omniauth-saml 1.10.0 → 2.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/CHANGELOG.md +50 -0
- data/README.md +40 -29
- data/lib/omniauth/strategies/saml.rb +7 -7
- data/lib/omniauth-saml/version.rb +1 -1
- data/spec/omniauth/strategies/saml_spec.rb +19 -19
- data/spec/spec_helper.rb +1 -0
- metadata +28 -27
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 032f34c12924a5666a189462f819b871c2e321891cbe23b45e56c47acdbfc53c
|
|
4
|
+
data.tar.gz: 17bb6e9741181862fcb34f3ca0a47084b9805aba71b3dd5dadfb951c7cd20d27
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: eb87a7392dc23407ab0064b67efd4ffefd9ec3fbbca18b32e96bf973281dffb9477bffc3765d8b4c3e278df7aedca255a95aa03deb44053b33c3cfff5af9435e
|
|
7
|
+
data.tar.gz: 22daef0cc26447f27023c5dc2e6f816e1f79c57c0538b86ffae0f8a2ea9d08492bc351aa31838ca7b4a272ae577aea3f914a87dba0656e1ac2e098f49f034041
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,53 @@
|
|
|
1
|
+
<a name="v2.1.0"></a>
|
|
2
|
+
### v2.1.0 (2022-03-01)
|
|
3
|
+
|
|
4
|
+
|
|
5
|
+
#### Refactor
|
|
6
|
+
|
|
7
|
+
* Rename usage of deprecated SAML options ([74ed8df](/../../commit/74ed8df))
|
|
8
|
+
|
|
9
|
+
#### Chores
|
|
10
|
+
|
|
11
|
+
* bump ruby-saml to 1.12 ([15c156a](/../../commit/15c156a))
|
|
12
|
+
|
|
13
|
+
<a name="v2.0.0"></a>
|
|
14
|
+
### v2.0.0 (2021-01-13)
|
|
15
|
+
|
|
16
|
+
|
|
17
|
+
#### Chores
|
|
18
|
+
|
|
19
|
+
* Allow OmniAuth 2.0.0 ([f7ec7ee](/../../commit/f7ec7ee))
|
|
20
|
+
|
|
21
|
+
|
|
22
|
+
<a name="v1.10.3"></a>
|
|
23
|
+
### v1.10.3 (2020-10-06)
|
|
24
|
+
|
|
25
|
+
|
|
26
|
+
#### Bug Fixes
|
|
27
|
+
|
|
28
|
+
* add options to logout_request initialization ([c271a37](/../../commit/c271a37))
|
|
29
|
+
|
|
30
|
+
|
|
31
|
+
<a name="v1.10.2"></a>
|
|
32
|
+
### v1.10.2 (2018-05-23)
|
|
33
|
+
|
|
34
|
+
|
|
35
|
+
#### Features
|
|
36
|
+
|
|
37
|
+
* **saml**
|
|
38
|
+
* inherits allows response options from ruby-saml instead of whitelist ([a0eedd6](/../../commit/a0eedd6))
|
|
39
|
+
|
|
40
|
+
|
|
41
|
+
<a name="v1.10.1"></a>
|
|
42
|
+
### v1.10.1 (2018-06-07)
|
|
43
|
+
|
|
44
|
+
|
|
45
|
+
#### Features
|
|
46
|
+
|
|
47
|
+
* **saml-response**
|
|
48
|
+
* whitelist more response options ([575198d](/../../commit/575198d))
|
|
49
|
+
|
|
50
|
+
|
|
1
51
|
<a name="v1.10.0"></a>
|
|
2
52
|
### v1.10.0 (2018-02-19)
|
|
3
53
|
|
data/README.md
CHANGED
|
@@ -1,15 +1,12 @@
|
|
|
1
1
|
# OmniAuth SAML
|
|
2
2
|
|
|
3
3
|
[][gem]
|
|
4
|
-
[][codeclimate]
|
|
4
|
+
[](https://github.com/omniauth/omniauth-saml/actions/workflows/ruby.yml)
|
|
5
|
+
[][codeclimate]
|
|
7
6
|
[][coveralls]
|
|
8
7
|
|
|
9
8
|
[gem]: https://rubygems.org/gems/omniauth-saml
|
|
10
|
-
[
|
|
11
|
-
[gemnasium]: https://gemnasium.com/omniauth/omniauth-saml
|
|
12
|
-
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml
|
|
9
|
+
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml/maintainability
|
|
13
10
|
[coveralls]: https://coveralls.io/r/omniauth/omniauth-saml
|
|
14
11
|
|
|
15
12
|
A generic SAML strategy for OmniAuth available under the [MIT License](LICENSE.md)
|
|
@@ -19,7 +16,7 @@ https://github.com/omniauth/omniauth-saml
|
|
|
19
16
|
## Requirements
|
|
20
17
|
|
|
21
18
|
* [OmniAuth](http://www.omniauth.org/) 1.3+
|
|
22
|
-
* Ruby 2.
|
|
19
|
+
* Ruby 2.4.x+
|
|
23
20
|
|
|
24
21
|
## Versioning
|
|
25
22
|
|
|
@@ -33,10 +30,14 @@ Use the SAML strategy as a middleware in your application:
|
|
|
33
30
|
require 'omniauth'
|
|
34
31
|
use OmniAuth::Strategies::SAML,
|
|
35
32
|
:assertion_consumer_service_url => "consumer_service_url",
|
|
36
|
-
:
|
|
37
|
-
:
|
|
38
|
-
:
|
|
33
|
+
:sp_entity_id => "sp_entity_id",
|
|
34
|
+
:idp_sso_service_url => "idp_sso_service_url",
|
|
35
|
+
:idp_sso_service_url_runtime_params => {:original_request_param => :mapped_idp_param},
|
|
39
36
|
:idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
|
|
37
|
+
:idp_cert_multi => {
|
|
38
|
+
:signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
|
|
39
|
+
:encryption => []
|
|
40
|
+
}
|
|
40
41
|
:idp_cert_fingerprint => "E7:91:B2:E1:...",
|
|
41
42
|
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
|
|
42
43
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
@@ -56,17 +57,21 @@ and in `config/initializers/omniauth.rb`:
|
|
|
56
57
|
Rails.application.config.middleware.use OmniAuth::Builder do
|
|
57
58
|
provider :saml,
|
|
58
59
|
:assertion_consumer_service_url => "consumer_service_url",
|
|
59
|
-
:
|
|
60
|
-
:
|
|
61
|
-
:
|
|
60
|
+
:sp_entity_id => "rails-application",
|
|
61
|
+
:idp_sso_service_url => "idp_sso_service_url",
|
|
62
|
+
:idp_sso_service_url_runtime_params => {:original_request_param => :mapped_idp_param},
|
|
62
63
|
:idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
|
|
64
|
+
:idp_cert_multi => {
|
|
65
|
+
:signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
|
|
66
|
+
:encryption => []
|
|
67
|
+
}
|
|
63
68
|
:idp_cert_fingerprint => "E7:91:B2:E1:...",
|
|
64
69
|
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
|
|
65
70
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
66
71
|
end
|
|
67
72
|
```
|
|
68
73
|
|
|
69
|
-
For IdP-initiated SSO, users should directly access the IdP SSO
|
|
74
|
+
For IdP-initiated SSO, users should directly access the IdP SSO service URL. Set the `href` of your application's login link to the value of `idp_sso_service_url`. For SP-initiated SSO, link to `/auth/saml`.
|
|
70
75
|
|
|
71
76
|
A `OneLogin::RubySaml::Response` object is added to the `env['omniauth.auth']` extra attribute, so we can use it in the controller via `env['omniauth.auth'].extra.response_object`
|
|
72
77
|
|
|
@@ -82,13 +87,13 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
|
|
|
82
87
|
received. If not provided, defaults to the OmniAuth callback URL (typically
|
|
83
88
|
`http://example.com/auth/saml/callback`). Optional.
|
|
84
89
|
|
|
85
|
-
* `:
|
|
90
|
+
* `:sp_entity_id` - The name of your application. Some identity providers might need this
|
|
86
91
|
to establish the identity of the service provider requesting the login. **Required**.
|
|
87
92
|
|
|
88
|
-
* `:
|
|
93
|
+
* `:idp_sso_service_url` - The URL to which the authentication request should be sent.
|
|
89
94
|
This would be on the identity provider. **Required**.
|
|
90
95
|
|
|
91
|
-
* `:
|
|
96
|
+
* `:idp_slo_service_url` - The URL to which the single logout request and response should
|
|
92
97
|
be sent. This would be on the identity provider. Optional.
|
|
93
98
|
|
|
94
99
|
* `:idp_slo_session_destroy` - A proc that accepts up to two parameters (the rack environment, and the session),
|
|
@@ -100,23 +105,27 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
|
|
|
100
105
|
instance will be passed to this callable if it has an arity of 1. If the value is a string,
|
|
101
106
|
the string will be returned, when the `RelayState` is called. Optional.
|
|
102
107
|
|
|
103
|
-
* `:
|
|
108
|
+
* `:idp_sso_service_url_runtime_params` - A dynamic mapping of request params that exist
|
|
104
109
|
during the request phase of OmniAuth that should to be sent to the IdP after a specific
|
|
105
110
|
mapping. So for example, a param `original_request_param` with value `original_param_value`,
|
|
106
111
|
could be sent to the IdP on the login request as `mapped_idp_param` with value
|
|
107
112
|
`original_param_value`. Optional.
|
|
108
113
|
|
|
109
114
|
* `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
|
|
110
|
-
over the fingerprint option below. This option or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
115
|
+
over the fingerprint option below. This option or `:idp_cert_multi` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
111
116
|
be present.
|
|
117
|
+
|
|
118
|
+
* `:idp_cert_multi` - Multiple identity provider certificates in PEM format. Takes precedence
|
|
119
|
+
over the fingerprint option below. This option `:idp_cert` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
120
|
+
be present.
|
|
112
121
|
|
|
113
122
|
* `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g.
|
|
114
123
|
"90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
|
|
115
|
-
the relationship. This option or `:idp_cert` or `:idp_cert_fingerprint_validator` MUST be present.
|
|
124
|
+
the relationship. This option or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint_validator` MUST be present.
|
|
116
125
|
|
|
117
126
|
* `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter
|
|
118
127
|
(the fingerprint), verify if it is valid and return it if successful. This option
|
|
119
|
-
or `:idp_cert` or `:idp_cert_fingerprint` MUST be present.
|
|
128
|
+
or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint` MUST be present.
|
|
120
129
|
|
|
121
130
|
* `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
|
|
122
131
|
the username required by this application. If you need the email address, use
|
|
@@ -160,7 +169,7 @@ idp_metadata = idp_metadata_parser.parse_remote_to_hash("http://idp.example.com/
|
|
|
160
169
|
use OmniAuth::Strategies::SAML,
|
|
161
170
|
idp_metadata.merge(
|
|
162
171
|
:assertion_consumer_service_url => "consumer_service_url",
|
|
163
|
-
:
|
|
172
|
+
:sp_entity_id => "sp_entity_id"
|
|
164
173
|
)
|
|
165
174
|
```
|
|
166
175
|
|
|
@@ -176,7 +185,7 @@ In `config/initializers/devise.rb`:
|
|
|
176
185
|
Devise.setup do |config|
|
|
177
186
|
config.omniauth :saml,
|
|
178
187
|
idp_cert_fingerprint: 'fingerprint',
|
|
179
|
-
|
|
188
|
+
idp_sso_service_url: 'idp_sso_service_url'
|
|
180
189
|
end
|
|
181
190
|
```
|
|
182
191
|
|
|
@@ -186,7 +195,7 @@ Then follow Devise's general [OmniAuth tutorial](https://github.com/plataformate
|
|
|
186
195
|
|
|
187
196
|
Single Logout can be Service Provider initiated or Identity Provider initiated.
|
|
188
197
|
|
|
189
|
-
For SP initiated logout, the `
|
|
198
|
+
For SP initiated logout, the `idp_slo_service_url` option must be set to the logout url on the IdP,
|
|
190
199
|
and users directed to `user_saml_omniauth_authorize_path + '/spslo'` after logging out locally. For
|
|
191
200
|
IdP initiated logout, logout requests from the IdP should go to `/auth/saml/slo` (this can be
|
|
192
201
|
advertised in metadata by setting the `single_logout_service_url` config option).
|
|
@@ -194,7 +203,7 @@ advertised in metadata by setting the `single_logout_service_url` config option)
|
|
|
194
203
|
When using Devise as an authentication solution, the SP initiated flow can be integrated
|
|
195
204
|
in the `SessionsController#destroy` action.
|
|
196
205
|
|
|
197
|
-
For this to work it is important to preserve the `saml_uid` value before Devise
|
|
206
|
+
For this to work it is important to preserve the `saml_uid` and `saml_session_index` value before Devise
|
|
198
207
|
clears the session and redirect to the `/spslo` sub-path to initiate the single logout.
|
|
199
208
|
|
|
200
209
|
Example `destroy` action in `sessions_controller.rb`:
|
|
@@ -204,17 +213,19 @@ class SessionsController < Devise::SessionsController
|
|
|
204
213
|
# ...
|
|
205
214
|
|
|
206
215
|
def destroy
|
|
207
|
-
# Preserve the saml_uid in the session
|
|
208
|
-
saml_uid = session[
|
|
216
|
+
# Preserve the saml_uid and saml_session_index in the session
|
|
217
|
+
saml_uid = session['saml_uid']
|
|
218
|
+
saml_session_index = session['saml_session_index']
|
|
209
219
|
super do
|
|
210
|
-
session[
|
|
220
|
+
session['saml_uid'] = saml_uid
|
|
221
|
+
session['saml_session_index'] = saml_session_index
|
|
211
222
|
end
|
|
212
223
|
end
|
|
213
224
|
|
|
214
225
|
# ...
|
|
215
226
|
|
|
216
227
|
def after_sign_out_path_for(_)
|
|
217
|
-
if session['saml_uid'] && SAML_SETTINGS.
|
|
228
|
+
if session['saml_uid'] && session['saml_session_index'] && SAML_SETTINGS.idp_slo_service_url
|
|
218
229
|
user_saml_omniauth_authorize_path + "/spslo"
|
|
219
230
|
else
|
|
220
231
|
super
|
|
@@ -10,10 +10,10 @@ module OmniAuth
|
|
|
10
10
|
OmniAuth::Strategy.included(subclass)
|
|
11
11
|
end
|
|
12
12
|
|
|
13
|
-
|
|
13
|
+
RUBYSAML_RESPONSE_OPTIONS = OneLogin::RubySaml::Response::AVAILABLE_OPTIONS
|
|
14
14
|
|
|
15
15
|
option :name_identifier_format, nil
|
|
16
|
-
option :
|
|
16
|
+
option :idp_sso_service_url_runtime_params, {}
|
|
17
17
|
option :request_attributes, [
|
|
18
18
|
{ :name => 'email', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Email address' },
|
|
19
19
|
{ :name => 'name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Full name' },
|
|
@@ -177,7 +177,7 @@ module OmniAuth
|
|
|
177
177
|
end
|
|
178
178
|
|
|
179
179
|
def handle_logout_request(raw_request, settings)
|
|
180
|
-
logout_request = OneLogin::RubySaml::SloLogoutrequest.new(raw_request)
|
|
180
|
+
logout_request = OneLogin::RubySaml::SloLogoutrequest.new(raw_request, {}.merge(settings: settings).merge(get_params: @request.params))
|
|
181
181
|
|
|
182
182
|
if logout_request.is_valid? &&
|
|
183
183
|
logout_request.name_id == session["saml_uid"]
|
|
@@ -231,7 +231,7 @@ module OmniAuth
|
|
|
231
231
|
|
|
232
232
|
def options_for_response_object
|
|
233
233
|
# filter options to select only extra parameters
|
|
234
|
-
opts = options.select {|k,_|
|
|
234
|
+
opts = options.select {|k,_| RUBYSAML_RESPONSE_OPTIONS.include?(k.to_sym)}
|
|
235
235
|
|
|
236
236
|
# symbolize keys without activeSupport/symbolize_keys (ruby-saml use symbols)
|
|
237
237
|
opts.inject({}) do |new_hash, (key, value)|
|
|
@@ -264,7 +264,7 @@ module OmniAuth
|
|
|
264
264
|
end
|
|
265
265
|
|
|
266
266
|
def other_phase_for_spslo
|
|
267
|
-
if options.
|
|
267
|
+
if options.idp_slo_service_url
|
|
268
268
|
with_settings do |settings|
|
|
269
269
|
redirect(generate_logout_request(settings))
|
|
270
270
|
end
|
|
@@ -275,7 +275,7 @@ module OmniAuth
|
|
|
275
275
|
|
|
276
276
|
def add_request_attributes_to(settings)
|
|
277
277
|
settings.attribute_consuming_service.service_name options.attribute_service_name
|
|
278
|
-
settings.
|
|
278
|
+
settings.sp_entity_id = options.sp_entity_id
|
|
279
279
|
|
|
280
280
|
options.request_attributes.each do |attribute|
|
|
281
281
|
settings.attribute_consuming_service.add_attribute attribute
|
|
@@ -284,7 +284,7 @@ module OmniAuth
|
|
|
284
284
|
|
|
285
285
|
def additional_params_for_authn_request
|
|
286
286
|
{}.tap do |additional_params|
|
|
287
|
-
runtime_request_parameters = options.delete(:
|
|
287
|
+
runtime_request_parameters = options.delete(:idp_sso_service_url_runtime_params)
|
|
288
288
|
|
|
289
289
|
if runtime_request_parameters
|
|
290
290
|
runtime_request_parameters.each_pair do |request_param_key, mapped_param_key|
|
|
@@ -6,7 +6,7 @@ RSpec::Matchers.define :fail_with do |message|
|
|
|
6
6
|
end
|
|
7
7
|
end
|
|
8
8
|
|
|
9
|
-
def post_xml(xml
|
|
9
|
+
def post_xml(xml = :example_response, opts = {})
|
|
10
10
|
post "/auth/saml/callback", opts.merge({'SAMLResponse' => load_xml(xml)})
|
|
11
11
|
end
|
|
12
12
|
|
|
@@ -18,10 +18,10 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
18
18
|
{
|
|
19
19
|
:assertion_consumer_service_url => "http://localhost:9080/auth/saml/callback",
|
|
20
20
|
:single_logout_service_url => "http://localhost:9080/auth/saml/slo",
|
|
21
|
-
:
|
|
22
|
-
:
|
|
21
|
+
:idp_sso_service_url => "https://idp.sso.example.com/signon/29490",
|
|
22
|
+
:idp_slo_service_url => "https://idp.sso.example.com/signoff/29490",
|
|
23
23
|
:idp_cert_fingerprint => "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB",
|
|
24
|
-
:
|
|
24
|
+
:idp_sso_service_url_runtime_params => {:original_param_key => :mapped_param_key},
|
|
25
25
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
|
|
26
26
|
:request_attributes => [
|
|
27
27
|
{ :name => 'email', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Email address' },
|
|
@@ -34,10 +34,10 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
34
34
|
end
|
|
35
35
|
let(:strategy) { [OmniAuth::Strategies::SAML, saml_options] }
|
|
36
36
|
|
|
37
|
-
describe '
|
|
37
|
+
describe 'POST /auth/saml' do
|
|
38
38
|
context 'without idp runtime params present' do
|
|
39
39
|
before do
|
|
40
|
-
|
|
40
|
+
post '/auth/saml'
|
|
41
41
|
end
|
|
42
42
|
|
|
43
43
|
it 'should get authentication page' do
|
|
@@ -51,7 +51,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
51
51
|
|
|
52
52
|
context 'with idp runtime params' do
|
|
53
53
|
before do
|
|
54
|
-
|
|
54
|
+
post '/auth/saml', 'original_param_key' => 'original_param_value', 'mapped_param_key' => 'mapped_param_value'
|
|
55
55
|
end
|
|
56
56
|
|
|
57
57
|
it 'should get authentication page' do
|
|
@@ -71,7 +71,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
71
71
|
|
|
72
72
|
it 'should send the current callback_url as the assertion_consumer_service_url' do
|
|
73
73
|
%w(foo.example.com bar.example.com).each do |host|
|
|
74
|
-
|
|
74
|
+
post "https://#{host}/auth/saml"
|
|
75
75
|
|
|
76
76
|
expect(last_response).to be_redirect
|
|
77
77
|
|
|
@@ -89,7 +89,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
89
89
|
end
|
|
90
90
|
|
|
91
91
|
context 'when authn request signing is requested' do
|
|
92
|
-
subject {
|
|
92
|
+
subject { post '/auth/saml' }
|
|
93
93
|
|
|
94
94
|
let(:private_key) { OpenSSL::PKey::RSA.new 2048 }
|
|
95
95
|
|
|
@@ -306,7 +306,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
306
306
|
|
|
307
307
|
context "when response is a logout response" do
|
|
308
308
|
before :each do
|
|
309
|
-
saml_options[:
|
|
309
|
+
saml_options[:sp_entity_id] = "https://idp.sso.example.com/metadata/29490"
|
|
310
310
|
|
|
311
311
|
post "/auth/saml/slo", {
|
|
312
312
|
SAMLResponse: load_xml(:example_logout_response),
|
|
@@ -323,7 +323,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
323
323
|
subject { post "/auth/saml/slo", params, "rack.session" => { "saml_uid" => "username@example.com" } }
|
|
324
324
|
|
|
325
325
|
before :each do
|
|
326
|
-
saml_options[:
|
|
326
|
+
saml_options[:sp_entity_id] = "https://idp.sso.example.com/metadata/29490"
|
|
327
327
|
end
|
|
328
328
|
|
|
329
329
|
let(:params) do
|
|
@@ -392,8 +392,8 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
392
392
|
end
|
|
393
393
|
end
|
|
394
394
|
|
|
395
|
-
it "should give not implemented without an
|
|
396
|
-
saml_options.delete(:
|
|
395
|
+
it "should give not implemented without an idp_slo_service_url" do
|
|
396
|
+
saml_options.delete(:idp_slo_service_url)
|
|
397
397
|
post "/auth/saml/spslo"
|
|
398
398
|
|
|
399
399
|
expect(last_response.status).to eq 501
|
|
@@ -402,10 +402,10 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
402
402
|
end
|
|
403
403
|
end
|
|
404
404
|
|
|
405
|
-
describe '
|
|
405
|
+
describe 'POST /auth/saml/metadata' do
|
|
406
406
|
before do
|
|
407
|
-
saml_options[:
|
|
408
|
-
|
|
407
|
+
saml_options[:sp_entity_id] = 'http://example.com/SAML'
|
|
408
|
+
post '/auth/saml/metadata'
|
|
409
409
|
end
|
|
410
410
|
|
|
411
411
|
it 'should get SP metadata page' do
|
|
@@ -424,19 +424,19 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
424
424
|
end
|
|
425
425
|
|
|
426
426
|
context 'when hitting an unknown route in our sub path' do
|
|
427
|
-
before {
|
|
427
|
+
before { post '/auth/saml/unknown' }
|
|
428
428
|
|
|
429
429
|
specify { expect(last_response.status).to eql 404 }
|
|
430
430
|
end
|
|
431
431
|
|
|
432
432
|
context 'when hitting a completely unknown route' do
|
|
433
|
-
before {
|
|
433
|
+
before { post '/unknown' }
|
|
434
434
|
|
|
435
435
|
specify { expect(last_response.status).to eql 404 }
|
|
436
436
|
end
|
|
437
437
|
|
|
438
438
|
context 'when hitting a route that contains a substring match for the strategy name' do
|
|
439
|
-
before {
|
|
439
|
+
before { post '/auth/saml2/metadata' }
|
|
440
440
|
|
|
441
441
|
it 'should not set the strategy' do
|
|
442
442
|
expect(last_request.env['omniauth.strategy']).to be_nil
|
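--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -16,6 +16,7 @@ require 'base64'
 TEST_LOGGER = Logger.new(StringIO.new)
 OneLogin::RubySaml::Logging.logger = TEST_LOGGER
 OmniAuth.config.logger = TEST_LOGGER
+OmniAuth.config.request_validation_phase = proc {}
 
 RSpec.configure do |config|
 config.include Rack::Test::Methods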
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 2.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Raecoo Cao
|
|
@@ -11,10 +11,10 @@ authors:
|
|
|
11
11
|
- Nikos Dimitrakopoulos
|
|
12
12
|
- Rudolf Vriend
|
|
13
13
|
- Bruno Pedro
|
|
14
|
-
autorequire:
|
|
14
|
+
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date:
|
|
17
|
+
date: 2022-03-01 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: omniauth
|
|
@@ -22,54 +22,42 @@ dependencies:
|
|
|
22
22
|
requirements:
|
|
23
23
|
- - "~>"
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
|
-
version: '
|
|
26
|
-
- - ">="
|
|
27
|
-
- !ruby/object:Gem::Version
|
|
28
|
-
version: 1.3.2
|
|
25
|
+
version: '2.0'
|
|
29
26
|
type: :runtime
|
|
30
27
|
prerelease: false
|
|
31
28
|
version_requirements: !ruby/object:Gem::Requirement
|
|
32
29
|
requirements:
|
|
33
30
|
- - "~>"
|
|
34
31
|
- !ruby/object:Gem::Version
|
|
35
|
-
version: '
|
|
36
|
-
- - ">="
|
|
37
|
-
- !ruby/object:Gem::Version
|
|
38
|
-
version: 1.3.2
|
|
32
|
+
version: '2.0'
|
|
39
33
|
- !ruby/object:Gem::Dependency
|
|
40
34
|
name: ruby-saml
|
|
41
35
|
requirement: !ruby/object:Gem::Requirement
|
|
42
36
|
requirements:
|
|
43
37
|
- - "~>"
|
|
44
38
|
- !ruby/object:Gem::Version
|
|
45
|
-
version: '1.
|
|
39
|
+
version: '1.12'
|
|
46
40
|
type: :runtime
|
|
47
41
|
prerelease: false
|
|
48
42
|
version_requirements: !ruby/object:Gem::Requirement
|
|
49
43
|
requirements:
|
|
50
44
|
- - "~>"
|
|
51
45
|
- !ruby/object:Gem::Version
|
|
52
|
-
version: '1.
|
|
46
|
+
version: '1.12'
|
|
53
47
|
- !ruby/object:Gem::Dependency
|
|
54
48
|
name: rake
|
|
55
49
|
requirement: !ruby/object:Gem::Requirement
|
|
56
50
|
requirements:
|
|
57
51
|
- - ">="
|
|
58
52
|
- !ruby/object:Gem::Version
|
|
59
|
-
version:
|
|
60
|
-
- - "<"
|
|
61
|
-
- !ruby/object:Gem::Version
|
|
62
|
-
version: '12'
|
|
53
|
+
version: 12.3.3
|
|
63
54
|
type: :development
|
|
64
55
|
prerelease: false
|
|
65
56
|
version_requirements: !ruby/object:Gem::Requirement
|
|
66
57
|
requirements:
|
|
67
58
|
- - ">="
|
|
68
59
|
- !ruby/object:Gem::Version
|
|
69
|
-
version:
|
|
70
|
-
- - "<"
|
|
71
|
-
- !ruby/object:Gem::Version
|
|
72
|
-
version: '12'
|
|
60
|
+
version: 12.3.3
|
|
73
61
|
- !ruby/object:Gem::Dependency
|
|
74
62
|
name: rspec
|
|
75
63
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -132,6 +120,20 @@ dependencies:
|
|
|
132
120
|
- - "~>"
|
|
133
121
|
- !ruby/object:Gem::Version
|
|
134
122
|
version: '1.2'
|
|
123
|
+
- !ruby/object:Gem::Dependency
|
|
124
|
+
name: coveralls
|
|
125
|
+
requirement: !ruby/object:Gem::Requirement
|
|
126
|
+
requirements:
|
|
127
|
+
- - ">="
|
|
128
|
+
- !ruby/object:Gem::Version
|
|
129
|
+
version: 0.8.23
|
|
130
|
+
type: :development
|
|
131
|
+
prerelease: false
|
|
132
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
133
|
+
requirements:
|
|
134
|
+
- - ">="
|
|
135
|
+
- !ruby/object:Gem::Version
|
|
136
|
+
version: 0.8.23
|
|
135
137
|
description: A generic SAML strategy for OmniAuth.
|
|
136
138
|
email: rajiv@alum.mit.edu
|
|
137
139
|
executables: []
|
|
@@ -151,7 +153,7 @@ homepage: https://github.com/omniauth/omniauth-saml
|
|
|
151
153
|
licenses:
|
|
152
154
|
- MIT
|
|
153
155
|
metadata: {}
|
|
154
|
-
post_install_message:
|
|
156
|
+
post_install_message:
|
|
155
157
|
rdoc_options: []
|
|
156
158
|
require_paths:
|
|
157
159
|
- lib
|
|
@@ -159,18 +161,17 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
159
161
|
requirements:
|
|
160
162
|
- - ">="
|
|
161
163
|
- !ruby/object:Gem::Version
|
|
162
|
-
version: '2.
|
|
164
|
+
version: '2.4'
|
|
163
165
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
164
166
|
requirements:
|
|
165
167
|
- - ">="
|
|
166
168
|
- !ruby/object:Gem::Version
|
|
167
169
|
version: '0'
|
|
168
170
|
requirements: []
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
signing_key:
|
|
171
|
+
rubygems_version: 3.2.32
|
|
172
|
+
signing_key:
|
|
172
173
|
specification_version: 4
|
|
173
174
|
summary: A generic SAML strategy for OmniAuth.
|
|
174
175
|
test_files:
|
|
175
|
-
- spec/spec_helper.rb
|
|
176
176
|
- spec/omniauth/strategies/saml_spec.rb
|
|
177
|
+
- spec/spec_helper.rb
|
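Review bot: The omniauth runtime requirement now reads `version: '2.0'` under `~>` (first dependency hunk), but the README's Requirements section, visible as an unchanged context line earlier on this page, still advertises `* [OmniAuth](http://www.omniauth.org/) 1.3+`, so the published gemspec and the documentation disagree about the supported OmniAuth range. The README line should be updated to match the gemspec, e.g. `* [OmniAuth](http://www.omniauth.org/) 2.0+`, in the same release that drops the 1.x constraint. The ruby-saml and rake floors (`'1.12'`, `12.3.3`) are likewise not mentioned in the README or the v2.1.0 changelog entry beyond "bump ruby-saml to 1.12".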