omniauth-saml 1.6.0 → 1.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: dbc50594dcc8687f230341b090cf59c01c4398de
-  data.tar.gz: 7950589848f80e1016bf3651f45b53f7a22a5867
+  metadata.gz: f00284ea5fdac55a5ea5cd48980d48e31534f07d
+  data.tar.gz: 2b0e57bbc925087f1bc0f2e50d95123b10767536
 SHA512:
-  metadata.gz: 223bf2b718cd9bbede71929f931b4cb2b1ab4c3996ccfd6fea4e898d3f91a061f0e7f8453d0f1a97000901d727861055790461a3902211bcb26519b93c0cb1df
-  data.tar.gz: 735fb8c25ab720ea7a7d8cf53074bfde7aee7ed3554df78e523d964d714b03bde5209a399c28ad409cd204fe0a62f02b29bec5d8a065e6678d624d751cc5020e
+  metadata.gz: e9b49c5336256abad932cd797e884a221424574eb4bdeda60fabef9d9fd97cfde9b4910feb823bfd3f2a89b95cc05a3bc6f8eb19591e32f1b155dfac0c0a474b
+  data.tar.gz: 4cc832476d2f55e103cf138770f14175d9a193b06e9e58816f3ca5ea31e001acb02dfcc5246df07aad291efb67cf8b910cce601666ed258b353b523ba5f1c32b

data/CHANGELOG.md

@@ -1,14 +1,25 @@
-# OmniAuth SAML Version History
+<a name="v1.7.0"></a>
+### v1.7.0 (2016-09-18)
 
-A generic SAML strategy for OmniAuth.
 
-https://github.com/omniauth/omniauth-saml
+#### Features
 
-## 1.6.0 (2016-06-27)
+* Support for Single Logout	 ([cd3fc43](/../../commit/cd3fc43))
+* Add issuer information to the metadata endpoint, to allow IdPs to properly configure themselves.	 ([7bbbb67](/../../commit/7bbbb67))
+* Added the response object to the extra['response_object'], so we can use the raw response object if we want to.	 ([76ed3d6](/../../commit/76ed3d6))
+
+#### Chores
+
+* Update `ruby-saml` to 1.4.0 to address security fixes. ([638212](/../../commit/638212))
+
+
+<a name="v1.6.0"></a>
+### v1.6.0 (2016-06-27)
 * Ensure that subclasses of `OmniAuth::Stategies::SAML` are registered with OmniAuth as strategies (https://github.com/omniauth/omniauth-saml/pull/95)
 * Update ruby-saml to 1.3 to address [CVE-2016-5697](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697) (Signature wrapping attacks)
 
-## 1.5.0 (2016-02-25)
+<a name="v1.5.0"></a>
+### v1.5.0 (2016-02-25)
 
 * Initialize OneLogin::RubySaml::Response instance with settings
 * Adding "settings" to Response Class at initialization to handle signing verification
@@ -18,56 +29,67 @@ https://github.com/omniauth/omniauth-saml
 * Call validation earlier to get real error instead of 'response missing name_id'
 * Avoid mutation of the options hash during requests and callbacks
 
-## 1.4.2 (2016-02-09)
+<a name="v1.4.2"></a>
+### v1.4.2 (2016-02-09)
 
 * update ruby-saml to 1.1
 
-## 1.4.1 (2015-08-09)
+<a name="v1.4.1"></a>
+### v1.4.1 (2015-08-09)
 
 * Configurable attribute_consuming_service
 
-## 1.4.0 (2015-07-23)
+<a name="v1.4.0"></a>
+### v1.4.0 (2015-07-23)
 
 * update ruby-saml to 1.0.0
 
-## 1.3.1 (2015-02-26)
+<a name="v1.3.1"></a>
+### v1.3.1 (2015-02-26)
 
 * Added missing fingerprint key check
 * Expose fingerprint on the auth_hash
 
-## 1.3.0 (2015-01-23)
+<a name="v1.3.0"></a>
+### v1.3.0 (2015-01-23)
 
 * add `idp_cert_fingerprint_validator` option
 
-## 1.2.0 (2014-03-19)
+<a name="v1.2.0"></a>
+### v1.2.0 (2014-03-19)
 
 * provide SP metadata at `/auth/saml/metadata`
 
-## 1.1.0 (2013-11-07)
+<a name="v1.1.0"></a>
+### v1.1.0 (2013-11-07)
 
 * no longer set a default `name_identifier_format`
 * pass strategy options to the underlying ruby-saml library
 * fallback to omniauth callback url if `assertion_consumer_service_url` is not set
 * add `idp_sso_target_url_runtime_params` option
 
-## 1.0.0 (2012-11-12)
+<a name="v1.0.0"></a>
+### v1.0.0 (2012-11-12)
 
 * remove SAML code and port to ruby-saml gem
 * fix incompatibility with OmniAuth 1.1
 
-## 0.9.2 (2012-03-30)
+<a name="v0.9.2"></a>
+### v0.9.2 (2012-03-30)
 
 * validate the SAML response
 * 100% test coverage
 * now requires ruby 1.9.2+
 
-## 0.9.1 (2012-02-23)
+<a name="v0.9.1"></a>
+### v0.9.1 (2012-02-23)
 
 * return first and last name in the info hash
 * no longer use LDAP OIDs for name and email selection
 * return SAML attributes as the omniauth raw_info hash
 
-## 0.9.0 (2012-02-14)
+<a name="v0.9.0"></a>
+### v0.9.0 (2012-02-14)
 
 * initial release
 * extracts commits from omniauth 0-3-stable branch

data/README.md

@@ -68,6 +68,8 @@ end
 
 For IdP-initiated SSO, users should directly access the IdP SSO target URL. Set the `href` of your application's login link to the value of `idp_sso_target_url`. For SP-initiated SSO, link to `/auth/saml`.
 
+A `OneLogin::RubySaml::Response` object is added to the `env['omniauth.auth']` extra attribute, so we can use it in the controller via `env['omniauth.auth'].extra.response_object`
+
 ## Metadata
 
 The service provider metadata used to ease configuration of the SAML SP in the IdP can be retrieved from `http://example.com/auth/saml/metadata`. Send this URL to the administrator of the IdP.
@@ -84,6 +86,14 @@ The service provider metadata used to ease configuration of the SAML SP in the I
 * `:idp_sso_target_url` - The URL to which the authentication request should be sent.
   This would be on the identity provider. **Required**.
 
+* `:idp_slo_target_url` - The URL to which the single logout request and response should
+  be sent. This would be on the identity provider. Optional.
+
+* `:slo_default_relay_state` - The value to use as default `RelayState` for single log outs. The
+  value can be a string, or a `Proc` (or other object responding to `call`). The `request`
+  instance will be passed to this callable if it has an arity of 1. If the value is a string,
+  the string will be returned, when the `RelayState` is called. Optional.
+
 * `:idp_sso_target_url_runtime_params` - A dynamic mapping of request params that exist
   during the request phase of OmniAuth that should to be sent to the IdP after a specific
   mapping. So for example, a param `original_request_param` with value `original_param_value`,
@@ -143,6 +153,35 @@ end
 
 Then follow Devise's general [OmniAuth tutorial](https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview), replacing references to `facebook` with `saml`.
 
+## Single Logout
+
+Single Logout can be Service Provider initiated or Identity Provider initiated.
+When using Devise as an authentication solution, the SP initiated flow can be integrated
+in the `SessionsController#destroy` action.
+
+For this to work it is important to preserve the `saml_uid` value before Devise
+clears the session and redirect to the `/spslo` sub-path to initiate the single logout.
+
+Example `destroy` action in `sessions_controller.rb`:
+
+```ruby
+class SessionsController < Devise::SessionsController
+  # ...
+
+  def destroy
+    # Preserve the saml_uid in the session
+    saml_uid = session["saml_uid"]
+    super do
+      session["saml_uid"] = saml_uid
+      if SAML_SETTINGS.idp_slo_target_url
+        spslo_url = user_omniauth_authorize_url(:saml) + "/spslo"
+        redirect_to(spslo_url)
+      end
+    end
+  end
+end
+```
+
 ## Authors
 
