libsaml 2.4.7 → 2.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e33af5e606a9750e235b9c6d1bac4f1eb5711aa1
-  data.tar.gz: 7bfbf31b2a1f8d881cbcd9a588007dfc405e895c
+  metadata.gz: 6366380ef4896c6c119750e48f439ca0e03a5c4e
+  data.tar.gz: b953ecd1d5be90e167ca5a332f52cce0536d1bf1
 SHA512:
-  metadata.gz: ea71dcaefc7622ca57bf15d28d8cbe8114a684506652eae09fd2fe345425e8a79e645d0bb6075002fab4a386af950647b0513d492efd6f52010552a27f5b8841
-  data.tar.gz: f23c1b43226109d43ba3afcf40a20e3f38f6c44593d3b7980fa3df9cdfc4f1f013d5f664c3d686f7795fe251b17fe49b1e0b722667978de7969a56fcda12922e
+  metadata.gz: f36839a1dd5ee94171d0f6078a30c1379b7756e8732e33a91828e7c880ff104db1d7f3926d406a2e9f8edaaa384c8a78db0ec03f6c6704ffffdfab2c249828f8
+  data.tar.gz: 884e2f549a8bcdb9f9af7ba8d28f1eb80890202b4cec3aa752c3f9a0883eeb5fd1146ff8442fa3665cb7d8b6ed9e5cca829575284810a38805d97653a41506fe

data/README.md

@@ -1,7 +1,7 @@
 [![Build status](https://travis-ci.org/digidentity/libsaml.png?branch=master)](https://travis-ci.org/digidentity/libsaml)
 [![Coverage status](https://coveralls.io/repos/digidentity/libsaml/badge.png)](https://coveralls.io/r/digidentity/libsaml)
 [![Code climate](https://codeclimate.com/github/digidentity/libsaml.png)](https://codeclimate.com/github/digidentity/libsaml)
-[![Dependency status](https://gemnasium.com/digidentity/libsaml.png)](https://coveralls.io/r/digidentity/libsaml)
+[![Dependency status](https://gemnasium.com/digidentity/libsaml.png)](https://gemnasium.com/digidentity/libsaml)
 
 # libsaml
 
@@ -102,12 +102,33 @@ class SamlController < ApplicationController
 
     authn_request = Saml::AuthnRequest.new(:destination => destination)
 
+    session[:authn_request_id] = auth_request._id
+
     @saml_attributes = Saml::Bindings::HTTPPost.create_form_attributes(authn_request)
 
