devise_saml_authenticatable 1.0 → 1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4c162a34c36999fce62a2fb2f18cbfd5ce87a488
-  data.tar.gz: 61637ed78f97770f32d07157928127ad40032d2e
+  metadata.gz: 11d475877b3a4f178413861a07e7fd030c65799b
+  data.tar.gz: f73eaa27a49431b435b502185af337668fceaf8e
 SHA512:
-  metadata.gz: 3eeab1c7fdac22674db47e7e71c1c6793243a0e398cf23fe51ba261cf54ee59133d9d0445ec87e804b9c39d8ffd2d893d8369194adc318e38568a206761cea30
-  data.tar.gz: b0306658471a7d121ef6791b74633c24a9ba0e468e283594261c046da776e9d8739235952df27162269480d6f294bbb7b131ab99676a79a99fd69bc66d1f0a9c
+  metadata.gz: 6770f46c7251efd2b1bc7a9c5ed08f665e1653c2abf86de21e66a3783dc0bccde72465975ccceefca619812fc9621726ed68b11f634e1ae4691147fc023d46c4
+  data.tar.gz: 6ce53e6cc7a4b582e0801f595cdd7e42763841fb6c0606935886612692e2929323f29ec00f17e3625d04abdc7f2c22260dc2b3d9be4fffbc1e583cf18852ecf5

data/README.md

@@ -45,6 +45,10 @@ In config/initializers/devise.rb
     # sure that the Authentication Response includes the attribute.
     config.saml_default_user_key = :email
 
+    # Optional. This stores the session index defined by the IDP during login.  If provided it will be used as a salt
+    # for the user's session to facilitate an IDP initiated logout request.
+    config.saml_session_index_key = :session_index
+
     # You can set this value to use Subject or SAML assertation as info to which email will be compared
     # If you don't set it then email will be extracted from SAML assertation attributes
     config.saml_use_subject = true
@@ -115,6 +119,11 @@ There are numerous IdPs that support SAML 2.0, there are propietary (like Micros
 
 Logout support is included by immediately terminating the local session and then redirecting to the IdP.
 
+## Logout Request
+
+Logout requests from the IDP are supported by the `idp_sign_out` end point.  Directing logout requests to `users/saml/idp_sign_out` will logout the respective user by invalidating their current sessions.
+`saml_session_index_key` must be configured to support this feature.
+
 ## Limitations
 
 1. The Authentication Requests (from your app to the IdP) are not signed and encrypted

data/app/controllers/devise/saml_sessions_controller.rb

@@ -17,6 +17,26 @@ class Devise::SamlSessionsController < Devise::SessionsController
     render :xml => meta.generate(@saml_config)
   end
 
+  def idp_sign_out
+    if params[:SAMLRequest] && Devise.saml_session_index_key
+      logout_request = OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest], @saml_config)
+      resource_class.reset_session_key_for(logout_request.name_id)
+
+      redirect_to generate_idp_logout_response(logout_request)
+    elsif params[:SAMLResponse]
+      #Currently Devise handles the session invalidation when the request is made.
+      #To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
+      #based on that.
+      if Devise.saml_sign_out_success_url
+        redirect_to Devise.saml_sign_out_success_url
+      else
+        redirect_to action: :new
+      end
+    else
+      head :invalid_request
+    end
+  end
+
   protected
 
   # Override devise to send user to IdP logout for SLO
@@ -24,5 +44,10 @@ class Devise::SamlSessionsController < Devise::SessionsController
     request = OneLogin::RubySaml::Logoutrequest.new
     request.create(@saml_config)
   end
+
+  def generate_idp_logout_response(logout_request)
+    logout_request_id = logout_request.id
+    OneLogin::RubySaml::SloLogoutresponse.new.create(@saml_config, logout_request_id, nil)
+  end
 end
 

data/devise_saml_authenticatable.gemspec

@@ -17,5 +17,5 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
 
   gem.add_dependency("devise","> 2.0.0")
-  gem.add_dependency("ruby-saml",">= 0.8.2")
+  gem.add_dependency("ruby-saml","0.9.2")
 end

data/lib/devise_saml_authenticatable.rb

@@ -5,6 +5,7 @@ require "devise_saml_authenticatable/exception"
 require "devise_saml_authenticatable/logger"
 require "devise_saml_authenticatable/routes"
 require "devise_saml_authenticatable/saml_config"
+
 begin
   Rails::Engine
 rescue
@@ -31,6 +32,12 @@ module Devise
   mattr_accessor :saml_use_subject
   @@saml_use_subject
 
+  mattr_accessor :saml_session_index_key
+  @@saml_session_index_key
+
+  mattr_accessor :saml_sign_out_success_url
+  @@saml_sign_out_success_url
+
   mattr_accessor :saml_config
   @@saml_config = OneLogin::RubySaml::Settings.new
   def self.saml_configure

data/lib/devise_saml_authenticatable/model.rb

@@ -24,6 +24,20 @@ module Devise
         result
       end
 
+      def after_saml_authentication(session_index)
+        if self.respond_to? Devise.saml_session_index_key
+          self.update_attribute(Devise.saml_session_index_key, session_index)
+        end
+      end
+
+      def authenticatable_salt
+        if self.respond_to?(Devise.saml_session_index_key) && self.send(Devise.saml_session_index_key).present?
+          self.send(Devise.saml_session_index_key)
+        else
+          super
+        end
+      end
+
       module ClassMethods
         include DeviseSamlAuthenticatable::SamlConfig
         def authenticate_with_saml(saml_response)
@@ -55,6 +69,11 @@ module Devise
           resource
         end
 
+        def reset_session_key_for(name_id)
+          resource = find_by(Devise.saml_default_user_key => name_id)
+          resource.update_attribute(Devise.saml_session_index_key, nil) unless resource.nil?
+        end
+
         def find_for_shibb_authentication(conditions)
           find_for_authentication(conditions)
         end

data/lib/devise_saml_authenticatable/routes.rb

@@ -6,6 +6,7 @@ ActionDispatch::Routing::Mapper.class_eval do
       post :create, :path=>"saml/auth"
       match :destroy, :path => mapping.path_names[:sign_out], :as => "destroy", :via => mapping.sign_out_via
       get :metadata, :path=>"saml/metadata"
+      match :idp_sign_out, :path=>"saml/idp_sign_out", via: [:get, :post]
     end
   end
 end

data/lib/devise_saml_authenticatable/strategy.rb

@@ -4,13 +4,20 @@ module Devise
     class SamlAuthenticatable < Authenticatable
       include DeviseSamlAuthenticatable::SamlConfig
       def valid?
-        params[:SAMLResponse]
+        if params[:SAMLResponse]
+          response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], get_saml_config)
+          !(response.response.include? 'LogoutResponse')
+        else
+          false
+        end
       end
+
       def authenticate!
         @response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
         @response.settings = get_saml_config
         resource = mapping.to.authenticate_with_saml(@response)
         if @response.is_valid?
+          resource.after_saml_authentication(@response.sessionindex)
           success!(resource)
         else
           fail!(:invalid)

data/lib/devise_saml_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "1.0"
+  VERSION = "1.1"
 end

data/spec/controllers/devise/saml_sessions_controller_spec.rb

@@ -2,10 +2,17 @@ require 'rails_helper'
 
 class Devise::SessionsController < ActionController::Base
   # The important parts from devise
+  def resource_class
+    User
+  end
+
   def destroy
     sign_out
     redirect_to after_sign_out_path_for(:user)
   end
+
+  def require_no_authentication
+  end
 end
 
 require_relative '../../../app/controllers/devise/saml_sessions_controller'
@@ -39,4 +46,64 @@ describe Devise::SamlSessionsController, type: :controller do
       expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/logout\?SAMLRequest=))
     end
   end
+
+  describe '#idp_sign_out' do
+    let(:name_id) { '12312312' }
+    let(:saml_request) { double(:logout_request, {
+        id: 42,
+        name_id: name_id
+      }) }
+    let(:sam_response) { double(:logout_response)}
+    let(:response_url) { 'http://localhost/logout_response' }
+
+
+    before do
+      allow(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).and_return(saml_request)
+      allow(OneLogin::RubySaml::SloLogoutresponse).to receive(:new).and_return(sam_response)
+      allow(sam_response).to receive(:create).and_return(response_url)
+    end
+
+    it 'returns invalid request if SAMLRequest is not passed' do
+      expect(User).not_to receive(:reset_session_key_for).with(name_id)
+      post :idp_sign_out
+      expect(response.status).to eq 500
+    end
+
+    it 'accepts a LogoutResponse and redirects sign_in' do
+      post :idp_sign_out, SAMLResponse: 'stubbed_response'
+      expect(response.status).to eq 302
+      expect(response).to redirect_to '/users/saml/sign_in'
+    end
+
+    context 'when saml_sign_out_success_url is configured' do
+      let(:test_url) { '/test/url' }
+      before do
+        Devise.saml_sign_out_success_url = test_url
+      end
+
+      it 'accepts a LogoutResponse and returns success' do
+        post :idp_sign_out, SAMLResponse: 'stubbed_response'
+        expect(response.status).to eq 302
+        expect(response).to redirect_to test_url
+      end
+    end
+
+    context 'when saml_session_index_key is not configured' do
+      before do
+        Devise.saml_session_index_key = nil
+      end
+
+      it 'returns invalid request' do
+        expect(User).not_to receive(:reset_session_key_for).with(name_id)
+        post :idp_sign_out, SAMLRequest: 'stubbed_request'
+        expect(response.status).to eq 500
+      end
+    end
+
+    it 'direct the resource to reset the session key' do
+      expect(User).to receive(:reset_session_key_for).with(name_id)
+      post :idp_sign_out, SAMLRequest: 'stubbed_request'
+      expect(response).to redirect_to response_url
+    end
+  end
 end

data/spec/devise_saml_authenticatable/strategy_spec.rb

@@ -1,10 +1,10 @@
-require 'spec_helper'
+require 'rails_helper'
 
 describe Devise::Strategies::SamlAuthenticatable do
   subject(:strategy) { described_class.new(env, :user) }
   let(:env) { {} }
 
-  let(:response) { double(:response, :settings= => nil, is_valid?: true) }
+  let(:response) { double(:response, :settings= => nil, is_valid?: true, sessionindex: '123123123') }
   before do
     allow(OneLogin::RubySaml::Response).to receive(:new).and_return(response)
   end
@@ -19,6 +19,7 @@ describe Devise::Strategies::SamlAuthenticatable do
   let(:user) { double(:user) }
   before do
     allow(strategy).to receive(:mapping).and_return(mapping)
+    allow(user).to receive(:after_saml_authentication)
   end
 
   let(:params) { {} }
@@ -26,8 +27,8 @@ describe Devise::Strategies::SamlAuthenticatable do
     allow(strategy).to receive(:params).and_return(params)
   end
 
-  context "with a SAMLResponse parameter" do
-    let(:params) { {SAMLResponse: ""} }
+  context "with a login SAMLResponse parameter" do
+    let(:params) { {SAMLResponse: "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSIxMjMxMjMxMjMxMjMxMjMiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE1LTA2LTMwVDE0OjQyOjI3WiIgRGVzdGluYXRpb249IntyZWNpcGllbnR9Ij48c2FtbDpJc3N1ZXI+aHR0cHM6Ly90ZXN0L3NhbWwvbWV0YWRhdGEvMTIzMTIzPC9zYW1sOklzc3Vlcj48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBWZXJzaW9uPSIyLjAiIElEPSIyMzQyNDMyMzQxMjQxMjM0MTI0MyIgSXNzdWVJbnN0YW50PSIyMDE1LTA2LTMwVDE0OjQyOjI3WiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhLzQ1MzA2MTwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PGRzOlJlZmVyZW5jZSBVUkk9IiNwZnhlOWJkZTYzNS01OWFhLTZjNTEtMWEzMS1mMzAyZjgzNGQ0ZDciPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPjZhMkxraGMyYjN6elFaQlIwYkFoQ0hrZkt1az08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+Zk1qdThCYnpqaWV2OXBpbXlvM0lpVkNEU2R4dkNMMEhHQmZ4bGxVMmJ6WHVMMXRZcnZ5bkxFcVVSVUptL3k1SlZPRWVwbjdkbVhnanNnTVVUSkl0WTg0dTJlbUU0eXRGaFN6L203UFE5MitvTkN6RFpxMy9waGQ2UlR3RC9RSEJQdzFYV0ltMUxlOE42NldSZlZwNTc5YmZQc2pXMmhWSm1kUXU1cmVRTzVpTlVad0ZwNTFVUFBiZkhNUis1QnhPWkVsL0p6TkJOWk5jQzRkT0ErMDM1SkJ6WmlBb2liK1phUWJwdDVTMWxkQjZpanoyTGJJdGFHQ2E0MzVOc1p6MkQwakxsRmU0T0hYajJqcFdOa05leTZ4SEtBZ1o0a0FDbkVIQ08yN0t1dXdac3pLSFpqOFpTRUdhRWNIVld0eC9MbGRWK2NveUNNdUE4OXh6V0lOajJ3PT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUVNakNDQXhxZ0F3SUJBZ0lVY2NjNmczMU9RcnRaNHdJQkVUKzV2Z2c4Y0xNd0RRWUpLb1pJaHZjTkFRRUZCUUF3WVRFTE1Ba0dBMVVFQmhNQ1ZWTXhHakFZQmdOVkJBb01FVTl1WlNCTlpXUnBZMkZzSUVkeWIzVndNUlV3RXdZRFZRUUxEQXhQYm1WTWIyZHBiaUJKWkZBeEh6QWRCZ05WQkFNTUZrOXVaVXh2WjJsdUlFRmpZMjkxYm5RZ016Y3pPREV3SGhjTk1UUXdNVEl5TVRrek56UTJXaGNOTVRrd01USXpNVGt6TnpRMldqQmhNUXN3Q1FZRFZRUUdFd0pWVXpFYU1CZ0dBMVVFQ2d3UlQyNWxJRTFsWkdsallXd2dSM0p2ZFhBeEZUQVRCZ05WQkFzTURFOXVaVXh2WjJsdUlFbGtVREVmTUIwR0ExVUVBd3dXVDI1bFRHOW5hVzRnUVdOamIzVnVkQ0F6TnpNNE1UQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU5BUUJqZWdFTXo3MW1yZktWUkdXUlBObU1EeXdIZ010YjFlWWJoZ3YxRnNLd1hSTWVjdFdwQmtHc0FKb3dMU2hSWEtoYUg1Vm80VE5QYzFzTTNWK3dFcWlXYjRQcWRaMW1lZDJ3YXhSeUhOUnloR3NTN1ZvbUFpR041QWpCMU1IVFJQREJzY3J5d1N5RkZBNHVaQzZ0TkVrdWFYTjVTeElZTFNHUWJRNkF5RzJOQlpZWCttelVvRm9EOFRManVHSEVlUDFpdTJvWkpsVHBRZFhsL3VvakthRXFPWGo4ZjV6VlhQWUNhVm05ejg0WkgyWFFKY25Lc01pTzJTVllzQjlVaEdJV3NPRU9nYzFMOXN4bGkvR0xSSWRoc0poZW5QbWxsY2RBQ1BuN0hOU3hQM0tuSVRjcGJoc3hsN0pSVE1wSUd6ZzVoWTFLVTBrcXRtcGlnSzBIRUNBd0VBQWFPQjRUQ0IzakFNQmdOVkhSTUJBZjhFQWpBQU1CMEdBMVVkRGdRV0JCU2pnVlpON3lPRTZmV0E0anB5RHFQamtyOC9aakNCbmdZRFZSMGpCSUdXTUlHVGdCU2pnVlpON3lPRTZmV0E0anB5RHFQamtyOC9acUZscEdNd1lURUxNQWtHQTFVRUJoTUNWVk14R2pBWUJnTlZCQW9NRVU5dVpTQk5aV1JwWTJGc0lFZHliM1Z3TVJVd0V3WURWUVFMREF4UGJtVk1iMmRwYmlCSlpGQXhIekFkQmdOVkJBTU1Gazl1WlV4dloybHVJRUZqWTI5MWJuUWdNemN6T0RHQ0ZISEhPb045VGtLN1dlTUNBUkUvdWI0SVBIQ3pNQTRHQTFVZER3RUIvd1FFQXdJSGdEQU5CZ2txaGtpRzl3MEJBUVVGQUFPQ0FRRUFOWkhFTG03NnoreHBuOXlTUXdZNGZ4bVg2SnZEWDdXTUZQaVc2ZGgwcW13MzI1UW9TbkpWcDQ1a010TUs5UXpGaldaK2cwa0VmRnlocUh2RnUrSUs1NnpmVEpvRVIyNUpBblVCb01CNGJaS1lkbHQwYS9sSFVDZDJWYzM1dStWNHR5QmhOOTRPYTg0L2NnSnRRdFd0bVh4bVlrOVE3S25DN3lQTFhTelh2OW9wODg1OUM4akswbUFwQmlEcnpsSFA2QUt6SmxzWFVBQjUzbDdnOVBUYW55alNoWE9lOXZjVzBMU3FLakRnbHNtS2p4WG0vcFhHNUE2MXFqU1MwQytObnYzVmJOcDlCbFBnekpMc1lvZGNVaGROSkpjK0h5RS9BK2o5d2h0VjhENzdNWTlTTHR6YU5kdTZUMnNqdWVUQUNMNFR2bVdISGlMWnNqY3FnZHJMNGc9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIj50ZXN0QHRlc3QuY29tPC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDE1LTA2LTMwVDE0OjQ1OjI3WiIgUmVjaXBpZW50PSJ7cmVjaXBpZW50fSIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE1LTA2LTMwVDE0OjM5OjI3WiIgTm90T25PckFmdGVyPSIyMDE1LTA2LTMwVDE0OjQ1OjI3WiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT57YXVkaWVuY2V9PC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNS0wNi0zMFQxNDo0MjoyNloiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTUtMDctMDFUMTQ6NDI6MjdaIiBTZXNzaW9uSW5kZXg9Il8xZGEzNThkMC0wMTY0LTAxMzMtMGEwMy01NGFlNTI2NTZmNzgiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZFByb3RlY3RlZFRyYW5zcG9ydDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiIE5hbWU9IkVtYWlsIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5tbGluZHNheUBvbmVtZWRpY2FsLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg0KDQo="} }
 
     it "is valid" do
       expect(strategy).to be_valid
@@ -37,6 +38,7 @@ describe Devise::Strategies::SamlAuthenticatable do
       expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse])
       expect(response).to receive(:settings=).with(saml_config)
       expect(user_class).to receive(:authenticate_with_saml).with(response)
+      expect(user).to receive(:after_saml_authentication).with(response.sessionindex)
 
       expect(strategy).to receive(:success!).with(user)
       strategy.authenticate!
@@ -54,6 +56,15 @@ describe Devise::Strategies::SamlAuthenticatable do
     end
   end
 
+  context "with a logout SAMLResponse parameter" do
+    let(:params) { {SAMLResponse: "PHNhbWxwOkxvZ291dFJlc3BvbnNlIFZlcnNpb249JzIuMCcgSW5SZXNwb25zZVRvPSdfMTM0MjQzMjQzMjQzMicgeG1sbnM6c2FtbHA9J3VybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCcgSXNzdWVJbnN0YW50PScyMDE1LTA2LTMwVDE0OjQzOjQ0JyBJRD0nXzY5OTc2OTc5Nzk4Nzk4Nzk3OTg3Jz48c2FtbDpJc3N1ZXIgeG1sbnM6c2FtbD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbic+aHR0cHM6Ly90ZXN0L3NhbWwvbWV0YWRhdGEvMTQzMjQzMjwvc2FtbDpJc3N1ZXI+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzJy8+PHNhbWxwOlN0YXR1c01lc3NhZ2U+U3VjY2Vzc2Z1bGx5IGxvZ2dlZCBvdXQgZnJvbSBzZXJ2aWNlIDwvc2FtbHA6U3RhdHVzTWVzc2FnZT48L3NhbWxwOlN0YXR1cz48L3NhbWxwOkxvZ291dFJlc3BvbnNlPg=="} }
+
+    it "is valid" do
+      expect(strategy).not_to be_valid
+    end
+  end
+
+
   it "is not valid without a SAMLResponse parameter" do
     expect(strategy).not_to be_valid
   end

data/spec/features/saml_authentication_spec.rb

@@ -43,11 +43,22 @@ describe "SAML Authentication", type: :feature do
       expect(current_url).to eq("http://localhost:8020/")
 
       click_on "Log out"
+      #confirm the logout response redirected to the SP which in turn attempted to sign th e
+      expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
 
       # prove user is now signed out
       visit 'http://localhost:8020/'
       expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
     end
+
+    it 'logs a user out of the SP via the IpD' do
+      sign_in
+
+      visit "http://localhost:#{idp_port}/saml/sp_sign_out"
+
+      visit 'http://localhost:8020/'
+      expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
+    end
   end
 
   context "when the attributes are used to authenticate" do

data/spec/rails_helper.rb

@@ -13,3 +13,8 @@ ActiveRecord::Migrator.migrate(File.expand_path("../support/sp/db/migrate/", __F
 RSpec.configure do |config|
   config.use_transactional_fixtures = true
 end
+
+Devise.setup do |config|
+  config.saml_default_user_key = :email
+  config.saml_session_index_key = :session_index
+end

data/spec/support/idp_template.rb

@@ -3,10 +3,19 @@
 @include_subject_in_attributes = ask("Include the subject in the attributes?", limit: %w(y n)) == "y"
 
 gem 'ruby-saml-idp'
+gem 'thin'
 
 route "get '/saml/auth' => 'saml_idp#new'"
 route "post '/saml/auth' => 'saml_idp#create'"
 route "get '/saml/logout' => 'saml_idp#logout'"
+route "get '/saml/sp_sign_out' => 'saml_idp#sp_sign_out'"
 
 template File.expand_path('../saml_idp_controller.rb.erb', __FILE__), 'app/controllers/saml_idp_controller.rb'
 copy_file File.expand_path('../saml_idp-saml_slo_post.html.erb', __FILE__), 'app/views/saml_idp/saml_slo_post.html.erb'
+create_file 'public/stylesheets/application.css', ''
+
+gsub_file 'config/application.rb', /end[\n\w]*end$/, <<-CONFIG
+    config.slo_sp_url = "http://localhost:8020/users/saml/idp_sign_out"
+  end
+end
+CONFIG

data/spec/support/saml_idp_controller.rb.erb

@@ -27,9 +27,16 @@ class SamlIdpController < SamlIdp::IdpController
 
   private
 
+  def session_index
+    Rails.cache.fetch('session_key') {
+      UUID.generate
+    }
+  end
+
+
   def encode_SAMLResponse(nameID, opts = {})
     now = Time.now.utc
-    response_id, reference_id = UUID.generate, UUID.generate
+    response_id = UUID.generate
     audience_uri = opts[:audience_uri] || saml_acs_url[/^(.*?\/\/.*?\/)/, 1]
     issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url) || "http://example.com"
 
@@ -43,11 +50,11 @@ class SamlIdpController < SamlIdp::IdpController
       attribute_statement = ""
     end
 
-    assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{reference_id}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer>#{issuer_uri}</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions>#{attribute_statement}<AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{reference_id}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
+    assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{session_index}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer>#{issuer_uri}</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions>#{attribute_statement}<AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{session_index}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
 
     digest_value = Base64.encode64(algorithm.digest(assertion)).gsub(/\n/, '')
 
-    signed_info = %[<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-#{algorithm_name}"></ds:SignatureMethod><ds:Reference URI="#_#{reference_id}"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig##{algorithm_name}"></ds:DigestMethod><ds:DigestValue>#{digest_value}</ds:DigestValue></ds:Reference></ds:SignedInfo>]
+    signed_info = %[<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-#{algorithm_name}"></ds:SignatureMethod><ds:Reference URI="#_#{session_index}"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig##{algorithm_name}"></ds:DigestMethod><ds:DigestValue>#{digest_value}</ds:DigestValue></ds:Reference></ds:SignedInfo>]
 
     signature_value = sign(signed_info).gsub(/\n/, '')
 
@@ -65,7 +72,7 @@ class SamlIdpController < SamlIdp::IdpController
   end
 
   # == SLO functionality, see https://github.com/lawrencepit/ruby-saml-idp/pull/10
-  skip_before_filter :validate_saml_request, :only => [:logout]
+  skip_before_filter :validate_saml_request, :only => [:logout, :sp_sign_out]
   before_filter :validate_saml_slo_request, :only => [:logout]
 
   public
@@ -79,13 +86,21 @@ class SamlIdpController < SamlIdp::IdpController
       logger.error "User with email #{params[:name_id]} not found"
       @saml_slo_response = encode_SAML_SLO_Response(params[:name_id])
     end
-    if @saml_slo_acs_url
-      render :template => "saml_idp/idp/saml_slo_post", :layout => false
+    if Idp::Application.config.slo_sp_url
+      redirect_to "#{Idp::Application.config.slo_sp_url}?SAMLResponse=#{@saml_slo_response}"
     else
       redirect_to 'http://example.com'
     end
   end
 
+  def sp_sign_out
+    idp_slo_authenticate(params[:name_id])
+    saml_slo_request = encode_SAML_SLO_Request("you@example.com")
+    uri = URI.parse("http://localhost:8020/users/saml/idp_sign_out")
+    Net::HTTP.post_form(uri, {"SAMLRequest" => saml_slo_request})
+    head :no_content
+  end
+
   def idp_slo_authenticate(email)
     session.delete :user_id
     true
@@ -111,20 +126,19 @@ class SamlIdpController < SamlIdp::IdpController
     zstream.finish
     zstream.close
     @saml_slo_request_id = @saml_slo_request[/ID=['"](.+?)['"]/, 1]
-    @saml_slo_acs_url = @saml_slo_request[/AssertionConsumerLogoutServiceURL=['"](.+?)['"]/, 1]
   end
 
   def encode_SAML_SLO_Response(nameID, opts = {})
     now = Time.now.utc
-    response_id, reference_id = UUID.generate, UUID.generate
+    response_id = UUID.generate
     audience_uri = opts[:audience_uri] || (@saml_slo_acs_url && @saml_slo_acs_url[/^(.*?\/\/.*?\/)/, 1])
     issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url.split("?")[0]) || "http://example.com"
 
-    assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{reference_id}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer>#{issuer_uri}</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_slo_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_slo_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>#{nameID}</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{reference_id}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
+    assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{session_index}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer2>#{issuer_uri}</Issuer2><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_slo_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_slo_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>#{nameID}</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{session_index}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
 
     digest_value = Base64.encode64(algorithm.digest(assertion)).gsub(/\n/, '')
 
-    signed_info = %[<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-#{algorithm_name}"></ds:SignatureMethod><ds:Reference URI="#_#{reference_id}"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig##{algorithm_name}"></ds:DigestMethod><ds:DigestValue>#{digest_value}</ds:DigestValue></ds:Reference></ds:SignedInfo>]
+    signed_info = %[<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-#{algorithm_name}"></ds:SignatureMethod><ds:Reference URI="#_#{session_index}"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig##{algorithm_name}"></ds:DigestMethod><ds:DigestValue>#{digest_value}</ds:DigestValue></ds:Reference></ds:SignedInfo>]
 
     signature_value = sign(signed_info).gsub(/\n/, '')
 
@@ -132,7 +146,38 @@ class SamlIdpController < SamlIdp::IdpController
 
     assertion_and_signature = assertion.sub(/Issuer\>\<Subject/, "Issuer>#{signature}<Subject")
 
-    xml = %[<samlp:LogoutResponse ID="_#{response_id}" Version="2.0" IssueInstant="#{now.iso8601}" Destination="#{@saml_slo_acs_url}" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="#{@saml_slo_request_id}" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">#{issuer_uri}</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>#{assertion_and_signature}</samlp:LogoutResponse>]
+    xml = %[<samlp:LogoutResponse
+    ID="_#{response_id}"
+    Version="2.0"
+    IssueInstant="#{now.iso8601}"
+    Destination="#{@saml_slo_acs_url}"
+    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
+    InResponseTo="#{@saml_slo_request_id}"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
+    <Issuer2 xmlns="urn:oasis:names:tc:SAML:2.0:assertion">#{issuer_uri}</Issuer2>
+    <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
+    </samlp:Status>
+    #{assertion_and_signature}
+    </samlp:LogoutResponse>]
+
+    Base64.encode64(xml)
+  end
+
+  def encode_SAML_SLO_Request(nameID, opts = {})
+    now = Time.now.utc
+    response_id = UUID.generate
+    issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url.split("?")[0]) || "http://example.com"
+    xml = %[<samlp:LogoutRequest
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    ID="_#{response_id}" Version="2.0"
+    Destination="#{@saml_slo_acs_url}"
+    IssueInstant="#{now.iso8601}">
+    <saml:Issuer >#{issuer_uri}</saml:Issuer>
+    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</saml:NameID>
+    <samlp:SessionIndex>_#{session_index}</samlp:SessionIndex>
+</samlp:LogoutRequest>]
 
     Base64.encode64(xml)
   end

data/spec/support/sp_template.rb

@@ -3,6 +3,7 @@
 use_subject_to_authenticate = ask("Use subject to authenticate?", limit: %w(y n)) == "y"
 
 gem 'devise_saml_authenticatable', path: '../../..'
+gem 'thin'
 
 create_file 'config/attribute-map.yml', <<-ATTRIBUTES
 ---
@@ -31,6 +32,7 @@ after_bundle do
   generate 'devise:install'
   gsub_file 'config/initializers/devise.rb', /^end$/, <<-CONFIG
   config.saml_default_user_key = :email
+  config.saml_session_index_key = :session_index
 
   config.saml_use_subject = #{use_subject_to_authenticate}
   config.saml_create_user = true
@@ -45,7 +47,7 @@ after_bundle do
 end
   CONFIG
 
-  generate :devise, "user", "email:string", "name:string"
+  generate :devise, "user", "email:string", "name:string", "session_index:string"
   gsub_file 'app/models/user.rb', /database_authenticatable.*\n.*/, 'saml_authenticatable'
   route "resources :users, only: [:create]"
   create_file('app/controllers/users_controller.rb', <<-USERS)
@@ -61,3 +63,5 @@ end
   rake "db:create"
   rake "db:migrate"
 end
+
+create_file 'public/stylesheets/application.css', ''

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_saml_authenticatable
 version: !ruby/object:Gem::Version
-  version: '1.0'
+  version: '1.1'
 platform: ruby
 authors:
 - Josef Sauter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-06-17 00:00:00.000000000 Z
+date: 2015-07-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -28,16 +28,16 @@ dependencies:
   name: ruby-saml
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '='
       - !ruby/object:Gem::Version
-        version: 0.8.2
+        version: 0.9.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '='
       - !ruby/object:Gem::Version
-        version: 0.8.2
+        version: 0.9.2
 description: SAML Authentication for devise
 email:
 - Josef.Sauter@gmail.com