devise_saml_authenticatable 1.2.2 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d2e501ba6f2facaaa55601864a66fbf5799f2b93
-  data.tar.gz: 644a41f1ef4dafdac806600b8a5646e3a00acbf6
+  metadata.gz: 811f4c9c0306a1c5ba28080ac773ba88022b79cc
+  data.tar.gz: f2571561eb9c3ba05832e65d1b8ab15d3c9c408c
 SHA512:
-  metadata.gz: a4096feb553134033f04079e7c10a1ace113fc048f79dbf712ee0fe5b478ce6696ccd4434c5c05f4aecced1c55e79f13415027bfa613ca2937a216e8bb6949cd
-  data.tar.gz: 20c0f29acc30f4db788fa8ada4bfbff4df88421d48403f52b39cdb9876f1907be732a3641a0d9cdd7e3997f63809f71894769e8791014183a226333bedc2353e
+  metadata.gz: c21a2ac40153fcb51c843fcdfa081ba2caab761c94a43cf1ebe297d1260021fc54409fe6cdac9cc3c6340db077ba3c8d2cb15e2f83a9af8886cff90ac128cb58
+  data.tar.gz: dc0c2d6f2174e0f5bef4a6b4590ed90558741a8a86af2754bb5c1094d039c29cd9da726f804bbd78a1693023ac4f50ad81d095956ad728272144d4977bb25eec

data/Gemfile

@@ -10,4 +10,12 @@ group :test do
   gem 'rspec-rails'
   gem 'sqlite3'
   gem 'capybara-webkit'
+
+  # Lock down versions of gems for older versions of Ruby
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")
+    gem 'mime-types', '~> 2.99'
+  end
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
+    gem 'devise', '~> 3.5'
+  end
 end

data/README.md

@@ -56,6 +56,18 @@ In config/initializers/devise.rb
     # If you don't set it then email will be extracted from SAML assertation attributes
     config.saml_use_subject = true
 
+    # You can support multiple IdPs by setting this value to a class that implements a #settings method which takes
+    # an IdP entity id as an argument and returns a hash of idp settings for the corresponding IdP.
+    config.idp_settings_adapter = nil
+
+    # You provide you own method to find the idp_entity_id in a SAML message in the case of multiple IdPs
+    # by setting this to a custom reader class, or use the default.
+    # config.idp_entity_id_reader = DeviseSamlAuthenticatable::DefaultIdpEntityIdReader
+
+    # You can set a handler object that takes the response for a failed SAML request and the strategy,
+    # and implements a #handle method. This method can then redirect the user, return error messages, etc.
+    # config.saml_failed_callback = nil
+
     # Configure with your SAML settings (see [ruby-saml][] for more information).
     config.saml_configure do |settings|
       settings.assertion_consumer_service_url     = "http://localhost:3000/users/saml/auth"
@@ -106,12 +118,55 @@ You are now ready to test it against an IdP.
 When the user goes to `/users/saml/sign_in` he will be redirected to the login page of the IdP.
 Upon successful login the user is redirected to devise `user_root_path`.
 
+## Supporting Multiple IdPs
+
+If you must support multiple Identity Providers you can implement an adapter class with a `#settings` method that takes an IdP entity id and returns a hash of settings for the corresponding IdP. The `config.idp_settings_adapter` then must be set to point to your adapter in config/initializers/devise.rb. The implementation of the adapter is up to you. A simple example may look like this:
+
+```ruby
+class IdPSettingsAdapter
+  def self.settings(idp_entity_id)
+    case idp_entity_id
+    when "http://www.example_idp_entity_id.com"
+      {
+        assertion_consumer_service_url: "http://localhost:3000/users/saml/auth",
+        assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+        name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+        issuer: "http://localhost:3000/saml/metadata",
+        idp_entity_id: "http://www.example_idp_entity_id.com",
+        authn_context: "",
+        idp_slo_target_url: "http://example_idp_slo_target_url.com",
+        idp_sso_target_url: "http://example_idp_sso_target_url.com",
+        idp_cert: "example_idp_cert"
+      }
+    when "http://www.another_idp_entity_id.biz"
+      {
+        assertion_consumer_service_url: "http://localhost:3000/users/saml/auth",
+        assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+        name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+        issuer: "http://localhost:3000/saml/metadata",
+        idp_entity_id: "http://www.another_idp_entity_id.biz",
+        authn_context: "",
+        idp_slo_target_url: "http://another_idp_slo_target_url.com",
+        idp_sso_target_url: "http://another_idp_sso_target_url.com",
+        idp_cert: "another_idp_cert"
+      }
+    else
+      {}
+    end
+  end
+end
+```
+
+Detecting the entity ID passed to the `settings` method is done by `config.idp_entity_id_reader`.
+By default this will find the `Issuer` in the SAML request.
+You can support more use cases by writing your own and implementing the `.entity_id` method.
+
 ## Identity Provider
 
 If you don't have an identity provider an you would like to test the authentication against your app there are some options:
 
 1. Use [ruby-saml-idp](https://github.com/lawrencepit/ruby-saml-idp). You can add your own logic to your IdP, or you can also set it as a dummy IdP that always sends a valid authentication response to your app.
-2. Use an online service that can act as an IdP. Onelogin, Salesforce and some others provide you with this functionality
+2. Use an online service that can act as an IdP. Onelogin, Salesforce, Okta and some others provide you with this functionality
 3. Install your own IdP.
 
