devise_saml_authenticatable 0.0.1

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Josef Sauter
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,119 @@
+# DeviseSamlAuthenticatable
+
+Devise Saml Authenticatable is a Single-Sign-On authentication strategy for devise that relies on SAML. It uses [ruby-saml](https://github.com/onelogin/ruby-saml) to handle all SAML related stuff.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'devise_saml_authenticatable'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install devise_saml_authenticatable
+
+## Usage
+
+In app/models/<YOUR_MODEL>.rb set the :saml_authenticatable strategy. In the example the model is user.rb
+
+```ruby
+  class User < ActiveRecord::Base
+    ...
+    devise :saml_authenticatable, :trackable
+    ...
+  end
+```
+
+In config/initializers/devise.rb
+
+```ruby
+  Devise.setup do |config|
+    ...
+    # ==> DeviseSamlAuthenticatable Configuration
+    
+    # Create user if the user does not exist. (Default is false)
+    config.saml_create_user = true
+    
+    # Set the default user key (default is email). The user will be looked up by this key. Make sure that the Authentication Response includes
+    # the attribute
+    config.saml_default_user_key = :email
+  end
+```
+
+In config directory, create a YAML file (idp.yml) with your SAML settings (see ruby-saml for more information). For example
+
+```ruby
+  # idp.yaml
+  development:
+    idp_metadata: ""
+    idp_metadata_ttl: ""
+    assertion_consumer_service_url: "http://localhost:3000/users/sign_in"
+    assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+    name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+    issuer: "http://localhost:3000"
+    authn_context: ""
+    idp_sso_target_url: "http://localhost/simplesaml/www/saml2/idp/SSOService.php"
+    idp_cert: |-
+      -----BEGIN CERTIFICATE-----
+      1111111111111111111111111111111111111111111111111111111111111111
+      1111111111111111111111111111111111111111111111111111111111111111
+      1111111111111111111111111111111111111111111111111111111111111111
+      1111111111111111111111111111111111111111111111111111111111111111
+      1111111111111111111111111111111111111111111111111111111111111111
+      1111111111111_______IDP_CERTIFICATE________111111111111111111111
+      1111111111111111111111111111111111111111111111111111111111111111
+      1111111111111111111111111111111111111111111111111111111111111111
+      1111111111111111111111111111111111111111111111111111111111111111
+      1111111111111111111111111111111111111111111111111111111111111111
+      1111111111111111111111111111111111111111111111111111111111111111
+      1111111111111111111111111111111111111111111111111111111111111111
+      1111111111111111111111111111111111111111111111111111111111111111
+      111111111111111111
+      -----END CERTIFICATE-----
+```    
+In config directory create a YAML file (attribute-map.yml) that maps SAML attributes with your model's fields
+
+```ruby
+  # attribute-map.yml
+  
+  "urn:mace:dir:attribute-def:uid": "user_name"
+  "urn:mace:dir:attribute-def:email": "email"
+  "urn:mace:dir:attribute-def:name": "last_name"
+  "urn:mace:dir:attribute-def:givenName": "name"
+```
+
+The attribute mappings are very dependent on the way the IdP encodes the attributes. In this example the attributes are given in URN style. Other IdPs might provide them as OID's or other means. 
+
+You are now ready to test it against an IdP. When the user goes to /users/saml/sign_in he will be redirected to the login page of the IdP. Upon successful login the user is redirected to devise user_root_path.
+
+## Identity Provider
+
+If you don't have an identity provider an you would like to test the authentication against your app there are some options:
+
+1. Use [ruby-saml-idp](https://github.com/lawrencepit/ruby-saml-idp). 
+
+You can add your own logic to your IdP, or you can also set it as a dummy IdP that always sends a valid authentication response to your app.
+
+2. Use an online service that can act as an IdP. Onelogin, Salesforce and some others provide you with this functionality
+3. Install your own IdP.
+
+There are numerous IdPs that support SAML 2.0, there are propietary (like Microsoft ADFS 2.0 or Ping federate) and there are also open source solutions like Shibboleth and simplesamlphp.
+
+[SimpleSAMLphp](http://simplesamlphp.org/) was my choice for development since it is a production-ready SAML solution, that is also really easy to install, configure and use.
+
+## Limitations
+
+1. At the moment there is no support for Single Logout (we're working on that)
+2. The Authentication Requests (from your app to the IdP) are not signed and encrypted
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,2 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"

data/app/controllers/devise/saml_sessions_controller.rb

@@ -0,0 +1,20 @@
+require "ruby-saml"
+
+class Devise::SamlSessionsController < Devise::SessionsController
+  include DeviseSamlAuthenticatable::SamlConfig
+  unloadable
+  before_filter :get_saml_config
+  def new
+    resource = build_resource
+    request = Onelogin::Saml::Authrequest.new
+    action = request.create(@saml_config)
+    redirect_to action
+  end
+      
+  def metadata
+    meta = Onelogin::Saml::Metadata.new
+    render :xml => meta.generate(@saml_config)
+  end
+  
+end
+

data/devise_saml_authenticatable.gemspec

@@ -0,0 +1,20 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/devise_saml_authenticatable/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Josef Sauter"]
+  gem.email         = ["Josef.Sauter@gmail.com"]
+  gem.description   = %q{SAML Authentication for devise}
+  gem.summary       = %q{SAML Authentication for devise }
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "devise_saml_authenticatable"
+  gem.require_paths = ["lib"]
+  gem.version       = DeviseSamlAuthenticatable::VERSION
+  
+  gem.add_dependency("devise","> 2.0.0")
+  gem.add_dependency("ruby-saml","> 0.7.1")
+end

data/lib/devise_saml_authenticatable.rb

@@ -0,0 +1,43 @@
+require "devise"
+
+require "devise_saml_authenticatable/version"
+require "devise_saml_authenticatable/exception"
+require "devise_saml_authenticatable/logger"
+require "devise_saml_authenticatable/routes"
+require "devise_saml_authenticatable/saml_config"
+begin
+  Rails::Engine
+rescue
+else
+  module DeviseSamlAuthenticatable
+    class Engine < Rails::Engine
+    end
+  end
+end
+
+# Get saml information from config/saml.yml now
+module Devise
+  # Allow logging
+  mattr_accessor :saml_logger
+  @@saml_logger = true
+  
+  # Add valid users to database
+  mattr_accessor :saml_create_user
+  @@saml_create_user = false
+  
+  mattr_accessor :saml_config
+  @@saml_config = "#{Rails.root}/config/saml.yml"
+  
+  mattr_accessor :saml_default_user_key
+  @@saml_default_user_key
+end
+
+# Add saml_authenticatable strategy to defaults.
+#
+Devise.add_module(:saml_authenticatable,
+                  :route => :saml_authenticatable, 
+                  :strategy   => true,
+                  :controller => :saml_sessions,
+                  :model  => 'devise_saml_authenticatable/model')
+
+

data/lib/devise_saml_authenticatable/exception.rb

@@ -0,0 +1,6 @@
+module DeviseSamlAuthenticatable
+
+  class SamlException < Exception
+  end
+
+end

data/lib/devise_saml_authenticatable/logger.rb

@@ -0,0 +1,11 @@
+module DeviseSamlAuthenticatable
+
+  class Logger    
+    def self.send(message, logger = Rails.logger)
+      if ::Devise.saml_logger
+        logger.add 0, "  \e[36msaml:\e[0m #{message}"
+      end
+    end
+  end
+
+end

data/lib/devise_saml_authenticatable/model.rb

@@ -0,0 +1,69 @@
+require 'devise_saml_authenticatable/strategy'
+
+module Devise
+  module Models
+    module SamlAuthenticatable
+      extend ActiveSupport::Concern
+      
+      # Need to determine why these need to be included
+      included do
+        attr_reader :password, :current_password
+        attr_accessor :password_confirmation
+      end
+
+      def update_with_password(params={})
+        params.delete(:current_password)
+        self.update_without_password(params)
+      end	
+
+      def update_without_password(params={})
+        params.delete(:password)
+        params.delete(:password_confirmation)
+
+        result = update_attributes(params)
+        result
+      end
+
+      module ClassMethods
+        include DeviseSamlAuthenticatable::SamlConfig
+        def authenticate_with_saml(attributes)
+          key = Devise.saml_default_user_key
+          inv_attr = attribute_map.invert
+					auth_value = attributes[inv_attr[key.to_s]]
+					auth_value.try(:downcase!) if Devise.case_insensitive_keys.include?(key)
+          resource = where(key => auth_value).first
+          if (resource.nil? && !Devise.saml_create_user)
+            logger.info("User(#{attributes[inv_attr[key.to_s]]}) not found.  Not configured to create the user.")
+            return nil 
+          end
+
+	        if (resource.nil? && Devise.saml_create_user)
+            logger.info("Creating user(#{attributes[inv_attr[key.to_s]]}).")
+	          resource = new
+            set_user_saml_attributes(resource,attributes)
+            resource.save!
+          end
+
+          resource
+	      end
+
+        def find_for_shibb_authentication(conditions)
+          find_for_authentication(conditions)
+        end
+        
+        def attribute_map
+          @attribute_map ||= YAML.load(File.read("#{Rails.root}/config/attribute-map.yml"))
+        end
+
+        private
+        
+        def set_user_saml_attributes(user,attributes)
+          attribute_map.each do |k,v|
+            Rails.logger.info "Setting: #{v}, #{attributes[k]}"
+            user.send "#{v}=", attributes[k]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/devise_saml_authenticatable/routes.rb

@@ -0,0 +1,11 @@
+ActionDispatch::Routing::Mapper.class_eval do
+  protected
+  def devise_saml_authenticatable(mapping, controllers)
+    resource :session, :only => [], :controller => controllers[:saml_sessions], :path => "" do
+      get :new, :path => "saml/sign_in", :as => "new"
+      post :create, :path=>"saml/auth"
+      match :destroy, :path => mapping.path_names[:sign_out], :as => "destroy"
+      get :metadata, :path=>"saml/metadata"
+    end
+  end
+end

data/lib/devise_saml_authenticatable/saml_config.rb

@@ -0,0 +1,8 @@
+require 'ruby-saml'
+module DeviseSamlAuthenticatable
+  module SamlConfig
+    def get_saml_config
+      @saml_config = Onelogin::Saml::Settings.new(YAML.load(File.read("#{Rails.root}/config/idp.yml"))[Rails.env])
+    end
+  end
+end

data/lib/devise_saml_authenticatable/strategy.rb

@@ -0,0 +1,31 @@
+require 'devise/strategies/authenticatable' 
+module Devise
+  module Strategies
+    class SamlAuthenticatable < Authenticatable
+      include DeviseSamlAuthenticatable::SamlConfig
+      def valid?
+        params[:SAMLResponse]
+      end
+      def authenticate!
+        @response = Onelogin::Saml::Response.new(params[:SAMLResponse])
+	      @response.settings = get_saml_config
+	      resource = mapping.to.authenticate_with_saml(@response.attributes)
+        if @response.is_valid?
+          success!(resource)
+        else
+          fail!(:invalid)
+        end
+      end
+      
+      # This method should turn off storage whenever CSRF cannot be verified.
+      # Any known way on how to let the IdP send the CSRF token along with the SAMLResponse ?
+      # Please let me know!
+      def store?
+        true
+      end
+            
+    end
+  end
+end
+
+Warden::Strategies.add(:saml_authenticatable, Devise::Strategies::SamlAuthenticatable)

data/lib/devise_saml_authenticatable/version.rb

@@ -0,0 +1,3 @@
+module DeviseSamlAuthenticatable
+  VERSION = "0.0.1"
+end

data/rails/init.rb

@@ -0,0 +1,2 @@
+#Include hook code here
+require 'devise_saml_authenticatable'

metadata

@@ -0,0 +1,94 @@
+--- !ruby/object:Gem::Specification
+name: devise_saml_authenticatable
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Josef Sauter
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-09-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>'
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>'
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+- !ruby/object:Gem::Dependency
+  name: ruby-saml
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>'
+      - !ruby/object:Gem::Version
+        version: 0.7.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>'
+      - !ruby/object:Gem::Version
+        version: 0.7.1
+description: SAML Authentication for devise
+email:
+- Josef.Sauter@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- app/controllers/devise/saml_sessions_controller.rb
+- devise_saml_authenticatable.gemspec
+- lib/devise_saml_authenticatable.rb
+- lib/devise_saml_authenticatable/exception.rb
+- lib/devise_saml_authenticatable/logger.rb
+- lib/devise_saml_authenticatable/model.rb
+- lib/devise_saml_authenticatable/routes.rb
+- lib/devise_saml_authenticatable/saml_config.rb
+- lib/devise_saml_authenticatable/strategy.rb
+- lib/devise_saml_authenticatable/version.rb
+- rails/init.rb
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: SAML Authentication for devise
+test_files: []
+has_rdoc: