omniauth-saml 1.10.0 → 2.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/CHANGELOG.md +50 -0
- data/README.md +40 -29
- data/lib/omniauth/strategies/saml.rb +7 -7
- data/lib/omniauth-saml/version.rb +1 -1
- data/spec/omniauth/strategies/saml_spec.rb +19 -19
- data/spec/spec_helper.rb +1 -0
- metadata +28 -27
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 032f34c12924a5666a189462f819b871c2e321891cbe23b45e56c47acdbfc53c
|
|
4
|
+
data.tar.gz: 17bb6e9741181862fcb34f3ca0a47084b9805aba71b3dd5dadfb951c7cd20d27
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: eb87a7392dc23407ab0064b67efd4ffefd9ec3fbbca18b32e96bf973281dffb9477bffc3765d8b4c3e278df7aedca255a95aa03deb44053b33c3cfff5af9435e
|
|
7
|
+
data.tar.gz: 22daef0cc26447f27023c5dc2e6f816e1f79c57c0538b86ffae0f8a2ea9d08492bc351aa31838ca7b4a272ae577aea3f914a87dba0656e1ac2e098f49f034041
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,53 @@
|
|
|
1
|
+
<a name="v2.1.0"></a>
|
|
2
|
+
### v2.1.0 (2022-03-01)
|
|
3
|
+
|
|
4
|
+
|
|
5
|
+
#### Refactor
|
|
6
|
+
|
|
7
|
+
* Rename usage of deprecated SAML options ([74ed8df](/../../commit/74ed8df))
|
|
8
|
+
|
|
9
|
+
#### Chores
|
|
10
|
+
|
|
11
|
+
* bump ruby-saml to 1.12 ([15c156a](/../../commit/15c156a))
|
|
12
|
+
|
|
13
|
+
<a name="v2.0.0"></a>
|
|
14
|
+
### v2.0.0 (2021-01-13)
|
|
15
|
+
|
|
16
|
+
|
|
17
|
+
#### Chores
|
|
18
|
+
|
|
19
|
+
* Allow OmniAuth 2.0.0 ([f7ec7ee](/../../commit/f7ec7ee))
|
|
20
|
+
|
|
21
|
+
|
|
22
|
+
<a name="v1.10.3"></a>
|
|
23
|
+
### v1.10.3 (2020-10-06)
|
|
24
|
+
|
|
25
|
+
|
|
26
|
+
#### Bug Fixes
|
|
27
|
+
|
|
28
|
+
* add options to logout_request initialization ([c271a37](/../../commit/c271a37))
|
|
29
|
+
|
|
30
|
+
|
|
31
|
+
<a name="v1.10.2"></a>
|
|
32
|
+
### v1.10.2 (2018-05-23)
|
|
33
|
+
|
|
34
|
+
|
|
35
|
+
#### Features
|
|
36
|
+
|
|
37
|
+
* **saml**
|
|
38
|
+
* inherits allows response options from ruby-saml instead of whitelist ([a0eedd6](/../../commit/a0eedd6))
|
|
39
|
+
|
|
40
|
+
|
|
41
|
+
<a name="v1.10.1"></a>
|
|
42
|
+
### v1.10.1 (2018-06-07)
|
|
43
|
+
|
|
44
|
+
|
|
45
|
+
#### Features
|
|
46
|
+
|
|
47
|
+
* **saml-response**
|
|
48
|
+
* whitelist more response options ([575198d](/../../commit/575198d))
|
|
49
|
+
|
|
50
|
+
|
|
1
51
|
<a name="v1.10.0"></a>
|
|
2
52
|
### v1.10.0 (2018-02-19)
|
|
3
53
|
|
data/README.md
CHANGED
|
@@ -1,15 +1,12 @@
|
|
|
1
1
|
# OmniAuth SAML
|
|
2
2
|
|
|
3
3
|
[][gem]
|
|
4
|
-
[][codeclimate]
|
|
4
|
+
[](https://github.com/omniauth/omniauth-saml/actions/workflows/ruby.yml)
|
|
5
|
+
[][codeclimate]
|
|
7
6
|
[][coveralls]
|
|
8
7
|
|
|
9
8
|
[gem]: https://rubygems.org/gems/omniauth-saml
|
|
10
|
-
[
|
|
11
|
-
[gemnasium]: https://gemnasium.com/omniauth/omniauth-saml
|
|
12
|
-
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml
|
|
9
|
+
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml/maintainability
|
|
13
10
|
[coveralls]: https://coveralls.io/r/omniauth/omniauth-saml
|
|
14
11
|
|
|
15
12
|
A generic SAML strategy for OmniAuth available under the [MIT License](LICENSE.md)
|
|
@@ -19,7 +16,7 @@ https://github.com/omniauth/omniauth-saml
|
|
|
19
16
|
## Requirements
|
|
20
17
|
|
|
21
18
|
* [OmniAuth](http://www.omniauth.org/) 1.3+
|
|
22
|
-
* Ruby 2.
