ndr_authenticate 0.3.5

data/app/controllers/ndr_authenticate/authentication_controller.rb

@@ -0,0 +1,27 @@
+require_relative 'application_controller'
+require 'ndr_authenticate/connector'
+
+module NdrAuthenticate
+  class AuthenticationController < ApplicationController
+    # To check if user is active on AD
+    def check_active
+      email = params[:user_mail]
+      @status = ''
+      flash.clear
+      if email.present?
+        if email.match?(/\b[A-Z0-9._%a-z\-]+@phe\.gov\.uk\z/)
+          begin
+            conn = NdrAuthenticate::Connector.new
+            status = conn.search_for(params[:user_mail])
+            @status = status ? 'Active' : 'Inactive'
+          rescue => e
+            flash[:error] = e.message
+          end
+        else
+          flash[:error] = 'Please provide PHE email address only'
+        end
+      end
+      render :check_active
+    end
+  end
+end

data/app/controllers/ndr_authenticate/saml_sessions_controller.rb

@@ -0,0 +1,46 @@
+module NdrAuthenticate
+  # Manages SAML sessions.
+  class SamlSessionsController < Devise::SamlSessionsController
+    include Authenticatable
+
+    before_action :redirect_unless_sso_enabled, only: %i[new create]
+
+    def new
+      super
+    end
+
+    def create
+      super
+    end
+
+    # Capture NameID and SessionIndex values needed for the SLO request before terminating the
+    # local user session.
+    def destroy
+      @sessionindex = current_user.try(Devise.saml_session_index_key)
+      @nameid       = current_user.try(Devise.saml_default_user_key)
+
+      super
+    end
+
+    private
+
+    def redirect_unless_sso_enabled
+      redirect_to new_user_session_path unless sso_enabled?
+    end
+
+    # Ensure that the SAML logout request contains the correct NameID and SessionIndex values.
+    # DeviseSamlAuthenticatable doesn't appear to do this by default.
+    def after_sign_out_path_for(*)
+      idp_entity_id = get_idp_entity_id(params)
+      settings      = saml_config(idp_entity_id)
+
+      logout_request = OneLogin::RubySaml::Logoutrequest.new
+      logout_request.create(
+        settings.clone.tap do |request_settings|
+          request_settings.sessionindex           = @sessionindex
+          request_settings.name_identifier_value  = @nameid
+        end
+      )
+    end
+  end
+end

data/app/controllers/ndr_authenticate/sessions_controller.rb

@@ -0,0 +1,22 @@
+module NdrAuthenticate
+  # Handles user sessions.
+  class SessionsController < Devise::SessionsController
+    include Authenticatable
+
+    before_action :redirect_if_sso_enabled, only: %i[new create]
+
+    def new
+      super
+    end
+
+    def create
+      super
+    end
+
+    private
+
+    def redirect_if_sso_enabled
+      redirect_to new_saml_user_session_path if sso_enabled?
+    end
+  end
+end

data/app/helpers/ndr_authenticate/application_helper.rb

@@ -0,0 +1,22 @@
+module NdrAuthenticate
+  # NdrAuthenticate view helpers.
+  module ApplicationHelper
+    def sign_in_link(text = 'Sign In', **options)
+      return if user_signed_in?
+
+      link_to text, ndr_authenticate.new_user_session_path, options
+    end
+
+    def sign_out_link(text = 'Sign Out', **options)
+      return unless user_signed_in?
+
+      path = if user_authenticated_with?(:saml_authenticatable)
+               ndr_authenticate.destroy_saml_user_session_path
+             else
+               ndr_authenticate.destroy_user_session_path
+             end
+
+      link_to text, path, options.merge(method: :delete)
+    end
+  end
+end

data/app/helpers/ndr_authenticate/authentication_helper.rb

@@ -0,0 +1,4 @@
+module NdrAuthenticate
+  module AuthenticationHelper
+  end
+end

data/app/jobs/ndr_authenticate/application_job.rb

@@ -0,0 +1,4 @@
+module NdrAuthenticate
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/mailers/ndr_authenticate/application_mailer.rb

@@ -0,0 +1,6 @@
+module NdrAuthenticate
+  class ApplicationMailer < ActionMailer::Base
+    default from: 'from@example.com'
+    layout 'mailer'
+  end
+end

data/app/models/ndr_authenticate/application_record.rb

@@ -0,0 +1,5 @@
+module NdrAuthenticate
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/views/devise/passwords/edit.html.erb

