omniauth-saml 1.7.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f00284ea5fdac55a5ea5cd48980d48e31534f07d
-  data.tar.gz: 2b0e57bbc925087f1bc0f2e50d95123b10767536
+  metadata.gz: 27f7eb61023b2810a4d90cad719720226d018107
+  data.tar.gz: 2e44a8f6da13660d0a32ddf08b1418f7c4122f1f
 SHA512:
-  metadata.gz: e9b49c5336256abad932cd797e884a221424574eb4bdeda60fabef9d9fd97cfde9b4910feb823bfd3f2a89b95cc05a3bc6f8eb19591e32f1b155dfac0c0a474b
-  data.tar.gz: 4cc832476d2f55e103cf138770f14175d9a193b06e9e58816f3ca5ea31e001acb02dfcc5246df07aad291efb67cf8b910cce601666ed258b353b523ba5f1c32b
+  metadata.gz: fa98d4ddc896effb77f572ab5222f4bb1db9f1c1dc03891a718db4a18b1144a25130ac9c1e1aee6772137b98fe117c3e38a71065f417743c5a050109f823f0c0
+  data.tar.gz: 692fb62fb8a14d99b700c9152ba02a7dcc17d8157c0f06e1b36565c41f69d265df87ff3603a302026e340755e9886a1358cb9e55acdbe87bab83682c09aa59b1

data/CHANGELOG.md

@@ -1,6 +1,16 @@
-<a name="v1.7.0"></a>
-### v1.7.0 (2016-09-18)
+<a name="v1.8.0"></a>
+### v1.8.0 (2017-06-07)
+
+
+#### Features
 
+* include SessionIndex in logout requests	 ([fb6ad86](/../../commit/fb6ad86))
+* Support for configurable IdP SLO session destruction	 ([586bf89](/../../commit/586bf89))
+* Add `uid_attribute` option to control the attribute used for the user id.	 ([eacc536](/../../commit/eacc536))
+
+
+<a name="v1.7.0"></a>
+### v1.7.0 (2016-10-19)
 
 #### Features
 
@@ -12,7 +22,6 @@
 
 * Update `ruby-saml` to 1.4.0 to address security fixes. ([638212](/../../commit/638212))
 
-
 <a name="v1.6.0"></a>
 ### v1.6.0 (2016-06-27)
 * Ensure that subclasses of `OmniAuth::Stategies::SAML` are registered with OmniAuth as strategies (https://github.com/omniauth/omniauth-saml/pull/95)

data/README.md

@@ -19,7 +19,7 @@ https://github.com/omniauth/omniauth-saml
 ## Requirements
 
 * [OmniAuth](http://www.omniauth.org/) 1.3+
-* Ruby 1.9.x or Ruby 2.1.x+
+* Ruby 2.1.x+
 
 ## Versioning
 
@@ -70,10 +70,12 @@ For IdP-initiated SSO, users should directly access the IdP SSO target URL. Set
 
 A `OneLogin::RubySaml::Response` object is added to the `env['omniauth.auth']` extra attribute, so we can use it in the controller via `env['omniauth.auth'].extra.response_object`
 
-## Metadata
+## SP Metadata
 
 The service provider metadata used to ease configuration of the SAML SP in the IdP can be retrieved from `http://example.com/auth/saml/metadata`. Send this URL to the administrator of the IdP.
 
+Note that when [integrating with Devise](#devise-integration), the URL path will be scoped according to the name of the Devise resource.  For example, if the app's user model calls `devise_for :users`, the metadata URL will be `http://example.com/users/auth/saml/metadata`.
+
 ## Options
 
 * `:assertion_consumer_service_url` - The URL at which the SAML assertion should be
@@ -89,6 +91,10 @@ The service provider metadata used to ease configuration of the SAML SP in the I
 * `:idp_slo_target_url` - The URL to which the single logout request and response should
   be sent. This would be on the identity provider. Optional.
 
