omniauth-saml 1.10.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of omniauth-saml might be problematic. Click here for more details.
- checksums.yaml +5 -5
- data/CHANGELOG.md +38 -0
- data/README.md +25 -13
- data/lib/omniauth/strategies/saml.rb +3 -3
- data/lib/omniauth-saml/version.rb +1 -1
- data/spec/omniauth/strategies/saml_spec.rb +11 -11
- data/spec/spec_helper.rb +1 -0
- metadata +27 -26
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 36019dbb0985207e4a8e6faa24f50abed3f707d3d4c8ad1370403e658b708730
|
|
4
|
+
data.tar.gz: '042845e9351550c797149bfdba0f395059a0a8d590d70cdcec19828e9cc4a6c6'
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5f8100b1f45f5e09e778bb6ccf96bffdf041b5dc7da72a67fe5063fe30eb01c7a61481c8b5c8e3700b91af362e3a5f8915c5797d97eb3f2e3197333a1117bb49
|
|
7
|
+
data.tar.gz: 71c78f0ff383876af1fe15d471e35ea70bedbabccc6e2b7b79bf7c6f643c5f5330bbe706b24b25c92f47fb68d85ec062c9e12819a5430cbff9e91fb7e08c3055
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,41 @@
|
|
|
1
|
+
<a name="v2.0.0"></a>
|
|
2
|
+
### v2.0.0 (2021-01-13)
|
|
3
|
+
|
|
4
|
+
|
|
5
|
+
#### Chores
|
|
6
|
+
|
|
7
|
+
* Allow OmniAuth 2.0.0 ([f7ec7ee](/../../commit/f7ec7ee))
|
|
8
|
+
|
|
9
|
+
|
|
10
|
+
<a name="v1.10.3"></a>
|
|
11
|
+
### v1.10.3 (2020-10-06)
|
|
12
|
+
|
|
13
|
+
|
|
14
|
+
#### Bug Fixes
|
|
15
|
+
|
|
16
|
+
* add options to logout_request initialization ([c271a37](/../../commit/c271a37))
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
<a name="v1.10.2"></a>
|
|
20
|
+
### v1.10.2 (2018-05-23)
|
|
21
|
+
|
|
22
|
+
|
|
23
|
+
#### Features
|
|
24
|
+
|
|
25
|
+
* **saml**
|
|
26
|
+
* inherits allows response options from ruby-saml instead of whitelist ([a0eedd6](/../../commit/a0eedd6))
|
|
27
|
+
|
|
28
|
+
|
|
29
|
+
<a name="v1.10.1"></a>
|
|
30
|
+
### v1.10.1 (2018-06-07)
|
|
31
|
+
|
|
32
|
+
|
|
33
|
+
#### Features
|
|
34
|
+
|
|
35
|
+
* **saml-response**
|
|
36
|
+
* whitelist more response options ([575198d](/../../commit/575198d))
|
|
37
|
+
|
|
38
|
+
|
|
1
39
|
<a name="v1.10.0"></a>
|
|
2
40
|
### v1.10.0 (2018-02-19)
|
|
3
41
|
|
data/README.md
CHANGED
|
@@ -2,14 +2,12 @@
|
|
|
2
2
|
|
|
3
3
|
[][gem]
|
|
4
4
|
[][travis]
|
|
5
|
-
[][codeclimate]
|
|
5
|
+
[][codeclimate]
|
|
7
6
|
[][coveralls]
|
|
8
7
|
|
|
9
8
|
[gem]: https://rubygems.org/gems/omniauth-saml
|
|
10
9
|
[travis]: http://travis-ci.org/omniauth/omniauth-saml
|
|
11
|
-
[
|
|
12
|
-
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml
|
|
10
|
+
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml/maintainability
|
|
13
11
|
[coveralls]: https://coveralls.io/r/omniauth/omniauth-saml
|
|
14
12
|
|
|
15
13
|
A generic SAML strategy for OmniAuth available under the [MIT License](LICENSE.md)
|
|
@@ -19,7 +17,7 @@ https://github.com/omniauth/omniauth-saml
|
|
|
19
17
|
## Requirements
|
|
20
18
|
|
|
21
19
|
* [OmniAuth](http://www.omniauth.org/) 1.3+
|
|
22
|
-
* Ruby 2.
|
|
20
|
+
* Ruby 2.4.x+
|
|
23
21
|
|
|
24
22
|
## Versioning
|
|
25
23
|
|
|
@@ -37,6 +35,10 @@ use OmniAuth::Strategies::SAML,
|
|
|
37
35
|
:idp_sso_target_url => "idp_sso_target_url",
|
|
38
36
|
:idp_sso_target_url_runtime_params => {:original_request_param => :mapped_idp_param},
|
|
39
37
|
:idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
|
|
38
|
+
:idp_cert_multi => {
|
|
39
|
+
:signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
|
|
40
|
+
:encryption => []
|
|
41
|
+
}
|
|
40
42
|
:idp_cert_fingerprint => "E7:91:B2:E1:...",
|
|
41
43
|
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
|
|
42
44
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
@@ -60,6 +62,10 @@ Rails.application.config.middleware.use OmniAuth::Builder do
|
|
|
60
62
|
:idp_sso_target_url => "idp_sso_target_url",
|
|
61
63
|
:idp_sso_target_url_runtime_params => {:original_request_param => :mapped_idp_param},
|
|
62
64
|
:idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
|
|
65
|
+
:idp_cert_multi => {
|
|
66
|
+
:signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
|
|
67
|
+
:encryption => []
|
|
68
|
+
}
|
|
63
69
|
:idp_cert_fingerprint => "E7:91:B2:E1:...",
|
|
64
70
|
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
|
|
65
71
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
@@ -107,16 +113,20 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
|
|
|
107
113
|
`original_param_value`. Optional.
|
|
108
114
|
|
|
109
115
|
* `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
|
|
110
|
-
over the fingerprint option below. This option or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
116
|
+
over the fingerprint option below. This option or `:idp_cert_multi` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
111
117
|
be present.
|
|
118
|
+
|
|
119
|
+
* `:idp_cert_multi` - Multiple identity provider certificates in PEM format. Takes precedence
|
|
120
|
+
over the fingerprint option below. This option `:idp_cert` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
121
|
+
be present.
|
|
112
122
|
|
|
113
123
|
* `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g.
|
|
114
124
|
"90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
|
|
115
|
-
the relationship. This option or `:idp_cert` or `:idp_cert_fingerprint_validator` MUST be present.
|
|
125
|
+
the relationship. This option or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint_validator` MUST be present.
|
|
116
126
|
|
|
117
127
|
* `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter
|
|
118
128
|
(the fingerprint), verify if it is valid and return it if successful. This option
|
|
119
|
-
or `:idp_cert` or `:idp_cert_fingerprint` MUST be present.
|
|
129
|
+
or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint` MUST be present.
|
|
120
130
|
|
|
121
131
|
* `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
|
|
122
132
|
the username required by this application. If you need the email address, use
|
|
@@ -194,7 +204,7 @@ advertised in metadata by setting the `single_logout_service_url` config option)
|
|
|
194
204
|
When using Devise as an authentication solution, the SP initiated flow can be integrated
|
|
195
205
|
in the `SessionsController#destroy` action.
|
|
196
206
|
|
|
197
|
-
For this to work it is important to preserve the `saml_uid` value before Devise
|
|
207
|
+
For this to work it is important to preserve the `saml_uid` and `saml_session_index` value before Devise
|
|
198
208
|
clears the session and redirect to the `/spslo` sub-path to initiate the single logout.
|
|
199
209
|
|
|
200
210
|
Example `destroy` action in `sessions_controller.rb`:
|
|
@@ -204,17 +214,19 @@ class SessionsController < Devise::SessionsController
|
|
|
204
214
|
# ...
|
|
205
215
|
|
|
206
216
|
def destroy
|
|
207
|
-
# Preserve the saml_uid in the session
|
|
208
|
-
saml_uid = session[
|
|
217
|
+
# Preserve the saml_uid and saml_session_index in the session
|
|
218
|
+
saml_uid = session['saml_uid']
|
|
219
|
+
saml_session_index = session['saml_session_index']
|
|
209
220
|
super do
|
|
210
|
-
session[
|
|
221
|
+
session['saml_uid'] = saml_uid
|
|
222
|
+
session['saml_session_index'] = saml_session_index
|
|
211
223
|
end
|
|
212
224
|
end
|
|
213
225
|
|
|
214
226
|
# ...
|
|
215
227
|
|
|
216
228
|
def after_sign_out_path_for(_)
|
|
217
|
-
if session['saml_uid'] && SAML_SETTINGS.idp_slo_target_url
|
|
229
|
+
if session['saml_uid'] && session['saml_session_index'] && SAML_SETTINGS.idp_slo_target_url
|
|
218
230
|
user_saml_omniauth_authorize_path + "/spslo"
|
|
219
231
|
else
|
|
220
232
|
super
|
|
@@ -10,7 +10,7 @@ module OmniAuth
|
|
|
10
10
|
OmniAuth::Strategy.included(subclass)
|
|
11
11
|
end
|
|
12
12
|
|
|
13
|
-
|
|
13
|
+
RUBYSAML_RESPONSE_OPTIONS = OneLogin::RubySaml::Response::AVAILABLE_OPTIONS
|
|
14
14
|
|
|
15
15
|
option :name_identifier_format, nil
|
|
16
16
|
option :idp_sso_target_url_runtime_params, {}
|
|
@@ -177,7 +177,7 @@ module OmniAuth
|
|
|
177
177
|
end
|
|
178
178
|
|
|
179
179
|
def handle_logout_request(raw_request, settings)
|
|
180
|
-
logout_request = OneLogin::RubySaml::SloLogoutrequest.new(raw_request)
|
|
180
|
+
logout_request = OneLogin::RubySaml::SloLogoutrequest.new(raw_request, {}.merge(settings: settings).merge(get_params: @request.params))
|
|
181
181
|
|
|
182
182
|
if logout_request.is_valid? &&
|
|
183
183
|
logout_request.name_id == session["saml_uid"]
|
|
@@ -231,7 +231,7 @@ module OmniAuth
|
|
|
231
231
|
|
|
232
232
|
def options_for_response_object
|
|
233
233
|
# filter options to select only extra parameters
|
|
234
|
-
opts = options.select {|k,_|
|
|
234
|
+
opts = options.select {|k,_| RUBYSAML_RESPONSE_OPTIONS.include?(k.to_sym)}
|
|
235
235
|
|
|
236
236
|
# symbolize keys without activeSupport/symbolize_keys (ruby-saml use symbols)
|
|
237
237
|
opts.inject({}) do |new_hash, (key, value)|
|
|
@@ -6,7 +6,7 @@ RSpec::Matchers.define :fail_with do |message|
|
|
|
6
6
|
end
|
|
7
7
|
end
|
|
8
8
|
|
|
9
|
-
def post_xml(xml
|
|
9
|
+
def post_xml(xml = :example_response, opts = {})
|
|
10
10
|
post "/auth/saml/callback", opts.merge({'SAMLResponse' => load_xml(xml)})
|
|
11
11
|
end
|
|
12
12
|
|
|
@@ -34,10 +34,10 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
34
34
|
end
|
|
35
35
|
let(:strategy) { [OmniAuth::Strategies::SAML, saml_options] }
|
|
36
36
|
|
|
37
|
-
describe '
|
|
37
|
+
describe 'POST /auth/saml' do
|
|
38
38
|
context 'without idp runtime params present' do
|
|
39
39
|
before do
|
|
40
|
-
|
|
40
|
+
post '/auth/saml'
|
|
41
41
|
end
|
|
42
42
|
|
|
43
43
|
it 'should get authentication page' do
|
|
@@ -51,7 +51,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
51
51
|
|
|
52
52
|
context 'with idp runtime params' do
|
|
53
53
|
before do
|
|
54
|
-
|
|
54
|
+
post '/auth/saml', 'original_param_key' => 'original_param_value', 'mapped_param_key' => 'mapped_param_value'
|
|
55
55
|
end
|
|
56
56
|
|
|
57
57
|
it 'should get authentication page' do
|
|
@@ -71,7 +71,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
71
71
|
|
|
72
72
|
it 'should send the current callback_url as the assertion_consumer_service_url' do
|
|
73
73
|
%w(foo.example.com bar.example.com).each do |host|
|
|
74
|
-
|
|
74
|
+
post "https://#{host}/auth/saml"
|
|
75
75
|
|
|
76
76
|
expect(last_response).to be_redirect
|
|
77
77
|
|
