okta_saml 0.0.5

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Jared Branum
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,67 @@
+# OktaSaml
+
+[Okta](http://www.okta.com) is an IDP (Identity Provider) that offers enterprise authentication solutions. Okta works by redirecting visitors to your application to a login page that is hosted by Okta. Upon successful authentication Okta sends a POST request with a SAML payload to a Post Back URL (configured by you at setup). The okta_saml gem helps Ruby on Rails applications communicate with Okta.
+
+It is an engine that adds the following features to your application
+
+1. A new helper: okta_authenticate!
+2. Routes
+
+    - /saml/init: Outbound to Okta
+    - /saml/consume: Handles the Okta POST response
+
+3. Session Management
+    - The okta_saml gem will create a signed cookie that expires in 120 minutes
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'okta_saml'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install okta_saml
+
+## Okta Configuration
+The following steps will help you integrate your Okta application with the okta_saml gem
+
+1. When creating your application on Okta use the Template SAML 2.0 App
+2. When specifying the Post Back URL use your hostname/saml/consume. For example http://www.yourdomain.com/saml/consume.  It is important that the Post Back URL is a publically accessible domain. For local development you can use a service such as forwardhq.com to make your localhost port publically accessible
+
+## Configuration
+
+1. The idp\_sso\_target\_url should be set to the Embed Link from Okta
+2. The idp\_cert\_fingerprint needs to be created.
+
+    a. Download the Public certificate from Okta. This can be found from within your application configuration, under the Sign On tab.
+
+    b. Click on the "SAML 2.0 setup instructions for Template SAML 2.0 App".
+
+    c. From that page download the Public certificate.
+
+    d. Run the following command replacing the okta.cert file with the path/name of the downloaded certificate.
+
+        openssl x509 -noout -fingerprint -in "okta.cert"
+
+    e. Copy everything after the "SHA1 Fingerprint=" into the 'okta\_saml.yml' file as the idp_cert_fingerprint
+
+## Usage
+
+The following steps are required when using the okta_saml gem
+
+1. Create an `okta_saml.yml` file in your application's config directory. A sample okta_saml.yml file has been included with this gem in the config directory with some configuration notes
+2. Add a `before_filter` using okta_authenticate! in the controllers where authentication is required
+
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,50 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'OktaSaml'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../test/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+
+
+Bundler::GemHelper.install_tasks
+
+Dir[File.join(File.dirname(__FILE__), 'tasks/**/*.rake')].each{|f| load f}
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+
+desc "Run all specs in spec directory (excluding plugin specs)"
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec
+
+namespace :gem do
+  task :build do
+    output = IO.popen("gem build okta_saml.gemspec")
+    a = output.readlines
+    a.keep_if{|line| line =~ /File:/}
+    a[0].match(/File:/)
+    filename = $'.strip
+    # puts `echo #{filename}`
+    puts `gem inabox #{filename}`
+  end
+end

data/app/controllers/saml_controller.rb

@@ -0,0 +1,31 @@
+class SamlController < ApplicationController
+  include OktaSaml::SessionHelper, OktaApplicationHelper
+
+  skip_before_filter :okta_authenticate!, :okta_logout
+
+  def init
+    redirect_to(idp_login_request_url(request))
+  end
+
+  def consume
+    response = idp_response(params)
+    response.settings = saml_settings(request)
+    if response.is_valid?
+      sign_in(OktaUser.new({:email => response.name_id}))
+      redirect_to redirect_url
+    else
+      render :text => "Failure"
+    end
+  end
+
+  private
+
+  def redirect_url
+    session[:redirect_url]
+  end
+
+  # Rails override to handle unverified post requests from Okta
+  def handle_unverified_request
+  end
+
+end

data/app/helpers/okta_application_helper.rb

@@ -0,0 +1,26 @@
+module OktaApplicationHelper
+
+  def idp_response(params)
+    Onelogin::Saml::Response.new(params[:SAMLResponse])
+  end
+
+  def saml_settings(request)
+    settings = Onelogin::Saml::Settings.new
+
+    settings.assertion_consumer_service_url = saml_consume_url(host: request.host)
+    settings.issuer                         = "http://#{request.port == 80 ? request.host : request.host_with_port}"
+    settings.idp_sso_target_url             = SAML_SETTINGS[:idp_sso_target_url]
+    settings.idp_cert_fingerprint           = SAML_SETTINGS[:idp_cert_fingerprint]
+    settings.name_identifier_format         = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
+    # Optional for most SAML IdPs
+    settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+
+    settings
+  end
+
+  def idp_login_request_url(request)
+    idp_request = Onelogin::Saml::Authrequest.new
+    idp_request.create(saml_settings(request))
+  end
+
+end

data/app/models/okta_user.rb

@@ -0,0 +1,21 @@
+class OktaUser
+  attr_accessor :email
+
+  def initialize(params)
+    populate(params)
+  end
+
+  def populate(params)
+    params.each do |k, v|
+      self.send("#{k}=".to_sym, v)
+    end
+  rescue NoMethodError => error
+    p error
+  end
+
+  def self.retrieve_from_cookie(remember_token)
+    return OktaUser.new(:email => remember_token) unless remember_token.blank?
+    return nil
+  end
+
+end