     render text: @saml_attributes.to_yaml
   end
 
   def receive_response
+    if params["SAMLart"]
+      # provider should be of type Saml::Provider
+      @response = Saml::Bindings::HTTPArtifact.resolve(request, provider.artifact_resolution_service_url)
+    elsif params["SAMLResponse"]
+      @response = Saml::Bindings::HTTPost.receive_message(request, :response)
+    else
+       # handle invalid request
+    end
+
+    if @response && @response.success?
+      if session[:authn_request_id] == @response.in_response_to
+        @response.assertion.fetch_attribute('any_attribute')
+      else
+        # handle unrecognized response
+      end
+      reset_session # It's good practice to reset sessions after authenticating to mitigate session fixation attacks
+    else
+      # handle failure
+    end
   end
 end
 ```
@@ -117,10 +138,95 @@ Don't forget to define the routes in `config/routes.rb`:
 ```ruby
   get "/saml/request_authentication" => "saml#request_authentication"
   get "/saml/receive_response" => "saml#receive_response"
+  post "/saml/receive_response" => "saml#receive_response"
+```
+
+## Using libsaml as an IDP
+
+Writing a solid identity provider really requires a deeper knowledge of the SAML protocol, so it's recommended to read more on the SAML 2.0 Wiki http://en.wikipedia.org/wiki/SAML_2.0.
+When you understand what it says, read these parts of the specification:
+http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
+
+Below is an example of a very primitive IDP Saml Controller
+
+```ruby
+class SamlController < ActionController::Base
+  extend Saml::Rails::ControllerHelper
+  current_provider "entity_id"
+
+  def receive_authn_request
+    authn_request = if request.get?
+      Saml::Bindings::HTTPRedirect.receive_message(request, type: :authn_request)
+    elsif request.post?
+      Saml::Bindings::HTTPPost.receive_message(request, type: :authn_request)
+    else
+      return head :not_allowed
+    end
+    request_id = authn_request._id
+
+    session[:saml_request] = {
+      request_id:    request_id,
+      relay_state:   params['RelayState'],
+      authn_request: authn_request.to_xml
+    }
+
+    if authn_request.invalid?
+      redirect_to send_response_path(request_id: request_id)
+    else
+      redirect_to sign_in_path(return_to: send_response_path(request_id: request_id))
+    end
+  end
+
+  def send_response
+    return head :not_found if session[:saml_request][:request_id] != params[:request_id]
+
+    authn_request = Saml::AuthnRequest.parse(session[:saml_request][:authn_request], single: true)
+
+    response = if authn_request.invalid?
+      build_failure(Saml::TopLevelCodes::REQUESTER, Saml::SubStatusCodes::REQUEST_DENIED)
+    elsif account_signed_in?
+      build_success_response
+    else
+      build_failure(Saml::TopLevelCodes::RESPONDER, Saml::SubStatusCodes::NO_AUTHN_CONTEXT)
+    end
+
+    if authn_request.protocol_binding == Saml::ProtocolBinding::HTTP_POST
+      # render an auto submit form with hidden fields set in the attributes hash
+      @attribute = Saml::Bindings::HTTPPost.create_form_attributes(response, relay_state: session[:saml_request][:relay_state])
+    else
+      # handle unsported binding
+    end
+  end
+
+  private
+
+  def build_failure(status_value, sub_status_value)
+    Saml::Response.new(in_response_to: session[:saml_request][:request_id], status_value: status_value, sub_status_value: sub_status_value)
+  end
+
+  def build_success_response(authn_request)
+    assertion = Saml::Assertion.new(
+      name_id:                 current_account.username, # Return anything that you can link to an account
+      name_id_format:          'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+      authn_context_class_ref: Saml::ClassRefs::PASSWORD_PROTECTED,
+      in_response_to:          authn_request._id,
+      recipient:               authn_request.assertion_url,
+      audience:                authn_request.issuer
+    }
+
+    # adding custom attributes
+    assertion.add_attribute('name', 'value')
+
+    Saml::Response.new(in_response_to: authn_request._id,
+                       assertion:      assertion,
+                       status_value:   Saml::TopLevelCodes::SUCCESS)
+  end
+end
 ```
 
 ## Contributing
 
 - Fork the project
 - Contribute your changes. Please make sure your changes are properly documented and covered by tests.
-- Send a pull request
+- Send a pull request

data/lib/saml/elements/requested_authn_context.rb

@@ -19,10 +19,18 @@ module Saml
 
       attribute :comparison, String, :tag => "Comparison"
 
-      element :authn_context_class_ref, String, :namespace => 'saml', :tag => "AuthnContextClassRef"
+      has_many :authn_context_class_refs, String, :namespace => "saml", :tag => "AuthnContextClassRef"
 
       validates :authn_context_class_ref, :presence => true, :inclusion => ALL_CLASS_REFS
       validates :comparison, :inclusion => ComparisonTypes::ALL
+
+      def authn_context_class_ref
+        authn_context_class_refs.first if authn_context_class_refs
+      end
+
+      def authn_context_class_ref=(ref)
+        self.authn_context_class_refs = [ref]
+      end
     end
   end
 end

data/lib/saml/version.rb

@@ -1,3 +1,3 @@
 module Saml
-  VERSION = "2.4.7"
+  VERSION = "2.5.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: libsaml
 version: !ruby/object:Gem::Version
-  version: 2.4.7
+  version: 2.5.0
 platform: ruby
 authors:
 - Benoist Claassen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-11-12 00:00:00.000000000 Z
+date: 2015-04-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -222,7 +222,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.6
 signing_key: 
 specification_version: 4
 summary: A gem to easily create SAML 2.0 messages.