 There are numerous IdPs that support SAML 2.0, there are propietary (like Microsoft ADFS 2.0 or Ping federate) and there are also open source solutions like Shibboleth and simplesamlphp.

data/app/controllers/devise/saml_sessions_controller.rb

@@ -6,8 +6,9 @@ class Devise::SamlSessionsController < Devise::SessionsController
   skip_before_filter :verify_authenticity_token
 
   def new
+    idp_entity_id = get_idp_entity_id(params)
     request = OneLogin::RubySaml::Authrequest.new
-    action = request.create(saml_config)
+    action = request.create(saml_config(idp_entity_id))
     redirect_to action
   end
 
@@ -18,10 +19,11 @@ class Devise::SamlSessionsController < Devise::SessionsController
 
   def idp_sign_out
     if params[:SAMLRequest] && Devise.saml_session_index_key
+      saml_config = saml_config(get_idp_entity_id(params))
       logout_request = OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest], settings: saml_config)
       resource_class.reset_session_key_for(logout_request.name_id)
 
-      redirect_to generate_idp_logout_response(logout_request)
+      redirect_to generate_idp_logout_response(saml_config, logout_request.id)
     elsif params[:SAMLResponse]
       #Currently Devise handles the session invalidation when the request is made.
       #To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
@@ -44,8 +46,7 @@ class Devise::SamlSessionsController < Devise::SessionsController
     request.create(saml_config)
   end
 
-  def generate_idp_logout_response(logout_request)
-    logout_request_id = logout_request.id
+  def generate_idp_logout_response(saml_config, logout_request_id)
     OneLogin::RubySaml::SloLogoutresponse.new.create(saml_config, logout_request_id, nil)
   end
 end

data/devise_saml_authenticatable.gemspec

@@ -17,5 +17,5 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
 
   gem.add_dependency("devise","> 2.0.0")
-  gem.add_dependency("ruby-saml","~> 1.0")
+  gem.add_dependency("ruby-saml","~> 1.3")
 end

data/lib/devise_saml_authenticatable.rb

@@ -5,6 +5,7 @@ require "devise_saml_authenticatable/exception"
 require "devise_saml_authenticatable/logger"
 require "devise_saml_authenticatable/routes"
 require "devise_saml_authenticatable/saml_config"
+require "devise_saml_authenticatable/default_idp_entity_id_reader"
 
 begin
   Rails::Engine
@@ -36,12 +37,26 @@ module Devise
   mattr_accessor :saml_use_subject
   @@saml_use_subject
 
+  # Key used to index sessions for later retrieval
   mattr_accessor :saml_session_index_key
   @@saml_session_index_key
 
+  # Redirect after signout (redirects to 'users/saml/sign_in' by default)
   mattr_accessor :saml_sign_out_success_url
   @@saml_sign_out_success_url
 
+  # Adapter for multiple IdP support
+  mattr_accessor :idp_settings_adapter
+  @@idp_settings_adapter
+
+  # Reader that can parse entity id from a SAMLMessage
+  mattr_accessor :idp_entity_id_reader
+  @@idp_entity_id_reader ||= ::DeviseSamlAuthenticatable::DefaultIdpEntityIdReader
+
+  # Implements a #handle method that takes the response and strategy as an argument
+  mattr_accessor :saml_failed_callback
+  @@saml_failed_callback
+
   mattr_accessor :saml_config
   @@saml_config = OneLogin::RubySaml::Settings.new
   def self.saml_configure

data/lib/devise_saml_authenticatable/default_idp_entity_id_reader.rb

@@ -0,0 +1,11 @@
+module DeviseSamlAuthenticatable
+  class DefaultIdpEntityIdReader
+    def self.entity_id(params)
+      if params[:SAMLRequest]
+        OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest]).issuer
+      elsif params[:SAMLResponse]
+        OneLogin::RubySaml::Response.new(params[:SAMLResponse]).issuers.first
+      end
+    end
+  end
+end

data/lib/devise_saml_authenticatable/model.rb

@@ -11,19 +11,6 @@ module Devise
         attr_accessor :password_confirmation
       end
 
-      def update_with_password(params={})
-        params.delete(:current_password)
-        self.update_without_password(params)
-      end
-
-      def update_without_password(params={})
-        params.delete(:password)
-        params.delete(:password_confirmation)
-
-        result = update_attributes(params)
-        result
-      end
-
       def after_saml_authentication(session_index)
         if Devise.saml_session_index_key && self.respond_to?(Devise.saml_session_index_key)
           self.update_attribute(Devise.saml_session_index_key, session_index)
@@ -41,7 +28,6 @@ module Devise
       end
 
       module ClassMethods
-        include DeviseSamlAuthenticatable::SamlConfig
         def authenticate_with_saml(saml_response)
           key = Devise.saml_default_user_key
           attributes = saml_response.attributes

data/lib/devise_saml_authenticatable/saml_config.rb

@@ -1,16 +1,39 @@
 require 'ruby-saml'
 module DeviseSamlAuthenticatable
   module SamlConfig
-    def saml_config
-      return @saml_config if @saml_config
+    def saml_config(idp_entity_id = nil)
+      return file_based_config if file_based_config
+      return adapter_based_config(idp_entity_id) if Devise.idp_settings_adapter
 
+      Devise.saml_config
+    end
+
+    private
+
+    def file_based_config
+      return @file_based_config if @file_based_config
       idp_config_path = "#{Rails.root}/config/idp.yml"
-      # Support 0.0.x-style configuration via a YAML file
+
       if File.exists?(idp_config_path)
-        Devise.saml_config = OneLogin::RubySaml::Settings.new(YAML.load(File.read(idp_config_path))[Rails.env])
+        @file_based_config ||= OneLogin::RubySaml::Settings.new(YAML.load(File.read(idp_config_path))[Rails.env])
+      end
+    end
+
+    def adapter_based_config(idp_entity_id)
+      config = Marshal.load(Marshal.dump(Devise.saml_config))
+
+      Devise.idp_settings_adapter.settings(idp_entity_id).each do |k,v|
+        acc = "#{k.to_s}=".to_sym
+
+        if config.respond_to? acc
+          config.send(acc, v)
+        end
       end
+      config
+    end
 
-      @saml_config = Devise.saml_config
+    def get_idp_entity_id(params)
+      Devise.idp_entity_id_reader.entity_id(params)
     end
   end
 end

data/lib/devise_saml_authenticatable/strategy.rb

@@ -6,21 +6,21 @@ module Devise
       include DeviseSamlAuthenticatable::SamlConfig
       def valid?
         if params[:SAMLResponse]
-          response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], saml_config)
-          !(response.response.include? 'LogoutResponse')
+          OneLogin::RubySaml::Response.new(params[:SAMLResponse])
         else
           false
         end
       end
 
       def authenticate!
-        @response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], settings: saml_config)
+        @response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], settings: saml_config(get_idp_entity_id(params)))
         resource = mapping.to.authenticate_with_saml(@response)
         if @response.is_valid? && resource
           resource.after_saml_authentication(@response.sessionindex)
           success!(resource)
         else
           fail!(:invalid)
+          Devise.saml_failed_callback.new.handle(@response, self) if Devise.saml_failed_callback
         end
       end
 

data/lib/devise_saml_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "1.2.2"
+  VERSION = "1.3.0"
 end

data/spec/controllers/devise/saml_sessions_controller_spec.rb

@@ -17,25 +17,106 @@ end
 
 require_relative '../../../app/controllers/devise/saml_sessions_controller'
 
