devise_saml_authenticatable 1.3.0 → 1.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 811f4c9c0306a1c5ba28080ac773ba88022b79cc
-  data.tar.gz: f2571561eb9c3ba05832e65d1b8ab15d3c9c408c
+  metadata.gz: eeabad37a5473557499db0b8de604afb7740608d
+  data.tar.gz: 952108992254613cdf27f72aedbf6e2a772f95a3
 SHA512:
-  metadata.gz: c21a2ac40153fcb51c843fcdfa081ba2caab761c94a43cf1ebe297d1260021fc54409fe6cdac9cc3c6340db077ba3c8d2cb15e2f83a9af8886cff90ac128cb58
-  data.tar.gz: dc0c2d6f2174e0f5bef4a6b4590ed90558741a8a86af2754bb5c1094d039c29cd9da726f804bbd78a1693023ac4f50ad81d095956ad728272144d4977bb25eec
+  metadata.gz: 720d7b21c40596b762a85c5c0df2f9dc3d1af7fdce86a7c8562428b866e79eab6a768e070c648fd4c657415bca175102d4eaa0dff6866c7cc8b14025d1bf5101
+  data.tar.gz: c3368984264f54a99a37ce9e4b546b7bbd2460a834bc57300dfaf242232619bad50f51bb66adc4d2e1e41d287ce4f3f7f85923697835a06bf14f73968a31f1ed

data/.gitignore

@@ -4,7 +4,7 @@
 .config
 .idea/
 .yardoc
-Gemfile.lock
+Gemfile*.lock
 InstalledFiles
 _yardoc
 coverage

data/.travis.yml

@@ -2,11 +2,30 @@ language: ruby
 rvm:
   - "1.9.3"
   - "2.0.0"
-  - "2.1.0"
-  - "2.2.0"
+  - "2.1.9"
+  - "2.2.5"
+  - "2.3.1"
+gemfile:
+  - Gemfile
+  - spec/support/Gemfile.rails4
+  - spec/support/Gemfile.ruby-saml-1.3
+matrix:
+  allow_failures:
+    - rvm: "1.9.3"
+      gemfile: Gemfile
+    - rvm: "1.9.3"
+      gemfile: spec/support/Gemfile.ruby-saml-1.3
+    - rvm: "2.0.0"
+      gemfile: Gemfile
+    - rvm: "2.0.0"
+      gemfile: spec/support/Gemfile.ruby-saml-1.3
+    - rvm: "2.1.9"
+      gemfile: Gemfile
+    - rvm: "2.1.9"
+      gemfile: spec/support/Gemfile.ruby-saml-1.3
 
 script:
-  - xvfb-run bundle exec rake
+  - bundle exec rake
 
 notifications:
   hipchat:
@@ -15,4 +34,4 @@ notifications:
     template:
       - '%{repository}<a href="%{build_url}">#%{build_number}</a> (%{branch} - <a href="%{compare_url}">%{commit}</a> : %{author}): %{message}'
     format: html
-    on_pull_requests: false
+    on_pull_requests: true

data/Gemfile

@@ -6,10 +6,11 @@ gemspec
 group :test do
   gem 'rake'
   gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 4.0'
+  gem 'rails', '~> 5.0'
   gem 'rspec-rails'
   gem 'sqlite3'
-  gem 'capybara-webkit'
+  gem 'capybara'
+  gem 'poltergeist'
 
   # Lock down versions of gems for older versions of Ruby
   if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")

data/README.md

@@ -160,6 +160,7 @@ end
 Detecting the entity ID passed to the `settings` method is done by `config.idp_entity_id_reader`.
 By default this will find the `Issuer` in the SAML request.
 You can support more use cases by writing your own and implementing the `.entity_id` method.
+If you use encrypted assertions, your entity ID reader will need to understand how to decrypt the response from each of the possible IdPs.
 
 ## Identity Provider
 

data/app/controllers/devise/saml_sessions_controller.rb

@@ -3,12 +3,13 @@ require "ruby-saml"
 class Devise::SamlSessionsController < Devise::SessionsController
   include DeviseSamlAuthenticatable::SamlConfig
   unloadable if Rails::VERSION::MAJOR < 4
-  skip_before_filter :verify_authenticity_token
+  skip_before_filter :verify_authenticity_token, raise: false
 
   def new
     idp_entity_id = get_idp_entity_id(params)
     request = OneLogin::RubySaml::Authrequest.new
-    action = request.create(saml_config(idp_entity_id))
+    auth_params = { RelayState: relay_state } if relay_state
+    action = request.create(saml_config(idp_entity_id), auth_params || {})
     redirect_to action
   end
 
@@ -40,6 +41,12 @@ class Devise::SamlSessionsController < Devise::SessionsController
 
   protected
 
+  def relay_state
+    @relay_state ||= if Devise.saml_relay_state.present?
+      Devise.saml_relay_state.call(request)
+    end
+  end
+
   # Override devise to send user to IdP logout for SLO
   def after_sign_out_path_for(_)
     request = OneLogin::RubySaml::Logoutrequest.new

data/lib/devise_saml_authenticatable.rb

@@ -57,6 +57,11 @@ module Devise
   mattr_accessor :saml_failed_callback
   @@saml_failed_callback
 
+  # lambda that generates the RelayState param for the SAML AuthRequest, takes request
+  # from SamlSessionsController#new action as an argument
+  mattr_accessor :saml_relay_state
+  @@saml_relay_state
+
   mattr_accessor :saml_config
   @@saml_config = OneLogin::RubySaml::Settings.new
   def self.saml_configure

data/lib/devise_saml_authenticatable/model.rb

@@ -28,7 +28,7 @@ module Devise
       end
 
       module ClassMethods
-        def authenticate_with_saml(saml_response)
+        def authenticate_with_saml(saml_response, relay_state)
           key = Devise.saml_default_user_key
           attributes = saml_response.attributes
           if (Devise.saml_use_subject)
@@ -36,8 +36,9 @@ module Devise
           else
             inv_attr = attribute_map.invert
             auth_value = attributes[inv_attr[key.to_s]]
-            auth_value.try(:downcase!) if Devise.case_insensitive_keys.include?(key)
           end
+          auth_value.try(:downcase!) if Devise.case_insensitive_keys.include?(key)
+
           resource = where(key => auth_value).first
 
           if resource.nil?

data/lib/devise_saml_authenticatable/strategy.rb

@@ -13,14 +13,11 @@ module Devise
       end
 
       def authenticate!
-        @response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], settings: saml_config(get_idp_entity_id(params)))
-        resource = mapping.to.authenticate_with_saml(@response)
-        if @response.is_valid? && resource
-          resource.after_saml_authentication(@response.sessionindex)
-          success!(resource)
-        else
-          fail!(:invalid)
-          Devise.saml_failed_callback.new.handle(@response, self) if Devise.saml_failed_callback
+        parse_saml_response
+        retrieve_resource unless self.halted?
+        unless self.halted?
+          @resource.after_saml_authentication(@response.sessionindex)
+          success!(@resource)
         end
       end
 
@@ -28,7 +25,28 @@ module Devise
       # Any known way on how to let the IdP send the CSRF token along with the SAMLResponse ?
       # Please let me know!
       def store?
-        true
+        !mapping.to.skip_session_storage.include?(:saml_auth)
+      end
+
+      private
+      def parse_saml_response
+        @response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], settings: saml_config(get_idp_entity_id(params)))
+        unless @response.is_valid?
+          failed_auth("Auth errors: #{@response.errors.join(', ')}")
+        end
+      end
+
+      def retrieve_resource
+        @resource = mapping.to.authenticate_with_saml(@response, params[:RelayState])
+        if @resource.nil?
+          failed_auth("Resource could not be found")
+        end
+      end
+
+      def failed_auth(msg)
+        DeviseSamlAuthenticatable::Logger.send(msg)
+        fail!(:invalid)
+        Devise.saml_failed_callback.new.handle(@response, self) if Devise.saml_failed_callback
       end
 
     end

data/lib/devise_saml_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "1.3.0"
+  VERSION = "1.3.1"
 end

data/spec/controllers/devise/saml_sessions_controller_spec.rb

@@ -38,9 +38,17 @@ describe Devise::SamlSessionsController, type: :controller do
   describe '#new' do
     let(:saml_response) { File.read(File.join(File.dirname(__FILE__), '../../support', 'response_encrypted_nameid.xml.base64')) }
 
+    subject(:do_get) {
+      if Rails::VERSION::MAJOR > 4
+        get :new, params: {"SAMLResponse" => saml_response}
+      else
+        get :new, "SAMLResponse" => saml_response
+      end
+    }
+
     context "when using the default saml config" do
       it "redirects to the IdP SSO target url" do
-        get :new, "SAMLResponse" => saml_response
+        do_get
         expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
       end
     end
@@ -51,13 +59,23 @@ describe Devise::SamlSessionsController, type: :controller do
       end
 
       it "redirects to the associated IdP SSO target url" do
-        get :new, "SAMLResponse" => saml_response
+        do_get
         expect(response).to redirect_to(%r(\Ahttp://idp_sso_url\?SAMLRequest=))
       end
 
       it "uses the DefaultIdpEntityIdReader" do
         expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
-        get :new, "SAMLResponse" => saml_response
+        do_get
+      end
+
+      context "with a relay_state lambda defined" do
+        let(:relay_state) { ->(request) { "123" } }
+
+        it "includes the RelayState param in the request to the IdP" do
+          expect(Devise).to receive(:saml_relay_state).at_least(:once).and_return(relay_state)
+          do_get
+          expect(response).to redirect_to(%r(\Ahttp://idp_sso_url\?SAMLRequest=.*&RelayState=123))
+        end
       end
 
       context "with a specified idp entity id reader" do
@@ -67,6 +85,14 @@ describe Devise::SamlSessionsController, type: :controller do
           end
         end
 
+        subject(:do_get) {
+          if Rails::VERSION::MAJOR > 4
+            get :new, params: {entity_id: "http://www.example.com"}
+          else
+            get :new, entity_id: "http://www.example.com"
+          end
+        }
+
         before do
           @default_reader = Devise.idp_entity_id_reader
           Devise.idp_entity_id_reader = OurIdpEntityIdReader # which will have some different behavior
@@ -77,7 +103,7 @@ describe Devise::SamlSessionsController, type: :controller do
         end
 
         it "redirects to the associated IdP SSO target url" do
-          get :new, entity_id: "http://www.example.com"
+          do_get
           expect(response).to redirect_to(%r(\Ahttp://idp_sso_url\?SAMLRequest=))
         end
       end
@@ -129,76 +155,98 @@ describe Devise::SamlSessionsController, type: :controller do
   end
 
   describe '#idp_sign_out' do
-    let(:name_id) { '12312312' }
-    let(:saml_request) { double(:slo_logoutrequest, {
-      id: 42,
-      name_id: name_id,
-      issuer: "http://www.example.com"
-    }) }
     let(:saml_response) { double(:slo_logoutresponse) }
     let(:response_url) { 'http://localhost/logout_response' }
-
     before do
-      allow(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).and_return(saml_request)
       allow(OneLogin::RubySaml::SloLogoutresponse).to receive(:new).and_return(saml_response)
       allow(saml_response).to receive(:create).and_return(response_url)
     end
 
-    it 'returns invalid request if SAMLRequest is not passed' do
-      expect(User).not_to receive(:reset_session_key_for).with(name_id)
+    it 'returns invalid request if SAMLRequest or SAMLResponse is not passed' do
+      expect(User).not_to receive(:reset_session_key_for)
       post :idp_sign_out
       expect(response.status).to eq 500
     end
 
-    it 'accepts a LogoutResponse and redirects sign_in' do
-      post :idp_sign_out, SAMLResponse: 'stubbed_response'
-      expect(response.status).to eq 302
-      expect(response).to redirect_to '/users/saml/sign_in'
-    end
+    context "when receiving a logout response from the IdP after redirecting an SP logout request" do
+      subject(:do_post) {
+        if Rails::VERSION::MAJOR > 4
+          post :idp_sign_out, params: {SAMLResponse: "stubbed_response"}
+        else
+          post :idp_sign_out, SAMLResponse: "stubbed_response"
+        end
+      }
 
-    context "with a specified idp" do
-      let(:idp_entity_id) { "http://www.example.com" }
-      before do
-        Devise.idp_settings_adapter = idp_providers_adapter
+      it 'accepts a LogoutResponse and redirects sign_in' do
+        do_post
+        expect(response.status).to eq 302
+        expect(response).to redirect_to '/users/saml/sign_in'
       end
 
-      it "accepts a LogoutResponse for the associated slo_target_url and redirects to sign_in" do
-        post :idp_sign_out, SAMLRequest: "stubbed_logout_request"
-        expect(response.status).to eq 302
-        expect(idp_providers_adapter).to have_received(:settings).with(idp_entity_id)
-        expect(response).to redirect_to "http://localhost/logout_response"
+      context 'when saml_sign_out_success_url is configured' do
+        let(:test_url) { '/test/url' }
+        before do
+          Devise.saml_sign_out_success_url = test_url
+        end
+
+        it 'accepts a LogoutResponse and returns success' do
+          do_post
+          expect(response.status).to eq 302
+          expect(response).to redirect_to test_url
+        end
       end
     end
 
-    context 'when saml_sign_out_success_url is configured' do
-      let(:test_url) { '/test/url' }
+    context "when receiving an IdP logout request" do
+      subject(:do_post) {
+        if Rails::VERSION::MAJOR > 4
+          post :idp_sign_out, params: {SAMLRequest: "stubbed_logout_request"}
+        else
+          post :idp_sign_out, SAMLRequest: "stubbed_logout_request"
+        end
+      }
+
+      let(:saml_request) { double(:slo_logoutrequest, {
+        id: 42,
+        name_id: name_id,
+        issuer: "http://www.example.com"
+      }) }
+      let(:name_id) { '12312312' }
       before do
-        Devise.saml_sign_out_success_url = test_url
+        allow(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).and_return(saml_request)
       end
 
-      it 'accepts a LogoutResponse and returns success' do
-        post :idp_sign_out, SAMLResponse: 'stubbed_response'
-        expect(response.status).to eq 302
-        expect(response).to redirect_to test_url
+      it 'direct the resource to reset the session key' do
+        expect(User).to receive(:reset_session_key_for).with(name_id)
+        do_post
+        expect(response).to redirect_to response_url
       end
-    end
 
-    context 'when saml_session_index_key is not configured' do
-      before do
-        Devise.saml_session_index_key = nil
-      end
+      context "with a specified idp" do
+        let(:idp_entity_id) { "http://www.example.com" }
+        before do
+          Devise.idp_settings_adapter = idp_providers_adapter
+        end
 
-      it 'returns invalid request' do
-        expect(User).not_to receive(:reset_session_key_for).with(name_id)
-        post :idp_sign_out, SAMLRequest: 'stubbed_request'
-        expect(response.status).to eq 500
+        it "accepts a LogoutResponse for the associated slo_target_url and redirects to sign_in" do
+          do_post
+          expect(response.status).to eq 302
+          expect(idp_providers_adapter).to have_received(:settings).with(idp_entity_id)
+          expect(response).to redirect_to "http://localhost/logout_response"
+        end
       end
-    end
 
-    it 'direct the resource to reset the session key' do
-      expect(User).to receive(:reset_session_key_for).with(name_id)
-      post :idp_sign_out, SAMLRequest: 'stubbed_request'
-      expect(response).to redirect_to response_url
+      context 'when saml_session_index_key is not configured' do
+        before do
+          Devise.saml_session_index_key = nil
+        end
+
+        it 'returns invalid request' do
+          expect(User).not_to receive(:reset_session_key_for).with(name_id)
+          do_post
+          expect(response.status).to eq 500
+        end
+      end
     end
   end
 end

data/spec/devise_saml_authenticatable/model_spec.rb

@@ -58,12 +58,12 @@ describe Devise::Models::SamlAuthenticatable do
   it "looks up the user by the configured default user key" do
     user = Model.new(new_record: false)
     expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
-    expect(Model.authenticate_with_saml(response)).to eq(user)
+    expect(Model.authenticate_with_saml(response, nil)).to eq(user)
   end
 
   it "returns nil if it cannot find a user" do
     expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
-    expect(Model.authenticate_with_saml(response)).to be_nil
+    expect(Model.authenticate_with_saml(response, nil)).to be_nil
   end
 
   context "when configured to use the subject" do
@@ -77,12 +77,12 @@ describe Devise::Models::SamlAuthenticatable do
     it "looks up the user by the configured default user key" do
       user = Model.new(new_record: false)
       expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
-      expect(Model.authenticate_with_saml(response)).to eq(user)
+      expect(Model.authenticate_with_saml(response, nil)).to eq(user)
     end
 
     it "returns nil if it cannot find a user" do
       expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
-      expect(Model.authenticate_with_saml(response)).to be_nil
+      expect(Model.authenticate_with_saml(response, nil)).to be_nil
     end
 
     context "when configured to create a user and the user is not found" do
@@ -92,7 +92,7 @@ describe Devise::Models::SamlAuthenticatable do
 
       it "creates and returns a new user with the name identifier and given attributes" do
         expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
-        model = Model.authenticate_with_saml(response)
+        model = Model.authenticate_with_saml(response, nil)
         expect(model.email).to eq('user@example.com')
         expect(model.name).to  eq('A User')
         expect(model.saved).to be(true)
@@ -107,7 +107,7 @@ describe Devise::Models::SamlAuthenticatable do
       it "creates and returns a new user with the name identifier and given attributes" do
         user = Model.new(email: "old_mail@mail.com", name: "old name", new_record: false)
         expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
-        model = Model.authenticate_with_saml(response)
+        model = Model.authenticate_with_saml(response, nil)
         expect(model.email).to eq('user@example.com')
         expect(model.name).to  eq('A User')
         expect(model.saved).to be(true)
@@ -122,7 +122,7 @@ describe Devise::Models::SamlAuthenticatable do
 
     it "creates and returns a new user with the given attributes" do
       expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
-      model = Model.authenticate_with_saml(response)
+      model = Model.authenticate_with_saml(response, nil)
       expect(model.email).to eq('user@example.com')
       expect(model.name).to  eq('A User')
       expect(model.saved).to be(true)
@@ -136,29 +136,46 @@ describe Devise::Models::SamlAuthenticatable do
 
     it "returns nil if the user is not found" do
       expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
-      expect(Model.authenticate_with_saml(response)).to be_nil
+      expect(Model.authenticate_with_saml(response, nil)).to be_nil
     end
 
     it "updates the attributes if the user is found" do
       user = Model.new(email: "old_mail@mail.com", name: "old name", new_record: false)
       expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
-      model = Model.authenticate_with_saml(response)
+      model = Model.authenticate_with_saml(response, nil)
       expect(model.email).to eq('user@example.com')
       expect(model.name).to  eq('A User')
       expect(model.saved).to be(true)
     end
   end
 
-
   context "when configured with a case-insensitive key" do
-    before do
-      allow(Devise).to receive(:case_insensitive_keys).and_return([:email])
+    shared_examples "correct downcasing" do
+      before do
+        allow(Devise).to receive(:case_insensitive_keys).and_return([:email])
+      end
+
+      it "looks up the user with a downcased value" do
+        user = Model.new(new_record: false)
+        expect(Model).to receive(:where).with(email: 'upper@example.com').and_return([user])
+        expect(Model.authenticate_with_saml(response, nil)).to eq(user)
+      end
     end
 
-    it "looks up the user with a downcased value" do
-      user = Model.new(new_record: false)
-      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
-      expect(Model.authenticate_with_saml(response)).to eq(user)
+    context "when configured to use the subject" do
+      let(:name_id) { 'UPPER@example.com' }
+
+      before do
+        allow(Devise).to receive(:saml_use_subject).and_return(true)
+      end
+
+      include_examples "correct downcasing"
+    end
+
+    context "when using default user key" do
+      let(:attributes) { OneLogin::RubySaml::Attributes.new('saml-email-format' => ['UPPER@example.com']) }
+
+      include_examples "correct downcasing"
     end
   end
 end

data/spec/devise_saml_authenticatable/strategy_spec.rb

@@ -3,15 +3,16 @@ require 'rails_helper'
 describe Devise::Strategies::SamlAuthenticatable do
   subject(:strategy) { described_class.new(env, :user) }
   let(:env) { {} }
+  let(:errors) { ["Test1", "Test2"] }
 