@@ -0,0 +1,23 @@
+<h3>Reset your password</h3>
+
+<div class="well">
+  <%= bootstrap_form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :put }, horizontal: 4) do |f| %>
+    <%= f.hidden_field :reset_password_token %>
+
+    <%= f.control_group :password, 'New password', {}, { class: 'col-md-4' } do %>
+      <%= f.password_field :password, autofocus: true, autocomplete: 'off', :'data-suggestible' => true %>
+    <% end %>
+
+    <%= f.control_group :password_confirmation, 'Confirm new password', {}, { class: 'col-md-4' } do %>
+      <%= f.password_field :password_confirmation, autocomplete: 'off', :'data-suggestible' => true %>
+    <% end %>
+
+    <%= f.control_group nil, nil, {}, { class: 'col-md-4' } do %>
+      <%= f.submit 'Change my password', class: 'btn btn-primary btn-block' %>
+
+      <div style="text-align:center;margin-top:1em;">
+        <%= render "devise/shared/links" %>
+      </div>
+    <% end %>
+  <% end %>
+</div>

data/app/views/devise/passwords/new.html.erb

@@ -0,0 +1,18 @@
+<h3>Forgot your password?</h3>
+
+<div class="well">
+  <%= bootstrap_form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :post }, horizontal: 4) do |f| %>
+
+    <%= f.control_group :email, nil, {}, { class: 'col-md-4' } do %>
+      <%= f.text_field :email, autofocus: true %>
+    <% end %>
+
+    <%= f.control_group nil, nil, {}, { class: 'col-md-4' } do %>
+      <%= f.submit 'Send me reset password instructions', class: 'btn btn-primary btn-block' %>
+
+      <div style="text-align:center;margin-top:1em;">
+        <%= render "devise/shared/links" %>
+      </div>
+    <% end %>
+  <% end %>
+</div>

data/app/views/devise/sessions/new.html.erb

@@ -0,0 +1,21 @@
+<%= render 'ndr_authenticate/shared/legal_notice' %>
+
+<div class="well">
+  <%= bootstrap_form_for(resource, as: resource_name, url: session_path(resource_name), horizontal: 4) do |f| %>
+    <%= f.control_group :email, nil, {}, { class: 'col-md-4' } do %>
+      <%= f.text_field :email %>
+    <% end %>
+
+    <%= f.control_group :password, nil, {}, { class: 'col-md-4' } do %>
+      <%= f.password_field :password, autocomplete: 'off' %>
+    <% end %>
+
+    <%= f.control_group nil, nil, {}, { class: 'col-md-4' } do %>
+      <%= f.submit 'Log in', class: 'btn btn-primary btn-block' %>
+
+      <div style="text-align:center;margin-top:1em;">
+        <%= render "devise/shared/links" %>
+      </div>
+    <% end %>
+  <% end %>
+</div>

data/app/views/devise/shared/_error_messages.html.erb

@@ -0,0 +1,15 @@
+<% if resource.errors.any? %>
+  <div id="error_explanation">
+    <h2>
+      <%= I18n.t("errors.messages.not_saved",
+                 count: resource.errors.count,
+                 resource: resource.class.model_name.human.downcase)
+       %>
+    </h2>
+    <ul>
+      <% resource.errors.full_messages.each do |message| %>
+        <li><%= message %></li>
+      <% end %>
+    </ul>
+  </div>
+<% end %>

data/app/views/devise/shared/_links.html.erb

@@ -0,0 +1,25 @@
+<%- if controller_name != 'sessions' %>
+  <%= link_to "Log in", new_session_path(resource_name) %><br />
+<% end %>
+
+<%- if devise_mapping.registerable? && controller_name != 'registrations' %>
+  <%= link_to "Sign up", new_registration_path(resource_name) %><br />
+<% end %>
+
+<%- if devise_mapping.recoverable? && controller_name != 'passwords' && controller_name != 'registrations' %>
+  <%= link_to "Forgot your password?", new_password_path(resource_name) %><br />
+<% end %>
+
+<%- if devise_mapping.confirmable? && controller_name != 'confirmations' %>
+  <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name) %><br />
+<% end %>
+
+<%- if devise_mapping.lockable? && resource_class.unlock_strategy_enabled?(:email) && controller_name != 'unlocks' %>
+  <%= link_to "Didn't receive unlock instructions?", new_unlock_path(resource_name) %><br />
+<% end %>
+
+<%- if devise_mapping.omniauthable? %>
+  <%- resource_class.omniauth_providers.each do |provider| %>
+    <%= link_to "Sign in with #{OmniAuth::Utils.camelize(provider)}", omniauth_authorize_path(resource_name, provider) %><br />
+  <% end %>
+<% end %>

data/app/views/layouts/ndr_authenticate/ndr_authenticate.html.erb

@@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>NdrAuthenticate</title>
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+
+  <%= stylesheet_link_tag    "ndr_authenticate/ndr_authenticate", media: "all" %>
+  <%= javascript_include_tag "ndr_authenticate/ndr_authenticate" %>
+</head>
+<body class="bootstrap">
+
+	<div class="navbar navbar-default navbar-fixed-top" role="navigation">
+	  <div class="container-fluid">
+	    <!-- Brand and toggle get grouped for better mobile display -->
+	    <div class="navbar-header">
+	      <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
+	        <span class="sr-only">Toggle navigation</span>
+	        <span class="icon-bar"></span>
+	        <span class="icon-bar"></span>
+	        <span class="icon-bar"></span>
+	      </button>
+
+	      <%= link_to t('system.name', default: '&#171; Back to App'.html_safe), '/', class: "navbar-brand" %>
+	    </div>
+      <ul class="nav navbar-nav navbar-right">
+        <li><p class="navbar-text">NDR Authentication</p></li>
+	  </div>
+	</div>
+
+
+
+<div class="container">
+<!-- An empty div  -->
+	<div>
+		<p>&nbsp;</p>
+		<p>&nbsp;</p>
+	</div>
+  <div>
+    <%= render 'shared/flash_messages' %>
+  </div>
+
+  <%= yield %>
+</div>
+
+</body>
+</html>

data/app/views/ndr_authenticate/authentication/check_active.html.erb

@@ -0,0 +1,30 @@
+<h3>
+  Active directory user search
+</h3>
+
+<%= form_tag({ action: 'check_active' }, class: 'form form-horizontal') do %>
+  <div class="form-group">
+    <%= label_tag 'User PHE e-mail address', nil ,class: 'control-label col-md-3' %>
+    <div class="col-md-3">
+      <%= text_field_tag(:user_mail, params[:user_mail], class: 'form-control', placeholder: 'xxx@phe.gov.uk') %>
+    </div>
+  </div>
+  <%= button_control_group do %>
+    <%= submit_tag 'Search', 'data-disable-with': 'Searching...' , class: 'btn btn-primary bob'%>
+  <% end %>
+<% end %>
+
+<% unless @status.empty? %>
+  <table class="table table-hover">
+    <tr>
+      <th colspan="2">
+        Status in Active Directory
+      <th>
+    </tr>
+    <tr>
+      <td class='info' colspan='2'>
+         <%= @status %>
+      </td>
+    </tr>
+  <table>
+<%end%>

data/app/views/ndr_authenticate/shared/_legal_notice.html.erb

@@ -0,0 +1,13 @@
+<%= bootstrap_alert_tag(:info, dismissible: false) do %>
+  <strong>Legal Notice</strong>
+  This system is a restricted access system; only personnel authorised by
+  <%= t :organisation_abbreviation, scope: :system, default: 'PHE' %> may access this system.
+  Unauthorised access is prohibited and is contrary to the
+  <%= link_to 'Computer Misuse Act 1990', 'http://www.legislation.gov.uk/ukpga/1990/18/contents', :target => :new, :class => 'alert-link' %>,
+  which may result in criminal offences and a claim for damages.
+  All activity on this system is subject to monitoring.
+  If information collected reveals possible criminal activity or
+  activity that exceeds privileges, evidence of such activity may
+  be provided to the relevant authorities for further action.
+  <strong>By continuing past this point you expressly consent to this monitoring.</strong>
+<% end %>