-
 describe Devise::SamlSessionsController, type: :controller do
   let(:saml_config) { Devise.saml_config }
+  let(:idp_providers_adapter) { spy("Stub IDPSettings Adaptor") }
+
+  before do
+    allow(idp_providers_adapter).to receive(:settings).and_return({
+      assertion_consumer_service_url: "acs_url",
+      assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+      name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+      issuer: "sp_issuer",
+      idp_entity_id: "http://www.example.com",
+      authn_context: "",
+      idp_slo_target_url: "http://idp_slo_url",
+      idp_sso_target_url: "http://idp_sso_url",
+      idp_cert: "idp_cert"
+    })
+  end
 
   describe '#new' do
-    it 'redirects to the SAML Auth Request endpoint' do
-      get :new
-      expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
+    let(:saml_response) { File.read(File.join(File.dirname(__FILE__), '../../support', 'response_encrypted_nameid.xml.base64')) }
+
+    context "when using the default saml config" do
+      it "redirects to the IdP SSO target url" do
+        get :new, "SAMLResponse" => saml_response
+        expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
+      end
+    end
+
+    context "with a specified idp" do
+      before do
+        Devise.idp_settings_adapter = idp_providers_adapter
+      end
+
+      it "redirects to the associated IdP SSO target url" do
+        get :new, "SAMLResponse" => saml_response
+        expect(response).to redirect_to(%r(\Ahttp://idp_sso_url\?SAMLRequest=))
+      end
+
+      it "uses the DefaultIdpEntityIdReader" do
+        expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
+        get :new, "SAMLResponse" => saml_response
+      end
+
+      context "with a specified idp entity id reader" do
+        class OurIdpEntityIdReader
+          def self.entity_id(params)
+            params[:entity_id]
+          end
+        end
+
+        before do
+          @default_reader = Devise.idp_entity_id_reader
+          Devise.idp_entity_id_reader = OurIdpEntityIdReader # which will have some different behavior
+        end
+
+        after do
+          Devise.idp_entity_id_reader = @default_reader
+        end
+
+        it "redirects to the associated IdP SSO target url" do
+          get :new, entity_id: "http://www.example.com"
+          expect(response).to redirect_to(%r(\Ahttp://idp_sso_url\?SAMLRequest=))
+        end
+      end
     end
   end
 
   describe '#metadata' do
-    it 'generates metadata' do
-      get :metadata
+    context "with the default configuration" do
+      it 'generates metadata' do
+        get :metadata
+
+        # Remove ID that can vary across requests
+        expected_metadata = OneLogin::RubySaml::Metadata.new.generate(saml_config)
+        metadata_pattern = Regexp.escape(expected_metadata).gsub(/ ID='[^']+'/, " ID='[\\w-]+'")
+        expect(response.body).to match(Regexp.new(metadata_pattern))
+      end
+    end
+
+    context "with a specified IDP" do
+      let(:saml_config) { controller.saml_config("anything") }
+
+      before do
+        Devise.idp_settings_adapter = idp_providers_adapter
+        Devise.saml_configure do |settings|
+          settings.assertion_consumer_service_url = "http://localhost:3000/users/saml/auth"
+          settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+          settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+          settings.issuer = "http://localhost:3000"
+        end
+      end
+
+      it "generates the same service metadata" do
+        get :metadata
 
-      # Remove ID that can vary across requests
-      expected_metadata = OneLogin::RubySaml::Metadata.new.generate(saml_config)
-      metadata_pattern = Regexp.escape(expected_metadata).gsub(/ ID='[^']+'/, " ID='[\\w-]+'")
-      expect(response.body).to match(Regexp.new(metadata_pattern))
+        # Remove ID that can vary across requests
+        expected_metadata = OneLogin::RubySaml::Metadata.new.generate(saml_config)
+        metadata_pattern = Regexp.escape(expected_metadata).gsub(/ ID='[^']+'/, " ID='[\\w-]+'")
+        expect(response.body).to match(Regexp.new(metadata_pattern))
+      end
     end
   end
 
@@ -49,18 +130,18 @@ describe Devise::SamlSessionsController, type: :controller do
 
   describe '#idp_sign_out' do
     let(:name_id) { '12312312' }
-    let(:saml_request) { double(:logout_request, {
-        id: 42,
-        name_id: name_id
-      }) }
-    let(:sam_response) { double(:logout_response)}
+    let(:saml_request) { double(:slo_logoutrequest, {
+      id: 42,
+      name_id: name_id,
+      issuer: "http://www.example.com"
+    }) }
+    let(:saml_response) { double(:slo_logoutresponse) }
     let(:response_url) { 'http://localhost/logout_response' }
 
-
     before do
       allow(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).and_return(saml_request)
-      allow(OneLogin::RubySaml::SloLogoutresponse).to receive(:new).and_return(sam_response)
-      allow(sam_response).to receive(:create).and_return(response_url)
+      allow(OneLogin::RubySaml::SloLogoutresponse).to receive(:new).and_return(saml_response)
+      allow(saml_response).to receive(:create).and_return(response_url)
     end
 
     it 'returns invalid request if SAMLRequest is not passed' do
@@ -75,6 +156,20 @@ describe Devise::SamlSessionsController, type: :controller do
       expect(response).to redirect_to '/users/saml/sign_in'
     end
 
+    context "with a specified idp" do
+      let(:idp_entity_id) { "http://www.example.com" }
+      before do
+        Devise.idp_settings_adapter = idp_providers_adapter
+      end
+
+      it "accepts a LogoutResponse for the associated slo_target_url and redirects to sign_in" do
+        post :idp_sign_out, SAMLRequest: "stubbed_logout_request"
+        expect(response.status).to eq 302
+        expect(idp_providers_adapter).to have_received(:settings).with(idp_entity_id)
+        expect(response).to redirect_to "http://localhost/logout_response"
+      end
+    end
+
     context 'when saml_sign_out_success_url is configured' do
       let(:test_url) { '/test/url' }
       before do

data/spec/devise_saml_authenticatable/default_idp_entity_id_reader_spec.rb

@@ -0,0 +1,23 @@
+require "spec_helper"
+
+describe DeviseSamlAuthenticatable::DefaultIdpEntityIdReader do
+  describe ".entity_id" do
+    context "when there is a SAMLRequest in the params" do
+      let(:params) { {SAMLRequest: "logout request"} }
+      let(:slo_logout_request) { double('slo_logout_request', issuer: 'meow')}
+      it "uses an OneLogin::RubySaml::SloLogoutrequest to get the idp_entity_id" do
+        expect(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).and_return(slo_logout_request)
+        described_class.entity_id(params)
+      end
+    end
+
+    context "when there is a SAMLResponse in the params" do
+      let(:params) { {SAMLResponse: "auth response"} }
+      let(:response) { double('response', issuers: ['meow'] )}
+      it "uses an OneLogin::RubySaml::Response to get the idp_entity_id" do
+        expect(OneLogin::RubySaml::Response).to receive(:new).and_return(response)
+        described_class.entity_id(params)
+      end
+    end
+  end
+end

data/spec/devise_saml_authenticatable/saml_config_spec.rb

@@ -1,17 +1,9 @@
 require 'spec_helper'
 
 describe DeviseSamlAuthenticatable::SamlConfig do
-  subject(:saml_config) { controller.saml_config }
+  let(:saml_config) { controller.saml_config }
   let(:controller) { Class.new { include DeviseSamlAuthenticatable::SamlConfig }.new }
 
-  # Replace global config since this test changes it
-  before do
-    @original_saml_config = Devise.saml_config
-  end
-  after do
-    Devise.saml_config = @original_saml_config
-  end
-
   context "when config/idp.yml does not exist" do
     before do
       allow(Rails).to receive(:root).and_return("/railsroot")
@@ -25,6 +17,66 @@ describe DeviseSamlAuthenticatable::SamlConfig do
       expect(saml_config).to be(Devise.saml_config)
       expect(saml_config.assertion_consumer_logout_service_binding).to eq('test')
     end
+
+    context "when the idp_providers_adapter key exists" do
+      before do
+        Devise.idp_settings_adapter = idp_providers_adapter
+      end
+
+      let(:saml_config) { controller.saml_config(idp_entity_id) }
+      let(:idp_providers_adapter) {
+        Class.new {
+          def self.settings(idp_entity_id)
+            #some hash of stuff (by doing a fetch, in our case, but could also be a giant hash keyed by idp_entity_id)
+            if idp_entity_id == "http://www.example.com"
+              {
+                assertion_consumer_service_url: "acs_url",
+                assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+                name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+                issuer: "sp_issuer",
+                idp_entity_id: "http://www.example.com",
+                authn_context: "",
+                idp_slo_target_url: "idp_slo_url",
+                idp_sso_target_url: "idp_sso_url",
+                idp_cert: "idp_cert"
+              }
+            elsif idp_entity_id == "http://www.example.com_other"
+              {
+                assertion_consumer_service_url: "acs_url_other",
+                assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST_other",
+                name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress_other",
+                issuer: "sp_issuer_other",
+                idp_entity_id: "http://www.example.com_other",
+                authn_context: "_other",
+                idp_slo_target_url: "idp_slo_url_other",
+                idp_sso_target_url: "idp_sso_url_other",
+                idp_cert: "idp_cert_other"
+              }
+            else
+              {}
+            end
+          end
+        }
+      }
+
+      context "when a specific idp_entity_id is requested" do
+        let(:idp_entity_id) { "http://www.example.com" }
+        it "uses the settings from the adapter for that idp" do
+          expect(saml_config.idp_entity_id).to eq (idp_entity_id)
+          expect(saml_config.idp_sso_target_url).to eq ("idp_sso_url")
+          expect(saml_config.class).to eq OneLogin::RubySaml::Settings
+        end
+      end
+
+      context "when another idp_entity_id is requested" do
+        let(:idp_entity_id) { "http://www.example.com_other" }
+        it "returns the other idp settings" do
+          expect(saml_config.idp_entity_id).to eq (idp_entity_id)
+          expect(saml_config.idp_sso_target_url).to eq ("idp_sso_url_other")
+          expect(saml_config.class).to eq OneLogin::RubySaml::Settings
+        end
+      end
+    end
   end
 
   context "when config/idp.yml exists" do
@@ -66,7 +118,7 @@ environment:
       IDP
     end
 
-    it "stores the configured IdP settings" do
+    it "uses that file's contents" do
       expect(saml_config.assertion_consumer_logout_service_binding).to eq('assertion_consumer_logout_service_binding')
       expect(saml_config.assertion_consumer_logout_service_url).to eq('assertion_consumer_logout_service_url')
       expect(saml_config.assertion_consumer_service_binding).to eq('assertion_consumer_service_binding')

data/spec/devise_saml_authenticatable/strategy_spec.rb

@@ -4,16 +4,12 @@ describe Devise::Strategies::SamlAuthenticatable do
   subject(:strategy) { described_class.new(env, :user) }
   let(:env) { {} }
 
-  let(:response) { double(:response, :settings= => nil, is_valid?: true, sessionindex: '123123123') }
+  let(:response) { double(:response, issuers: [idp_entity_id], :settings= => nil, is_valid?: true, sessionindex: '123123123') }
+  let(:idp_entity_id) { "https://test/saml/metadata/123123" }
   before do
     allow(OneLogin::RubySaml::Response).to receive(:new).and_return(response)
   end
 
