omniauth-saml 2.2.3 → 2.2.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 74e6f8ffd71deca8c0cf5a47561df7c878b200af810dbf893f89677eb49da313
-  data.tar.gz: 217c895d6d946983062dc1f66f362f98aa394c94a8f0267e69e2af9f1555cbc4
+  metadata.gz: 7d346f41f4069110547ddd73e4d9f7b23196d8519871da44f0eb42f2176c5fe6
+  data.tar.gz: 7451c766a513d52948fc07e0ac971e6e5d1b4392d822991444db38d72a66c835
 SHA512:
-  metadata.gz: '0825de571d12121384accff0a106c4d76420308d007698632dd2661f030942cc4ed570e649f8b455ddcf2340d9109d26422de44ec3eb36f06978b732023409b4'
-  data.tar.gz: 5229a183ad1d335f01b9de5111293925d5be4d8e461de89e2d5f4924a14939eb4286fe4d307af7c7e5db2b126a0ff495a0c3c9ba064f6d430624f207c25119df
+  metadata.gz: f93c043e99ccd8521877c45d2627cc87a150c42fb086b394172be4a12d02c28b816fec390810f934bdf10b07f68049ee222d15dc2a1e50e623e155b90951fca1
+  data.tar.gz: ae4440bfcb758760cd1f15b797d2f9b0b339a4ecfebd16e80834359c247cb335c15459fd509acf71364971ed5ef9d8d7009224f2996c3fbfd1ad54a92b26282d

data/CHANGELOG.md

@@ -1,10 +1,28 @@
+<a name="v2.2.5"></a>
+### v2.2.5 (2023-07-25)
+
+
+#### Features
+
+* Support RelayState binding by default during SSO	 ([a508436](/../../commit/a508436))
+
+
+<a name="v2.2.4"></a>
+### v2.2.4 (2025-05-14)
+
+
+#### Bug Fixes
+
+* remove :idp_cert_fingerprint_validator	 ([c573690](/../../commit/c573690))
+* Fix GHSA-cgp2-2cmh-pf7x
+
 <a name="v2.2.3"></a>
 ### v2.2.3 (2025-03-12)
 
 
 #### Features
 
-* new release 2.2.3	 ([0d06a3c](/../../commit/0d06a3c))
+* new release 2.2.3	 ([34eb354](/../../commit/34eb354))
 
 
 #### Bug Fixes

data/README.md

@@ -39,7 +39,6 @@ use OmniAuth::Strategies::SAML,
                                            :encryption => []
                                          },
   :idp_cert_fingerprint               => "E7:91:B2:E1:...",
-  :idp_cert_fingerprint_validator     => lambda { |fingerprint| fingerprint },
   :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 ```
 
@@ -66,7 +65,6 @@ Rails.application.config.middleware.use OmniAuth::Builder do
                                              :encryption => []
                                            },
     :idp_cert_fingerprint               => "E7:91:B2:E1:...",
-    :idp_cert_fingerprint_validator     => lambda { |fingerprint| fingerprint },
     :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 end
 ```
@@ -103,7 +101,18 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
 * `:slo_default_relay_state` - The value to use as default `RelayState` for single log outs. The
   value can be a string, or a `Proc` (or other object responding to `call`). The `request`
   instance will be passed to this callable if it has an arity of 1. If the value is a string,
-  the string will be returned, when the `RelayState` is called. Optional.
+  the string will be returned, when the `RelayState` is called.
+  The value is assumed to be safe and is not validated by `:slo_relay_state_validator`.
+  Optional.
+
+* `:slo_enabled` - Enables or disables Single Logout (SLO). Set to `false` to disable SLO. Defaults to `true`. Optional.
+
+* `:slo_relay_state_validator` - A callable used to validate any `RelayState` before performing the redirect
+  in Single Logout flows. The callable receives the RelayState value and the current Rack request.
+  If unset, the default validator is used. The default validator allows only relative paths beginning
+  with `/` and rejects absolute URLs, invalid URIs, protocol-relative URLs, and other schemes.
+  If the given `RelayState` is considered invalid then the `slo_default_relay_state` value is used for the SLO redirect.
+  Optional.
 
 * `:idp_sso_service_url_runtime_params` - A dynamic mapping of request params that exist
   during the request phase of OmniAuth that should to be sent to the IdP after a specific
@@ -112,20 +121,16 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
   `original_param_value`. Optional.
 
 * `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
-  over the fingerprint option below. This option or `:idp_cert_multi` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
+  over the fingerprint option below. This option or `:idp_cert_multi` or `:idp_cert_fingerprint` must
   be present.
-  
+
 * `:idp_cert_multi` - Multiple identity provider certificates in PEM format. Takes precedence
-over the fingerprint option below. This option `:idp_cert` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
+over the fingerprint option below. This option `:idp_cert` or `:idp_cert_fingerprint` must
 be present.
 
 * `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g.
   "90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
-  the relationship. This option or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint_validator` MUST be present.
-
-* `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter
-  (the fingerprint), verify if it is valid and return it if successful. This option
-  or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint` MUST be present.
+  the relationship. This option or `:idp_cert` or `:idp_cert_multi` MUST be present.
 
 * `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
   the username required by this application. If you need the email address, use
@@ -198,7 +203,9 @@ Single Logout can be Service Provider initiated or Identity Provider initiated.
 For SP initiated logout, the `idp_slo_service_url` option must be set to the logout url on the IdP,
 and users directed to `user_saml_omniauth_authorize_path + '/spslo'` after logging out locally. For
 IdP initiated logout, logout requests from the IdP should go to `/auth/saml/slo` (this can be
-advertised in metadata by setting the `single_logout_service_url` config option).
+advertised in metadata by setting the `single_logout_service_url` config option). If you wish to
+disable Single Logout entirely (both SP and IdP initiated), set `:slo_enabled => false`; the `/auth/saml/slo`
+and `/auth/saml/spslo` endpoints will then respond with HTTP 501 Not Implemented.
 
 When using Devise as an authentication solution, the SP initiated flow can be integrated
 in the `SessionsController#destroy` action.

data/lib/omniauth/strategies/saml.rb

@@ -1,5 +1,6 @@
 require 'omniauth'
 require 'ruby-saml'
+require 'uri'
 
 module OmniAuth
   module Strategies
@@ -13,7 +14,7 @@ module OmniAuth
       RUBYSAML_RESPONSE_OPTIONS = OneLogin::RubySaml::Response::AVAILABLE_OPTIONS
 
       option :name_identifier_format, nil
-      option :idp_sso_service_url_runtime_params, {}
+      option :idp_sso_service_url_runtime_params, { RelayState: 'RelayState' }
       option :request_attributes, [
         { :name => 'email', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Email address' },
         { :name => 'name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Full name' },
@@ -27,7 +28,26 @@ module OmniAuth
         first_name: ["first_name", "firstname", "firstName"],
         last_name: ["last_name", "lastname", "lastName"]
       }
+      DEFAULT_SLO_RELAY_STATE_VALIDATOR = lambda do |relay_state, _request|
+        return true if relay_state.nil? || relay_state == ""
+
+        return false if relay_state.start_with?("//")
+
+        begin
+          uri = URI.parse(relay_state)
+        rescue URI::Error
+          return false
+        end
+
+        return false unless uri.relative?
+
+        path = uri.path
+        path && path.start_with?("/")
+      end
+
       option :slo_default_relay_state
+      option :slo_enabled, true
+      option :slo_relay_state_validator, DEFAULT_SLO_RELAY_STATE_VALIDATOR
       option :uid_attribute
       option :idp_slo_session_destroy, proc { |_env, session| session.clear }
 
@@ -43,9 +63,6 @@ module OmniAuth
         raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing") unless request.params["SAMLResponse"]
 
         with_settings do |settings|
-          # Call a fingerprint validation method if there's one
-          validate_fingerprint(settings) if options.idp_cert_fingerprint_validator
-
           handle_response(request.params["SAMLResponse"], options_for_response_object, settings) do
             super
           end
@@ -76,8 +93,12 @@ module OmniAuth
           if on_subpath?(:metadata)
             other_phase_for_metadata
           elsif on_subpath?(:slo)
+            return slo_disabled_response unless slo_enabled?
