omniauth-mpassid 0.3.2 → 0.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +1 -1
- data/lib/omniauth/strategies/mpassid.rb +40 -81
- data/lib/omniauth-mpassid/version.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 568537fcfc8b851bce49732d5f2ce6dac99cf0b3e8bcd55998f3e852dc7e0039
|
|
4
|
+
data.tar.gz: 53e4061a25662610162a00fad3589422457477b6404620d60b02f28340de1f7b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 32d0f6a89ef0c21992bd1c2da5ea6e2dff25cb756dfad491c18892c8770e5fc279ac53ce12b94623f0e28addc218abe6b98ff2a32209cacfc14d19b48636aa22
|
|
7
|
+
data.tar.gz: 5a45f519cdf497d900a9df55dda573e4221c33be1df2e2f624240d10952cde76bf4bfb137c32142a0d35c24ae18d727cec0f738b9f32b86bfe8dec9a293aacff
|
data/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# OmniAuth MPASSid (SAML 2.0)
|
|
2
2
|
|
|
3
|
-
[](https://github.com/mainio/omniauth-mpassid/actions)
|
|
4
4
|
[](https://codecov.io/gh/mainio/omniauth-mpassid)
|
|
5
5
|
|
|
6
6
|
This is an unofficial OmniAuth strategy for authenticating with the MPASSid
|
|
@@ -10,12 +10,6 @@ module OmniAuth
|
|
|
10
10
|
# :test - MPASSid test environment
|
|
11
11
|
option :mode, :production
|
|
12
12
|
|
|
13
|
-
# The certificate file to define the certificate.
|
|
14
|
-
option :certificate_file, nil
|
|
15
|
-
|
|
16
|
-
# The private key file to define the private key.
|
|
17
|
-
option :private_key_file, nil
|
|
18
|
-
|
|
19
13
|
# Defines the lang parameters to check from the request phase request
|
|
20
14
|
# parameters. A valid language will be added to the IdP sign in redirect
|
|
21
15
|
# URL as the last parameter (with the name `lang` as expected by
|
|
@@ -45,15 +39,13 @@ module OmniAuth
|
|
|
45
39
|
# (single value)
|
|
46
40
|
{
|
|
47
41
|
name: 'urn:mpass.id:uid',
|
|
48
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
49
|
-
friendly_name: 'mpassUsername'
|
|
42
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
50
43
|
},
|
|
51
44
|
# Funet EDU person learner ID
|
|
52
45
|
# (single value)
|
|
53
46
|
{
|
|
54
47
|
name: 'urn:oid:1.3.6.1.4.1.16161.1.1.27',
|
|
55
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
56
|
-
friendly_name: 'learnerId'
|
|
48
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
57
49
|
},
|
|
58
50
|
# The first/given name of the user.
|
|
59
51
|
# (single value)
|
|
@@ -76,6 +68,26 @@ module OmniAuth
|
|
|
76
68
|
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
77
69
|
friendly_name: 'sn'
|
|
78
70
|
},
|
|
71
|
+
# The municipality code of the authenticated user. See
|
|
72
|
+
# http://tilastokeskus.fi/meta/luokitukset/kunta/001-2017/index.html
|
|
73
|
+
# for mappings in Finland.
|
|
74
|
+
# (multi value)
|
|
75
|
+
{
|
|
76
|
+
name: 'urn:mpass.id:municipalityCode',
|
|
77
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
78
|
+
friendly_name: 'municipalityCode'
|
|
79
|
+
},
|
|
80
|
+
# The human-readable name of the municipality of the authenticated user.
|
|
81
|
+
# (multi value)
|
|
82
|
+
{
|
|
83
|
+
name: 'urn:mpass.id:municipality',
|
|
84
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
85
|
+
},
|
|
86
|
+
{
|
|
87
|
+
name: 'urn:educloudalliance.org:municipality',
|
|
88
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
89
|
+
friendly_name: 'ecaMunicipality'
|
|
90
|
+
},
|
|
79
91
|
# The school code of the authenticated user. See
|
|
80
92
|
# https://virkailija.opintopolku.fi/koodisto-service/rest/json/oppilaitosnumero/koodi
|
|
81
93
|
# (JSON format)
|
|
@@ -87,8 +99,7 @@ module OmniAuth
|
|
|
87
99
|
# (multi value)
|
|
88
100
|
{
|
|
89
101
|
name: 'urn:mpass.id:schoolCode',
|
|
90
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
91
|
-
friendly_name: 'mpassSchoolCode'
|
|
102
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
92
103
|
},
|
|
93
104
|
# The human-readable name of the school of the authenticated user.
|
|
94
105
|
# (multi value)
|
|
@@ -97,21 +108,12 @@ module OmniAuth
|
|
|
97
108
|
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
98
109
|
friendly_name: 'school'
|
|
99
110
|
},
|
|
100
|
-
# Combination of the school code and official name of the educational
|
|
101
|
-
# institution separated with semicolon.
|
|
102
|
-
# For instance: 00000;Tuntematon
|
|
103
|
-
{
|
|
104
|
-
name: 'urn:mpass.id:schoolInfo',
|
|
105
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
106
|
-
friendly_name: 'mpassSchoolInfo'
|
|
107
|
-
},
|
|
108
111
|
# The class/group-information of the authenticated user.
|
|
109
112
|
# For instance: 8A or 3B.
|
|
110
113
|
# (multi value)
|
|
111
114
|
{
|
|
112
115
|
name: 'urn:mpass.id:class',
|
|
113
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
114
|
-
friendly_name: 'mpassClass'
|
|
116
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
115
117
|
},
|
|
116
118
|
{
|
|
117
119
|
name: 'urn:educloudalliance.org:group',
|
|
@@ -123,8 +125,7 @@ module OmniAuth
|
|
|
123
125
|
# (multi value)
|
|
124
126
|
{
|
|
125
127
|
name: 'urn:mpass.id:classLevel',
|
|
126
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
127
|
-
friendly_name: 'mpassClassLevel'
|
|
128
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
128
129
|
},
|
|
129
130
|
# The role name of the user.
|
|
130
131
|
# For instance Oppilas.
|
|
@@ -135,43 +136,18 @@ module OmniAuth
|
|
|
135
136
|
friendly_name: 'ecaRole'
|
|
136
137
|
},
|
|
137
138
|
# The role of the user in four parts, divided with a semicolon (;)
|
|
138
|
-
# character. First
|
|
139
|
-
#
|
|
140
|
-
# For instance
|
|
139
|
+
# character. First municipality, followed by school code, group and role
|
|
140
|
+
# in the group.
|
|
141
|
+
# For instance Helsinki;32132;9A;Oppilas.
|
|
141
142
|
# (multi value)
|
|
142
|
-
#
|
|
143
|
-
# The educational providers' organization OIDs can be found from:
|
|
144
|
-
# https://github.com/Opetushallitus/aitu/blob/master/ttk-db/resources/db/migration/V11_2__koulutustoimijat.sql
|
|
145
143
|
{
|
|
146
144
|
name: 'urn:mpass.id:role',
|
|
147
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
148
|
-
friendly_name: 'mpassRole'
|
|
149
|
-
},
|
|
150
|
-
# The educational provider's permanent organization OID.
|
|
151
|
-
# (multi value)
|
|
152
|
-
#
|
|
153
|
-
# The educational providers' organization OIDs can be found from:
|
|
154
|
-
# https://github.com/Opetushallitus/aitu/blob/master/ttk-db/resources/db/migration/V11_2__koulutustoimijat.sql
|
|
155
|
-
{
|
|
156
|
-
name: 'urn:mpass.id:educationProviderId',
|
|
157
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
158
|
-
friendly_name: 'mpassEducationProviderOid'
|
|
159
|
-
},
|
|
160
|
-
# The educational provider's human-readable name.
|
|
161
|
-
# (multi value)
|
|
162
|
-
{
|
|
163
|
-
name: 'urn:mpass.id:educationProvider',
|
|
164
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
165
|
-
friendly_name: 'mpassEducationProviderName'
|
|
145
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
166
146
|
},
|
|
167
|
-
# Combination of the education provider's organisation-OID and official
|
|
168
|
-
# name. Separated by semicolon.
|
|
169
|
-
# For instance: 1.2.246.562.10.494695390410;Virallinen nimi
|
|
170
|
-
# (multi value)
|
|
171
147
|
{
|
|
172
|
-
name: 'urn:
|
|
148
|
+
name: 'urn:educloudalliance.org:structuredRole',
|
|
173
149
|
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
174
|
-
friendly_name: '
|
|
150
|
+
friendly_name: 'ecaStructuredRole'
|
|
175
151
|
}
|
|
176
152
|
]
|
|
177
153
|
|
|
@@ -182,8 +158,8 @@ module OmniAuth
|
|
|
182
158
|
# Given name or all first names (in case given name is not found)
|
|
183
159
|
first_name: ['urn:oid:2.5.4.42', 'http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName'],
|
|
184
160
|
last_name: ['urn:oid:2.5.4.4'],
|
|
185
|
-
# The
|
|
186
|
-
location: ['urn:mpass.id:
|
|
161
|
+
# The municipality of the person (literal format in Finnish)
|
|
162
|
+
location: ['urn:mpass.id:municipality', 'urn:educloudalliance.org:municipality']
|
|
187
163
|
)
|
|
188
164
|
|
|
189
165
|
info do
|
|
@@ -211,7 +187,6 @@ module OmniAuth
|
|
|
211
187
|
|
|
212
188
|
option(
|
|
213
189
|
:security_settings,
|
|
214
|
-
authn_requests_signed: true,
|
|
215
190
|
digest_method: XMLSecurity::Document::SHA256,
|
|
216
191
|
signature_method: XMLSecurity::Document::RSA_SHA256
|
|
217
192
|
)
|
|
@@ -222,14 +197,14 @@ module OmniAuth
|
|
|
222
197
|
option(
|
|
223
198
|
:saml_attributes_map,
|
|
224
199
|
given_name: ['urn:oid:2.5.4.42'],
|
|
225
|
-
first_names: ['
|
|
200
|
+
first_names: ['http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName'],
|
|
226
201
|
last_name: ['urn:oid:2.5.4.4'],
|
|
227
|
-
|
|
228
|
-
name: ['urn:mpass.id:
|
|
202
|
+
municipality_code: {
|
|
203
|
+
name: ['urn:mpass.id:municipalityCode'],
|
|
229
204
|
type: :multi
|
|
230
205
|
},
|
|
231
|
-
|
|
232
|
-
name: ['urn:mpass.id:
|
|
206
|
+
municipality_name: {
|
|
207
|
+
name: ['urn:mpass.id:municipality', 'urn:educloudalliance.org:municipality'],
|
|
233
208
|
type: :multi
|
|
234
209
|
},
|
|
235
210
|
school_code: {
|
|
@@ -256,8 +231,7 @@ module OmniAuth
|
|
|
256
231
|
name: ['urn:educloudalliance.org:role'],
|
|
257
232
|
type: :multi
|
|
258
233
|
},
|
|
259
|
-
# Extra
|
|
260
|
-
# Unique learner ID
|
|
234
|
+
# Extra (undocumented)
|
|
261
235
|
funet_person_learner_id: ['urn:oid:1.3.6.1.4.1.16161.1.1.27']
|
|
262
236
|
)
|
|
263
237
|
|
|
@@ -281,7 +255,6 @@ module OmniAuth
|
|
|
281
255
|
@options = OmniAuth::Strategy::Options.new(
|
|
282
256
|
mpassid_options.merge(options)
|
|
283
257
|
)
|
|
284
|
-
options[:security][:authn_requests_signed] = false unless options[:certificate] && options[:private_key]
|
|
285
258
|
end
|
|
286
259
|
|
|
287
260
|
# Override the request phase to be able to pass the lang parameter to
|
|
@@ -322,14 +295,6 @@ module OmniAuth
|
|
|
322
295
|
|
|
323
296
|
private
|
|
324
297
|
|
|
325
|
-
def certificate
|
|
326
|
-
File.read(options.certificate_file) if options.certificate_file
|
|
327
|
-
end
|
|
328
|
-
|
|
329
|
-
def private_key
|
|
330
|
-
File.read(options.private_key_file) if options.private_key_file
|
|
331
|
-
end
|
|
332
|
-
|
|
333
298
|
def idp_metadata_url
|
|
334
299
|
case options.mode
|
|
335
300
|
when :test
|
|
@@ -353,16 +318,10 @@ module OmniAuth
|
|
|
353
318
|
sso_binding: ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
|
|
354
319
|
)
|
|
355
320
|
|
|
356
|
-
# Local certificate and private key to decrypt the responses
|
|
357
|
-
settings[:certificate] = certificate
|
|
358
|
-
settings[:private_key] = private_key
|
|
359
|
-
|
|
360
321
|
# Define the security settings as there are some defaults that need to be
|
|
361
322
|
# modified
|
|
362
323
|
security_defaults = OneLogin::RubySaml::Settings::DEFAULTS[:security]
|
|
363
|
-
settings[:security] = security_defaults.merge(
|
|
364
|
-
options.security_settings.to_h.transform_keys(&:to_sym)
|
|
365
|
-
)
|
|
324
|
+
settings[:security] = security_defaults.merge(options.security_settings)
|
|
366
325
|
|
|
367
326
|
settings
|
|
368
327
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-mpassid
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Antti Hukkanen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2021-12-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: omniauth-saml
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - "~>"
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version:
|
|
19
|
+
version: '2.0'
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - "~>"
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version:
|
|
26
|
+
version: '2.0'
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: rake
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|