-  let(:response) { double(:response, issuers: [idp_entity_id], :settings= => nil, is_valid?: true, sessionindex: '123123123') }
+  let(:response) { double(:response, issuers: [idp_entity_id], :settings= => nil, is_valid?: true, sessionindex: '123123123', errors: errors) }
   let(:idp_entity_id) { "https://test/saml/metadata/123123" }
   before do
     allow(OneLogin::RubySaml::Response).to receive(:new).and_return(response)
   end
 
   let(:mapping) { double(:mapping, to: user_class) }
-  let(:user_class) { double(:user_class, authenticate_with_saml: user) }
+  let(:user_class) { double(:user_class, authenticate_with_saml: user, skip_session_storage: []) }
   let(:user) { double(:user) }
   before do
     allow(strategy).to receive(:mapping).and_return(mapping)
@@ -32,13 +33,23 @@ describe Devise::Strategies::SamlAuthenticatable do
 
     it "authenticates with the response" do
       expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], anything)
-      expect(user_class).to receive(:authenticate_with_saml).with(response)
+      expect(user_class).to receive(:authenticate_with_saml).with(response, nil)
       expect(user).to receive(:after_saml_authentication).with(response.sessionindex)
 
       expect(strategy).to receive(:success!).with(user)
       strategy.authenticate!
     end
 
+    context "and a RelayState parameter" do
+      let(:params) { super().merge(RelayState: "foo") }
+      it "authenticates with the response" do
+        expect(user_class).to receive(:authenticate_with_saml).with(response, params[:RelayState])
+
+        expect(strategy).to receive(:success!).with(user)
+        strategy.authenticate!
+      end
+    end
+
     context "when saml config uses an idp_adapter" do
       let(:idp_providers_adapter) {
         Class.new {
@@ -70,7 +81,7 @@ describe Devise::Strategies::SamlAuthenticatable do
       it "authenticates with the response for the corresponding idp" do
         expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], anything)
         expect(idp_providers_adapter).to receive(:settings).with(idp_entity_id)
-        expect(user_class).to receive(:authenticate_with_saml).with(response)
+        expect(user_class).to receive(:authenticate_with_saml).with(response, params[:RelayState])
         expect(user).to receive(:after_saml_authentication).with(response.sessionindex)
 
         expect(strategy).to receive(:success!).with(user)
@@ -85,6 +96,11 @@ describe Devise::Strategies::SamlAuthenticatable do
         expect(strategy).to receive(:fail!).with(:invalid)
         strategy.authenticate!
       end
+
+      it 'logs the error' do
+        expect(DeviseSamlAuthenticatable::Logger).to receive(:send).with('Resource could not be found')
+        strategy.authenticate!
+      end
     end
 
     context "and the SAML response is not valid" do
@@ -103,6 +119,11 @@ describe Devise::Strategies::SamlAuthenticatable do
         Devise.saml_failed_callback = @saml_failed_login
       end
 
+      it 'logs the error' do
+        expect(DeviseSamlAuthenticatable::Logger).to receive(:send).with('Auth errors: Test1, Test2')
+        strategy.authenticate!
+      end
+
       it "fails to authenticate" do
         expect(strategy).to receive(:fail!).with(:invalid)
         strategy.authenticate!
@@ -122,4 +143,14 @@ describe Devise::Strategies::SamlAuthenticatable do
   it "is permanent" do
     expect(strategy).to be_store
   end
+
+  context "when the user should not be stored in the session" do
+    before do
+      allow(user_class).to receive(:skip_session_storage).and_return([:saml_auth])
+    end
+
+    it "is not stored" do
+      expect(strategy).not_to be_store
+    end
+  end
 end

data/spec/features/saml_authentication_spec.rb

@@ -3,8 +3,8 @@ require 'net/http'
 require 'timeout'
 require 'uri'
 require 'capybara/rspec'
-require 'capybara/webkit'
-Capybara.default_driver = :webkit
+require 'capybara/poltergeist'
+Capybara.default_driver = :poltergeist
 
 describe "SAML Authentication", type: :feature do
   let(:idp_port) { 8009 }

data/spec/support/Gemfile.rails4

@@ -0,0 +1,23 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
+gemspec path: '../..'
+
+group :test do
+  gem 'rake'
+  gem 'rspec', '~> 3.0'
+  gem 'rails', '~> 4.0'
+  gem 'rspec-rails'
+  gem 'sqlite3'
+  gem 'capybara'
+  gem 'poltergeist'
+
+  # Lock down versions of gems for older versions of Ruby
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")
+    gem 'addressable', '~> 2.4.0'
+    gem 'mime-types', '~> 2.99'
+  end
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
+    gem 'devise', '~> 3.5'
+  end
+end