-  let(:saml_config) { OneLogin::RubySaml::Settings.new }
-  before do
-    allow(strategy).to receive(:saml_config).and_return(saml_config)
-  end
-
   let(:mapping) { double(:mapping, to: user_class) }
   let(:user_class) { double(:user_class, authenticate_with_saml: user) }
   let(:user) { double(:user) }
@@ -35,7 +31,7 @@ describe Devise::Strategies::SamlAuthenticatable do
     end
 
     it "authenticates with the response" do
-      expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], settings: saml_config)
+      expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], anything)
       expect(user_class).to receive(:authenticate_with_saml).with(response)
       expect(user).to receive(:after_saml_authentication).with(response.sessionindex)
 
@@ -43,7 +39,46 @@ describe Devise::Strategies::SamlAuthenticatable do
       strategy.authenticate!
     end
 
-    context "and the resource cannot does not exist" do
+    context "when saml config uses an idp_adapter" do
+      let(:idp_providers_adapter) {
+        Class.new {
+          def self.settings(idp_entity_id)
+            {
+              assertion_consumer_service_url: "acs_url",
+              assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+              name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+              issuer: "sp_issuer",
+              idp_entity_id: "http://www.example.com",
+              authn_context: "",
+              idp_slo_target_url: "idp_slo_url",
+              idp_sso_target_url: "http://idp_sso_url",
+              idp_cert: "idp_cert"
+            }
+          end
+        }
+      }
+
+      before do
+        Devise.idp_settings_adapter = idp_providers_adapter
+        allow(idp_providers_adapter).to receive(:settings).and_return({})
+      end
+
+      it "is valid" do
+        expect(strategy).to be_valid
+      end
+
+      it "authenticates with the response for the corresponding idp" do
+        expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], anything)
+        expect(idp_providers_adapter).to receive(:settings).with(idp_entity_id)
+        expect(user_class).to receive(:authenticate_with_saml).with(response)
+        expect(user).to receive(:after_saml_authentication).with(response.sessionindex)
+
+        expect(strategy).to receive(:success!).with(user)
+        strategy.authenticate!
+      end
+    end
+
+    context "and the resource does not exist" do
       let(:user) { nil }
 
       it "fails to authenticate" do
@@ -53,26 +88,33 @@ describe Devise::Strategies::SamlAuthenticatable do
     end
 
     context "and the SAML response is not valid" do
+      class CallbackHandler
+        def handle(response, strategy)
+        end
+      end
+
       before do
         allow(response).to receive(:is_valid?).and_return(false)
+        @saml_failed_login = Devise.saml_failed_callback
+        Devise.saml_failed_callback = CallbackHandler
+      end
+
+      after do
+        Devise.saml_failed_callback = @saml_failed_login
       end
 
       it "fails to authenticate" do
         expect(strategy).to receive(:fail!).with(:invalid)
         strategy.authenticate!
       end
-    end
-  end
-
-  context "with a logout SAMLResponse parameter" do
-    let(:params) { {SAMLResponse: "PHNhbWxwOkxvZ291dFJlc3BvbnNlIFZlcnNpb249JzIuMCcgSW5SZXNwb25zZVRvPSdfMTM0MjQzMjQzMjQzMicgeG1sbnM6c2FtbHA9J3VybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCcgSXNzdWVJbnN0YW50PScyMDE1LTA2LTMwVDE0OjQzOjQ0JyBJRD0nXzY5OTc2OTc5Nzk4Nzk4Nzk3OTg3Jz48c2FtbDpJc3N1ZXIgeG1sbnM6c2FtbD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbic+aHR0cHM6Ly90ZXN0L3NhbWwvbWV0YWRhdGEvMTQzMjQzMjwvc2FtbDpJc3N1ZXI+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzJy8+PHNhbWxwOlN0YXR1c01lc3NhZ2U+U3VjY2Vzc2Z1bGx5IGxvZ2dlZCBvdXQgZnJvbSBzZXJ2aWNlIDwvc2FtbHA6U3RhdHVzTWVzc2FnZT48L3NhbWxwOlN0YXR1cz48L3NhbWxwOkxvZ291dFJlc3BvbnNlPg=="} }
 
-    it "is valid" do
-      expect(strategy).not_to be_valid
+      it "redirects" do
+        expect_any_instance_of(CallbackHandler).to receive(:handle).with(response, strategy)
+        strategy.authenticate!
+      end
     end
   end
 
-
   it "is not valid without a SAMLResponse parameter" do
     expect(strategy).not_to be_valid
   end

data/spec/features/saml_authentication_spec.rb

@@ -137,6 +137,62 @@ describe "SAML Authentication", type: :feature do
     it_behaves_like "it authenticates and creates users"
   end
 
+  context "when the idp_settings_adapter key is set" do
+
+    before(:each) do
+      create_app('idp', 'INCLUDE_SUBJECT_IN_ATTRIBUTES' => "false")
+      create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'IDP_SETTINGS_ADAPTER' => "IdpSettingsAdapter", 'IDP_ENTITY_ID_READER' => "OurEntityIdReader")
+
+      @idp_pid = start_app('idp', idp_port)
+      @sp_pid  = start_app('sp',  sp_port)
+    end
+
+    after(:each) do
+      stop_app(@idp_pid)
+      stop_app(@sp_pid)
+    end
+
+    it "authenticates an existing user on a SP via an IdP" do
+      create_user("you@example.com")
+
+      visit 'http://localhost:8020/users/saml/sign_in/?entity_id=http%3A%2F%2Flocalhost%3A8020%2Fsaml%2Fmetadata'
+      expect(current_url).to match(%r(\Ahttp://www.example.com/\?SAMLRequest=))
+    end
+  end
+
+  context "when the saml_failed_callback is set" do
+    let(:valid_destination) { "true" }
+    before(:each) do
+      create_app('idp', 'INCLUDE_SUBJECT_IN_ATTRIBUTES' => "false", 'VALID_DESTINATION' => valid_destination)
+      create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'SAML_FAILED_CALLBACK' => "OurSamlFailedCallbackHandler")
+
+      @idp_pid = start_app('idp', idp_port)
+      @sp_pid  = start_app('sp',  sp_port)
+    end
+
+    after(:each) do
+      stop_app(@idp_pid)
+      stop_app(@sp_pid)
+    end
+
+    it_behaves_like "it authenticates and creates users"
+
+    context "a bad SAML Request" do
+      let(:valid_destination) { "false" }
+      it "redirects to the callback handler's redirect destination" do
+        create_user("you@example.com")
+
+        visit 'http://localhost:8020/'
+        expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
+        fill_in "Email", with: "you@example.com"
+        fill_in "Password", with: "asdf"
+        click_on "Sign in"
+        expect(page).to have_content("Example Domain This domain is established to be used for illustrative examples in documents. You may use this domain in examples without prior coordination or asking for permission.")
+        expect(current_url).to eq("http://www.example.com/")
+      end
+    end
+  end
+
   def create_user(email)
     response = Net::HTTP.post_form(URI('http://localhost:8020/users'), email: email)
     expect(response.code).to eq('201')

data/spec/spec_helper.rb

@@ -15,6 +15,19 @@ RSpec.configure do |config|
     # `true` in RSpec 4.
     mocks.verify_partial_doubles = true
   end
+
+  config.before :each do
+    @original_saml_config = Devise.saml_config
+    @original_sign_out_success_url = Devise.saml_sign_out_success_url
+    @original_saml_session_index_key = Devise.saml_session_index_key
+  end
+
+  config.after :each do
+    Devise.saml_config = @original_saml_config
+    Devise.saml_sign_out_success_url = @original_sign_out_success_url
+    Devise.saml_session_index_key = @original_saml_session_index_key
+    Devise.idp_settings_adapter = nil
+  end
 end
 
 require 'support/rails_app'

data/spec/support/idp_settings_adapter.rb.erb

@@ -0,0 +1,19 @@
+class IdpSettingsAdapter
+  def self.settings(idp_entity_id)
+    if idp_entity_id == "http://localhost:8020/saml/metadata"
+      {
+          assertion_consumer_service_url: "acs_url",
+          assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+          name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+          issuer: "sp_issuer",
+          idp_entity_id: "http://localhost:8020/saml/metadata",
+          authn_context: "",
+          idp_slo_target_url: "http://www.example.com",
+          idp_sso_target_url: "http://www.example.com",
+          idp_cert: "idp_cert"
+      }
+    else
+      {}
+    end
+  end
+end

data/spec/support/idp_template.rb

@@ -1,16 +1,30 @@
 # Set up a SAML IdP
 
 @include_subject_in_attributes = ENV.fetch('INCLUDE_SUBJECT_IN_ATTRIBUTES')
+@valid_destination = ENV.fetch('VALID_DESTINATION', "true")
 
 gem 'ruby-saml-idp'
 gem 'thin'
 
+insert_into_file('Gemfile', after: /\z/) {
+  <<-GEMFILE
+# Lock down versions of gems for older versions of Ruby
+if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")
+  gem 'mime-types', '~> 2.99'
+end
+if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
+  gem 'devise', '~> 3.5'
+end
+  GEMFILE
+}
+
 route "get '/saml/auth' => 'saml_idp#new'"
 route "post '/saml/auth' => 'saml_idp#create'"
 route "get '/saml/logout' => 'saml_idp#logout'"
 route "get '/saml/sp_sign_out' => 'saml_idp#sp_sign_out'"
 
 template File.expand_path('../saml_idp_controller.rb.erb', __FILE__), 'app/controllers/saml_idp_controller.rb'
+
 copy_file File.expand_path('../saml_idp-saml_slo_post.html.erb', __FILE__), 'app/views/saml_idp/saml_slo_post.html.erb'
 create_file 'public/stylesheets/application.css', ''
 