data/app/views/ndr_authenticate/yubikey/protectable/_form.html.erb

@@ -0,0 +1,44 @@
+<%
+  url        = url_for(controller: params[:controller], action: params[:action])
+  method     = params[:_method] || request.method
+  relay      = params.dig(:ndr_authenticate, :relay) || Base64.urlsafe_encode64(
+    params.except(:authenticity_token).to_json
+  )
+  i18n_scope = %i[ndr_authenticate yubikey protectable challenge]
+%>
+
+<% content_for :header do %>
+  <div class="text-center">
+    <h4>
+      <span class="glyphicon glyphicon-lock"></span>
+      <strong><%= t(:title, scope: i18n_scope) %></strong>
+    </h4>
+  </div>
+<% end %>
+
+<% content_for :body do %>
+  <% if params.dig(:ndr_authenticate, :otp) %>
+    <%= bootstrap_alert_tag(:danger, t(:invalid_otp, scope: i18n_scope)) %>
+  <% end %>
+
+  <div class="text-center">
+    <p class="lead"><%= t(:lead, scope: i18n_scope) %></p>
+    <p><%= t(:instructions, scope: i18n_scope) %></p>
+    <br />
+  </div>
+
+  <%= bootstrap_form_with(url: url, scope: :ndr_authenticate, method: method, local: local) do |form| %>
+    <%= form.hidden_field(:relay, value: relay) %>
+
+    <%= form.control_group nil do %>
+      <%= form.password_field(:otp, autofocus: true) %>
+    <% end %>
+
+    <br />
+    <div class="text-center">
+      <%= form.submit 'Submit', class: 'btn btn-primary' %>
+    </div>
+  <% end %>
+<% end %>
+
+<%= render(layout: layout) {} %>

data/app/views/ndr_authenticate/yubikey/protectable/_modal.html.erb

@@ -0,0 +1,10 @@
+<div class="modal" id="yubikey-challenge" tabindex="-1" role="dialog">
+  <div class="modal-dialog" role="document">
+    <div class="modal-content">
+    <%#= bootstrap_modal_dialog_tag id: 'yubikey-challenge' do %>
+      <%= bootstrap_modal_header_tag yield(:header), dismissible: true %>
+      <%= bootstrap_modal_body_tag yield(:body) %>
+    <%# end %>
+    </div>
+  </div>
+</div>

data/app/views/ndr_authenticate/yubikey/protectable/_panel.html.erb

@@ -0,0 +1,13 @@
+<% if defined?(bootstrap_panel_tag) %><%# Old bootstrap 3 codepath %>
+<%= bootstrap_panel_tag yield(:header), id: 'yubikey-challenge', style: 'margin-top: 50px;' do %>
+  <%= bootstrap_panel_body_tag do %>
+    <%= yield(:body) %>
+  <% end %>
+<% end %>
+<% else %><%# New bootstrap 5 codepath %>
+<%= bootstrap_card_tag yield(:header), nil, id: 'yubikey-challenge', style: 'margin-top: 50px;' do %>
+  <%= bootstrap_card_body_tag do %>
+    <%= yield(:body) %>
+  <% end %>
+<% end %>
+<% end %>

data/app/views/ndr_authenticate/yubikey/protectable/challenge.html.erb

@@ -0,0 +1,9 @@
+<%
+  path = 'ndr_authenticate/yubikey/protectable'
+%>
+
+<div class="row">
+  <div class="col-sm-6 col-sm-offset-3">
+    <%= render "#{path}/form", layout: "#{path}/panel", local: true %>
+  </div>
+</div>

data/app/views/ndr_authenticate/yubikey/protectable/challenge.js.erb

@@ -0,0 +1,41 @@
+<%
+  # TODO: This could/should be packaged up as a Stimulus controller.
+  path  = 'ndr_authenticate/yubikey/protectable'
+  form  = render "#{path}/form", layout: "#{path}/modal", local: false
+  alert = bootstrap_alert_tag(:danger, t('ndr_authenticate.yubikey.protectable.challenge.invalid_otp'))
+%>
+
+var form      = '<%= j(form) %>';
+var challenge = '#yubikey-challenge';
+var input     = 'input[name="ndr_authenticate[otp]"';
+
+// New challenge form; add it to the DOM and set up some event listeners...
+if($(challenge).length == 0) {
+  $('body').append(form);
+
+  // Remove the challenge form once it's served it's purpose (or user backs out); we'll replace it
+  // wholesale the next time it's needed.
+  $(challenge).on('hidden.bs.modal', function() {
+    $(challenge).remove();
+  });
+
+  // Seems like Rails UJS doesn't allow these events to bubble?
+  $('form', challenge).on('ajax:complete', function onChallenge(event) {
+    var xhr = (arguments.length == 1 ? event.detail[0] : arguments[1]);
+
+    // If the response has the `yubikey-required` header then a bad OTP must have been submitted
+    // and we should clear form and provide some user feedback...
+    if(xhr.getResponseHeader('yubikey-required')) {
+      if($('.modal-body .alert', challenge).length == 0)
+        $('.modal-body', challenge).prepend('<%= j(alert) %>');
+
+      $(input).val(null);
+    } else {
+      // Successful challenge; close (and trigger removal of) the modal form.
+      $(challenge).modal('hide');
+    }
+  });
+};
+
+$(challenge).modal('show');
+$(input).focus();

data/app/views/shared/_flash_messages.html.erb

@@ -0,0 +1,17 @@
+<div>
+  <% if flash[:notice].present? %>
+    <%= bootstrap_alert_tag(:info, safe_join(Array(flash[:notice]), tag(:br))) %>
+  <% end %>
+
+  <% if flash[:error].present? %>
+    <%= bootstrap_alert_tag(:danger, safe_join(Array(flash[:error]), tag(:br))) %>
+  <% end %>
+
+  <% if flash[:alert].present? %>
+    <%= bootstrap_alert_tag(:danger, safe_join(Array(flash[:alert]), tag(:br))) %>
+  <% end %>
+
+  <% if flash[:warning].present? %>
+    <%= bootstrap_alert_tag(:warning, safe_join(Array(flash[:alert]), tag(:br))) %>
+  <% end %>
+</div>

data/config/certificates/saml/certificate.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDvjCCAqYCCQCR3CjZjsYCszANBgkqhkiG9w0BAQsFADCBoDELMAkGA1UEBhMC
+R0IxDjAMBgNVBAgMBUNhbWJzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoM
+A1BIRTEMMAoGA1UECwwDTkRSMSYwJAYDVQQDDB1ORFIgQXV0aGVudGljYXRlIFNB
+TUwgU2lnbmluZzEpMCcGCSqGSIb3DQEJARYaYWRtaW5pc3RyYXRvckBlY3JpYy5u
+aHMudWswHhcNMjAwOTA5MDkyNTEzWhcNMzAwOTA3MDkyNTEzWjCBoDELMAkGA1UE
+BhMCR0IxDjAMBgNVBAgMBUNhbWJzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNV
+BAoMA1BIRTEMMAoGA1UECwwDTkRSMSYwJAYDVQQDDB1ORFIgQXV0aGVudGljYXRl
+IFNBTUwgU2lnbmluZzEpMCcGCSqGSIb3DQEJARYaYWRtaW5pc3RyYXRvckBlY3Jp
+Yy5uaHMudWswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXJyFcZER7
+NjBJA93YYdZK3Ck4Yca9td1e++wysP7mpAIKC6wwkcmkkpKQgLvmxIwFhrswpRLm
+HBhex0q3xE1GWOqHO3Ve8c6yki4PxbkLHWhHhaCrrvFAZt0mS5fReezNjAElfVZv
+ZmreH/GqQ4HH7ZR66OkCK3EqlMHSfICDKpjrHswP4GjeXvxf859+r6OC0W+PEnfm
+sxmRdpyX+XKuf13DZ3zZfEaEPwb1Kg74YtaE/d0WdeZGH/d42O4cWGlyCL6xAoE7
+AOHi96ytTqvd6QDcQpUOwQKG4iytehHFtkPZTMD2HL6GUmce6mbQDWyR8/7sI1tg
+Opn+B5/+WpndAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHv8y6VayX7AW473mhso
+jFHh/PQxcj3iLXIT2xC96tfUiz93RQw1ekdSQqcdRD9sRPx6V+RB8rhCBr3TtUXz
+iyVFXWWtIdVRR4I3iLaw1SQXKhYaWZvaD5fZVl38aqBPzXiF0wdPm138BBo1PjDL
+u8JOh1ArbTsJk7wkmweRsl2NmoBhFGxpvRvN0QqlMsHJIKHw4R7k7i16ETQfLkJo
+WYDj5kGylb8V2aQTf7peZy81VdfQnc2z+/9SvsHQjwDUmjZK8iqirrPgtbxQF/3h
+vO7EkLIbEitDdkvBD5RecEqqpyCR8Z1oTGvQPM28644yMVop3MjSlvwWb06uxlcY
+Vzk=
+-----END CERTIFICATE-----

data/config/certificates/saml/encryption.phe.adfs.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3DCCAcSgAwIBAgIQKl6Cdeu33JVEhYdcQiJWxzANBgkqhkiG9w0BAQsFADAq
+MSgwJgYDVQQDEx9BREZTIEVuY3J5cHRpb24gLSBmcy5waGUuZ292LnVrMB4XDTIw
+MDYyMTIzMjA1NVoXDTIxMDYyMTIzMjA1NVowKjEoMCYGA1UEAxMfQURGUyBFbmNy
+eXB0aW9uIC0gZnMucGhlLmdvdi51azCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAKumzkThSDUSzBMUPqM7hqk7nHKwZf9fsUBhYI+b7kKbjC6+bJFEIPBX
+RKZPkDKb9oCCoFAogZIcxE/RLLAmK4ZC7sfFNd9SYp89bLAoL3sKFM9HEpMYFDKz
+isFH83btch1vXygovL8XdzmIyv7C+jNwviU5bpUDeA+BlNBl0OFb7792HY+dBoGX
+OsoUMsNRrk8n1dj1CnOJp3PvnYgv9YeeF2bN/R/KUn3ejdNdCCfAatpB+8kN2MHq
+vRJXaeJowubf8IUy59iTEP+R4+8r65cjsizTqxyo75GRlLJxDHa8vOjluHvveR0x
+EAbi1G6AFuI2vw6WXtlntca/toEZjSsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
+d8BEGKqsg5OcMio3UJZo/CTJjtGBd6thCuAFPGrfno4Et206GqB7MzThzuvI10Vc
+eEx/QLIP9WiVflg8Cq7tZWM8t10gRLW2VeZ/wIqtaoVeHGSRKOJwOPg0ENhHZLod
+AQsIo659STd6BNypNT3p387aNS2vER/mqJC/OgDiqLtSGGcYJQRb6RmWymTo7GM0
+NLwaW/CE3VReiifBKt9s26bs3tinhOMsd2f1r5iamJP0p/bp3dJ/aerkZDgWNaGp
+QYoPT2ywkqa2kSqg3K7McFMbdtC8LdvyOECwbCKUeSIzaCFSx/KaUY7PWGtVDSnf
+S8/WUIRuSH8QoDY5KxxoMw==
+-----END CERTIFICATE-----

data/config/certificates/saml/signing.phe.adfs.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC1jCCAb6gAwIBAgIQJURsk+h0Fo5A+bf3mxtwNDANBgkqhkiG9w0BAQsFADAn
+MSUwIwYDVQQDExxBREZTIFNpZ25pbmcgLSBmcy5waGUuZ292LnVrMB4XDTIwMDYy
+MTIzMjA1N1oXDTIxMDYyMTIzMjA1N1owJzElMCMGA1UEAxMcQURGUyBTaWduaW5n
+IC0gZnMucGhlLmdvdi51azCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AL/DhLdxZobVXZQI858Fo1K1so1StuaygMbqIu3IaMHnpNEN3lXFaUFjJeo17k0B
+V3A6E7A7O/h7Tu//sCUc6tN66+jAOXwB/yVgaMW/DFou01EJMWlBZqzBKkz5nSWJ
+kNlR6f2XB/NoGKyULFbWAt5I8onkjCuawsDP/FameDasMMmpBPKoFqNrHmdcJGAw
+K1JLxdo/Oc6HOImrWgexBiH6xV0KrXf4OE5JrqUC44H5BDM/bxnLQWca2plbVRtf
+yDnqAJ2KmaXZjIYQScRMK1/UocqYmUvPIvCy9gdCQ++4kLbJUtrvxNg8RUEHD9oO
+7RY7mMnmfTyWc78J1CD6lHUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAp1MngXjt
+IRnSqVHoSnzRcQwZ+wxzP/Apgr0yjkno2/0JXDxZWkksIxU5UoBOdZDde0/vl+vS
+VoZmUzv/SPtrdNNJE86TJ6cYbj+VfF6LLhyzr2OAzmgqa2qkDktvTMO5RyksPFXY
+Vx89rkh39SHzi5i5ZNFeOLRBJlyP3rT+aWmX1WgHXdM/OCnqLO7v4NicTsV1woys
+fBN95lmIxM6Mom5WuVNs/LSSASATcyXsfsMtAyNWFB58r+L9vp7QuMSQw3KPGLtX
+Jo+1YldmQNZamd5GAM2NOHNFUKGk473qA8ZYr5wVZX/E5rBU8TNZcYVAob8vbOXJ
+Dm+MNclHHtFmkA==
+-----END CERTIFICATE-----
+