|
|
19
|
+
* Ruby 2.4.x+
|
|
23
20
|
|
|
24
21
|
## Versioning
|
|
25
22
|
|
|
@@ -33,10 +30,14 @@ Use the SAML strategy as a middleware in your application:
|
|
|
33
30
|
require 'omniauth'
|
|
34
31
|
use OmniAuth::Strategies::SAML,
|
|
35
32
|
:assertion_consumer_service_url => "consumer_service_url",
|
|
36
|
-
:
|
|
37
|
-
:
|
|
38
|
-
:
|
|
33
|
+
:sp_entity_id => "sp_entity_id",
|
|
34
|
+
:idp_sso_service_url => "idp_sso_service_url",
|
|
35
|
+
:idp_sso_service_url_runtime_params => {:original_request_param => :mapped_idp_param},
|
|
39
36
|
:idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
|
|
37
|
+
:idp_cert_multi => {
|
|
38
|
+
:signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
|
|
39
|
+
:encryption => []
|
|
40
|
+
}
|
|
40
41
|
:idp_cert_fingerprint => "E7:91:B2:E1:...",
|
|
41
42
|
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
|
|
42
43
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
@@ -56,17 +57,21 @@ and in `config/initializers/omniauth.rb`:
|
|
|
56
57
|
Rails.application.config.middleware.use OmniAuth::Builder do
|
|
57
58
|
provider :saml,
|
|
58
59
|
:assertion_consumer_service_url => "consumer_service_url",
|
|
59
|
-
:
|
|
60
|
-
:
|
|
61
|
-
:
|
|
60
|
+
:sp_entity_id => "rails-application",
|
|
61
|
+
:idp_sso_service_url => "idp_sso_service_url",
|
|
62
|
+
:idp_sso_service_url_runtime_params => {:original_request_param => :mapped_idp_param},
|
|
62
63
|
:idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
|
|
64
|
+
:idp_cert_multi => {
|
|
65
|
+
:signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
|
|
66
|
+
:encryption => []
|
|
67
|
+
}
|
|
63
68
|
:idp_cert_fingerprint => "E7:91:B2:E1:...",
|
|
64
69
|
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
|
|
65
70
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
66
71
|
end
|
|
67
72
|
```
|
|
68
73
|
|
|
69
|
-
For IdP-initiated SSO, users should directly access the IdP SSO
|
|
74
|
+
For IdP-initiated SSO, users should directly access the IdP SSO service URL. Set the `href` of your application's login link to the value of `idp_sso_service_url`. For SP-initiated SSO, link to `/auth/saml`.