data/spec/support/response_encrypted_nameid.xml.base64

@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9InBmeDUxOWI1Y2JiLWNiNmYtOTQzNS0xNjNmLWJkMzVjZTM1YzNmMCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDYtMDRUMDI6MjI6MDJaIiBEZXN0aW5hdGlvbj0iaHR0cDovL2FwcC5tdWRhLm5vL3Nzby9jb25zdW1lIiBJblJlc3BvbnNlVG89Il9mYzRhMzRiMC03ZWZiLTAxMmUtY2FhZS03ODJiY2IxM2JiMzgiPjxzYW1sOklzc3Vlcj5odHRwczovL2FwcC5vbmVsb2dpbi5jb20vc2FtbDI8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4NCiAgPGRzOlJlZmVyZW5jZSBVUkk9IiNwZng1MTliNWNiYi1jYjZmLTk0MzUtMTYzZi1iZDM1Y2UzNWMzZjAiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPjBTRFRrNXNYWjdoMW9YUWVRMm5YY3BLZnZoTT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+WENPVmk4U2c0MllRS25oMWpNTWYvV0dVcDh5Q1dFQWV4UE5taVNWT0M2dUFBUGc5WWwySUt4Um1SeGczcHpVK0o5SzlTRUVEOEJWenJERTZ4VDlxV1JUbXZ1WExqemE0TndvRmFGWllIc3ZzN0FPR3l5UEJjT3Z2R3JoM2RGWmVTUzF5U2tVc3FBWW5Wck54emRkRVFZa2trRmNxQkNqZ3dnd0Z5Vlpvbkc4PTwvZHM6U2lnbmF0dXJlVmFsdWU+DQo8ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDR3pDQ0FZUUNDUUNOTmNRWG9tMzJWREFOQmdrcWhraUc5dzBCQVFVRkFEQlNNUXN3Q1FZRFZRUUdFd0pWVXpFTE1Ba0dBMVVFQ0JNQ1NVNHhGVEFUQmdOVkJBY1RERWx1WkdsaGJtRndiMnhwY3pFUk1BOEdBMVVFQ2hNSVQyNWxURzluYVc0eEREQUtCZ05WQkFzVEEwVnVaekFlRncweE5EQTBNak14T0RReE1ERmFGdzB4TlRBME1qTXhPRFF4TURGYU1GSXhDekFKQmdOVkJBWVRBbFZUTVFzd0NRWURWUVFJRXdKSlRqRVZNQk1HQTFVRUJ4TU1TVzVrYVdGdVlYQnZiR2x6TVJFd0R3WURWUVFLRXdoUGJtVk1iMmRwYmpFTU1Bb0dBMVVFQ3hNRFJXNW5NSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURvNm0rUVp2WVEveEwwRWxMZ3VwSzFRRGNZTDRmNVBja3dzTmdTOXBVdlY3ZnpUcUNIazhUaEx4VGs0Mk1RMk1jSnNPZVVKVlA3MjhLaHltakZDcXhnUDRWdXdSazlycEFsMCttaHk2TVBkeWp5QTZHMTRqckRXUzY1eXNMY2hLNHQvdndwRUR6MFNRbEVvRzFrTXpsbFNtN3paUzNYcmVnQTdEak5hVVlRcXdJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0R0JBTE0ydkdDaVEvdm0rYTZ2NDArVlgyemRxSEEyUS8xdkYxaWJReko1NE1KQ09WV3ZzK3ZRWGZaRmhkbTBPUE0ySXJEVTdvcXZLUHFQNnhPQWVKSzZIMHlQN000WUwzZmF0U3ZJWW1tZnlYQzlrdDNTdnovTnlySHpQaFVuSjB5ZS9zVVNYeG56UXh3Y20vOVB3QXFyUWFBM1FwUWtINTd5YkYvT29yeVBlKzJoPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgVmVyc2lvbj0iMi4wIiBJRD0icGZ4OTUxNmIwZjMtNDUzNi0xMGY2LWM2ZmEtOWRkNTIzZTE0OThjIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDYtMDRUMDI6MjI6MDJaIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9hcHAub25lbG9naW4uY29tL3NhbWwyPC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMzAtMDYtMDRUMDI6Mjc6MDJaIiBSZWNpcGllbnQ9InJlY2lwaWVudCIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjxzYW1sOkVuY3J5cHRlZElEPjx4ZW5jOkVuY3J5cHRlZERhdGEgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIiB4bWxuczpkc2lnPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIiBUeXBlPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNFbGVtZW50Ij48eGVuYzpFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjYWVzMTI4LWNiYyIvPjxkc2lnOktleUluZm8geG1sbnM6ZHNpZz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PHhlbmM6RW5jcnlwdGVkS2V5Pjx4ZW5jOkVuY3J5cHRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNyc2EtMV81Ii8+PHhlbmM6Q2lwaGVyRGF0YT48eGVuYzpDaXBoZXJWYWx1ZT5ZUkdFZGF2dWpSNlYwNUZsWERHbmxCK1VUWTFjak9DallkYlhKN2JBZHFURWxDTyt1eHl0aytnMWVTTGVuczhJcjlZaVBNNUorUWU5cXo0TkdORXdyNjV6aDM5L0ZJVXNMQ3BhaXQ3QjZXM2lFcmR4aVUrSUN1cUw3TCtNSmlGVHZiVG90NVdleWZvVkFnSE94Z1BodDRONlZSL3BhYzRDdFZEQ0ZBbDlEMjA9PC94ZW5jOkNpcGhlclZhbHVlPjwveGVuYzpDaXBoZXJEYXRhPjwveGVuYzpFbmNyeXB0ZWRLZXk+PC9kc2lnOktleUluZm8+DQogICA8eGVuYzpDaXBoZXJEYXRhPg0KICAgICAgPHhlbmM6Q2lwaGVyVmFsdWU+dFdQZEV1dXZmSjh3WVBhOFVUQTRvR2htRENQTjFhQzVkUUFEN0g5SkhWQm5VS3Y0UkljNEQ3SnVJem12bXlyalZGWmRGNW15K3cvUGd3dWlOVGdpOUxid01iSW5adW1HbDhlSndFblBaVXBPQ0w1dDNXbEdKbU85OVVNejZQUVNLeGlGSU1DYzcrQXlRQmpjdTEzaUxWeU5TbFQyWDMxRXBOaW5jQ3FzSldvPTwveGVuYzpDaXBoZXJWYWx1ZT4NCiAgIDwveGVuYzpDaXBoZXJEYXRhPg0KPC94ZW5jOkVuY3J5cHRlZERhdGE+PC9zYW1sOkVuY3J5cHRlZElEPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDExLTA2LTA0VDAyOjE3OjAyWiIgTm90T25PckFmdGVyPSIyMDMwLTA2LTA0VDAyOjI3OjAyWiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovL3NvbWVvbmUuZXhhbXBsZS5jb20vYXVkaWVuY2U8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTA2LTA0VDAyOjIyOjAyWiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAzMC0wNi0wNVQwMjoyMjowMloiIFNlc3Npb25JbmRleD0iXzE2ZjU3MGZiYzAzMTUwMDdhMDM1NWRmZWE2YjNjNDZjIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==

data/spec/support/saml_idp_controller.rb.erb

@@ -62,7 +62,7 @@ class SamlIdpController < SamlIdp::IdpController
 
     assertion_and_signature = assertion.sub(/Issuer\>\<Subject/, "Issuer>#{signature}<Subject")
 
-    xml = %[<samlp:Response ID="_#{response_id}" Version="2.0" IssueInstant="#{now.iso8601}" Destination="#{@saml_acs_url}" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="#{@saml_request_id}" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">#{issuer_uri}</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>#{assertion_and_signature}</samlp:Response>]
+    xml = %[<samlp:Response ID="_#{response_id}" Version="2.0" IssueInstant="#{now.iso8601}" Destination="#{destination(@saml_acs_url)}" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="#{@saml_request_id}" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">#{issuer_uri}</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>#{assertion_and_signature}</samlp:Response>]
 
     Base64.encode64(xml)
   end
@@ -97,6 +97,7 @@ class SamlIdpController < SamlIdp::IdpController
     idp_slo_authenticate(params[:name_id])
     saml_slo_request = encode_SAML_SLO_Request("you@example.com")
     uri = URI.parse("http://localhost:8020/users/saml/idp_sign_out")
+    require 'net/http'
     Net::HTTP.post_form(uri, {"SAMLRequest" => saml_slo_request})
     head :no_content
   end
@@ -116,6 +117,14 @@ class SamlIdpController < SamlIdp::IdpController
 
   private
 
+  def destination(destination)
+  <% if @valid_destination == "false" %>
+    "{recipient}"
+  <% else %>
+    destination
+  <% end %>
+  end
+
   def validate_saml_slo_request(saml_request = params[:SAMLRequest])
     decode_SAML_SLO_Request(saml_request)
   end
@@ -150,7 +159,7 @@ class SamlIdpController < SamlIdp::IdpController
     ID="_#{response_id}"
     Version="2.0"
     IssueInstant="#{now.iso8601}"
-    Destination="#{@saml_slo_acs_url}"
+    Destination="#{destination(@saml_slo_acs_url)}"
     Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
     InResponseTo="#{@saml_slo_request_id}"
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
@@ -172,7 +181,7 @@ class SamlIdpController < SamlIdp::IdpController
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
     ID="_#{response_id}" Version="2.0"
-    Destination="#{@saml_slo_acs_url}"
+    Destination="#{destination(@saml_slo_acs_url)}"
     IssueInstant="#{now.iso8601}">
     <saml:Issuer >#{issuer_uri}</saml:Issuer>
     <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</saml:NameID>

data/spec/support/sp_template.rb

@@ -2,16 +2,59 @@
 
 saml_session_index_key = ENV.fetch('SAML_SESSION_INDEX_KEY', ":session_index")
 use_subject_to_authenticate = ENV.fetch('USE_SUBJECT_TO_AUTHENTICATE')
+idp_settings_adapter = ENV.fetch('IDP_SETTINGS_ADAPTER', "nil")
+idp_entity_id_reader = ENV.fetch('IDP_ENTITY_ID_READER', "DeviseSamlAuthenticatable::DefaultIdpEntityIdReader")
+saml_failed_callback = ENV.fetch('SAML_FAILED_CALLBACK', "nil")
 
 gem 'devise_saml_authenticatable', path: '../../..'
 gem 'thin'
 
+insert_into_file('Gemfile', after: /\z/) {
+  <<-GEMFILE
+# Lock down versions of gems for older versions of Ruby
+if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")
+  gem 'mime-types', '~> 2.99'
+end
+if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
+  gem 'devise', '~> 3.5'
+end
+  GEMFILE
+}
+
+template File.expand_path('../idp_settings_adapter.rb.erb', __FILE__), 'app/lib/idp_settings_adapter.rb'
+
 create_file 'config/attribute-map.yml', <<-ATTRIBUTES
 ---
 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": email
 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":         name
 ATTRIBUTES
 
+create_file('app/lib/our_saml_failed_callback_handler.rb', <<-CALLBACKHANDLER)
+
+class OurSamlFailedCallbackHandler
+  def handle(response, strategy)
+    strategy.redirect! "http://www.example.com"
+  end
+end
+CALLBACKHANDLER
+
+create_file('app/lib/our_entity_id_reader.rb', <<-READER)
+
+class OurEntityIdReader
+  def self.entity_id(params)
+    if params[:entity_id]
+      params[:entity_id]
+    elsif params[:SAMLRequest]
+      OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest]).issuer
+    elsif params[:SAMLResponse]
+      OneLogin::RubySaml::Response.new(params[:SAMLResponse]).issuers.first
+    else
+      "http://www.cats.com"
+    end
+  end
+end
+READER
+
 after_bundle do
   generate :controller, 'home', 'index'
   insert_into_file('app/controllers/home_controller.rb', after: "class HomeController < ApplicationController\n") {
@@ -38,6 +81,9 @@ after_bundle do
   config.saml_use_subject = #{use_subject_to_authenticate}
   config.saml_create_user = true
   config.saml_update_user = true
+  config.idp_settings_adapter = #{idp_settings_adapter}
+  config.idp_entity_id_reader = #{idp_entity_id_reader}
+  config.saml_failed_callback = #{saml_failed_callback}
 
   config.saml_configure do |settings|
     settings.assertion_consumer_service_url = "http://localhost:8020/users/saml/auth"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_saml_authenticatable
 version: !ruby/object:Gem::Version
-  version: 1.2.2
+  version: 1.3.0
 platform: ruby
 authors:
 - Josef Sauter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-12 00:00:00.000000000 Z
+date: 2016-07-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.3'
 description: SAML Authentication for devise
 email:
 - Josef.Sauter@gmail.com
@@ -55,6 +55,7 @@ files:
 - app/controllers/devise/saml_sessions_controller.rb
 - devise_saml_authenticatable.gemspec
 - lib/devise_saml_authenticatable.rb
+- lib/devise_saml_authenticatable/default_idp_entity_id_reader.rb
 - lib/devise_saml_authenticatable/exception.rb
 - lib/devise_saml_authenticatable/logger.rb
 - lib/devise_saml_authenticatable/model.rb
@@ -64,14 +65,17 @@ files:
 - lib/devise_saml_authenticatable/version.rb
 - rails/init.rb
 - spec/controllers/devise/saml_sessions_controller_spec.rb
+- spec/devise_saml_authenticatable/default_idp_entity_id_reader_spec.rb
 - spec/devise_saml_authenticatable/model_spec.rb
 - spec/devise_saml_authenticatable/saml_config_spec.rb
 - spec/devise_saml_authenticatable/strategy_spec.rb
 - spec/features/saml_authentication_spec.rb
 - spec/rails_helper.rb
 - spec/spec_helper.rb
+- spec/support/idp_settings_adapter.rb.erb
 - spec/support/idp_template.rb
 - spec/support/rails_app.rb
+- spec/support/response_encrypted_nameid.xml.base64
 - spec/support/saml_idp-saml_slo_post.html.erb
 - spec/support/saml_idp_controller.rb.erb
 - spec/support/sp_template.rb
@@ -100,14 +104,17 @@ specification_version: 4
 summary: SAML Authentication for devise
 test_files:
 - spec/controllers/devise/saml_sessions_controller_spec.rb
+- spec/devise_saml_authenticatable/default_idp_entity_id_reader_spec.rb
 - spec/devise_saml_authenticatable/model_spec.rb
 - spec/devise_saml_authenticatable/saml_config_spec.rb
 - spec/devise_saml_authenticatable/strategy_spec.rb
 - spec/features/saml_authentication_spec.rb
 - spec/rails_helper.rb
 - spec/spec_helper.rb
+- spec/support/idp_settings_adapter.rb.erb
 - spec/support/idp_template.rb
 - spec/support/rails_app.rb
+- spec/support/response_encrypted_nameid.xml.base64
 - spec/support/saml_idp-saml_slo_post.html.erb
 - spec/support/saml_idp_controller.rb.erb
 - spec/support/sp_template.rb