RubyGems - omniauth-saml - Versions diffs - 1.0.0 → 1.1.0 - Mend

omniauth-saml 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of omniauth-saml might be problematic. Click here for more details.

Files changed (6) hide show

data/CHANGELOG.md +8 -0
data/README.md +30 -22
data/lib/omniauth-saml/version.rb +1 -1
data/lib/omniauth/strategies/saml.rb +15 -6
data/spec/omniauth/strategies/saml_spec.rb +30 -9
metadata +5 -36

data/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,14 @@ A generic SAML strategy for OmniAuth.
 https://github.com/PracticallyGreen/omniauth-saml
+## 1.1.0 (2013-11-07)
+* no longer set a default `name_identifier_format`
+* pass strategy options to the underlying ruby-saml library
+* fallback to omniauth callback url if `assertion_consumer_service_url` is not set
+* add `idp_sso_target_url_runtime_params` option
 ## 1.0.0 (2012-11-12)
 * remove SAML code and port to ruby-saml gem

data/README.md CHANGED Viewed

@@ -16,12 +16,13 @@ Use the SAML strategy as a middleware in your application:
 ```ruby
 require 'omniauth'
 use OmniAuth::Strategies::SAML,
-  :assertion_consumer_service_url => "consumer_service_url",
-  :issuer                         => "issuer",
-  :idp_sso_target_url             => "idp_sso_target_url",
-  :idp_cert                       => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
-  :idp_cert_fingerprint           => "E7:91:B2:E1:...",
-  :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+  :assertion_consumer_service_url     => "consumer_service_url",
+  :issuer                             => "issuer",
+  :idp_sso_target_url                 => "idp_sso_target_url",
+  :idp_sso_target_url_runtime_params  => {:original_request_param => :mapped_idp_param},
+  :idp_cert                           => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
+  :idp_cert_fingerprint               => "E7:91:B2:E1:...",
+  :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 ```
 or in your Rails application:
@@ -37,12 +38,13 @@ and in `config/initializers/omniauth.rb`:
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :saml,
-    :assertion_consumer_service_url => "consumer_service_url",
-    :issuer                         => "rails-application",
-    :idp_sso_target_url             => "idp_sso_target_url",
-    :idp_cert                       => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
-    :idp_cert_fingerprint           => "E7:91:B2:E1:...",
-    :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+    :assertion_consumer_service_url     => "consumer_service_url",
+    :issuer                             => "rails-application",
+    :idp_sso_target_url                 => "idp_sso_target_url",
+    :idp_sso_target_url_runtime_params  => {:original_request_param => :mapped_idp_param},
+    :idp_cert                           => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
+    :idp_cert_fingerprint               => "E7:91:B2:E1:...",
+    :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 end
 ```
@@ -51,8 +53,8 @@ For IdP-initiated SSO, users should directly access the IdP SSO target URL. Set
 ## Options
 * `:assertion_consumer_service_url` - The URL at which the SAML assertion should be
-  received. With OmniAuth this is typically `http://example.com/auth/callback`.
-  **Required**.
+  received. If not provided, defaults to the OmniAuth callback URL (typically
+  `http://example.com/auth/saml/callback`). Optional.
 * `:issuer` - The name of your application. Some identity providers might need this
   to establish the identity of the service provider requesting the login. **Required**.
@@ -60,6 +62,12 @@ For IdP-initiated SSO, users should directly access the IdP SSO target URL. Set
 * `:idp_sso_target_url` - The URL to which the authentication request should be sent.
   This would be on the identity provider. **Required**.
+* `:idp_sso_target_url_runtime_params` - A dynamic mapping of request params that exist
+  during the request phase of OmniAuth that should to be sent to the IdP after a specific
+  mapping. So for example, a param `original_request_param` with value `original_param_value`,
+  could be sent to the IdP on the login request as `mapped_idp_param` with value
+  `original_param_value`. Optional.
 * `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
   over the fingerprint option below. This option or `:idp_cert_fingerprint` must
   be present.
@@ -68,27 +76,27 @@ For IdP-initiated SSO, users should directly access the IdP SSO target URL. Set
   "90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
   the relationship. This option or `:idp_cert` must be present.
-* `:name_identifier_format` - Describes the format of the username required by this
-  application. If you need the email address, use "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
-  See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 8.3 for
+* `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
+  the username required by this application. If you need the email address, use
+  "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress". See
+  http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 8.3 for
   other options. Note that the identity provider might not support all options.
-  Used during SP-initiated SSO. Optional.
+  If not specified, the IdP is free to choose the name identifier format used
+  in the response. Optional.
 * See the `Onelogin::Saml::Settings` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for additional supported options.
 ## Authors
-Authored by Raecoo Cao, Todd W Saxton, Ryan Wilcox, Rajiv Aaron Manglani, and Steven Anderson.
+Authored by Raecoo Cao, Todd W Saxton, Ryan Wilcox, Rajiv Aaron Manglani, Steven Anderson, and Nikos Dimitrakopoulos.
 Maintained by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/).
 ## License
-Copyright (c) 2011-2012 [Practically Green, Inc.](http://www.practicallygreen.com/).
+Copyright (c) 2011-2013 [Practically Green, Inc.](http://www.practicallygreen.com/).
 All rights reserved. Released under the MIT license.
-Portions Copyright (c) 2007 Sun Microsystems Inc.
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights

data/lib/omniauth-saml/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module OmniAuth
   module SAML
-    VERSION = "1.0.0"
+    VERSION = '1.1.0'
   end
 end

data/lib/omniauth/strategies/saml.rb CHANGED Viewed

@@ -6,13 +6,22 @@ module OmniAuth
     class SAML
       include OmniAuth::Strategy
-      option :name_identifier_format, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+      option :name_identifier_format, nil
+      option :idp_sso_target_url_runtime_params, {}
       def request_phase
-        request = Onelogin::Saml::Authrequest.new
+        options[:assertion_consumer_service_url] ||= callback_url
+        runtime_request_parameters = options.delete(:idp_sso_target_url_runtime_params)
+        additional_params = {}
+        runtime_request_parameters.each_pair do |request_param_key, mapped_param_key|
+          additional_params[mapped_param_key] = request.params[request_param_key.to_s] if request.params.has_key?(request_param_key.to_s)
+        end if runtime_request_parameters
+        authn_request = Onelogin::Saml::Authrequest.new
         settings = Onelogin::Saml::Settings.new(options)
-        redirect(request.create(settings))
+        redirect(authn_request.create(settings, additional_params))
       end
       def callback_phase
@@ -20,7 +29,7 @@ module OmniAuth
           raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing")
         end
-        response = Onelogin::Saml::Response.new(request.params['SAMLResponse'])
+        response = Onelogin::Saml::Response.new(request.params['SAMLResponse'], options)
         response.settings = Onelogin::Saml::Settings.new(options)
         @name_id = response.name_id
@@ -45,8 +54,8 @@ module OmniAuth
         {
           :name  => @attributes[:name],
           :email => @attributes[:email] || @attributes[:mail],
-          :first_name => @attributes[:first_name] || @attributes[:firstname],
-          :last_name => @attributes[:last_name] || @attributes[:lastname]
+          :first_name => @attributes[:first_name] || @attributes[:firstname] || @attributes[:firstName],
+          :last_name => @attributes[:last_name] || @attributes[:lastname] || @attributes[:lastName]
         }
       end

data/spec/omniauth/strategies/saml_spec.rb CHANGED Viewed

@@ -16,22 +16,43 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
   let(:auth_hash){ last_request.env['omniauth.auth'] }
   let(:saml_options) do
     {
-      :assertion_consumer_service_url => "http://localhost:3000/auth/saml/callback",
-      :issuer                         => "https://saml.issuer.url/issuers/29490",
-      :idp_sso_target_url             => "https://idp.sso.target_url/signon/29490",
-      :idp_cert_fingerprint           => "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB",
-      :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+      :assertion_consumer_service_url     => "http://localhost:3000/auth/saml/callback",
+      :issuer                             => "https://saml.issuer.url/issuers/29490",
+      :idp_sso_target_url                 => "https://idp.sso.target_url/signon/29490",
+      :idp_cert_fingerprint               => "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB",
+      :idp_sso_target_url_runtime_params  => {:original_param_key => :mapped_param_key},
+      :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
     }
   end
   let(:strategy) { [OmniAuth::Strategies::SAML, saml_options] }
   describe 'GET /auth/saml' do
-    before do
-      get '/auth/saml'
+    context 'without idp runtime params present' do
+      before do
+        get '/auth/saml'
+      end
+      it 'should get authentication page' do
+        last_response.should be_redirect
+        last_response.location.should match /https:\/\/idp.sso.target_url\/signon\/29490/
+        last_response.location.should match /\?SAMLRequest=/
+        last_response.location.should_not match /mapped_param_key/
+        last_response.location.should_not match /original_param_key/
+      end
     end
-    it 'should get authentication page' do
-      last_response.should be_redirect
+    context 'with idp runtime params' do
+      before do
+        get '/auth/saml', 'original_param_key' => 'original_param_value', 'mapped_param_key' => 'mapped_param_value'
+      end
+      it 'should get authentication page' do
+        last_response.should be_redirect
+        last_response.location.should match /https:\/\/idp.sso.target_url\/signon\/29490/
+        last_response.location.should match /\?SAMLRequest=/
+        last_response.location.should match /\&mapped_param_key=original_param_value/
+        last_response.location.should_not match /original_param_key/
+      end
     end
   end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-saml
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
   prerelease:
 platform: ruby
 authors:
@@ -9,10 +9,11 @@ authors:
 - Ryan Wilcox
 - Rajiv Aaron Manglani
 - Steven Anderson
+- Nikos Dimitrakopoulos
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-11-13 00:00:00.000000000 Z
+date: 2013-11-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -37,7 +38,7 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: 0.7.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -45,39 +46,7 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '0.6'
-- !ruby/object:Gem::Dependency
-  name: guard
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: guard-rspec
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.1'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.1'
+        version: 0.7.2
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement