devise_saml_authenticatable 1.6.2 → 1.9.1

data/spec/devise_saml_authenticatable/model_spec.rb

@@ -64,12 +64,12 @@ describe Devise::Models::SamlAuthenticatable do
 
   it "looks up the user by the configured default user key" do
     user = Model.new(new_record: false)
-    expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+    expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
     expect(Model.authenticate_with_saml(response, nil)).to eq(user)
   end
 
   it "returns nil if it cannot find a user" do
-    expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+    expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
     expect(Model.authenticate_with_saml(response, nil)).to be_nil
   end
 
@@ -83,12 +83,12 @@ describe Devise::Models::SamlAuthenticatable do
 
     it "looks up the user by the configured default user key" do
       user = Model.new(new_record: false)
-      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+      expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
       expect(Model.authenticate_with_saml(response, nil)).to eq(user)
     end
 
     it "returns nil if it cannot find a user" do
-      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+      expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
       expect(Model.authenticate_with_saml(response, nil)).to be_nil
     end
 
@@ -98,7 +98,7 @@ describe Devise::Models::SamlAuthenticatable do
       end
 
       it "creates and returns a new user with the name identifier and given attributes" do
-        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
         model = Model.authenticate_with_saml(response, nil)
         expect(model.email).to eq('user@example.com')
         expect(model.name).to  eq('A User')
@@ -106,6 +106,32 @@ describe Devise::Models::SamlAuthenticatable do
       end
     end
 
+    context "when configured to create a user by a proc and the user is not found" do
+      before do
+        create_user_proc = -> (model_class, _saml_response, auth_value) { model_class == Model && auth_value == 'user@example.com' }
+        allow(Devise).to receive(:saml_create_user).and_return(create_user_proc)
+      end
+
+      context "when the proc returns true" do
+        it "creates and returns a new user with the name identifier and given attributes" do
+          expect(Model).to receive(:where).with({ email: name_id }).and_return([])
+          model = Model.authenticate_with_saml(response, nil)
+          expect(model.email).to eq('user@example.com')
+          expect(model.name).to  eq('A User')
+          expect(model.saved).to be(true)
+        end
+      end
+
+      context "when the proc returns false" do
+        let(:name_id) { 'do_not_create@example.com' }
+
+        it "does not creates new user" do
+          expect(Model).to receive(:where).with({ email: name_id }).and_return([])
+          expect(Model.authenticate_with_saml(response, nil)).to be_nil
+        end
+      end
+    end
+
     context "when configured to update a user and the user is found" do
       before do
         allow(Devise).to receive(:saml_update_user).and_return(true)
@@ -113,22 +139,53 @@ describe Devise::Models::SamlAuthenticatable do
 
       it "creates and returns a new user with the name identifier and given attributes" do
         user = Model.new(email: "old_mail@mail.com", name: "old name", new_record: false)
-        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
         model = Model.authenticate_with_saml(response, nil)
         expect(model.email).to eq('user@example.com')
         expect(model.name).to  eq('A User')
         expect(model.saved).to be(true)
       end
     end
+
+    context "when configured to update a user by a proc and the user is found" do
+      let(:user) { Model.new(email: 'old_mail@mail.com', name: 'old name', new_record: false) }
+
+      before do
+        update_user_proc = -> (model_class, _saml_response, auth_value) { model_class == Model && auth_value == 'user@example.com' }
+        allow(Devise).to receive(:saml_update_user).and_return(update_user_proc)
+      end
+
+      context "when the proc returns true" do
+        it "updates user with given attributes" do
+          expect(Model).to receive(:where).with({ email: name_id }).and_return([user])
+          model = Model.authenticate_with_saml(response, nil)
+          expect(model.email).to eq('user@example.com')
+          expect(model.name).to  eq('A User')
+          expect(model.saved).to be(true)
+        end
+      end
+
+      context "when the proc returns false" do
+        let(:name_id) { 'do_not_update@example.com' }
+
+        it "does not update user" do
+          expect(Model).to receive(:where).with({ email: name_id }).and_return([user])
+          model = Model.authenticate_with_saml(response, nil)
+          expect(model.email).to eq('old_mail@mail.com')
+          expect(model.name).to  eq('old name')
+        end
+      end
+    end
   end
 
+
   context "when configured to create an user and the user is not found" do
     before do
       allow(Devise).to receive(:saml_create_user).and_return(true)
     end
 
     it "creates and returns a new user with the given attributes" do
-      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+      expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
       model = Model.authenticate_with_saml(response, nil)
       expect(model.email).to eq('user@example.com')
       expect(model.name).to  eq('A User')
@@ -136,19 +193,48 @@ describe Devise::Models::SamlAuthenticatable do
     end
   end
 
+  context "when configured to create a user by a proc and the user is not found" do
+    let(:create_user_proc) { -> (_model_class, saml_response, _auth_value) { saml_response.raw_response.issuers.first == 'to_create_idp' } }
+
+    before do
+      allow(Devise).to receive(:saml_create_user).and_return(create_user_proc)
+    end
+
+    context "when the proc returns true" do
+      let(:response) { double(:response, issuers: ['to_create_idp'], attributes: attributes, name_id: name_id) }
+
+      it "creates and returns a new user with the name identifier and given attributes" do
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
+        model = Model.authenticate_with_saml(response, nil)
+        expect(model.email).to eq('user@example.com')
+        expect(model.name).to  eq('A User')
+        expect(model.saved).to be(true)
+      end
+    end
+
+    context "when the proc returns false" do
+      let(:response) { double(:response, issuers: ['do_not_create_idp'], attributes: attributes, name_id: name_id) }
+
+      it "does not creates new user" do
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
+        expect(Model.authenticate_with_saml(response, nil)).to be_nil
+      end
+    end
+  end
+
   context "when configured to update an user" do
     before do
       allow(Devise).to receive(:saml_update_user).and_return(true)
     end
 
     it "returns nil if the user is not found" do
-      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+      expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
       expect(Model.authenticate_with_saml(response, nil)).to be_nil
     end
 
     it "updates the attributes if the user is found" do
       user = Model.new(email: "old_mail@mail.com", name: "old name", new_record: false)
-      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+      expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
       model = Model.authenticate_with_saml(response, nil)
       expect(model.email).to eq('user@example.com')
       expect(model.name).to  eq('A User')
@@ -156,6 +242,38 @@ describe Devise::Models::SamlAuthenticatable do
     end
   end
 
+  context "when configured to update a user by a proc and the user is found" do
+    let(:user) { Model.new(email: 'old_mail@mail.com', name: 'old name', new_record: false) }
+    let(:update_user_proc) { -> (_model_class, saml_response, _auth_value) { saml_response.raw_response.issuers.first == 'to_update_idp' } }
+
+    before do
+      allow(Devise).to receive(:saml_update_user).and_return(update_user_proc)
+    end
+
+    context "when the proc returns true" do
+      let(:response) { double(:response, issuers: ['to_update_idp'], attributes: attributes, name_id: name_id) }
+
+      it "updates user with given attributes" do
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
+        model = Model.authenticate_with_saml(response, nil)
+        expect(model.email).to eq('user@example.com')
+        expect(model.name).to  eq('A User')
+        expect(model.saved).to be(true)
+      end
+    end
+
+    context "when the proc returns false" do
+      let(:response) { double(:response, issuers: ['do_not_update_idp'], attributes: attributes, name_id: name_id) }
+
+      it "does not update user" do
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
+        model = Model.authenticate_with_saml(response, nil)
+        expect(model.email).to eq('old_mail@mail.com')
+        expect(model.name).to  eq('old name')
+      end
+    end
+  end
+
   context "when configured with a case-insensitive key" do
     shared_examples "correct downcasing" do
       before do
@@ -164,7 +282,7 @@ describe Devise::Models::SamlAuthenticatable do
 
       it "looks up the user with a downcased value" do
         user = Model.new(new_record: false)
-        expect(Model).to receive(:where).with(email: 'upper@example.com').and_return([user])
+        expect(Model).to receive(:where).with({ email: 'upper@example.com' }).and_return([user])
         expect(Model.authenticate_with_saml(response, nil)).to eq(user)
       end
     end
@@ -202,7 +320,7 @@ describe Devise::Models::SamlAuthenticatable do
       end
 
       it "returns the user" do
-        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
         expect(Model.authenticate_with_saml(response, nil)).to eq(user)
       end
     end
@@ -213,7 +331,7 @@ describe Devise::Models::SamlAuthenticatable do
       end
 
       it "returns nil" do
-        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
         expect(Model.authenticate_with_saml(response, nil)).to be_nil
       end
     end
@@ -236,7 +354,7 @@ describe Devise::Models::SamlAuthenticatable do
       end
 
       it "returns the user" do
-        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
         expect(Model.authenticate_with_saml(response, nil)).to eq(user)
       end
     end
@@ -247,7 +365,7 @@ describe Devise::Models::SamlAuthenticatable do
       end
 
       it "returns nil" do
-        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
         expect(Model.authenticate_with_saml(response, nil)).to be_nil
       end
     end
@@ -294,7 +412,7 @@ describe Devise::Models::SamlAuthenticatable do
     end
 
     def configure_hook(&block)
-      allow(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+      allow(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
       allow(Devise).to receive(:saml_default_user_key).and_return(:email)
       allow(Devise).to receive(:saml_create_user).and_return(true)
       allow(Devise).to receive(:saml_update_resource_hook).and_return(block)
@@ -305,7 +423,7 @@ describe Devise::Models::SamlAuthenticatable do
     let(:name_id) { 'SomeUsername' }
 
     it "can replicate the default behaviour for a new user in a custom locator" do
-      allow(Model).to receive(:where).with(email: attributes['saml-email-format']).and_return([])
+      allow(Model).to receive(:where).with({ email: attributes['saml-email-format'] }).and_return([])
 
       configure_hook do |model, saml_response, auth_value|
         Devise.saml_default_resource_locator.call(model, saml_response, auth_value)
@@ -321,7 +439,7 @@ describe Devise::Models::SamlAuthenticatable do
       user = Model.new(email: attributes['saml-email-format'], name: attributes['saml-name-format'])
       user.save!
 
-      allow(Model).to receive(:where).with(email: attributes['saml-email-format']).and_return([user])
+      allow(Model).to receive(:where).with({ email: attributes['saml-email-format'] }).and_return([user])
 
       configure_hook do |model, saml_response, auth_value|
         Devise.saml_default_resource_locator.call(model, saml_response, auth_value)
@@ -335,7 +453,7 @@ describe Devise::Models::SamlAuthenticatable do
     end
 
     it "can change the default behaviour for a new user from the saml response" do
-      allow(Model).to receive(:where).with(foo: attributes['saml-email-format'], bar: name_id).and_return([])
+      allow(Model).to receive(:where).with({ foo: attributes['saml-email-format'], bar: name_id }).and_return([])
 
       configure_hook do |model, saml_response, auth_value|
         name_id = saml_response.raw_response.name_id
@@ -352,7 +470,7 @@ describe Devise::Models::SamlAuthenticatable do
       user = Model.new(email: attributes['saml-email-format'], name: attributes['saml-name-format'])
       user.save!
 
-      allow(Model).to receive(:where).with(foo: attributes['saml-email-format'], bar: name_id).and_return([user])
+      allow(Model).to receive(:where).with({ foo: attributes['saml-email-format'], bar: name_id }).and_return([user])
 
       configure_hook do |model, saml_response, auth_value|
         name_id = saml_response.raw_response.name_id

data/spec/devise_saml_authenticatable/saml_config_spec.rb

@@ -1,13 +1,16 @@
 require 'spec_helper'
+require 'support/ruby_saml_support'
 
 describe DeviseSamlAuthenticatable::SamlConfig do
+  include RubySamlSupport
+
   let(:saml_config) { controller.saml_config }
   let(:controller) { Class.new { include DeviseSamlAuthenticatable::SamlConfig }.new }
 
   context "when config/idp.yml does not exist" do
     before do
       allow(Rails).to receive(:root).and_return("/railsroot")
-      allow(File).to receive(:exists?).with("/railsroot/config/idp.yml").and_return(false)
+      allow(File).to receive(:exist?).with("/railsroot/config/idp.yml").and_return(false)
     end
 
     it "is the global devise SAML config" do
@@ -26,32 +29,54 @@ describe DeviseSamlAuthenticatable::SamlConfig do
       let(:saml_config) { controller.saml_config(idp_entity_id) }
       let(:idp_providers_adapter) {
         Class.new {
+          extend RubySamlSupport
+
           def self.settings(idp_entity_id)
             #some hash of stuff (by doing a fetch, in our case, but could also be a giant hash keyed by idp_entity_id)
             if idp_entity_id == "http://www.example.com"
-              {
+              base = {
                 assertion_consumer_service_url: "acs_url",
                 assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                 name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
-                issuer: "sp_issuer",
+                sp_entity_id: "sp_issuer",
                 idp_entity_id: "http://www.example.com",
                 authn_context: "",
-                idp_slo_target_url: "idp_slo_url",
-                idp_sso_target_url: "idp_sso_url",
                 idp_cert: "idp_cert"
               }
+              with_ruby_saml_1_12_or_greater(proc {
+                base.merge!(
+                  idp_slo_service_url: "idp_slo_url",
+                  idp_sso_service_url: "idp_sso_url",
+                )
+              }, else_do: proc {
+                base.merge!(
+                  idp_slo_target_url: "idp_slo_url",
+                  idp_sso_target_url: "idp_sso_url",
+                )
+              })
+              base
             elsif idp_entity_id == "http://www.example.com_other"
-              {
+              base = {
                 assertion_consumer_service_url: "acs_url_other",
                 assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST_other",
                 name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress_other",
-                issuer: "sp_issuer_other",
+                sp_entity_id: "sp_issuer_other",
                 idp_entity_id: "http://www.example.com_other",
                 authn_context: "_other",
-                idp_slo_target_url: "idp_slo_url_other",
-                idp_sso_target_url: "idp_sso_url_other",
                 idp_cert: "idp_cert_other"
               }
+              with_ruby_saml_1_12_or_greater(proc {
+                base.merge!(
+                  idp_slo_service_url: "idp_slo_url_other",
+                  idp_sso_service_url: "idp_sso_url_other",
+                )
+              }, else_do: proc {
+                base.merge!(
+                  idp_slo_target_url: "idp_slo_url_other",
+                  idp_sso_target_url: "idp_sso_url_other",
+                )
+              })
+              base
             else
               {}
             end
@@ -63,7 +88,11 @@ describe DeviseSamlAuthenticatable::SamlConfig do
         let(:idp_entity_id) { "http://www.example.com" }
         it "uses the settings from the adapter for that idp" do
           expect(saml_config.idp_entity_id).to eq (idp_entity_id)
-          expect(saml_config.idp_sso_target_url).to eq ("idp_sso_url")
+          with_ruby_saml_1_12_or_greater(proc {
+            expect(saml_config.idp_sso_service_url).to eq('idp_sso_url')
+          }, else_do: proc {
+            expect(saml_config.idp_sso_target_url).to eq('idp_sso_url')
+          })
           expect(saml_config.class).to eq OneLogin::RubySaml::Settings
         end
       end
@@ -72,7 +101,11 @@ describe DeviseSamlAuthenticatable::SamlConfig do
         let(:idp_entity_id) { "http://www.example.com_other" }
         it "returns the other idp settings" do
           expect(saml_config.idp_entity_id).to eq (idp_entity_id)
-          expect(saml_config.idp_sso_target_url).to eq ("idp_sso_url_other")
+          with_ruby_saml_1_12_or_greater(proc {
+            expect(saml_config.idp_sso_service_url).to eq('idp_sso_url_other')
+          }, else_do: proc {
+            expect(saml_config.idp_sso_target_url).to eq('idp_sso_url_other')
+          })
           expect(saml_config.class).to eq OneLogin::RubySaml::Settings
         end
       end
@@ -80,11 +113,8 @@ describe DeviseSamlAuthenticatable::SamlConfig do
   end
 
   context "when config/idp.yml exists" do
-    before do
-      allow(Rails).to receive(:env).and_return("environment")
-      allow(Rails).to receive(:root).and_return("/railsroot")
-      allow(File).to receive(:exists?).with("/railsroot/config/idp.yml").and_return(true)
-      allow(File).to receive(:read).with("/railsroot/config/idp.yml").and_return(<<-IDP)
+    let(:idp_yaml) {
+      yaml = <<-IDP
 ---
 environment:
   assertion_consumer_logout_service_binding: assertion_consumer_logout_service_binding
@@ -104,9 +134,7 @@ environment:
   idp_cert_fingerprint: idp_cert_fingerprint
   idp_cert_fingerprint_algorithm: idp_cert_fingerprint_algorithm
   idp_entity_id: idp_entity_id
-  idp_slo_target_url: idp_slo_target_url
-  idp_sso_target_url: idp_sso_target_url
-  issuer: issuer
+  sp_entity_id: issuer
   name_identifier_format: name_identifier_format
   name_identifier_value: name_identifier_value
   passive: passive
@@ -116,6 +144,20 @@ environment:
   sessionindex: sessionindex
   sp_name_qualifier: sp_name_qualifier
       IDP
+    with_ruby_saml_1_12_or_greater(proc { yaml << <<SERVICE_URLS }, else_do: proc { yaml << <<TARGET_URLS })
+  idp_slo_service_url: idp_slo_service_url
+  idp_sso_service_url: idp_sso_service_url
+SERVICE_URLS
+  idp_slo_target_url: idp_slo_service_url
+  idp_sso_target_url: idp_sso_service_url
+TARGET_URLS
+      yaml
+    }
+    before do
+      allow(Rails).to receive(:env).and_return("environment")
+      allow(Rails).to receive(:root).and_return("/railsroot")
+      allow(File).to receive(:exist?).with("/railsroot/config/idp.yml").and_return(true)
+      allow(File).to receive(:read).with("/railsroot/config/idp.yml").and_return(idp_yaml)
     end
 
     it "uses that file's contents" do
@@ -136,9 +178,14 @@ environment:
       expect(saml_config.idp_cert_fingerprint).to eq('idp_cert_fingerprint')
       expect(saml_config.idp_cert_fingerprint_algorithm).to eq('idp_cert_fingerprint_algorithm')
       expect(saml_config.idp_entity_id).to eq('idp_entity_id')
-      expect(saml_config.idp_slo_target_url).to eq('idp_slo_target_url')
-      expect(saml_config.idp_sso_target_url).to eq('idp_sso_target_url')
-      expect(saml_config.issuer).to eq('issuer')
+      with_ruby_saml_1_12_or_greater(proc {
+        expect(saml_config.idp_slo_service_url).to eq('idp_slo_service_url')
+        expect(saml_config.idp_sso_service_url).to eq('idp_sso_service_url')
+      }, else_do: proc {
+        expect(saml_config.idp_slo_target_url).to eq('idp_slo_service_url')
+        expect(saml_config.idp_sso_target_url).to eq('idp_sso_service_url')
+      })
+      expect(saml_config.sp_entity_id).to eq('issuer')
       expect(saml_config.name_identifier_format).to eq('name_identifier_format')
       expect(saml_config.name_identifier_value).to eq('name_identifier_value')
       expect(saml_config.passive).to eq('passive')

data/spec/devise_saml_authenticatable/strategy_spec.rb

@@ -1,6 +1,9 @@
 require 'rails_helper'
+require 'support/ruby_saml_support'
 
 describe Devise::Strategies::SamlAuthenticatable do
+  include RubySamlSupport
+
   subject(:strategy) { described_class.new(env, :user) }
   let(:env) { {} }
   let(:errors) { ["Test1", "Test2"] }
@@ -16,7 +19,7 @@ describe Devise::Strategies::SamlAuthenticatable do
   let(:user) { double(:user) }
   before do
     allow(strategy).to receive(:mapping).and_return(mapping)
-    allow(user).to receive(:after_saml_authentication)
+    allow(user).to(receive(:after_saml_authentication)) if user
   end
 
   let(:params) { {} }
@@ -53,18 +56,28 @@ describe Devise::Strategies::SamlAuthenticatable do
     context "when saml config uses an idp_adapter" do
       let(:idp_providers_adapter) {
         Class.new {
-          def self.settings(idp_entity_id)
-            {
-              assertion_consumer_service_url: "acs_url",
+          def self.settings(idp_entity_id, request)
+            base = {
+              assertion_consumer_service_url: "acs url",
               assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
               name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
-              issuer: "sp_issuer",
+              sp_entity_id: "sp_issuer",
               idp_entity_id: "http://www.example.com",
               authn_context: "",
-              idp_slo_target_url: "idp_slo_url",
-              idp_sso_target_url: "http://idp_sso_url",
               idp_cert: "idp_cert"
             }
+            with_ruby_saml_1_12_or_greater(proc {
+              base.merge!(
+                idp_slo_service_url: "idp_slo_url",
+                idp_sso_service_url: "http://idp_sso_url",
+              )
+            }, else_do: proc {
+              base.merge!(
+                idp_slo_target_url: "idp_slo_url",
+                idp_sso_target_url: "http://idp_sso_url",
+              )
+            })
+            base
           end
         }
       }
@@ -80,7 +93,7 @@ describe Devise::Strategies::SamlAuthenticatable do
 
       it "authenticates with the response for the corresponding idp" do
         expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], anything)
-        expect(idp_providers_adapter).to receive(:settings).with(idp_entity_id)
+        expect(idp_providers_adapter).to receive(:settings).with(idp_entity_id, anything)
         expect(user_class).to receive(:authenticate_with_saml).with(response, params[:RelayState])
         expect(user).to receive(:after_saml_authentication).with(response.sessionindex)
 
@@ -93,8 +106,10 @@ describe Devise::Strategies::SamlAuthenticatable do
       let(:user) { nil }
 
       it "fails to authenticate" do
-        expect(strategy).to receive(:fail!).with(:invalid)
         strategy.authenticate!
+        expect(strategy).to be_halted
+        expect(strategy.message).to be(:invalid)
+        expect(strategy.result).to be(:failure)
       end
 
       it 'logs the error' do
@@ -152,6 +167,40 @@ describe Devise::Strategies::SamlAuthenticatable do
         strategy.authenticate!
       end
     end
+
+    context "when saml_validate_in_response_to is opted-in to" do
+      let(:transaction_id) { "abc123" }
+
+      before do
+        allow(Devise).to receive(:saml_validate_in_response_to).and_return(true)
+        allow_any_instance_of(ActionDispatch::Request).to receive(:session).and_return(session)
+      end
+
+      context "when the session has a saml_transaction_id" do
+        let(:session) { { saml_transaction_id: transaction_id }}
+
+        it "is valid with the matches_request_id parameter" do
+          expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], hash_including(matches_request_id: transaction_id))
+          expect(strategy).to be_valid
+        end
+
+        it "authenticates with the matches_request_id parameter" do
+          expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], hash_including(matches_request_id: transaction_id))
+
+          expect(strategy).to receive(:success!).with(user)
+          strategy.authenticate!
+        end
+      end
+
+      context "when the session is missing a saml_transaction_id" do
+        let(:session) { { } }
+
+        it "uses 'ID_MISSING' for matches_request_id so validation will fail" do
+          expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], hash_including(matches_request_id: "ID_MISSING"))
+          strategy.authenticate!
+        end
+      end
+    end
   end
 
   it "is not valid without a SAMLResponse parameter" do

data/spec/features/saml_authentication_spec.rb

@@ -3,8 +3,21 @@ require 'net/http'
 require 'timeout'
 require 'uri'
 require 'capybara/rspec'
-require 'capybara/poltergeist'
-Capybara.default_driver = :poltergeist
+require 'selenium-webdriver'
+
+Capybara.register_driver :chrome do |app|
+  options = Selenium::WebDriver::Chrome::Options.new
+  options.add_argument('--headless')
+  options.add_argument('--allow-insecure-localhost')
+  options.add_argument('--ignore-certificate-errors')
+
+  Capybara::Selenium::Driver.new(
+    app,
+    browser: :chrome,
+    capabilities: [options]
+  )
+end
+Capybara.default_driver = :chrome
 Capybara.server = :webrick
 
 describe "SAML Authentication", type: :feature do
@@ -141,7 +154,7 @@ describe "SAML Authentication", type: :feature do
   context "when the idp_settings_adapter key is set" do
     before(:each) do
       create_app('idp', 'INCLUDE_SUBJECT_IN_ATTRIBUTES' => "false")
-      create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'IDP_SETTINGS_ADAPTER' => "IdpSettingsAdapter", 'IDP_ENTITY_ID_READER' => "OurEntityIdReader")
+      create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'IDP_SETTINGS_ADAPTER' => '"IdpSettingsAdapter"', 'IDP_ENTITY_ID_READER' => '"OurEntityIdReader"')
 
       # use a different port for this entity ID; configured in spec/support/idp_settings_adapter.rb.erb
       @idp_pid = start_app('idp', 8010)
@@ -165,7 +178,7 @@ describe "SAML Authentication", type: :feature do
     let(:valid_destination) { "true" }
     before(:each) do
       create_app('idp', 'INCLUDE_SUBJECT_IN_ATTRIBUTES' => "false", 'VALID_DESTINATION' => valid_destination)
-      create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'SAML_FAILED_CALLBACK' => "OurSamlFailedCallbackHandler")
+      create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'SAML_FAILED_CALLBACK' => '"OurSamlFailedCallbackHandler"')
 
       @idp_pid = start_app('idp', idp_port)
       @sp_pid  = start_app('sp',  sp_port)
@@ -204,7 +217,7 @@ describe "SAML Authentication", type: :feature do
       )
       create_app(
         "sp",
-        "ATTRIBUTE_MAP_RESOLVER" => "AttributeMapResolver",
+        "ATTRIBUTE_MAP_RESOLVER" => '"AttributeMapResolver"',
         "USE_SUBJECT_TO_AUTHENTICATE" => "true",
       )
       @idp_pid = start_app("idp", idp_port)
@@ -224,7 +237,7 @@ describe "SAML Authentication", type: :feature do
   end
 
   def sign_in(entity_id: "")
-    visit "http://localhost:8020/users/saml/sign_in/?entity_id=#{URI.escape(entity_id)}"
+    visit "http://localhost:8020/users/saml/sign_in/?entity_id=#{URI.encode_www_form_component(entity_id)}"
     fill_in "Email", with: "you@example.com"
     fill_in "Password", with: "asdf"
     click_on "Sign in"

data/spec/support/Gemfile.rails5.2

@@ -6,20 +6,9 @@ gemspec path: '../..'
 group :test do
   gem 'rake'
   gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 5.2'
+  gem 'rails', '~> 5.2.0'
   gem 'rspec-rails', '~> 3.9'
   gem 'sqlite3', '~> 1.3.6'
   gem 'capybara'
-  gem 'poltergeist'
-
-  # Lock down versions of gems for older versions of Ruby
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
-    gem 'responders', '~> 2.4'
-  end
-
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
-    gem 'byebug', '~> 10.0'
-  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
-    gem 'byebug', '~> 11.0.0'
-  end
+  gem 'selenium-webdriver'
 end