|
|
70
75
|
|
|
71
76
|
A `OneLogin::RubySaml::Response` object is added to the `env['omniauth.auth']` extra attribute, so we can use it in the controller via `env['omniauth.auth'].extra.response_object`
|
|
72
77
|
|
|
@@ -82,13 +87,13 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
|
|
|
82
87
|
received. If not provided, defaults to the OmniAuth callback URL (typically
|
|
83
88
|
`http://example.com/auth/saml/callback`). Optional.
|
|
84
89
|
|
|
85
|
-
* `:
|
|
90
|
+
* `:sp_entity_id` - The name of your application. Some identity providers might need this
|
|
86
91
|
to establish the identity of the service provider requesting the login. **Required**.
|
|
87
92
|
|
|
88
|
-
* `:
|
|
93
|
+
* `:idp_sso_service_url` - The URL to which the authentication request should be sent.
|
|
89
94
|
This would be on the identity provider. **Required**.
|
|
90
95
|
|
|
91
|
-
* `:
|
|
96
|
+
* `:idp_slo_service_url` - The URL to which the single logout request and response should
|
|
92
97
|
be sent. This would be on the identity provider. Optional.
|
|
93
98
|
|
|
94
99
|
* `:idp_slo_session_destroy` - A proc that accepts up to two parameters (the rack environment, and the session),
|
|
@@ -100,23 +105,27 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
|
|
|
100
105
|
instance will be passed to this callable if it has an arity of 1. If the value is a string,
|
|
101
106
|
the string will be returned, when the `RelayState` is called. Optional.
|
|
102
107
|
|
|
103
|
-
* `:
|
|
108
|
+
* `:idp_sso_service_url_runtime_params` - A dynamic mapping of request params that exist
|
|
104
109
|
during the request phase of OmniAuth that should to be sent to the IdP after a specific
|
|
105
110
|
mapping. So for example, a param `original_request_param` with value `original_param_value`,
|
|
106
111
|
could be sent to the IdP on the login request as `mapped_idp_param` with value
|
|
107
112
|
`original_param_value`. Optional.
|
|
108
113
|
|
|
109
114
|
* `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
|
|
110
|
-
over the fingerprint option below. This option or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
115
|
+
over the fingerprint option below. This option or `:idp_cert_multi` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
111
116
|
be present.
|
|
117
|
+
|
|
118
|
+
* `:idp_cert_multi` - Multiple identity provider certificates in PEM format. Takes precedence
|
|
119
|
+
over the fingerprint option below. This option `:idp_cert` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
120
|
+
be present.
|
|
112
121
|
|
|
113
122
|
* `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g.
|
|
114
123
|
"90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
|
|
115
|
-
the relationship. This option or `:idp_cert` or `:idp_cert_fingerprint_validator` MUST be present.
|
|
124
|
+
the relationship. This option or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint_validator` MUST be present.
|
|
116
125
|
|
|
117
126
|
* `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter
|
|
118
127
|
(the fingerprint), verify if it is valid and return it if successful. This option
|
|
119
|
-
or `:idp_cert` or `:idp_cert_fingerprint` MUST be present.
|
|
128
|
+
or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint` MUST be present.
|
|
120
129
|
|
|
121
130
|
* `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
|
|
122
131
|
the username required by this application. If you need the email address, use
|
|
@@ -160,7 +169,7 @@ idp_metadata = idp_metadata_parser.parse_remote_to_hash("http://idp.example.com/
|
|
|
160
169
|
use OmniAuth::Strategies::SAML,
|
|
161
170
|
idp_metadata.merge(
|
|
162
171
|
:assertion_consumer_service_url => "consumer_service_url",
|
|
163
|
-
:
|
|
172
|
+
:sp_entity_id => "sp_entity_id"
|
|
164
173
|
)
|
|
165
174
|
```
|
|
166
175
|
|
|
@@ -176,7 +185,7 @@ In `config/initializers/devise.rb`:
|
|
|
176
185
|
Devise.setup do |config|
|
|
177
186
|
config.omniauth :saml,
|
|
178
187
|
idp_cert_fingerprint: 'fingerprint',
|
|
179
|
-
|
|
188
|
+
idp_sso_service_url: 'idp_sso_service_url'
|
|
180
189
|
end
|
|
181
190
|
```
|
|
182
191
|
|
|
@@ -186,7 +195,7 @@ Then follow Devise's general [OmniAuth tutorial](https://github.com/plataformate
|
|
|
186
195
|
|
|
187
196
|
Single Logout can be Service Provider initiated or Identity Provider initiated.
|
|
188
197
|
|
|
189
|
-
For SP initiated logout, the `
|
|
198
|
+
For SP initiated logout, the `idp_slo_service_url` option must be set to the logout url on the IdP,
|
|
190
199
|
and users directed to `user_saml_omniauth_authorize_path + '/spslo'` after logging out locally. For
|
|
191
200
|
IdP initiated logout, logout requests from the IdP should go to `/auth/saml/slo` (this can be
|
|
192
201
|
advertised in metadata by setting the `single_logout_service_url` config option).
|
|
@@ -194,7 +203,7 @@ advertised in metadata by setting the `single_logout_service_url` config option)
|
|
|
194
203
|
When using Devise as an authentication solution, the SP initiated flow can be integrated
|
|
195
204
|
in the `SessionsController#destroy` action.
|
|
196
205
|
|
|
197
|
-
For this to work it is important to preserve the `saml_uid` value before Devise
|
|
206
|
+
For this to work it is important to preserve the `saml_uid` and `saml_session_index` value before Devise
|
|
198
207
|
clears the session and redirect to the `/spslo` sub-path to initiate the single logout.
|
|
199
208
|
|
|
200
209
|
Example `destroy` action in `sessions_controller.rb`:
|
|
@@ -204,17 +213,19 @@ class SessionsController < Devise::SessionsController
|
|
|
204
213
|
# ...
|
|
205
214
|
|
|
206
215
|
def destroy
|
|
207
|
-
# Preserve the saml_uid in the session
|
|
208
|
-
saml_uid = session[
|
|
216
|
+
# Preserve the saml_uid and saml_session_index in the session
|
|
217
|
+
saml_uid = session['saml_uid']
|
|
218
|
+
saml_session_index = session['saml_session_index']
|
|
209
219
|
super do
|
|
210
|
-
session[
|
|
220
|
+
session['saml_uid'] = saml_uid
|
|
221
|
+
session['saml_session_index'] = saml_session_index
|
|
211
222
|
end
|
|
212
223
|
end
|
|
213
224
|
|
|
214
225
|
# ...
|
|
215
226
|
|
|
216
227
|
def after_sign_out_path_for(_)
|
|
217
|
-
if session['saml_uid'] && SAML_SETTINGS.
|
|
228
|
+
if session['saml_uid'] && session['saml_session_index'] && SAML_SETTINGS.idp_slo_service_url
|
|
218
229
|
user_saml_omniauth_authorize_path + "/spslo"
|
|
219
230
|
else
|
|
220
231
|
super
|
|
@@ -10,10 +10,10 @@ module OmniAuth
|
|
|
10
10
|
OmniAuth::Strategy.included(subclass)
|
|
11
11
|
end
|
|
12
12
|
|
|
13
|
-
|
|
13
|
+
RUBYSAML_RESPONSE_OPTIONS = OneLogin::RubySaml::Response::AVAILABLE_OPTIONS
|
|
14
14
|
|
|
15
15
|
option :name_identifier_format, nil
|
|
16
|
-
option :
|
|
16
|
+
option :idp_sso_service_url_runtime_params, {}
|
|
17
17
|
option :request_attributes, [
|
|
18
18
|
{ :name => 'email', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Email address' },
|
|
19
19
|
{ :name => 'name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Full name' },
|
|
@@ -177,7 +177,7 @@ module OmniAuth
|
|
|
177
177
|
end
|
|
178
178
|
|
|
179
179
|
def handle_logout_request(raw_request, settings)
|
|
180
|
-
logout_request = OneLogin::RubySaml::SloLogoutrequest.new(raw_request)
|
|
180
|
+
logout_request = OneLogin::RubySaml::SloLogoutrequest.new(raw_request, {}.merge(settings: settings).merge(get_params: @request.params))
|
|
181
181
|
|
|
182
182
|
if logout_request.is_valid? &&
|
|
183
183
|
logout_request.name_id == session["saml_uid"]
|
|
@@ -231,7 +231,7 @@ module OmniAuth
|
|
|
231
231
|
|
|
232
232
|
def options_for_response_object
|
|
233
233
|
# filter options to select only extra parameters
|
|
234
|
-
opts = options.select {|k,_|
|
|
234
|
+
opts = options.select {|k,_| RUBYSAML_RESPONSE_OPTIONS.include?(k.to_sym)}
|
|
235
235
|
|
|
236
236
|
# symbolize keys without activeSupport/symbolize_keys (ruby-saml use symbols)
|
|
237
237
|
opts.inject({}) do |new_hash, (key, value)|
|
|
@@ -264,7 +264,7 @@ module OmniAuth
|
|
|
264
264
|
end
|
|
265
265
|
|
|
266
266
|
def other_phase_for_spslo
|
|
267
|
-
if options.
|
|
267
|
+
if options.idp_slo_service_url
|
|
268
268
|
with_settings do |settings|
|
|
269
269
|
redirect(generate_logout_request(settings))
|
|
270
270
|
end
|
|
@@ -275,7 +275,7 @@ module OmniAuth
|
|
|
275
275
|
|
|
276
276
|
def add_request_attributes_to(settings)
|
|
277
277
|
settings.attribute_consuming_service.service_name options.attribute_service_name
|
|
278
|
-
settings.
|
|
278
|
+
settings.sp_entity_id = options.sp_entity_id
|
|
279
279
|
|
|
280
280
|
options.request_attributes.each do |attribute|
|
|
281
281
|
settings.attribute_consuming_service.add_attribute attribute
|
|
@@ -284,7 +284,7 @@ module OmniAuth
|
|
|
284
284
|
|
|
285
285
|
def additional_params_for_authn_request
|
|
286
286
|
{}.tap do |additional_params|
|
|
287
|
-
runtime_request_parameters = options.delete(:
|
|
287
|
+
runtime_request_parameters = options.delete(:idp_sso_service_url_runtime_params)
|
|
288
288
|
|
|
289
289
|
if runtime_request_parameters
|
|
290
290
|
runtime_request_parameters.each_pair do |request_param_key, mapped_param_key|
|
|
@@ -6,7 +6,7 @@ RSpec::Matchers.define :fail_with do |message|
|
|
|
6
6
|
end
|
|
7
7
|
end
|
|
8
8
|
|
|
9
|
-
def post_xml(xml
|
|
9
|
+
def post_xml(xml = :example_response, opts = {})
|
|
10
10
|
post "/auth/saml/callback", opts.merge({'SAMLResponse' => load_xml(xml)})
|
|
11
11
|
end
|
|
12
12
|
|
|
@@ -18,10 +18,10 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
18
18
|
{
|
|
19
19
|