|
@@ -89,7 +89,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
89
89
|
end
|
|
90
90
|
|
|
91
91
|
context 'when authn request signing is requested' do
|
|
92
|
-
subject {
|
|
92
|
+
subject { post '/auth/saml' }
|
|
93
93
|
|
|
94
94
|
let(:private_key) { OpenSSL::PKey::RSA.new 2048 }
|
|
95
95
|
|
|
@@ -402,10 +402,10 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
402
402
|
end
|
|
403
403
|
end
|
|
404
404
|
|
|
405
|
-
describe '
|
|
405
|
+
describe 'POST /auth/saml/metadata' do
|
|
406
406
|
before do
|
|
407
407
|
saml_options[:issuer] = 'http://example.com/SAML'
|
|
408
|
-
|
|
408
|
+
post '/auth/saml/metadata'
|
|
409
409
|
end
|
|
410
410
|
|
|
411
411
|
it 'should get SP metadata page' do
|
|
@@ -424,19 +424,19 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
424
424
|
end
|
|
425
425
|
|
|
426
426
|
context 'when hitting an unknown route in our sub path' do
|
|
427
|
-
before {
|
|
427
|
+
before { post '/auth/saml/unknown' }
|
|
428
428
|
|
|
429
429
|
specify { expect(last_response.status).to eql 404 }
|
|
430
430
|
end
|
|
431
431
|
|
|
432
432
|
context 'when hitting a completely unknown route' do
|
|
433
|
-
before {
|
|
433
|
+
before { post '/unknown' }
|
|
434
434
|
|
|
435
435
|
specify { expect(last_response.status).to eql 404 }
|
|
436
436
|
end
|
|
437
437
|
|
|
438
438
|
context 'when hitting a route that contains a substring match for the strategy name' do
|
|
439
|
-
before {
|
|
439
|
+
before { post '/auth/saml2/metadata' }
|
|
440
440
|
|
|
441
441
|
it 'should not set the strategy' do
|
|
442
442
|
expect(last_request.env['omniauth.strategy']).to be_nil
|
data/spec/spec_helper.rb
CHANGED
|
@@ -16,6 +16,7 @@ require 'base64'
|
|
|
16
16
|
TEST_LOGGER = Logger.new(StringIO.new)
|
|
17
17
|
OneLogin::RubySaml::Logging.logger = TEST_LOGGER
|
|
18
18
|
OmniAuth.config.logger = TEST_LOGGER
|
|
19
|
+
OmniAuth.config.request_validation_phase = proc {}
|
|
19
20
|
|
|
20
21
|
RSpec.configure do |config|
|
|
21
22
|
config.include Rack::Test::Methods
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 2.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Raecoo Cao
|
|
@@ -11,10 +11,10 @@ authors:
|
|
|
11
11
|
- Nikos Dimitrakopoulos
|
|
12
12
|
- Rudolf Vriend
|
|
13
13
|
- Bruno Pedro
|
|
14
|
-
autorequire:
|
|
14
|
+
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date:
|
|
17
|
+
date: 2021-01-14 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: omniauth
|
|
@@ -22,54 +22,42 @@ dependencies:
|
|
|
22
22
|
requirements:
|
|
23
23
|
- - "~>"
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
|
-
version: '
|
|
26
|
-
- - ">="
|
|
27
|
-
- !ruby/object:Gem::Version
|
|
28
|
-
version: 1.3.2
|
|
25
|
+
version: '2.0'
|
|
29
26
|
type: :runtime
|
|
30
27
|
prerelease: false
|
|
31
28
|
version_requirements: !ruby/object:Gem::Requirement
|
|
32
29
|
requirements:
|
|
33
30
|
- - "~>"
|
|
34
31
|
- !ruby/object:Gem::Version
|
|
35
|
-
version: '
|
|
36
|
-
- - ">="
|
|
37
|
-
- !ruby/object:Gem::Version
|
|
38
|
-
version: 1.3.2
|
|
32
|
+
version: '2.0'
|
|
39
33
|
- !ruby/object:Gem::Dependency
|
|
40
34
|
name: ruby-saml
|
|
41
35
|
requirement: !ruby/object:Gem::Requirement
|
|
42
36
|
requirements:
|
|
43
37
|
- - "~>"
|
|
44
38
|
- !ruby/object:Gem::Version
|
|
45
|
-
version: '1.
|
|
39
|
+
version: '1.9'
|
|
46
40
|
type: :runtime
|
|
47
41
|
prerelease: false
|
|
48
42
|
version_requirements: !ruby/object:Gem::Requirement
|
|
49
43
|
requirements:
|
|
50
44
|
- - "~>"
|
|
51
45
|
- !ruby/object:Gem::Version
|
|
52
|
-
version: '1.
|
|
46
|
+
version: '1.9'
|
|
53
47
|
- !ruby/object:Gem::Dependency
|
|
54
48
|
name: rake
|
|
55
49
|
requirement: !ruby/object:Gem::Requirement
|
|
56
50
|
requirements:
|
|
57
51
|
- - ">="
|
|
58
52
|
- !ruby/object:Gem::Version
|
|
59
|
-
version:
|
|
60
|
-
- - "<"
|
|
61
|
-
- !ruby/object:Gem::Version
|
|
62
|
-
version: '12'
|
|
53
|
+
version: 12.3.3
|
|
63
54
|
type: :development
|
|
64
55
|
prerelease: false
|
|
65
56
|
version_requirements: !ruby/object:Gem::Requirement
|
|
66
57
|
requirements:
|
|
67
58
|
- - ">="
|
|
68
59
|
- !ruby/object:Gem::Version
|
|
69
|
-
version:
|
|
70
|
-
- - "<"
|
|
71
|
-
- !ruby/object:Gem::Version
|
|
72
|
-
version: '12'
|
|
60
|
+
version: 12.3.3
|
|
73
61
|
- !ruby/object:Gem::Dependency
|
|
74
62
|
name: rspec
|
|
75
63
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -132,6 +120,20 @@ dependencies:
|
|
|
132
120
|
- - "~>"
|
|
133
121
|
- !ruby/object:Gem::Version
|
|
134
122
|
version: '1.2'
|
|
123
|
+
- !ruby/object:Gem::Dependency
|
|
124
|
+
name: coveralls
|
|
125
|
+
requirement: !ruby/object:Gem::Requirement
|
|
126
|
+
requirements:
|
|
127
|
+
- - ">="
|
|
128
|
+
- !ruby/object:Gem::Version
|
|
129
|
+
version: 0.8.23
|
|
130
|
+
type: :development
|
|
131
|
+
prerelease: false
|
|
132
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
133
|
+
requirements:
|
|
134
|
+
- - ">="
|
|
135
|
+
- !ruby/object:Gem::Version
|
|
136
|
+
version: 0.8.23
|
|
135
137
|
description: A generic SAML strategy for OmniAuth.
|
|
136
138
|
email: rajiv@alum.mit.edu
|
|
137
139
|
executables: []
|
|
@@ -151,7 +153,7 @@ homepage: https://github.com/omniauth/omniauth-saml
|
|
|
151
153
|
licenses:
|
|
152
154
|
- MIT
|
|
153
155
|
metadata: {}
|
|
154
|
-
post_install_message:
|
|
156
|
+
post_install_message:
|
|
155
157
|
rdoc_options: []
|
|
156
158
|
require_paths:
|
|
157
159
|
- lib
|
|
@@ -159,16 +161,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
159
161
|
requirements:
|
|
160
162
|
- - ">="
|
|
161
163
|
- !ruby/object:Gem::Version
|
|
162
|
-
version: '2.
|
|
164
|
+
version: '2.4'
|
|
163
165
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
164
166
|
requirements:
|
|
165
167
|
- - ">="
|
|
166
168
|
- !ruby/object:Gem::Version
|
|
167
169
|
version: '0'
|
|
168
170
|
requirements: []
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
signing_key:
|
|
171
|
+
rubygems_version: 3.1.2
|
|
172
|
+
signing_key:
|
|
172
173
|
specification_version: 4
|
|
173
174
|
summary: A generic SAML strategy for OmniAuth.
|
|
174
175
|
test_files:
|