 Authored by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/), Raecoo Cao, Todd W Saxton, Ryan Wilcox, Steven Anderson, Nikos Dimitrakopoulos, Rudolf Vriend and [Bruno Pedro](http://brunopedro.com/).

data/lib/omniauth-saml/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module SAML
-    VERSION = '1.6.0'
+    VERSION = '1.7.0'
   end
 end

data/lib/omniauth/strategies/saml.rb

@@ -27,15 +27,19 @@ module OmniAuth
         first_name: ["first_name", "firstname", "firstName"],
         last_name: ["last_name", "lastname", "lastName"]
       }
+      option :slo_default_relay_state
 
       def request_phase
         options[:assertion_consumer_service_url] ||= callback_url
         runtime_request_parameters = options.delete(:idp_sso_target_url_runtime_params)
 
         additional_params = {}
-        runtime_request_parameters.each_pair do |request_param_key, mapped_param_key|
-          additional_params[mapped_param_key] = request.params[request_param_key.to_s] if request.params.has_key?(request_param_key.to_s)
-        end if runtime_request_parameters
+
+        if runtime_request_parameters
+          runtime_request_parameters.each_pair do |request_param_key, mapped_param_key|
+            additional_params[mapped_param_key] = request.params[request_param_key.to_s] if request.params.has_key?(request_param_key.to_s)
+          end
+        end
 
         authn_request = OneLogin::RubySaml::Authrequest.new
         settings = OneLogin::RubySaml::Settings.new(options)
@@ -44,9 +48,7 @@ module OmniAuth
       end
 
       def callback_phase
-        unless request.params['SAMLResponse']
-          raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing")
-        end
+        raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing") unless request.params["SAMLResponse"]
 
         # Call a fingerprint validation method if there's one
         if options.idp_cert_fingerprint_validator
@@ -59,29 +61,21 @@ module OmniAuth
         end
 
         settings = OneLogin::RubySaml::Settings.new(options)
+
         # filter options to select only extra parameters
         opts = options.select {|k,_| OTHER_REQUEST_OPTIONS.include?(k.to_sym)}
+
         # symbolize keys without activeSupport/symbolize_keys (ruby-saml use symbols)
         opts =
           opts.inject({}) do |new_hash, (key, value)|
             new_hash[key.to_sym] = value
             new_hash
           end
-        response = OneLogin::RubySaml::Response.new(request.params['SAMLResponse'], opts.merge(settings: settings))
-        response.attributes['fingerprint'] = options.idp_cert_fingerprint
-
-        # will raise an error since we are not in soft mode
-        response.soft = false
-        response.is_valid?
-
-        @name_id = response.name_id
-        @attributes = response.attributes
 
-        if @name_id.nil? || @name_id.empty?
-          raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing 'name_id'")
+        handle_response(request.params["SAMLResponse"], opts, settings) do
+          super
         end
 
-        super
       rescue OmniAuth::Strategies::SAML::ValidationError
         fail!(:invalid_ticket, $!)
       rescue OneLogin::RubySaml::ValidationError
@@ -90,7 +84,7 @@ module OmniAuth
 
       # Obtain an idp certificate fingerprint from the response.
       def response_fingerprint
-        response = request.params['SAMLResponse']
+        response = request.params["SAMLResponse"]
         response = (response =~ /^</) ? response : Base64.decode64(response)
         document = XMLSecurity::SignedDocument::new(response)
         cert_element = REXML::XPath.first(document, "//ds:X509Certificate", { "ds"=> 'http://www.w3.org/2000/09/xmldsig#' })
@@ -100,25 +94,43 @@ module OmniAuth
         Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(':')
       end
 
-      def on_metadata_path?
-        on_path?("#{request_path}/metadata")
-      end
-
       def other_phase
-        if on_metadata_path?
-          # omniauth does not set the strategy on the other_phase
+        if current_path.start_with?(request_path)
           @env['omniauth.strategy'] ||= self
           setup_phase
-
-          response = OneLogin::RubySaml::Metadata.new
           settings = OneLogin::RubySaml::Settings.new(options)
-          if options.request_attributes.length > 0
-            settings.attribute_consuming_service.service_name options.attribute_service_name
-            options.request_attributes.each do |attribute|
-              settings.attribute_consuming_service.add_attribute attribute
+
+          if on_subpath?(:metadata)
+            # omniauth does not set the strategy on the other_phase
+            response = OneLogin::RubySaml::Metadata.new
+
+            if options.request_attributes.length > 0
+              settings.attribute_consuming_service.service_name options.attribute_service_name
+              settings.issuer = options.issuer
+
+              options.request_attributes.each do |attribute|
+                settings.attribute_consuming_service.add_attribute attribute
+              end
             end
+
+            Rack::Response.new(response.generate(settings), 200, { "Content-Type" => "application/xml" }).finish
+          elsif on_subpath?(:slo)
+            if request.params["SAMLResponse"]
+              handle_logout_response(request.params["SAMLResponse"], settings)
+            elsif request.params["SAMLRequest"]
+              handle_logout_request(request.params["SAMLRequest"], settings)
+            else
+              raise OmniAuth::Strategies::SAML::ValidationError.new("SAML logout response/request missing")
+            end
+          elsif on_subpath?(:spslo)
+            if options.idp_slo_target_url
+              redirect(generate_logout_request(settings))
+            else
+              Rack::Response.new("Not Implemented", 501, { "Content-Type" => "text/html" }).finish
+            end
+          else
+            call_app!
           end
-          Rack::Response.new(response.generate(settings), 200, { "Content-Type" => "application/xml" }).finish
         else
           call_app!
         end
@@ -135,7 +147,7 @@ module OmniAuth
         Hash[found_attributes]
       end
 
-      extra { { :raw_info => @attributes } }
+      extra { { :raw_info => @attributes, :response_object =>  @response_object } }
 
       def find_attribute_by(keys)
         keys.each do |key|
@@ -144,6 +156,94 @@ module OmniAuth
 
         nil
       end
+
+      private
+
+      def on_subpath?(subpath)
+        on_path?("#{request_path}/#{subpath}")
+      end
+
+      def handle_response(raw_response, opts, settings)
+        response = OneLogin::RubySaml::Response.new(raw_response, opts.merge(settings: settings))
+        response.attributes["fingerprint"] = options.idp_cert_fingerprint
+        response.soft = false
+
+        response.is_valid?
+        @name_id = response.name_id
+        @attributes = response.attributes
+        @response_object = response
+
+        if @name_id.nil? || @name_id.empty?
+          raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing 'name_id'")
+        end
+
+        session["saml_uid"] = @name_id
+        yield
+      end
+
+      def slo_relay_state
+        if request.params.has_key?("RelayState") && request.params["RelayState"] != ""
+          request.params["RelayState"]
+        else
+          slo_default_relay_state = options.slo_default_relay_state
+          if slo_default_relay_state.respond_to?(:call)
+            if slo_default_relay_state.arity == 1
+              slo_default_relay_state.call(request)
+            else
+              slo_default_relay_state.call
+            end
+          else
+            slo_default_relay_state
+          end
+        end
+      end
+
+      def handle_logout_response(raw_response, settings)
+        # After sending an SP initiated LogoutRequest to the IdP, we need to accept
+        # the LogoutResponse, verify it, then actually delete our session.
+
+        logout_response = OneLogin::RubySaml::Logoutresponse.new(raw_response, settings, :matches_request_id => session["saml_transaction_id"])
+        logout_response.soft = false
+        logout_response.validate
+
+        session.delete("saml_uid")
+        session.delete("saml_transaction_id")
+
+        redirect(slo_relay_state)
+      end
+
+      def handle_logout_request(raw_request, settings)
+        logout_request = OneLogin::RubySaml::SloLogoutrequest.new(raw_request)
+
+        if logout_request.is_valid? &&
+          logout_request.name_id == session["saml_uid"]
+
+          # Actually log out this session
+          session.clear
+
+          # Generate a response to the IdP.
+          logout_request_id = logout_request.id
+          logout_response = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request_id, nil, RelayState: slo_relay_state)
+          redirect(logout_response)
+        else
+          raise OmniAuth::Strategies::SAML::ValidationError.new("SAML failed to process LogoutRequest")
+        end
+      end
+
+      # Create a SP initiated SLO: https://github.com/onelogin/ruby-saml#single-log-out
+      def generate_logout_request(settings)
+        logout_request = OneLogin::RubySaml::Logoutrequest.new()
+
+        # Since we created a new SAML request, save the transaction_id
+        # to compare it with the response we get back
+        session["saml_transaction_id"] = logout_request.uuid
+
+        if settings.name_identifier_value.nil?
+          settings.name_identifier_value = session["saml_uid"]
+        end
+
+        logout_request.create(settings, RelayState: slo_relay_state)
+      end
     end
   end
 end

data/spec/omniauth/strategies/saml_spec.rb

@@ -6,8 +6,8 @@ RSpec::Matchers.define :fail_with do |message|
   end
 end
 
-def post_xml(xml=:example_response)
-  post "/auth/saml/callback", {'SAMLResponse' => load_xml(xml)}
+def post_xml(xml=:example_response, opts = {})
+  post "/auth/saml/callback", opts.merge({'SAMLResponse' => load_xml(xml)})
 end
 
 describe OmniAuth::Strategies::SAML, :type => :strategy do
@@ -17,7 +17,9 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
   let(:saml_options) do
     {
       :assertion_consumer_service_url     => "http://localhost:9080/auth/saml/callback",
+      :single_logout_service_url          => "http://localhost:9080/auth/saml/slo",
       :idp_sso_target_url                 => "https://idp.sso.example.com/signon/29490",
+      :idp_slo_target_url                 => "https://idp.sso.example.com/signoff/29490",
       :idp_cert_fingerprint               => "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB",
       :idp_sso_target_url_runtime_params  => {:original_param_key => :mapped_param_key},
       :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
@@ -39,11 +41,11 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
       end
 
       it 'should get authentication page' do
-        last_response.should be_redirect
-        last_response.location.should match /https:\/\/idp.sso.example.com\/signon\/29490/
-        last_response.location.should match /\?SAMLRequest=/
-        last_response.location.should_not match /mapped_param_key/
-        last_response.location.should_not match /original_param_key/
+        expect(last_response).to be_redirect
+        expect(last_response.location).to match /https:\/\/idp.sso.example.com\/signon\/29490/
+        expect(last_response.location).to match /\?SAMLRequest=/
+        expect(last_response.location).not_to match /mapped_param_key/
+        expect(last_response.location).not_to match /original_param_key/
       end
     end
 
@@ -53,11 +55,11 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
       end
 
       it 'should get authentication page' do
-        last_response.should be_redirect
-        last_response.location.should match /https:\/\/idp.sso.example.com\/signon\/29490/
-        last_response.location.should match /\?SAMLRequest=/
-        last_response.location.should match /\&mapped_param_key=original_param_value/
-        last_response.location.should_not match /original_param_key/
+        expect(last_response).to be_redirect
+        expect(last_response.location).to match /https:\/\/idp.sso.example.com\/signon\/29490/
+        expect(last_response.location).to match /\?SAMLRequest=/
+        expect(last_response.location).to match /\&mapped_param_key=original_param_value/
+        expect(last_response.location).not_to match /original_param_key/
       end
     end
 
@@ -71,17 +73,17 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
         %w(foo.example.com bar.example.com).each do |host|
           get "https://#{host}/auth/saml"
 
-          last_response.should be_redirect
+          expect(last_response).to be_redirect
 
           location = URI.parse(last_response.location)
           query = Rack::Utils.parse_query location.query
-          query.should have_key('SAMLRequest')
+          expect(query).to have_key('SAMLRequest')
 
           request = REXML::Document.new(Base64.decode64(query['SAMLRequest']))
-          request.root.should_not be_nil
+          expect(request.root).not_to be_nil
 
           acs = request.root.attributes.get_attribute('AssertionConsumerServiceURL')
-          acs.to_s.should == "https://#{host}/auth/saml/callback"
+          expect(acs.to_s).to eq "https://#{host}/auth/saml/callback"
         end
       end
     end
@@ -93,7 +95,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
     let(:xml) { :example_response }
 
     before :each do
-      Time.stub(:now).and_return(Time.utc(2012, 11, 8, 20, 40, 00))
+      allow(Time).to receive(:now).and_return(Time.utc(2012, 11, 8, 20, 40, 00))
     end
 
     context "when the response is valid" do
@@ -102,17 +104,21 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
       end
 
       it "should set the uid to the nameID in the SAML response" do
-        auth_hash['uid'].should == '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
+        expect(auth_hash['uid']).to eq '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
       end
 
       it "should set the raw info to all attributes" do
-        auth_hash['extra']['raw_info'].all.to_hash.should == {
+        expect(auth_hash['extra']['raw_info'].all.to_hash).to eq(
           'first_name'   => ['Rajiv'],
           'last_name'    => ['Manglani'],
           'email'        => ['user@example.com'],
           'company_name' => ['Example Company'],
           'fingerprint'  => saml_options[:idp_cert_fingerprint]
-        }
+        )
+      end
+
+      it "should set the response_object to the response object from ruby_saml response" do
+        expect(auth_hash['extra']['response_object']).to be_kind_of(OneLogin::RubySaml::Response)
       end
     end
 
@@ -124,17 +130,17 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
       end
 
       it "should set the uid to the nameID in the SAML response" do
-        auth_hash['uid'].should == '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
+        expect(auth_hash['uid']).to eq '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
       end
 
       it "should set the raw info to all attributes" do
-        auth_hash['extra']['raw_info'].all.to_hash.should == {
+        expect(auth_hash['extra']['raw_info'].all.to_hash).to eq(
           'first_name'   => ['Rajiv'],
           'last_name'    => ['Manglani'],
           'email'        => ['user@example.com'],
           'company_name' => ['Example Company'],
           'fingerprint'  => 'C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB'
-        }
+        )
       end
     end
 
@@ -148,6 +154,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
 
     context "when there is no name id in the XML" do
       before :each do
+        allow(Time).to receive(:now).and_return(Time.utc(2012, 11, 8, 23, 55, 00))
         post_xml :no_name_id
       end
 
@@ -191,38 +198,103 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
       end
 