:assertion_consumer_service_url => "http://localhost:9080/auth/saml/callback",
|
|
20
20
|
:single_logout_service_url => "http://localhost:9080/auth/saml/slo",
|
|
21
|
-
:
|
|
22
|
-
:
|
|
21
|
+
:idp_sso_service_url => "https://idp.sso.example.com/signon/29490",
|
|
22
|
+
:idp_slo_service_url => "https://idp.sso.example.com/signoff/29490",
|
|
23
23
|
:idp_cert_fingerprint => "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB",
|
|
24
|
-
:
|
|
24
|
+
:idp_sso_service_url_runtime_params => {:original_param_key => :mapped_param_key},
|
|
25
25
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
|
|
26
26
|
:request_attributes => [
|
|
27
27
|
{ :name => 'email', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Email address' },
|
|
@@ -34,10 +34,10 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
34
34
|
end
|
|
35
35
|
let(:strategy) { [OmniAuth::Strategies::SAML, saml_options] }
|
|
36
36
|
|
|
37
|
-
describe '
|
|
37
|
+
describe 'POST /auth/saml' do
|
|
38
38
|
context 'without idp runtime params present' do
|
|
39
39
|
before do
|
|
40
|
-
|
|
40
|
+
post '/auth/saml'
|
|
41
41
|
end
|
|
42
42
|
|
|
43
43
|
it 'should get authentication page' do
|
|
@@ -51,7 +51,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
51
51
|
|
|
52
52
|
context 'with idp runtime params' do
|
|
53
53
|
before do
|
|
54
|
-
|
|
54
|
+
post '/auth/saml', 'original_param_key' => 'original_param_value', 'mapped_param_key' => 'mapped_param_value'
|
|
55
55
|
end
|
|
56
56
|
|
|
57
57
|
it 'should get authentication page' do
|
|
@@ -71,7 +71,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
71
71
|
|
|
72
72
|
it 'should send the current callback_url as the assertion_consumer_service_url' do
|
|
73
73
|
%w(foo.example.com bar.example.com).each do |host|
|
|
74
|
-
|
|
74
|
+
post "https://#{host}/auth/saml"
|
|
75
75
|
|
|
76
76
|
expect(last_response).to be_redirect
|
|
77
77
|
|
|
@@ -89,7 +89,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
89
89
|
end
|
|
90
90
|
|
|
91
91
|
context 'when authn request signing is requested' do
|
|
92
|
-
subject {
|
|
92
|
+
subject { post '/auth/saml' }
|
|
93
93
|
|
|
94
94
|
let(:private_key) { OpenSSL::PKey::RSA.new 2048 }
|
|
95
95
|
|
|
@@ -306,7 +306,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
306
306
|
|
|
307
307
|
context "when response is a logout response" do
|
|
308
308
|
before :each do
|
|
309
|
-
saml_options[:
|
|
309
|
+
saml_options[:sp_entity_id] = "https://idp.sso.example.com/metadata/29490"
|
|
310
310
|
|
|
311
311
|
post "/auth/saml/slo", {
|
|
312
312
|
SAMLResponse: load_xml(:example_logout_response),
|
|
@@ -323,7 +323,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
323
323
|
subject { post "/auth/saml/slo", params, "rack.session" => { "saml_uid" => "username@example.com" } }
|
|
324
324
|
|
|
325
325
|
before :each do
|
|
326
|
-
saml_options[:
|
|
326
|
+
saml_options[:sp_entity_id] = "https://idp.sso.example.com/metadata/29490"
|
|
327
327
|
end
|
|
328
328
|
|
|
329
329
|
let(:params) do
|
|
@@ -392,8 +392,8 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
392
392
|
end
|
|
393
393
|
end
|
|
394
394
|
|
|
395
|
-
it "should give not implemented without an
|
|
396
|
-
saml_options.delete(:
|
|
395
|
+
it "should give not implemented without an idp_slo_service_url" do
|
|
396
|
+
saml_options.delete(:idp_slo_service_url)
|
|
397
397
|
post "/auth/saml/spslo"
|
|
398
398
|
|
|
399
399
|
expect(last_response.status).to eq 501
|
|
@@ -402,10 +402,10 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
402
402
|
end
|
|
403
403
|
end
|
|
404
404
|
|
|
405
|
-
describe '
|
|
405
|
+
describe 'POST /auth/saml/metadata' do
|
|
406
406
|
before do
|
|
407
|
-
saml_options[:
|
|
408
|
-
|
|
407
|
+
saml_options[:sp_entity_id] = 'http://example.com/SAML'
|
|
408
|
+
post '/auth/saml/metadata'
|
|
409
409
|
end
|
|
410
410
|
|
|
411
411
|
it 'should get SP metadata page' do
|
|
@@ -424,19 +424,19 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
424
424
|
end
|
|
425
425
|
|
|
426
426
|
context 'when hitting an unknown route in our sub path' do
|
|
427
|
-
before {
|
|
427
|
+
before { post '/auth/saml/unknown' }
|
|
428
428
|
|
|
429
429
|
specify { expect(last_response.status).to eql 404 }
|
|
430
430
|
end
|
|
431
431
|
|
|
432
432
|
context 'when hitting a completely unknown route' do
|
|
433
|
-
before {
|
|
433
|
+
before { post '/unknown' }
|
|
434
434
|
|
|
435
435
|
specify { expect(last_response.status).to eql 404 }
|
|
436
436
|
end
|
|
437
437
|
|
|
438
438
|
context 'when hitting a route that contains a substring match for the strategy name' do
|
|
439
|
-
before {
|
|
439
|
+
before { post '/auth/saml2/metadata' }
|
|
440
440
|
|
|
441
441
|
it 'should not set the strategy' do
|
|
442
442
|
expect(last_request.env['omniauth.strategy']).to be_nil
|
data/spec/spec_helper.rb
CHANGED
|
@@ -16,6 +16,7 @@ require 'base64'
|
|
|
16
16
|
TEST_LOGGER = Logger.new(StringIO.new)
|
|
17
17
|
OneLogin::RubySaml::Logging.logger = TEST_LOGGER
|
|
18
18
|
OmniAuth.config.logger = TEST_LOGGER
|
|
19
|
+
OmniAuth.config.request_validation_phase = proc {}
|
|
19
20
|
|
|
20
21
|
RSpec.configure do |config|
|
|
21
22
|
config.include Rack::Test::Methods
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 2.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Raecoo Cao
|
|
@@ -11,10 +11,10 @@ authors:
|
|
|
11
11
|
- Nikos Dimitrakopoulos
|
|
12
12
|
- Rudolf Vriend
|
|
13
13
|
- Bruno Pedro
|
|
14
|
-
autorequire:
|
|
14
|
+
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date:
|
|
17
|
+
date: 2022-03-01 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: omniauth
|
|
@@ -22,54 +22,42 @@ dependencies:
|
|
|
22
22
|
requirements:
|
|
23
23
|
- - "~>"
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
|
-
version: '
|
|
26
|
-
- - ">="
|
|
27
|
-
- !ruby/object:Gem::Version
|
|
28
|
-
version: 1.3.2
|
|
25
|
+
version: '2.0'
|
|
29
26
|
type: :runtime
|
|
30
27
|
prerelease: false
|
|
31
28
|
version_requirements: !ruby/object:Gem::Requirement
|
|
32
29
|
requirements:
|
|
33
30
|
- - "~>"
|
|
34
31
|
- !ruby/object:Gem::Version
|
|
35
|
-
version: '
|
|
36
|
-
- - ">="
|
|
37
|
-
- !ruby/object:Gem::Version
|
|
38
|
-
version: 1.3.2
|
|
32
|
+
version: '2.0'
|
|
39
33
|
- !ruby/object:Gem::Dependency
|
|
40
34
|
name: ruby-saml
|
|
41
35
|
requirement: !ruby/object:Gem::Requirement
|
|
42
36
|
requirements:
|
|
43
37
|
- - "~>"
|
|
44
38
|
- !ruby/object:Gem::Version
|
|
45
|
-
version: '1.
|
|
39
|
+
version: '1.12'
|
|
46
40
|
type: :runtime
|
|
47
41
|
prerelease: false
|
|
48
42
|
version_requirements: !ruby/object:Gem::Requirement
|
|
49
43
|
requirements:
|
|
50
44
|
- - "~>"
|
|
51
45
|
- !ruby/object:Gem::Version
|
|
52
|
-
version: '1.