+* `:idp_slo_session_destroy` - A proc that accepts up to two parameters (the rack environment, and the session),
+  and performs whatever tasks are necessary to log out the current user from your application.
+  See the example listed under "Single Logout." Defaults to calling `#clear` on the session. Optional.
+
 * `:slo_default_relay_state` - The value to use as default `RelayState` for single log outs. The
   value can be a string, or a `Proc` (or other object responding to `call`). The `request`
   instance will be passed to this callable if it has an arity of 1. If the value is a string,
@@ -135,8 +141,31 @@ The service provider metadata used to ease configuration of the SAML SP in the I
   *Note*: All attributes can also be found in an array under `auth_hash[:extra][:raw_info]`,
   so this setting should only be used to map attributes that are part of the OmniAuth info hash schema.
 
+* `:uid_attribute` - Attribute that uniquely identifies the user. If unset, the name identifier returned by the IdP is used.
+
 * See the `OneLogin::RubySaml::Settings` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for additional supported options.
 
+## IdP Metadata
+
+You can use the `OneLogin::RubySaml::IdpMetadataParser` to configure some options:
+
+```ruby
+require 'omniauth'
+idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+idp_metadata = idp_metadata_parser.parse_remote_to_hash("http://idp.example.com/saml/metadata")
+
+# or, if you have the metadata in a String:
+# idp_metadata = idp_metadata_parser.parse_to_hash(idp_metadata_xml)
+
+use OmniAuth::Strategies::SAML,
+  idp_metadata.merge(
+    :assertion_consumer_service_url => "consumer_service_url",
+    :issuer                         => "issuer"
+  )
+```
+
+See the [Ruby SAML gem's README](https://github.com/onelogin/ruby-saml#metadata-based-configuration) for more details.
+
 ## Devise Integration
 
 Straightforward integration with [Devise](https://github.com/plataformatec/devise), the widely-used authentication solution for Rails.
@@ -156,6 +185,12 @@ Then follow Devise's general [OmniAuth tutorial](https://github.com/plataformate
 ## Single Logout
 
 Single Logout can be Service Provider initiated or Identity Provider initiated.
+
+For SP initiated logout, the `idp_slo_target_url` option must be set to the logout url on the IdP,
+and users directed to `user_saml_omniauth_authorize_path + '/spslo'` after logging out locally. For
+IdP initiated logout, logout requests from the IdP should go to `/auth/saml/slo` (this can be
+advertised in metadata by setting the `single_logout_service_url` config option).
+
 When using Devise as an authentication solution, the SP initiated flow can be integrated
 in the `SessionsController#destroy` action.
 
@@ -173,12 +208,30 @@ class SessionsController < Devise::SessionsController
     saml_uid = session["saml_uid"]
     super do
       session["saml_uid"] = saml_uid
-      if SAML_SETTINGS.idp_slo_target_url
-        spslo_url = user_omniauth_authorize_url(:saml) + "/spslo"
-        redirect_to(spslo_url)
-      end
     end
   end
+
+  # ...
+
+  def after_sign_out_path_for(_)
+    if session['saml_uid'] && SAML_SETTINGS.idp_slo_target_url
+      user_saml_omniauth_authorize_path + "/spslo"
+    else
+      super
+    end
+  end
+end
+```
+
+By default, omniauth-saml attempts to log the current user out of your application by clearing the session.
+This may not be enough for some authentication solutions (e.g. [Clearance](https://github.com/thoughtbot/clearance/)).
+Instead, you may set the `:idp_slo_session_destroy` option to a proc that performs the necessary logout tasks.
+
+Example `:idp_slo_session_destroy` setting for Clearance compatibility:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :saml, idp_slo_session_destroy: proc { |env, _session| env[:clearance].sign_out }, ...
 end
 ```
 

data/lib/omniauth-saml/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module SAML
-    VERSION = '1.7.0'
+    VERSION = '1.8.0'
   end
 end

data/lib/omniauth/strategies/saml.rb

@@ -28,54 +28,30 @@ module OmniAuth
         last_name: ["last_name", "lastname", "lastName"]
       }
       option :slo_default_relay_state
+      option :uid_attribute
+      option :idp_slo_session_destroy, proc { |_env, session| session.clear }
 
       def request_phase
         options[:assertion_consumer_service_url] ||= callback_url
-        runtime_request_parameters = options.delete(:idp_sso_target_url_runtime_params)
-
-        additional_params = {}
-
-        if runtime_request_parameters
-          runtime_request_parameters.each_pair do |request_param_key, mapped_param_key|
-            additional_params[mapped_param_key] = request.params[request_param_key.to_s] if request.params.has_key?(request_param_key.to_s)
-          end
-        end
 
         authn_request = OneLogin::RubySaml::Authrequest.new
-        settings = OneLogin::RubySaml::Settings.new(options)
 
-        redirect(authn_request.create(settings, additional_params))
+        with_settings do |settings|
+          redirect(authn_request.create(settings, additional_params_for_authn_request))
+        end
       end
 
       def callback_phase
         raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing") unless request.params["SAMLResponse"]
 
-        # Call a fingerprint validation method if there's one
-        if options.idp_cert_fingerprint_validator
-          fingerprint_exists = options.idp_cert_fingerprint_validator[response_fingerprint]
-          unless fingerprint_exists
-            raise OmniAuth::Strategies::SAML::ValidationError.new("Non-existent fingerprint")
-          end
-          # id_cert_fingerprint becomes the given fingerprint if it exists
-          options.idp_cert_fingerprint = fingerprint_exists
-        end
-
-        settings = OneLogin::RubySaml::Settings.new(options)
-
-        # filter options to select only extra parameters
-        opts = options.select {|k,_| OTHER_REQUEST_OPTIONS.include?(k.to_sym)}
+        with_settings do |settings|
+          # Call a fingerprint validation method if there's one
+          validate_fingerprint(settings) if options.idp_cert_fingerprint_validator
 
-        # symbolize keys without activeSupport/symbolize_keys (ruby-saml use symbols)
-        opts =
-          opts.inject({}) do |new_hash, (key, value)|
-            new_hash[key.to_sym] = value
-            new_hash
+          handle_response(request.params["SAMLResponse"], options_for_response_object, settings) do
+            super
           end
-
-        handle_response(request.params["SAMLResponse"], opts, settings) do
-          super
         end
-
       rescue OmniAuth::Strategies::SAML::ValidationError
         fail!(:invalid_ticket, $!)
       rescue OneLogin::RubySaml::ValidationError
@@ -98,36 +74,13 @@ module OmniAuth
         if current_path.start_with?(request_path)
           @env['omniauth.strategy'] ||= self
           setup_phase
-          settings = OneLogin::RubySaml::Settings.new(options)
 
           if on_subpath?(:metadata)
-            # omniauth does not set the strategy on the other_phase
-            response = OneLogin::RubySaml::Metadata.new
-
-            if options.request_attributes.length > 0
-              settings.attribute_consuming_service.service_name options.attribute_service_name
-              settings.issuer = options.issuer
-
-              options.request_attributes.each do |attribute|
-                settings.attribute_consuming_service.add_attribute attribute
-              end
-            end
-
-            Rack::Response.new(response.generate(settings), 200, { "Content-Type" => "application/xml" }).finish
+            other_phase_for_metadata
           elsif on_subpath?(:slo)
-            if request.params["SAMLResponse"]
-              handle_logout_response(request.params["SAMLResponse"], settings)
-            elsif request.params["SAMLRequest"]
-              handle_logout_request(request.params["SAMLRequest"], settings)
-            else
-              raise OmniAuth::Strategies::SAML::ValidationError.new("SAML logout response/request missing")
-            end
+            other_phase_for_slo
           elsif on_subpath?(:spslo)
-            if options.idp_slo_target_url
-              redirect(generate_logout_request(settings))
-            else
-              Rack::Response.new("Not Implemented", 501, { "Content-Type" => "text/html" }).finish
-            end
+            other_phase_for_spslo
           else
             call_app!
           end
@@ -136,7 +89,17 @@ module OmniAuth
         end
       end
 
-      uid { @name_id }
+      uid do
+        if options.uid_attribute
+          ret = find_attribute_by([options.uid_attribute])
+          if ret.nil?
+            raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing '#{options.uid_attribute}' attribute")
+          end
+          ret
+        else
+          @name_id
+        end
+      end
 
       info do
         found_attributes = options.attribute_statements.map do |key, values|
@@ -147,7 +110,7 @@ module OmniAuth
         Hash[found_attributes]
       end
 
-      extra { { :raw_info => @attributes, :response_object =>  @response_object } }
+      extra { { :raw_info => @attributes, :session_index => @session_index, :response_object =>  @response_object } }
 
       def find_attribute_by(keys)
         keys.each do |key|
@@ -165,19 +128,17 @@ module OmniAuth
 
       def handle_response(raw_response, opts, settings)
         response = OneLogin::RubySaml::Response.new(raw_response, opts.merge(settings: settings))
-        response.attributes["fingerprint"] = options.idp_cert_fingerprint
+        response.attributes["fingerprint"] = settings.idp_cert_fingerprint
         response.soft = false
 
         response.is_valid?
         @name_id = response.name_id
+        @session_index = response.sessionindex
         @attributes = response.attributes
         @response_object = response
 
-        if @name_id.nil? || @name_id.empty?
-          raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing 'name_id'")
-        end
-
         session["saml_uid"] = @name_id
+        session["saml_session_index"] = @session_index
         yield
       end
 
@@ -208,6 +169,7 @@ module OmniAuth
 
         session.delete("saml_uid")
         session.delete("saml_transaction_id")
+        session.delete("saml_session_index")
 
         redirect(slo_relay_state)
       end
@@ -219,7 +181,7 @@ module OmniAuth
           logout_request.name_id == session["saml_uid"]
 
           # Actually log out this session
-          session.clear
+          options[:idp_slo_session_destroy].call @env, session
 
           # Generate a response to the IdP.
           logout_request_id = logout_request.id
@@ -242,8 +204,92 @@ module OmniAuth
           settings.name_identifier_value = session["saml_uid"]
         end
 
+        if settings.sessionindex.nil?
+          settings.sessionindex = session["saml_session_index"]
+        end
+
         logout_request.create(settings, RelayState: slo_relay_state)
       end
+
+      def with_settings
+        yield OneLogin::RubySaml::Settings.new(options)
+      end
+
+      def validate_fingerprint(settings)
+        fingerprint_exists = options.idp_cert_fingerprint_validator[response_fingerprint]
+
+        unless fingerprint_exists
+          raise OmniAuth::Strategies::SAML::ValidationError.new("Non-existent fingerprint")
+        end
+
+        # id_cert_fingerprint becomes the given fingerprint if it exists
+        settings.idp_cert_fingerprint = fingerprint_exists
+      end
+
+      def options_for_response_object
+        # filter options to select only extra parameters
+        opts = options.select {|k,_| OTHER_REQUEST_OPTIONS.include?(k.to_sym)}
+
+        # symbolize keys without activeSupport/symbolize_keys (ruby-saml use symbols)
+        opts.inject({}) do |new_hash, (key, value)|
+          new_hash[key.to_sym] = value
+          new_hash
+        end
+      end
+
+      def other_phase_for_metadata
+        with_settings do |settings|
+          # omniauth does not set the strategy on the other_phase
+          response = OneLogin::RubySaml::Metadata.new
+
+          add_request_attributes_to(settings) if options.request_attributes.length > 0
+
+          Rack::Response.new(response.generate(settings), 200, { "Content-Type" => "application/xml" }).finish
+        end
+      end
+
+      def other_phase_for_slo
+        with_settings do |settings|
+          if request.params["SAMLResponse"]
+            handle_logout_response(request.params["SAMLResponse"], settings)
+          elsif request.params["SAMLRequest"]
+            handle_logout_request(request.params["SAMLRequest"], settings)
+          else
+            raise OmniAuth::Strategies::SAML::ValidationError.new("SAML logout response/request missing")
+          end
+        end
+      end
+
+      def other_phase_for_spslo
+        if options.idp_slo_target_url
+          with_settings do |settings|
+            redirect(generate_logout_request(settings))
+          end
+        else
+          Rack::Response.new("Not Implemented", 501, { "Content-Type" => "text/html" }).finish
+        end
+      end
+
+      def add_request_attributes_to(settings)
+        settings.attribute_consuming_service.service_name options.attribute_service_name
+        settings.issuer = options.issuer
+
+        options.request_attributes.each do |attribute|
+          settings.attribute_consuming_service.add_attribute attribute
+        end
+      end
+
+      def additional_params_for_authn_request
+        {}.tap do |additional_params|
+          runtime_request_parameters = options.delete(:idp_sso_target_url_runtime_params)
+
+          if runtime_request_parameters
+            runtime_request_parameters.each_pair do |request_param_key, mapped_param_key|
+              additional_params[mapped_param_key] = request.params[request_param_key.to_s] if request.params.has_key?(request_param_key.to_s)
+            end
+          end
+        end
+      end
     end
   end
 end

data/spec/omniauth/strategies/saml_spec.rb

@@ -125,22 +125,35 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
     context "when fingerprint is empty and there's a fingerprint validator" do
       before :each do
         saml_options.delete(:idp_cert_fingerprint)
-        saml_options[:idp_cert_fingerprint_validator] = lambda { |fingerprint| "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB" }
-        post_xml
+        saml_options[:idp_cert_fingerprint_validator] = fingerprint_validator
       end
 
-      it "should set the uid to the nameID in the SAML response" do
-        expect(auth_hash['uid']).to eq '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
+      let(:fingerprint_validator) { lambda { |_| "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB" } }
+
+      context "when the fingerprint validator returns a truthy value" do
+        before { post_xml }
+
+        it "should set the uid to the nameID in the SAML response" do
+          expect(auth_hash['uid']).to eq '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
+        end
+
+        it "should set the raw info to all attributes" do
+          expect(auth_hash['extra']['raw_info'].all.to_hash).to eq(
+            'first_name'   => ['Rajiv'],
+            'last_name'    => ['Manglani'],
+            'email'        => ['user@example.com'],
+            'company_name' => ['Example Company'],
+            'fingerprint'  => 'C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB'
+          )
+        end
       end
 
-      it "should set the raw info to all attributes" do
-        expect(auth_hash['extra']['raw_info'].all.to_hash).to eq(
-          'first_name'   => ['Rajiv'],
-          'last_name'    => ['Manglani'],
-          'email'        => ['user@example.com'],
-          'company_name' => ['Example Company'],
-          'fingerprint'  => 'C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB'
-        )
+      context "when the fingerprint validator returns false" do
+        let(:fingerprint_validator) { lambda { |_| false } }
+
+        before { post_xml }
+
+        it { is_expected.to fail_with(:invalid_ticket) }
       end
     end
 
@@ -149,7 +162,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
         post '/auth/saml/callback'
       end
 
-      it { should fail_with(:invalid_ticket) }
+      it { is_expected.to fail_with(:invalid_ticket) }
     end
 
     context "when there is no name id in the XML" do
@@ -158,7 +171,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
         post_xml :no_name_id
       end
 
-      it { should fail_with(:invalid_ticket) }
+      it { is_expected.to fail_with(:invalid_ticket) }
     end
 
     context "when the fingerprint is invalid" do
@@ -167,7 +180,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
         post_xml
       end
 
-      it { should fail_with(:invalid_ticket) }
+      it { is_expected.to fail_with(:invalid_ticket) }
     end
 
     context "when the digest is invalid" do
@@ -175,7 +188,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
         post_xml :digest_mismatch
       end
 
-      it { should fail_with(:invalid_ticket) }
+      it { is_expected.to fail_with(:invalid_ticket) }
     end
 
     context "when the signature is invalid" do
@@ -183,7 +196,28 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
         post_xml :invalid_signature
       end
 
-      it { should fail_with(:invalid_ticket) }
+      it { is_expected.to fail_with(:invalid_ticket) }
+    end
+
+    context "when the response is stale" do
+      before :each do
+        allow(Time).to receive(:now).and_return(Time.utc(2012, 11, 8, 20, 45, 00))
+      end
+
+      context "without :allowed_clock_drift option" do
+        before { post_xml :example_response }
+
+        it { is_expected.to fail_with(:invalid_ticket) }
+      end
+
+      context "with :allowed_clock_drift option" do
+        before :each do
+          saml_options[:allowed_clock_drift] = 60
+          post_xml :example_response
+        end
+
+        it { is_expected.to_not fail_with(:invalid_ticket) }
+      end
     end
 
     context "when response has custom attributes" do
@@ -207,6 +241,31 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
       end
     end
 
+    context "when using custom user id attribute" do
+      before :each do
+        saml_options[:idp_cert_fingerprint] = "3B:82:F1:F5:54:FC:A8:FF:12:B8:4B:B8:16:61:1D:E4:8E:9B:E2:3C"
+        saml_options[:uid_attribute] = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+        post_xml :custom_attributes
+      end
+
+      it "should return user id attribute" do
+        expect(auth_hash[:uid]).to eq("user@example.com")
+      end
+    end
+
+    context "when using custom user id attribute, but it is missing" do
+      before :each do
+        saml_options[:uid_attribute] = "missing_attribute"
+        post_xml
+      end
+
+      it "should fail to authenticate" do
+        should fail_with(:invalid_ticket)
+        expect(last_request.env['omniauth.error']).to be_instance_of(OmniAuth::Strategies::SAML::ValidationError)
+        expect(last_request.env['omniauth.error'].message).to eq("SAML response missing 'missing_attribute' attribute")
+      end
+    end
+
     context "when response is a logout response" do
       before :each do
         saml_options[:issuer] = "https://idp.sso.example.com/metadata/29490"
@@ -223,18 +282,49 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
     end
 
     context "when request is a logout request" do
+      subject { post "/auth/saml/slo", params, "rack.session" => { "saml_uid" => "username@example.com" } }
+
       before :each do
         saml_options[:issuer] = "https://idp.sso.example.com/metadata/29490"
-        post "/auth/saml/slo", {
+      end
+
+      let(:params) do
+        {
           "SAMLRequest" => load_xml(:example_logout_request),
           "RelayState" => "https://example.com/",
-        }, "rack.session" => {"saml_uid" => "username@example.com"}
+        }
       end
 
-      it "should redirect to logout response" do
-        expect(last_response).to be_redirect
-        expect(last_response.location).to match /https:\/\/idp.sso.example.com\/signoff\/29490/
-        expect(last_response.location).to match /RelayState=https%3A%2F%2Fexample.com%2F/
+      context "when logout request is valid" do
+        before { subject }
+
+        it "should redirect to logout response" do
+          expect(last_response).to be_redirect
+          expect(last_response.location).to match /https:\/\/idp.sso.example.com\/signoff\/29490/
+          expect(last_response.location).to match /RelayState=https%3A%2F%2Fexample.com%2F/
+        end
+      end
+
+      context "when request is an invalid logout request" do
+        before :each do
+          allow_any_instance_of(OneLogin::RubySaml::SloLogoutrequest).to receive(:is_valid?).and_return(false)
+        end
+
+        # TODO: Maybe this should not raise an exception, but return some 4xx error instead?
+        it "should raise an exception" do
+          expect { subject }.
+            to raise_error(OmniAuth::Strategies::SAML::ValidationError, 'SAML failed to process LogoutRequest')
+        end
+      end
+
+      context "when request is a logout request but the request param is missing" do
+        let(:params) { {} }
+
+        # TODO: Maybe this should not raise an exception, but return a 422 error instead?
+        it 'should raise an exception' do
+          expect { subject }.
+            to raise_error(OmniAuth::Strategies::SAML::ValidationError, 'SAML logout response/request missing')
+        end
       end
     end
 
@@ -295,6 +385,18 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
     end
   end
 
+  context 'when hitting an unknown route in our sub path' do
+    before { get '/auth/saml/unknown' }
+
+    specify { expect(last_response.status).to eql 404 }
+  end
+
+  context 'when hitting a completely unknown route' do
+    before { get '/unknown' }
+
+    specify { expect(last_response.status).to eql 404 }
+  end
+
   describe 'subclass behavior' do
     it 'registers subclasses in OmniAuth.strategies' do
       subclass = Class.new(described_class)

data/spec/spec_helper.rb

@@ -1,14 +1,12 @@
-if RUBY_VERSION >= '1.9'
-  require 'simplecov'
+require 'simplecov'
 
-  if ENV['TRAVIS']
-    require 'coveralls'
-    Coveralls.wear!
-  end
-
-  SimpleCov.start
+if ENV['TRAVIS']
+  require 'coveralls'
+  Coveralls.wear!
 end
 
+SimpleCov.start
+
 require 'omniauth-saml'
 require 'rack/test'
 require 'rexml/document'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-saml
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Raecoo Cao
@@ -14,7 +14,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-10-19 00:00:00.000000000 Z
+date: 2017-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -37,6 +37,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.4'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.4.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -44,6 +47,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.4'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.4.3
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -153,7 +159,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="