       it "should obey attribute statements mapping" do
-        auth_hash[:info].should == {
+        expect(auth_hash[:info]).to eq(
           'first_name'   => 'Rajiv',
           'last_name'    => 'Manglani',
           'email'        => 'user@example.com',
           'name'         => nil
-        }
+        )
+      end
+    end
+
+    context "when response is a logout response" do
+      before :each do
+        saml_options[:issuer] = "https://idp.sso.example.com/metadata/29490"
+
+        post "/auth/saml/slo", {
+          SAMLResponse: load_xml(:example_logout_response),
+          RelayState: "https://example.com/",
+        }, "rack.session" => {"saml_transaction_id" => "_3fef1069-d0c6-418a-b68d-6f008a4787e9"}
+      end
+      it "should redirect to relaystate" do
+        expect(last_response).to be_redirect
+        expect(last_response.location).to match /https:\/\/example.com\//
+      end
+    end
+
+    context "when request is a logout request" do
+      before :each do
+        saml_options[:issuer] = "https://idp.sso.example.com/metadata/29490"
+        post "/auth/saml/slo", {
+          "SAMLRequest" => load_xml(:example_logout_request),
+          "RelayState" => "https://example.com/",
+        }, "rack.session" => {"saml_uid" => "username@example.com"}
+      end
+
+      it "should redirect to logout response" do
+        expect(last_response).to be_redirect
+        expect(last_response.location).to match /https:\/\/idp.sso.example.com\/signoff\/29490/
+        expect(last_response.location).to match /RelayState=https%3A%2F%2Fexample.com%2F/
+      end
+    end
+
+    context "when sp initiated SLO" do
+      def test_default_relay_state(static_default_relay_state = nil, &block_default_relay_state)
+        saml_options["slo_default_relay_state"] = static_default_relay_state || block_default_relay_state
+        post "/auth/saml/spslo"
+
+        expect(last_response).to be_redirect
+        expect(last_response.location).to match /https:\/\/idp.sso.example.com\/signoff\/29490/
+        expect(last_response.location).to match /RelayState=https%3A%2F%2Fexample.com%2F/
+      end
+
+      it "should redirect to logout request" do
+        test_default_relay_state("https://example.com/")
+      end
+
+      it "should redirect to logout request with a block" do
+        test_default_relay_state do
+          "https://example.com/"
+        end
+      end
+
+      it "should redirect to logout request with a block with a request parameter" do
+        test_default_relay_state do |request|
+          "https://example.com/"
+        end
+      end
+
+      it "should give not implemented without an idp_slo_target_url" do
+        saml_options.delete(:idp_slo_target_url)
+        post "/auth/saml/spslo"
+
+        expect(last_response.status).to eq 501
+        expect(last_response.body).to match /Not Implemented/
       end
     end
   end
 
   describe 'GET /auth/saml/metadata' do
     before do
+      saml_options[:issuer] = 'http://example.com/SAML'
       get '/auth/saml/metadata'
     end
 
     it 'should get SP metadata page' do
-      last_response.status.should == 200
-      last_response.header["Content-Type"].should == "application/xml"
+      expect(last_response.status).to eq 200
+      expect(last_response.header["Content-Type"]).to eq "application/xml"
     end
 
     it 'should configure attributes consuming service' do
-      last_response.body.should match /AttributeConsumingService/
-      last_response.body.should match /first_name/
-      last_response.body.should match /last_name/
-      last_response.body.should match /Required attributes/
+      expect(last_response.body).to match /AttributeConsumingService/
+      expect(last_response.body).to match /first_name/
+      expect(last_response.body).to match /last_name/
+      expect(last_response.body).to match /Required attributes/
+      expect(last_response.body).to match /entityID/
+      expect(last_response.body).to match /http:\/\/example.com\/SAML/
     end
   end
 
-  it 'implements #on_metadata_path?' do
-    expect(described_class.new(nil)).to respond_to(:on_metadata_path?)
-  end
-
   describe 'subclass behavior' do
     it 'registers subclasses in OmniAuth.strategies' do
       subclass = Class.new(described_class)

data/spec/spec_helper.rb

@@ -15,6 +15,10 @@ require 'rexml/document'
 require 'rexml/xpath'
 require 'base64'
 
+TEST_LOGGER = Logger.new(StringIO.new)
+OneLogin::RubySaml::Logging.logger = TEST_LOGGER
+OmniAuth.config.logger = TEST_LOGGER
+
 RSpec.configure do |config|
   config.include Rack::Test::Methods
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-saml
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.7.0
 platform: ruby
 authors:
 - Raecoo Cao
@@ -14,7 +14,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-06-27 00:00:00.000000000 Z
+date: 2016-10-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -36,14 +36,34 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '1.4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '1.4'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '10'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '10'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '12'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -92,6 +112,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.6.3
+- !ruby/object:Gem::Dependency
+  name: conventional-changelog
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
 description: A generic SAML strategy for OmniAuth.
 email: rajiv@alum.mit.edu
 executables: []