data/spec/support/Gemfile.ruby-saml-1.3

@@ -0,0 +1,23 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
+gemspec path: '../..'
+
+group :test do
+  gem 'rake'
+  gem 'rspec', '~> 3.0'
+  gem 'rails', '~> 5.0'
+  gem 'rspec-rails'
+  gem 'ruby-saml', '~> 1.3.0'
+  gem 'sqlite3'
+  gem 'capybara'
+  gem 'poltergeist'
+
+  # Lock down versions of gems for older versions of Ruby
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")
+    gem 'mime-types', '~> 2.99'
+  end
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
+    gem 'devise', '~> 3.5'
+  end
+end

data/spec/support/idp_template.rb

@@ -9,9 +9,6 @@ gem 'thin'
 insert_into_file('Gemfile', after: /\z/) {
   <<-GEMFILE
 # Lock down versions of gems for older versions of Ruby
-if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")
-  gem 'mime-types', '~> 2.99'
-end
 if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
   gem 'devise', '~> 3.5'
 end

data/spec/support/rails_app.rb

@@ -12,13 +12,11 @@ def app_ready?(pid, port)
 end
 
 def create_app(name, env = {})
-  rails_new_options = %w(-T -J -S --skip-spring)
+  rails_new_options = %w(-T -J -S --skip-spring --skip-listen)
   rails_new_options << "-O" if name == 'idp'
-  Bundler.with_clean_env do
-    Dir.chdir(File.expand_path('../../support', __FILE__)) do
-      FileUtils.rm_rf(name)
-      system(env, "rails", "new", name, *rails_new_options, "-m", "#{name}_template.rb")
-    end
+  Dir.chdir(File.expand_path('../../support', __FILE__)) do
+    FileUtils.rm_rf(name)
+    system(env, "rails", "new", name, *rails_new_options, "-m", "#{name}_template.rb")
   end
 end
 

data/spec/support/sp_template.rb

@@ -1,5 +1,7 @@
 # Set up a SAML Service Provider
 
+require "onelogin/ruby-saml/version"
+
 saml_session_index_key = ENV.fetch('SAML_SESSION_INDEX_KEY', ":session_index")
 use_subject_to_authenticate = ENV.fetch('USE_SUBJECT_TO_AUTHENTICATE')
 idp_settings_adapter = ENV.fetch('IDP_SETTINGS_ADAPTER', "nil")
@@ -7,14 +9,12 @@ idp_entity_id_reader = ENV.fetch('IDP_ENTITY_ID_READER', "DeviseSamlAuthenticata
 saml_failed_callback = ENV.fetch('SAML_FAILED_CALLBACK', "nil")
 
 gem 'devise_saml_authenticatable', path: '../../..'
+gem 'ruby-saml', OneLogin::RubySaml::VERSION
 gem 'thin'
 
 insert_into_file('Gemfile', after: /\z/) {
   <<-GEMFILE
 # Lock down versions of gems for older versions of Ruby
-if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")
-  gem 'mime-types', '~> 2.99'
-end
 if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
   gem 'devise', '~> 3.5'
 end
@@ -100,7 +100,7 @@ end
   route "resources :users, only: [:create]"
   create_file('app/controllers/users_controller.rb', <<-USERS)
 class UsersController < ApplicationController
-  skip_before_filter :verify_authenticity_token
+  skip_before_action :verify_authenticity_token
   def create
     User.create!(email: params[:email])
     render nothing: true, status: 201

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_saml_authenticatable
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.3.1
 platform: ruby
 authors:
 - Josef Sauter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-07-07 00:00:00.000000000 Z
+date: 2016-11-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -72,6 +72,8 @@ files:
 - spec/features/saml_authentication_spec.rb
 - spec/rails_helper.rb
 - spec/spec_helper.rb
+- spec/support/Gemfile.rails4
+- spec/support/Gemfile.ruby-saml-1.3
 - spec/support/idp_settings_adapter.rb.erb
 - spec/support/idp_template.rb
 - spec/support/rails_app.rb
@@ -111,6 +113,8 @@ test_files:
 - spec/features/saml_authentication_spec.rb
 - spec/rails_helper.rb
 - spec/spec_helper.rb
+- spec/support/Gemfile.rails4
+- spec/support/Gemfile.ruby-saml-1.3
 - spec/support/idp_settings_adapter.rb.erb
 - spec/support/idp_template.rb
 - spec/support/rails_app.rb