data/config/okta_saml.sample.yml

@@ -0,0 +1,9 @@
+# Copy this file to the Config directory of your application.  Do not put your copy here, put it in your application
+
+development:
+  idp_sso_target_url:  http://www.example.com
+  idp_cert_fingerprint: This is created from your certificate.  See the Readme for the command
+
+test:
+  idp_sso_target_url: http://www.example.com
+  idp_cert_fingerprint: C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83

data/config/routes.rb

@@ -0,0 +1,4 @@
+Rails.application.routes.draw do
+  get '/saml/init' => 'saml#init'
+  match '/saml/consume' => 'saml#consume'
+end

data/lib/generators/okta_saml_generator.rb

@@ -0,0 +1,11 @@
+require 'rails/generators'
+
+class OktaSamlGenerator < Rails::Generators::Base
+  def self.source_root
+    File.join(File.dirname(__FILE__), 'templates')
+  end
+
+  def generate_config_file
+    copy_file 'okta_saml.yml', 'config/okta_saml.yml'
+  end
+end

data/lib/okta_saml.rb

@@ -0,0 +1,8 @@
+require "okta_saml/version"
+require "okta_saml/session_helper"
+
+module OktaSaml
+  if defined?(Rails) && Rails::VERSION::MAJOR == 3
+    require "okta_saml/engine"
+  end
+end

data/lib/okta_saml/constants.rb

@@ -0,0 +1,11 @@
+if defined?(Rails)
+  saml = begin
+    YAML::load_file(Rails.root.join("config/okta_saml.yml").to_s)
+  rescue Errno::ENOENT
+    p "Missing okta_saml.yml file in Rails.root/config"
+  end
+  SAML_SETTINGS = {
+    :idp_sso_target_url => saml[Rails.env]['idp_sso_target_url'],
+    :idp_cert_fingerprint => saml[Rails.env]['idp_cert_fingerprint']
+  }
+end

data/lib/okta_saml/engine.rb

@@ -0,0 +1,33 @@
+require 'rubygems'
+require 'ruby-saml'
+require_relative 'session_helper'
+
+class ActionController::Base
+  include OktaSaml::SessionHelper
+
+  def okta_authenticate!
+    session[:redirect_url] = params[:app_referer] || "#{request.protocol}#{request.host_with_port}#{request.fullpath}"
+    redirect_to saml_init_path unless signed_in?
+  end
+
+  def okta_logout
+    redirect_to saml_logout_path
+  end
+
+end
+
+module OktaSaml
+  class Engine < Rails::Engine
+    def initialize
+      require "okta_saml/constants"
+      Rails.application.config.session_store :active_record_store, :key => '_my_key', :domain=> :all
+      add_engine_helpers
+    end
+
+    def add_engine_helpers
+      ActiveSupport.on_load :action_controller do
+        helper OktaSaml::SessionHelper
+      end
+    end
+  end
+end

data/lib/okta_saml/session_helper.rb

@@ -0,0 +1,42 @@
+module OktaSaml
+  module SessionHelper
+    def sign_in(user)
+      cookies.signed[:remember_token] = {
+        :value => user.email,
+        :expires => 120.minutes.from_now
+      }
+      current_user = user
+    end
+
+    def signed_in?
+      !current_user.nil?
+    end
+
+    def current_user=(user)
+      @current_user = user
+    end
+
+    def current_user
+      @current_user ||= user_from_remember_token
+    end
+    alias_method :okta_user, :current_user
+
+    def destroy
+      sign_out
+    end
+
+    def sign_out
+      cookies.delete(:remember_token)
+      current_user = nil
+    end
+
+    private
+      def user_from_remember_token
+        OktaUser.retrieve_from_cookie(remember_token)
+      end
+
+      def remember_token
+        cookies.signed[:remember_token]
+      end
+  end
+end

data/lib/okta_saml/version.rb

@@ -0,0 +1,3 @@
+module OktaSaml
+  VERSION = "0.0.5"
+end

metadata

@@ -0,0 +1,137 @@
+--- !ruby/object:Gem::Specification
+name: okta_saml
+version: !ruby/object:Gem::Version
+  version: 0.0.5
+  prerelease: 
+platform: ruby
+authors:
+- Michael Hoitomt
+- Jared Branum
+- Ed Leung
+- Luke Fender
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-05-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.2.13
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.2.13
+- !ruby/object:Gem::Dependency
+  name: ruby-saml
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.7.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.7.2
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: geminabox
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: The okta_saml gem helps Ruby on Rails applications communicate with Okta
+email:
+- mhoitomt@primedia.com
+- jbranum@primedia.com
+- eleung@primedia.com
+- lfender@primedia.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- app/controllers/saml_controller.rb
+- app/helpers/okta_application_helper.rb
+- app/models/okta_user.rb
+- config/okta_saml.sample.yml
+- config/routes.rb
+- lib/generators/okta_saml_generator.rb
+- lib/okta_saml/constants.rb
+- lib/okta_saml/engine.rb
+- lib/okta_saml/session_helper.rb
+- lib/okta_saml/version.rb
+- lib/okta_saml.rb
+- LICENSE.txt
+- Rakefile
+- README.md
+homepage: https://github.com/primedia/okta_saml
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: -2666229237328805024
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: -2666229237328805024
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.25
+signing_key: 
+specification_version: 3
+summary: The okta_saml gem helps Ruby on Rails applications communicate with Okta.
+  The gem properly contstructs the request to Okta and handles the response back from
+  Okta.
+test_files: []