+
             other_phase_for_slo
           elsif on_subpath?(:spslo)
+            return slo_disabled_response unless slo_enabled?
+
             other_phase_for_spslo
           else
             call_app!
@@ -118,6 +139,22 @@ module OmniAuth
         nil
       end
 
+      def mock_request_call
+        # Per SAML 2.0, if a RelayState param is passed, IDPs "MUST place the exact RelayState
+        # data it received with the request into the corresponding RelayState parameter in the response."
+        #
+        # By default, the "mock" `OmniAuth::Strategy` implementation will forward along any URL params,
+        # so we can in turn take any POSTed RelayState params and put them in the GET query string:
+        query_hash = request.GET.merge!(additional_params_for_authn_request.slice('RelayState'))
+        query_string = Rack::Utils.build_query(query_hash)
+
+        request.set_header(Rack::QUERY_STRING, query_string)
+        request.set_header(Rack::RACK_REQUEST_QUERY_STRING, query_string)
+        request.set_header(Rack::RACK_REQUEST_QUERY_HASH, query_hash)
+
+        super
+      end
+
       private
 
       def request_path_pattern
@@ -146,19 +183,34 @@ module OmniAuth
 
       def slo_relay_state
         if request.params.has_key?("RelayState") && request.params["RelayState"] != ""
-          request.params["RelayState"]
-        else
-          slo_default_relay_state = options.slo_default_relay_state
-          if slo_default_relay_state.respond_to?(:call)
-            if slo_default_relay_state.arity == 1
-              slo_default_relay_state.call(request)
-            else
-              slo_default_relay_state.call
-            end
-          else
-            slo_default_relay_state
-          end
+          relay_state = request.params["RelayState"]
+
+          return relay_state if valid_slo_relay_state?(relay_state)
         end
+
+        default_slo_relay_state
+      end
+
+      def valid_slo_relay_state?(relay_state)
+        validator = options.slo_relay_state_validator
+
+        return !!call_slo_relay_state_validator(validator, relay_state) if validator.respond_to?(:call)
+
+        !!validator
+      end
+
+      def call_slo_relay_state_validator(validator, relay_state)
+        return validator.call if validator.arity.zero?
+        return validator.call(relay_state) if validator.arity == 1
+        validator.call(relay_state, request)
+      end
+
+      def default_slo_relay_state
+        slo_default_relay_state = options.slo_default_relay_state
+
+        return slo_default_relay_state unless slo_default_relay_state.respond_to?(:call)
+        return slo_default_relay_state.call if slo_default_relay_state.arity.zero?
+        slo_default_relay_state.call(request)
       end
 
       def handle_logout_response(raw_response, settings)
@@ -218,17 +270,6 @@ module OmniAuth
         yield OneLogin::RubySaml::Settings.new(options)
       end
 
-      def validate_fingerprint(settings)
-        fingerprint_exists = options.idp_cert_fingerprint_validator[response_fingerprint]
-
-        unless fingerprint_exists
-          raise OmniAuth::Strategies::SAML::ValidationError.new("Non-existent fingerprint")
-        end
-
-        # id_cert_fingerprint becomes the given fingerprint if it exists
-        settings.idp_cert_fingerprint = fingerprint_exists
-      end
-
       def options_for_response_object
         # filter options to select only extra parameters
         opts = options.select {|k,_| RUBYSAML_RESPONSE_OPTIONS.include?(k.to_sym)}
@@ -273,6 +314,14 @@ module OmniAuth
         end
       end
 
+      def slo_enabled?
+        !!options[:slo_enabled]
+      end
+
+      def slo_disabled_response
+        Rack::Response.new("Not Implemented", 501, { "Content-Type" => "text/html" }).finish
+      end
+
       def add_request_attributes_to(settings)
         settings.attribute_consuming_service.service_name options.attribute_service_name
         settings.sp_entity_id = options.sp_entity_id

data/lib/omniauth-saml/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module SAML
-    VERSION = '2.2.3'
+    VERSION = '2.2.5'
   end
 end

data/spec/omniauth/strategies/saml_spec.rb

@@ -6,10 +6,6 @@ RSpec::Matchers.define :fail_with do |message|
   end
 end
 
-def post_xml(xml = :example_response, opts = {})
-  post "/auth/saml/callback", opts.merge({'SAMLResponse' => load_xml(xml)})
-end
-
 describe OmniAuth::Strategies::SAML, :type => :strategy do
   include OmniAuth::Test::StrategyTestCase
 
@@ -34,6 +30,55 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
   end
   let(:strategy) { [OmniAuth::Strategies::SAML, saml_options] }
 
+  shared_examples 'validating RelayState param' do
+    context 'when slo_relay_state_validator is not defined and default' do
+      [
+        ['/signed-out', '//attacker.test',                            '%2Fsigned-out'],
+        ['/signed-out', 'javascript:alert(1)',                        '%2Fsigned-out'],
+        ['/signed-out', 'https://example.com/logout',                 '%2Fsigned-out'],
+        ['/signed-out', 'https://example.com/logout?param=1&two=two', '%2Fsigned-out'],
+        ['/signed-out', '/',                                          '%2F'],
+        ['',            '//attacker.test',                            ''],
+        ['',            '/team/logout',                               '%2Fteam%2Flogout'],
+      ].each do |slo_default_relay_state, relay_state_param, expected_relay_state|
+        context "when slo_default_relay_state: #{slo_default_relay_state.inspect}, relay_state_param: #{relay_state_param.inspect}" do
+          let(:saml_options) { super().merge(slo_default_relay_state: slo_default_relay_state) }
+          let(:params) { super().merge('RelayState' => relay_state_param) }
+
+          it { is_expected.to be_redirect.and have_attributes(location: a_string_including("RelayState=#{expected_relay_state}")) }
+        end
+      end
+    end
+
+    context 'when slo_relay_state_validator is overridden' do
+      [
+        ['/signed-out', proc { |state| state.start_with?('https://trusted.example.com') }, 'https://trusted.example.com/logout', 'https%3A%2F%2Ftrusted.example.com%2Flogout'],
+        ['/signed-out', proc { |state| state.start_with?('https://trusted.example.com') }, 'https://attacker.test/logout',       '%2Fsigned-out'],
+        ['/signed-out', proc { |state| state.start_with?('https://trusted.example.com') }, '/safe/path',                         '%2Fsigned-out'],
+        ['/signed-out', proc { |state, req| state == req.params['RelayState'] },           '/team/logout',                       '%2Fteam%2Flogout'],
+        ['/signed-out', nil,                                                               '//attacker.test',                    '%2Fsigned-out'],
+        ['/signed-out', false,                                                             '//attacker.test',                    '%2Fsigned-out'],
+        ['/signed-out', proc { |_| false },                                                '//attacker.test',                    '%2Fsigned-out'],
+        ['/signed-out', proc { |_| true },                                                 'javascript:alert(1)',                'javascript%3Aalert%281%29'],
+        [nil,           true,                                                              'https://example.com/logout',         'https%3A%2F%2Fexample.com%2Flogout'],
+        [nil,           true,                                                              'javascript:alert(1)',                'javascript%3Aalert%281%29'],
+        [nil,           true,                                                              '/',                                  '%2F'],
+      ].each do |slo_default_relay_state, slo_relay_state_validator, relay_state_param, expected_relay_state|
+        context "when slo_default_relay_state: #{slo_default_relay_state.inspect}, slo_relay_state_validator: #{slo_relay_state_validator.inspect}, relay_state_param: #{relay_state_param.inspect}" do
+          let(:saml_options) do
+            super().merge(
+              slo_default_relay_state: slo_default_relay_state,
+              slo_relay_state_validator: slo_relay_state_validator,
+            )
+          end
+          let(:params) { super().merge('RelayState' => relay_state_param) }
+
+          it { is_expected.to be_redirect.and have_attributes(location: a_string_including("RelayState=#{expected_relay_state}")) }
+        end
+      end
+    end
+  end
+
   describe 'POST /auth/saml' do
     context 'without idp runtime params present' do
       before do
@@ -63,6 +108,33 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
       end
     end
 
+    context 'with RelayState param' do
+      before do
+        post '/auth/saml', 'RelayState' => 'RELAY_STATE_VALUE'
+      end
+
+      it 'should get authentication page' do
+        expect(last_response).to be_redirect
+        expect(last_response.location).to match(
+          /\Ahttps:\/\/idp.sso.example.com\/signon\/29490\?SAMLRequest=.*&RelayState=RELAY_STATE_VALUE\z/,
+        )
+      end
+
+      context 'when test_mode is enabled' do
+        around do |example|
+          OmniAuth.config.test_mode = true
+          example.run
+        ensure
+          OmniAuth.config.test_mode = false
+        end
+
+        it 'should redirect to local saml callback page' do
+          expect(last_response).to be_redirect
+          expect(last_response.location).to eq('http://example.org/auth/saml/callback?RelayState=RELAY_STATE_VALUE')
+        end
+      end
+    end
+
     context "when the assertion_consumer_service_url is the default" do
       before :each do
         saml_options[:compress_request] = false
@@ -118,24 +190,27 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
   end
 
   describe 'POST /auth/saml/callback' do
-    subject { last_response }
-
     let(:xml) { :example_response }
+    let(:params) { { 'SAMLResponse' => load_xml(xml) } }
+
+    subject(:post_callback_response) do
+      post "/auth/saml/callback", params
+    end
 
     before :each do
       allow(Time).to receive(:now).and_return(Time.utc(2012, 11, 8, 20, 40, 00))
     end
 
     context "when the response is valid" do
-      before :each do
-        post_xml
-      end
-
       it "should set the uid to the nameID in the SAML response" do
+        post_callback_response
+
         expect(auth_hash['uid']).to eq '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
       end
 
       it "should set the raw info to all attributes" do
+        post_callback_response
+
         expect(auth_hash['extra']['raw_info'].all.to_hash).to eq(
           'first_name'   => ['Rajiv'],
           'last_name'    => ['Manglani'],
@@ -146,42 +221,9 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
       end
 
       it "should set the response_object to the response object from ruby_saml response" do
-        expect(auth_hash['extra']['response_object']).to be_kind_of(OneLogin::RubySaml::Response)
-      end
-    end
-
-    context "when fingerprint is empty and there's a fingerprint validator" do
-      before :each do
-        saml_options.delete(:idp_cert_fingerprint)
-        saml_options[:idp_cert_fingerprint_validator] = fingerprint_validator
-      end
-
-      let(:fingerprint_validator) { lambda { |_| "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB" } }
-
-      context "when the fingerprint validator returns a truthy value" do
-        before { post_xml }
-
-        it "should set the uid to the nameID in the SAML response" do
-          expect(auth_hash['uid']).to eq '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
-        end
-
-        it "should set the raw info to all attributes" do
-          expect(auth_hash['extra']['raw_info'].all.to_hash).to eq(
-            'first_name'   => ['Rajiv'],
-            'last_name'    => ['Manglani'],
-            'email'        => ['user@example.com'],
-            'company_name' => ['Example Company'],
-            'fingerprint'  => 'C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB'
-          )
-        end
-      end
-
-      context "when the fingerprint validator returns false" do
-        let(:fingerprint_validator) { lambda { |_| false } }
-
-        before { post_xml }
+        post_callback_response
 
-        it { is_expected.to fail_with(:invalid_ticket) }
+        expect(auth_hash['extra']['response_object']).to be_kind_of(OneLogin::RubySaml::Response)
       end
     end
 
@@ -189,24 +231,22 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
       before :each do
         saml_options.delete(:assertion_consumer_service_url)
         OmniAuth.config.full_host = 'http://localhost:9080'
-        post_xml
       end
 
       it { is_expected.not_to fail_with(:invalid_ticket) }
     end
 
     context "when there is no SAMLResponse parameter" do
-      before :each do