|
|
46
|
+
version: '1.12'
|
|
53
47
|
- !ruby/object:Gem::Dependency
|
|
54
48
|
name: rake
|
|
55
49
|
requirement: !ruby/object:Gem::Requirement
|
|
56
50
|
requirements:
|
|
57
51
|
- - ">="
|
|
58
52
|
- !ruby/object:Gem::Version
|
|
59
|
-
version:
|
|
60
|
-
- - "<"
|
|
61
|
-
- !ruby/object:Gem::Version
|
|
62
|
-
version: '12'
|
|
53
|
+
version: 12.3.3
|
|
63
54
|
type: :development
|
|
64
55
|
prerelease: false
|
|
65
56
|
version_requirements: !ruby/object:Gem::Requirement
|
|
66
57
|
requirements:
|
|
67
58
|
- - ">="
|
|
68
59
|
- !ruby/object:Gem::Version
|
|
69
|
-
version:
|
|
70
|
-
- - "<"
|
|
71
|
-
- !ruby/object:Gem::Version
|
|
72
|
-
version: '12'
|
|
60
|
+
version: 12.3.3
|
|
73
61
|
- !ruby/object:Gem::Dependency
|
|
74
62
|
name: rspec
|
|
75
63
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -132,6 +120,20 @@ dependencies:
|
|
|
132
120
|
- - "~>"
|
|
133
121
|
- !ruby/object:Gem::Version
|
|
134
122
|
version: '1.2'
|
|
123
|
+
- !ruby/object:Gem::Dependency
|
|
124
|
+
name: coveralls
|
|
125
|
+
requirement: !ruby/object:Gem::Requirement
|
|
126
|
+
requirements:
|
|
127
|
+
- - ">="
|
|
128
|
+
- !ruby/object:Gem::Version
|
|
129
|
+
version: 0.8.23
|
|
130
|
+
type: :development
|
|
131
|
+
prerelease: false
|
|
132
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
133
|
+
requirements:
|
|
134
|
+
- - ">="
|
|
135
|
+
- !ruby/object:Gem::Version
|
|
136
|
+
version: 0.8.23
|
|
135
137
|
description: A generic SAML strategy for OmniAuth.
|
|
136
138
|
email: rajiv@alum.mit.edu
|
|
137
139
|
executables: []
|
|
@@ -151,7 +153,7 @@ homepage: https://github.com/omniauth/omniauth-saml
|
|
|
151
153
|
licenses:
|
|
152
154
|
- MIT
|
|
153
155
|
metadata: {}
|
|
154
|
-
post_install_message:
|
|
156
|
+
post_install_message:
|
|
155
157
|
rdoc_options: []
|
|
156
158
|
require_paths:
|
|
157
159
|
- lib
|
|
@@ -159,18 +161,17 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
159
161
|
requirements:
|
|
160
162
|
- - ">="
|
|
161
163
|
- !ruby/object:Gem::Version
|
|
162
|
-
version: '2.
|
|
164
|
+
version: '2.4'
|
|
163
165
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
164
166
|
requirements:
|
|
165
167
|
- - ">="
|
|
166
168
|
- !ruby/object:Gem::Version
|
|
167
169
|
version: '0'
|
|
168
170
|
requirements: []
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
signing_key:
|
|
171
|
+
rubygems_version: 3.2.32
|
|
172
|
+
signing_key:
|
|
172
173
|
specification_version: 4
|
|
173
174
|
summary: A generic SAML strategy for OmniAuth.
|
|
174
175
|
test_files:
|
|
175
|
-
- spec/spec_helper.rb
|
|
176
176
|
- spec/omniauth/strategies/saml_spec.rb
|
|
177
|
+
- spec/spec_helper.rb
|