data/config/initializers/devise.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+# Use this hook to configure devise mailer, warden hooks and so forth.
+# Many of these configuration options can be set straight in your model.
+Devise.setup do |config|
+  # ==> Controller configuration
+  # Configure the parent class to the devise controllers.
+  # config.parent_controller = 'DeviseController'
+  config.parent_controller = 'NdrAuthenticate::ApplicationController'
+
+  # ==> Mountable engine configurations
+  # When using Devise inside an engine, let's call it `MyEngine`, and this engine
+  # is mountable, there are some extra configurations to be taken into account.
+  # The following options are available, assuming the engine is mounted as:
+  #
+  #     mount MyEngine, at: '/my_engine'
+  #
+  # The router that invoked `devise_for`, in the example above, would be:
+  # config.router_name = :my_engine
+  config.router_name = :ndr_authenticate
+
+  # ==> Configuration for :saml_authenticatable
+
+  # Create user if the user does not exist. (Default is false)
+  config.saml_create_user = true
+
+  # Update the attributes of the user after a successful login. (Default is false)
+  config.saml_update_user = true
+
+  # Set the default user key. The user will be looked up by this key. Make
+  # sure that the Authentication Response includes the attribute.
+  config.saml_default_user_key = :email
+
+  # Optional. This stores the session index defined by the IDP during login.  If provided it will
+  # be used as a salt for the user's session to facilitate an IDP initiated logout request.
+  config.saml_session_index_key = :session_index
+end

data/config/locales/en.yml

@@ -0,0 +1,15 @@
+en:
+  ndr_authenticate:
+    yubikey:
+      protectable:
+        challenge:
+          title: Authentication Required
+          lead: The action you are trying to perform requires YubiKey authentication.
+          instructions: >
+            Press your YubiKey’s gold contact to insert a one-time password into the field below
+            and then click "Submit" to continue.
+          invalid_otp: Invalid one-time password
+  devise:
+    failure:
+      user:
+        second_factor_failure: There is a problem with your yubikey.

data/config/routes.rb

@@ -0,0 +1,24 @@
+NdrAuthenticate::Engine.routes.draw do
+  get  'check_active', to: 'authentication#check_active'
+  post 'check_active', to: 'authentication#check_active'
+
+  if NdrAuthenticate.sso_enabled_ever?
+    devise_for :users, class_name: NdrAuthenticate.user_class,
+                       module: :devise,
+                       skip: %i[sessions saml_authenticatable]
+
+    devise_scope :user do
+      get    :sign_in,  to: 'sessions#new',     as: :new_user_session
+      post   :sign_in,  to: 'sessions#create',  as: :user_session
+      delete :sign_out, to: 'sessions#destroy', as: :destroy_user_session
+
+      scope :saml, controller: :saml_sessions do
+        get    :metadata,       action: :metadata,      as: :saml_metadata
+        get    :sign_in,        action: :new,           as: :new_saml_user_session
+        post   :auth,           action: :create,        as: :saml_user_session
+        delete :sign_out,       action: :destroy,       as: :destroy_saml_user_session
+        match  '/idp_sign_out', action: :idp_sign_out,  as: :idp_destroy_saml_user_session, via: %i[get post delete]
+      end
+    end
+  end
+end

data/lib/generators/ndr_authenticate/install/USAGE

@@ -0,0 +1,10 @@
+Description:
+  Creates boilerplate configuration for NdrAuthenticate.
+
+Example:
+    rails generate ndr_authenticate:install
+
+    This will create:
+        config/initializers/ndr_authenticate.rb
+        config/initializers/saml_authenticatable.rb
+        config/attribute-map.yml