-        post '/auth/saml/callback'
-      end
+      let(:params) { {} }
 
       it { is_expected.to fail_with(:invalid_ticket) }
     end
 
     context "when there is no name id in the XML" do
+      let(:xml) { :no_name_id }
+
       before :each do
         allow(Time).to receive(:now).and_return(Time.utc(2012, 11, 8, 23, 55, 00))
-        post_xml :no_name_id
       end
 
       it { is_expected.to fail_with(:invalid_ticket) }
@@ -215,43 +255,37 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
     context "when the fingerprint is invalid" do
       before :each do
         saml_options[:idp_cert_fingerprint] = "00:00:00:00:00:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB"
-        post_xml
       end
 
       it { is_expected.to fail_with(:invalid_ticket) }
     end
 
     context "when the digest is invalid" do
-      before :each do
-        post_xml :digest_mismatch
-      end
+      let(:xml) { :digest_mismatch }
 
       it { is_expected.to fail_with(:invalid_ticket) }
     end
 
     context "when the signature is invalid" do
-      before :each do
-        post_xml :invalid_signature
-      end
+      let(:xml) { :invalid_signature }
 
       it { is_expected.to fail_with(:invalid_ticket) }
     end
 
     context "when the response is stale" do
+      let(:xml) { :example_response }
+
       before :each do
         allow(Time).to receive(:now).and_return(Time.utc(2012, 11, 8, 20, 45, 00))
       end
 
       context "without :allowed_clock_drift option" do
-        before { post_xml :example_response }
-
         it { is_expected.to fail_with(:invalid_ticket) }
       end
 
       context "with :allowed_clock_drift option" do
         before :each do
           saml_options[:allowed_clock_drift] = 60
-          post_xml :example_response
         end
 
         it { is_expected.to_not fail_with(:invalid_ticket) }
@@ -259,14 +293,16 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
     end
 
     context "when response has custom attributes" do
+      let(:xml) { :custom_attributes }
+
       before :each do
-        saml_options[:idp_cert_fingerprint] = "3B:82:F1:F5:54:FC:A8:FF:12:B8:4B:B8:16:61:1D:E4:8E:9B:E2:3C"
         saml_options[:attribute_statements] = {
           email: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"],
           first_name: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"],
           last_name: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"]
         }
-        post_xml :custom_attributes
+
+        post_callback_response
       end
 
       it "should obey attribute statements mapping" do
@@ -280,10 +316,12 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
     end
 
     context "when using custom user id attribute" do
+      let(:xml) { :custom_attributes }
+
       before :each do
-        saml_options[:idp_cert_fingerprint] = "3B:82:F1:F5:54:FC:A8:FF:12:B8:4B:B8:16:61:1D:E4:8E:9B:E2:3C"
         saml_options[:uid_attribute] = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
-        post_xml :custom_attributes
+
+        post_callback_response
       end
 
       it "should return user id attribute" do
@@ -294,55 +332,146 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
     context "when using custom user id attribute, but it is missing" do
       before :each do
         saml_options[:uid_attribute] = "missing_attribute"
-        post_xml
       end
 
       it "should fail to authenticate" do
-        should fail_with(:invalid_ticket)
+        expect(post_callback_response).to fail_with(:invalid_ticket)
         expect(last_request.env['omniauth.error']).to be_instance_of(OmniAuth::Strategies::SAML::ValidationError)
         expect(last_request.env['omniauth.error'].message).to eq("SAML response missing 'missing_attribute' attribute")
       end
     end
+  end
+
+  describe 'POST /auth/saml/slo' do
+    before do
+      saml_options[:sp_entity_id] = "https://idp.sso.example.com/metadata/29490"
+    end
 
     context "when response is a logout response" do
-      before :each do
-        saml_options[:sp_entity_id] = "https://idp.sso.example.com/metadata/29490"
+      let(:opts) do
+        { "rack.session" => { "saml_transaction_id" => "_3fef1069-d0c6-418a-b68d-6f008a4787e9" } }
+      end
 
-        post "/auth/saml/slo", {
-          SAMLResponse: load_xml(:example_logout_response),
-          RelayState: "https://example.com/",
-        }, "rack.session" => {"saml_transaction_id" => "_3fef1069-d0c6-418a-b68d-6f008a4787e9"}
+      let(:params) { { SAMLResponse: load_xml(:example_logout_response) } }
+
+      subject(:post_slo_response) { post "/auth/saml/slo", params, opts }
+
+      context "when relay state is relative" do
+        let(:params) { super().merge(RelayState: "/signed-out") }
+
+        it "redirects to the relaystate" do
+          post_slo_response
+
+          expect(last_response).to be_redirect
+          expect(last_response.location).to eq "/signed-out"
+        end
       end
-      it "should redirect to relaystate" do
-        expect(last_response).to be_redirect
-        expect(last_response.location).to match /https:\/\/example.com\//
+
+      context "when relay state is an absolute https URL" do
+        let(:params) { super().merge(RelayState: "https://example.com/") }
+
+        it "redirects without a location header" do
+          post_slo_response
+
+          expect(last_response).to be_redirect
+          expect(last_response.headers.fetch("Location")).to be_nil
+        end
+      end
+
+      context 'when slo_default_relay_state is present' do
+        let(:saml_options) { super().merge(slo_default_relay_state: '/signed-out') }
+
+        context "when response relay state is valid" do
+          let(:params) { super().merge(RelayState: "/safe/logout") }
+
+          it { is_expected.to be_redirect.and have_attributes(location: '/safe/logout') }
+        end
+
+        context "when response relay state is invalid" do
+          let(:params) { super().merge(RelayState: "javascript:alert(1)") }
+
+          it { is_expected.to be_redirect.and have_attributes(location: '/signed-out') }
+        end
+      end
+
+      context 'when slo_default_relay_state is blank' do
+        let(:saml_options) { super().merge(slo_default_relay_state: nil) }
+
+        context "when response relay state is valid" do
+          let(:params) { super().merge(RelayState: "/safe/logout") }
+
+          it { is_expected.to be_redirect.and have_attributes(location: '/safe/logout') }
+        end
+
+        context "when response relay state is invalid" do
+          let(:params) { super().merge(RelayState: "javascript:alert(1)") }
+
+          it { is_expected.to be_redirect.and have_attributes(location: nil) }
+        end
       end
     end
 
     context "when request is a logout request" do
       subject { post "/auth/saml/slo", params, "rack.session" => { "saml_uid" => "username@example.com" } }
 
-      before :each do
-        saml_options[:sp_entity_id] = "https://idp.sso.example.com/metadata/29490"
-      end
+      let(:relay_state) { "https://example.com/" }
 
       let(:params) do
         {
           "SAMLRequest" => load_xml(:example_logout_request),
-          "RelayState" => "https://example.com/",
+          "RelayState" => relay_state,
         }
       end
 
       context "when logout request is valid" do
+        let(:relay_state) { "/logout" }
+
         before { subject }
 
         it "should redirect to logout response" do
           expect(last_response).to be_redirect
           expect(last_response.location).to match /https:\/\/idp.sso.example.com\/signoff\/29490/
-          expect(last_response.location).to match /RelayState=https%3A%2F%2Fexample.com%2F/
+          expect(last_response.location).to match /RelayState=%2Flogout/
+        end
+      end
+
+      it_behaves_like 'validating RelayState param'
+
+      context 'when slo_default_relay_state is blank' do
+        let(:saml_options) { super().merge(slo_default_relay_state: nil) }
+
+        context "when request relay state is invalid" do
+          let(:params) do
+            {
+              "SAMLRequest" => load_xml(:example_logout_request),
+              "RelayState" => "javascript:alert(1)",
+            }
+          end
+
+          it "redirects without including a RelayState parameter" do
+            subject
+
+            expect(last_response).to be_redirect
+            expect(last_response.location).to match %r{https://idp\.sso\.example\.com/signoff/29490}
+            expect(last_response.location).not_to match(/RelayState=/)
+          end
         end
       end
 
+      context "with a custom relay state validator" do
+        let(:saml_options) do
+          super().merge(
+            slo_relay_state_validator: proc do |relay_state, rack_request|
+              expect(rack_request).to respond_to(:params)
+              relay_state == "custom-state"
+            end,
+          )
+        end
+        let(:params) { super().merge("RelayState" => "custom-state") }
+
+        it { is_expected.to be_redirect.and have_attributes(location: a_string_matching(/RelayState=custom-state/)) }
+      end
+
       context "when request is an invalid logout request" do
         before :each do
           allow_any_instance_of(OneLogin::RubySaml::SloLogoutrequest).to receive(:is_valid?).and_return(false)
@@ -367,38 +496,80 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
       end
     end
 
-    context "when sp initiated SLO" do
-      def test_default_relay_state(static_default_relay_state = nil, &block_default_relay_state)
-        saml_options["slo_default_relay_state"] = static_default_relay_state || block_default_relay_state
-        post "/auth/saml/spslo"
+    context "when SLO is disabled" do
+      before do
+        saml_options[:slo_enabled] = false
+        post "/auth/saml/slo"
+      end
 
-        expect(last_response).to be_redirect
-        expect(last_response.location).to match /https:\/\/idp.sso.example.com\/signoff\/29490/
-        expect(last_response.location).to match /RelayState=https%3A%2F%2Fexample.com%2F/
+      it "should return not implemented" do
+        expect(last_response.status).to eq 501
+        expect(last_response.body).to eq "Not Implemented"
       end
+    end
+  end
+
+  describe 'POST /auth/saml/spslo' do
+    let(:params) { {} }
+    subject { post "/auth/saml/spslo", params }
 
-      it "should redirect to logout request" do
-        test_default_relay_state("https://example.com/")
+    def test_default_relay_state(static_default_relay_state = nil, &block_default_relay_state)
+      saml_options["slo_default_relay_state"] = static_default_relay_state || block_default_relay_state
+      post "/auth/saml/spslo"
+
+      expect(last_response).to be_redirect
+      expect(last_response.location).to match /https:\/\/idp.sso.example.com\/signoff\/29490/
+      expect(last_response.location).to match /RelayState=https%3A%2F%2Fexample.com%2F/
+    end
+
+    it "should redirect to logout request" do
+      test_default_relay_state("https://example.com/")
+    end
+
+    it "should redirect to logout request with a block" do
+      test_default_relay_state do
+        "https://example.com/"
       end
+    end
 
-      it "should redirect to logout request with a block" do
-        test_default_relay_state do
-          "https://example.com/"
-        end
+    it "should redirect to logout request with a block with a request parameter" do
+      test_default_relay_state do |request|
+        "https://example.com/"
       end
+    end
 
-      it "should redirect to logout request with a block with a request parameter" do
-        test_default_relay_state do |request|
-          "https://example.com/"
-        end
+    it_behaves_like 'validating RelayState param'
+
+    context 'when slo_default_relay_state is blank' do
+      let(:saml_options) { super().merge(slo_default_relay_state: nil) }
+      let(:params) { { RelayState: "//example.com" } }
+
+      it "redirects without including a RelayState parameter" do
+        subject
+
+        expect(last_response).to be_redirect
+        expect(last_response.location).to match %r{https://idp\.sso\.example\.com/signoff/29490}
+        expect(last_response.location).not_to match(/RelayState=/)
       end
+    end
+
+    it "should give not implemented without an idp_slo_service_url" do
+      saml_options.delete(:idp_slo_service_url)
+      post "/auth/saml/spslo"
 
-      it "should give not implemented without an idp_slo_service_url" do
-        saml_options.delete(:idp_slo_service_url)
+      expect(last_response.status).to eq 501
+      expect(last_response.body).to match /Not Implemented/
+    end
+
+    context "when SLO is disabled" do
+      before do
+        saml_options[:slo_enabled] = false
         post "/auth/saml/spslo"
+      end
 
+      it "should return not implemented" do
         expect(last_response.status).to eq 501
-        expect(last_response.body).to match /Not Implemented/
+        expect(last_response.body).to eq "Not Implemented"
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-saml
 version: !ruby/object:Gem::Version
-  version: 2.2.3
+  version: 2.2.5
 platform: ruby
 authors:
 - Raecoo Cao
@@ -11,10 +11,9 @@ authors:
 - Nikos Dimitrakopoulos
 - Rudolf Vriend
 - Bruno Pedro
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-12 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -129,7 +128,6 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0.8'
 description: A generic SAML strategy for OmniAuth.
-email:
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -147,7 +145,6 @@ homepage: https://github.com/omniauth/omniauth-saml
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -162,8 +159,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.19
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: A generic SAML strategy for OmniAuth.
 test_files: