuthenticatable::SamlConfig do
         let(:idp_entity_id) { "http://www.example.com" }
         it "uses the settings from the adapter for that idp" do
           expect(saml_config.idp_entity_id).to eq (idp_entity_id)
-          expect(saml_config.idp_sso_target_url).to eq ("idp_sso_url")
+          with_ruby_saml_1_12_or_greater(proc {
+            expect(saml_config.idp_sso_service_url).to eq('idp_sso_url')
+          }, else_do: proc {
+            expect(saml_config.idp_sso_target_url).to eq('idp_sso_url')
+          })
           expect(saml_config.class).to eq OneLogin::RubySaml::Settings
         end
       end
@@ -72,7 +101,11 @@ describe DeviseSamlAuthenticatable::SamlConfig do
         let(:idp_entity_id) { "http://www.example.com_other" }
         it "returns the other idp settings" do
           expect(saml_config.idp_entity_id).to eq (idp_entity_id)
-          expect(saml_config.idp_sso_target_url).to eq ("idp_sso_url_other")
+          with_ruby_saml_1_12_or_greater(proc {
+            expect(saml_config.idp_sso_service_url).to eq('idp_sso_url_other')
+          }, else_do: proc {
+            expect(saml_config.idp_sso_target_url).to eq('idp_sso_url_other')
+          })
           expect(saml_config.class).to eq OneLogin::RubySaml::Settings
         end
       end
@@ -80,11 +113,8 @@ describe DeviseSamlAuthenticatable::SamlConfig do
   end
 
   context "when config/idp.yml exists" do
-    before do
-      allow(Rails).to receive(:env).and_return("environment")
-      allow(Rails).to receive(:root).and_return("/railsroot")
-      allow(File).to receive(:exists?).with("/railsroot/config/idp.yml").and_return(true)
-      allow(File).to receive(:read).with("/railsroot/config/idp.yml").and_return(<<-IDP)
+    let(:idp_yaml) {
+      yaml = <<-IDP
 ---
 environment:
   assertion_consumer_logout_service_binding: assertion_consumer_logout_service_binding
@@ -104,8 +134,6 @@ environment:
   idp_cert_fingerprint: idp_cert_fingerprint
   idp_cert_fingerprint_algorithm: idp_cert_fingerprint_algorithm
   idp_entity_id: idp_entity_id
-  idp_slo_target_url: idp_slo_target_url
-  idp_sso_target_url: idp_sso_target_url
   issuer: issuer
   name_identifier_format: name_identifier_format
   name_identifier_value: name_identifier_value
@@ -116,6 +144,20 @@ environment:
   sessionindex: sessionindex
   sp_name_qualifier: sp_name_qualifier
       IDP
+    with_ruby_saml_1_12_or_greater(proc { yaml << <<SERVICE_URLS }, else_do: proc { yaml << <<TARGET_URLS })
+  idp_slo_service_url: idp_slo_service_url
+  idp_sso_service_url: idp_sso_service_url
+SERVICE_URLS
+  idp_slo_target_url: idp_slo_service_url
+  idp_sso_target_url: idp_sso_service_url
+TARGET_URLS
+      yaml
+    }
+    before do
+      allow(Rails).to receive(:env).and_return("environment")
+      allow(Rails).to receive(:root).and_return("/railsroot")
+      allow(File).to receive(:exists?).with("/railsroot/config/idp.yml").and_return(true)
+      allow(File).to receive(:read).with("/railsroot/config/idp.yml").and_return(idp_yaml)
     end
 
     it "uses that file's contents" do
@@ -136,8 +178,13 @@ environment:
       expect(saml_config.idp_cert_fingerprint).to eq('idp_cert_fingerprint')
       expect(saml_config.idp_cert_fingerprint_algorithm).to eq('idp_cert_fingerprint_algorithm')
       expect(saml_config.idp_entity_id).to eq('idp_entity_id')
-      expect(saml_config.idp_slo_target_url).to eq('idp_slo_target_url')
-      expect(saml_config.idp_sso_target_url).to eq('idp_sso_target_url')
+      with_ruby_saml_1_12_or_greater(proc {
+        expect(saml_config.idp_slo_service_url).to eq('idp_slo_service_url')
+        expect(saml_config.idp_sso_service_url).to eq('idp_sso_service_url')
+      }, else_do: proc {
+        expect(saml_config.idp_slo_target_url).to eq('idp_slo_service_url')
+        expect(saml_config.idp_sso_target_url).to eq('idp_sso_service_url')
+      })
       expect(saml_config.issuer).to eq('issuer')
       expect(saml_config.name_identifier_format).to eq('name_identifier_format')
       expect(saml_config.name_identifier_value).to eq('name_identifier_value')

data/spec/devise_saml_authenticatable/strategy_spec.rb

@@ -1,6 +1,9 @@
 require 'rails_helper'
+require 'support/ruby_saml_support'
 
 describe Devise::Strategies::SamlAuthenticatable do
+  include RubySamlSupport
+
   subject(:strategy) { described_class.new(env, :user) }
   let(:env) { {} }
   let(:errors) { ["Test1", "Test2"] }
@@ -16,7 +19,7 @@ describe Devise::Strategies::SamlAuthenticatable do
   let(:user) { double(:user) }
   before do
     allow(strategy).to receive(:mapping).and_return(mapping)
-    allow(user).to receive(:after_saml_authentication)
+    allow(user).to(receive(:after_saml_authentication)) if user
   end
 
   let(:params) { {} }
@@ -54,17 +57,27 @@ describe Devise::Strategies::SamlAuthenticatable do
       let(:idp_providers_adapter) {
         Class.new {
           def self.settings(idp_entity_id)
-            {
+            base = {
               assertion_consumer_service_url: "acs_url",
               assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
               name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
               issuer: "sp_issuer",
               idp_entity_id: "http://www.example.com",
               authn_context: "",
-              idp_slo_target_url: "idp_slo_url",
-              idp_sso_target_url: "http://idp_sso_url",
               idp_cert: "idp_cert"
             }
+            with_ruby_saml_1_12_or_greater(proc {
+              base.merge!(
+                idp_slo_service_url: "idp_slo_url",
+                idp_sso_service_url: "http://idp_sso_url",
+              )
+            }, else_do: proc {
+              base.merge!(
+                idp_slo_target_url: "idp_slo_url",
+                idp_sso_target_url: "http://idp_sso_url",
+              )
+            })
+            base
           end
         }
       }
@@ -93,8 +106,10 @@ describe Devise::Strategies::SamlAuthenticatable do
       let(:user) { nil }
 
       it "fails to authenticate" do
-        expect(strategy).to receive(:fail!).with(:invalid)
         strategy.authenticate!
+        expect(strategy).to be_halted
+        expect(strategy.message).to be(:invalid)
+        expect(strategy.result).to be(:failure)
       end
 
       it 'logs the error' do
@@ -152,6 +167,40 @@ describe Devise::Strategies::SamlAuthenticatable do
         strategy.authenticate!
       end
     end
+
+    context "when saml_validate_in_response_to is opted-in to" do
+      let(:transaction_id) { "abc123" }
+
+      before do
+        allow(Devise).to receive(:saml_validate_in_response_to).and_return(true)
+        allow_any_instance_of(ActionDispatch::Request).to receive(:session).and_return(session)
+      end
+
+      context "when the session has a saml_transaction_id" do
+        let(:session) { { saml_transaction_id: transaction_id }}
+
+        it "is valid with the matches_request_id parameter" do
+          expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], hash_including(matches_request_id: transaction_id))
+          expect(strategy).to be_valid
+        end
+
+        it "authenticates with the matches_request_id parameter" do
+          expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], hash_including(matches_request_id: transaction_id))
+
+          expect(strategy).to receive(:success!).with(user)
+          strategy.authenticate!
+        end
+      end
+
+      context "when the session is missing a saml_transaction_id" do
+        let(:session) { { } }
+
+        it "uses 'ID_MISSING' for matches_request_id so validation will fail" do
+          expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], hash_including(matches_request_id: "ID_MISSING"))
+          strategy.authenticate!
+        end
+      end
+    end
   end
 
   it "is not valid without a SAMLResponse parameter" do

data/spec/features/saml_authentication_spec.rb

@@ -141,7 +141,7 @@ describe "SAML Authentication", type: :feature do
   context "when the idp_settings_adapter key is set" do
     before(:each) do
       create_app('idp', 'INCLUDE_SUBJECT_IN_ATTRIBUTES' => "false")
-      create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'IDP_SETTINGS_ADAPTER' => "IdpSettingsAdapter", 'IDP_ENTITY_ID_READER' => "OurEntityIdReader")
+      create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'IDP_SETTINGS_ADAPTER' => '"IdpSettingsAdapter"', 'IDP_ENTITY_ID_READER' => '"OurEntityIdReader"')
 
       # use a different port for this entity ID; configured in spec/support/idp_settings_adapter.rb.erb
       @idp_pid = start_app('idp', 8010)
@@ -204,7 +204,7 @@ describe "SAML Authentication", type: :feature do
       )
       create_app(
         "sp",
-        "ATTRIBUTE_MAP_RESOLVER" => "AttributeMapResolver",
+        "ATTRIBUTE_MAP_RESOLVER" => '"AttributeMapResolver"',
         "USE_SUBJECT_TO_AUTHENTICATE" => "true",
       )
       @idp_pid = start_app("idp", idp_port)

data/spec/support/Gemfile.rails5.2

@@ -6,7 +6,7 @@ gemspec path: '../..'
 group :test do
   gem 'rake'
   gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 5.2'
+  gem 'rails', '~> 5.2.0'
   gem 'rspec-rails', '~> 3.9'
   gem 'sqlite3', '~> 1.3.6'
   gem 'capybara'

data/spec/support/Gemfile.rails6

@@ -0,0 +1,14 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
+gemspec path: '../..'
+
+group :test do
+  gem 'rake'
+  gem 'rspec', '~> 3.0'
+  gem 'rails', '~> 6.0.0'
+  gem 'rspec-rails', '~> 5.0'
+  gem 'sqlite3', '~> 1.4.0'
+  gem 'capybara'
+  gem 'poltergeist'
+end

data/spec/support/idp_settings_adapter.rb.erb

@@ -1,17 +1,27 @@
 class IdpSettingsAdapter
   def self.settings(idp_entity_id)
     if idp_entity_id == "http://localhost:8020/saml/metadata"
-      {
-          assertion_consumer_service_url: "http://localhost:8020/users/saml/auth",
-          assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-          name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-          issuer: "sp_issuer",
-          idp_entity_id: "http://localhost:8020/saml/metadata",
-          authn_context: "",
+      base = {
+        assertion_consumer_service_url: "http://localhost:8020/users/saml/auth",
+        assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+        name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+        issuer: "sp_issuer",
+        idp_entity_id: "http://localhost:8020/saml/metadata",
+        authn_context: "",
+        idp_cert_fingerprint: "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
+      }
+      if Gem::Version.new(OneLogin::RubySaml::VERSION) >= Gem::Version.new("1.12.0")
+        base.merge!(
+          idp_slo_service_url: "http://localhost:8010/saml/logout",
+          idp_sso_service_url: "http://localhost:8010/saml/auth",
+        )
+      else
+        base.merge!(
           idp_slo_target_url: "http://localhost:8010/saml/logout",
           idp_sso_target_url: "http://localhost:8010/saml/auth",
-          idp_cert_fingerprint: "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
-      }
+        )
+      end
+      base
     else
       {}
     end

data/spec/support/rails_app.rb

@@ -21,12 +21,11 @@ def create_app(name, env = {})
   puts "[#{name}] Creating Rails app"
   rails_new_options = %w[-T -J -S --skip-spring --skip-listen --skip-bootsnap]
   rails_new_options << "-O" if name == "idp"
-  with_clean_env do
-    Dir.chdir(working_directory) do
-      FileUtils.rm_rf(name)
-      puts("rails _#{Rails.version}_ new #{name} #{rails_new_options.join(" ")} -m #{File.expand_path("../#{name}_template.rb", __FILE__)}")
-      system(env, "rails", "_#{Rails.version}_", "new", name, *rails_new_options, "-m", File.expand_path("../#{name}_template.rb", __FILE__))
-    end
+  env.merge!("RUBY_SAML_VERSION" => OneLogin::RubySaml::VERSION)
+  Dir.chdir(working_directory) do
+    FileUtils.rm_rf(name)
+    puts("[#{working_directory}] rails _#{Rails.version}_ new #{name} #{rails_new_options.join(" ")} -m #{File.expand_path("../#{name}_template.rb", __FILE__)}")
+    system(env, "rails", "_#{Rails.version}_", "new", name, *rails_new_options, "-m", File.expand_path("../#{name}_template.rb", __FILE__))
   end
 end
 

data/spec/support/ruby_saml_support.rb

@@ -0,0 +1,10 @@
+module RubySamlSupport
+  VERSION_1_12 = Gem::Version.new("1.12.0")
+  def with_ruby_saml_1_12_or_greater(body, args = {else_do: nil})
+    if Gem::Version.new(OneLogin::RubySaml::VERSION) >= VERSION_1_12
+      body.call
+    else
+      args[:else_do].call
+    end
+  end
+end

data/spec/support/sp_template.rb

@@ -6,15 +6,16 @@ attribute_map_resolver = ENV.fetch("ATTRIBUTE_MAP_RESOLVER", "nil")
 saml_session_index_key = ENV.fetch('SAML_SESSION_INDEX_KEY', ":session_index")
 use_subject_to_authenticate = ENV.fetch('USE_SUBJECT_TO_AUTHENTICATE')
 idp_settings_adapter = ENV.fetch('IDP_SETTINGS_ADAPTER', "nil")
-idp_entity_id_reader = ENV.fetch('IDP_ENTITY_ID_READER', "DeviseSamlAuthenticatable::DefaultIdpEntityIdReader")
+idp_entity_id_reader = ENV.fetch('IDP_ENTITY_ID_READER', '"DeviseSamlAuthenticatable::DefaultIdpEntityIdReader"')
 saml_failed_callback = ENV.fetch('SAML_FAILED_CALLBACK', "nil")
+ruby_saml_version = ENV.fetch("RUBY_SAML_VERSION")
 
 if Rails::VERSION::MAJOR < 5 || (Rails::VERSION::MAJOR == 5 && Rails::VERSION::MINOR < 2)
   gsub_file 'config/secrets.yml', /secret_key_base:.*$/, 'secret_key_base: "8b5889df1fcf03f76c7d66da02d8776bcc85b06bed7d9c592f076d9c8a5455ee6d4beae45986c3c030b40208db5e612f2a6ef8283036a352e3fae83c5eda36be"'
 end
 
 gem 'devise_saml_authenticatable', path: File.expand_path("../../..", __FILE__)
-gem 'ruby-saml', OneLogin::RubySaml::VERSION
+gem 'ruby-saml', ruby_saml_version
 gem 'thin'
 
 insert_into_file('Gemfile', after: /\z/) {
@@ -92,13 +93,24 @@ after_bundle do
   config.saml_configure do |settings|
     settings.assertion_consumer_service_url = "http://localhost:8020/users/saml/auth"
     settings.issuer = "http://localhost:8020/saml/metadata"
-    settings.idp_slo_target_url = "http://localhost:8009/saml/logout"
-    settings.idp_sso_target_url = "http://localhost:8009/saml/auth"
     settings.idp_cert_fingerprint = "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
     settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
   end
 end
   CONFIG
+  if Gem::Version.new(ruby_saml_version) >= Gem::Version.new("1.12.0")
+    gsub_file 'config/initializers/devise.rb', /^  config\.saml_configure do \|settings\|$/, <<CONFIG
+  config.saml_configure do |settings|
+    settings.idp_slo_service_url = "http://localhost:8009/saml/logout"
+    settings.idp_sso_service_url = "http://localhost:8009/saml/auth"
+CONFIG
+  else
+    gsub_file 'config/initializers/devise.rb', /^  config\.saml_configure do \|settings\|$/, <<CONFIG
+  config.saml_configure do |settings|
+    settings.idp_slo_target_url = "http://localhost:8009/saml/logout"
+    settings.idp_sso_target_url = "http://localhost:8009/saml/auth"
+CONFIG
+  end
 
   generate :controller, 'home', 'index'
   insert_into_file('app/controllers/home_controller.rb', after: "class HomeController < ApplicationController\n") {

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_saml_authenticatable
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.7.0
 platform: ruby
 authors:
 - Josef Sauter
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-07-13 00:00:00.000000000 Z
+date: 2021-09-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -45,9 +45,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ci.yml"
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
@@ -82,12 +82,14 @@ files:
 - spec/support/Gemfile.rails5
 - spec/support/Gemfile.rails5.1
 - spec/support/Gemfile.rails5.2
+- spec/support/Gemfile.rails6
 - spec/support/attribute-map.yml
 - spec/support/attribute_map_resolver.rb.erb
 - spec/support/idp_settings_adapter.rb.erb
 - spec/support/idp_template.rb
 - spec/support/rails_app.rb
 - spec/support/response_encrypted_nameid.xml.base64
+- spec/support/ruby_saml_support.rb
 - spec/support/saml_idp-saml_slo_post.html.erb
 - spec/support/saml_idp_controller.rb.erb
 - spec/support/sp_template.rb
@@ -95,7 +97,7 @@ homepage: ''
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -110,8 +112,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: SAML Authentication for devise
 test_files:
@@ -130,12 +132,14 @@ test_files:
 - spec/support/Gemfile.rails5
 - spec/support/Gemfile.rails5.1
 - spec/support/Gemfile.rails5.2
+- spec/support/Gemfile.rails6
 - spec/support/attribute-map.yml
 - spec/support/attribute_map_resolver.rb.erb
 - spec/support/idp_settings_adapter.rb.erb
 - spec/support/idp_template.rb
 - spec/support/rails_app.rb
 - spec/support/response_encrypted_nameid.xml.base64
+- spec/support/ruby_saml_support.rb
 - spec/support/saml_idp-saml_slo_post.html.erb
 - spec/support/saml_idp_controller.rb.erb
 - spec/support/sp_template.rb

data/.travis.yml

@@ -1,52 +0,0 @@
-language: ruby
-rvm:
-  - "2.0.0"
-  - "2.1.10"
-  - "2.2.10"
-  - "2.3.8"
-  - "2.4.10"
-  - "2.5.8"
-  - "2.6.6"
-  - "2.7.1"
-gemfile:
-  - Gemfile
-  - spec/support/Gemfile.rails5.2
-  - spec/support/Gemfile.rails5.1
-  - spec/support/Gemfile.rails5
-  - spec/support/Gemfile.rails4
-matrix:
-  allow_failures:
-    - rvm: "2.0.0"
-      gemfile: Gemfile
-    - rvm: "2.0.0"
-      gemfile: spec/support/Gemfile.rails5
-    - rvm: "2.0.0"
-      gemfile: spec/support/Gemfile.rails5.1
-    - rvm: "2.0.0"
-      gemfile: spec/support/Gemfile.rails5.2
-    - rvm: "2.1.10"
-      gemfile: Gemfile
-    - rvm: "2.1.10"
-      gemfile: spec/support/Gemfile.rails5
-    - rvm: "2.1.10"
-      gemfile: spec/support/Gemfile.rails5.1
-    - rvm: "2.1.10"
-      gemfile: spec/support/Gemfile.rails5.2
-    - rvm: "2.2.10"
-      gemfile: Gemfile
-    - rvm: "2.2.10"
-      gemfile: spec/support/Gemfile.rails5.2
-    - rvm: "2.3.8"
-      gemfile: Gemfile
-    - rvm: "2.4.10"
-      gemfile: Gemfile
-    - rvm: "2.6.6"
-      gemfile: spec/support/Gemfile.rails4
-    - rvm: "2.7.1"
-      gemfile: spec/support/Gemfile.rails4
-
-before_install:
-  - command -v bundle || gem install bundler -v '~> 1.17.3'
-
-script:
-  - bundle exec rake