RubyGems - omniauth-saml - Versions diffs - 1.0.0 → 1.1.0 - Mend

omniauth-saml 1.0.0 → 1.1.0

Potentially problematic release.

This version of omniauth-saml might be problematic. Click here for more details.

Files changed (6) hide show

data/CHANGELOG.md +8 -0
data/README.md +30 -22
data/lib/omniauth-saml/version.rb +1 -1
data/lib/omniauth/strategies/saml.rb +15 -6
data/spec/omniauth/strategies/saml_spec.rb +30 -9
metadata +5 -36

data/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,14 @@ A generic SAML strategy for OmniAuth.
 https://github.com/PracticallyGreen/omniauth-saml
+## 1.1.0 (2013-11-07)
+* no longer set a default `name_identifier_format`
+* pass strategy options to the underlying ruby-saml library
+* fallback to omniauth callback url if `assertion_consumer_service_url` is not set
+* add `idp_sso_target_url_runtime_params` option
 ## 1.0.0 (2012-11-12)
 * remove SAML code and port to ruby-saml gem

data/README.md CHANGED Viewed

@@ -16,12 +16,13 @@ Use the SAML strategy as a middleware in your application:
 ```ruby
 require 'omniauth'
 use OmniAuth::Strategies::SAML,
-  :assertion_consumer_service_url => "consumer_service_url",
-  :issuer                         => "issuer",
-  :idp_sso_target_url             => "idp_sso_target_url",
-  :idp_cert                       => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
-  :idp_cert_fingerprint           => "E7:91:B2:E1:...",
-  :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+  :assertion_consumer_service_url     => "consumer_service_url",
+  :issuer                             => "issuer",
+  :idp_sso_target_url                 => "idp_sso_target_url",
+  :idp_sso_target_url_runtime_params  => {:original_request_param => :mapped_idp_param},
+  :idp_cert                           => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
+  :idp_cert_fingerprint               => "E7:91:B2:E1:...",
+  :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 ```
 or in your Rails application:
@@ -37,12 +38,13 @@ and in `config/initializers/omniauth.rb`:
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :saml,
-    :assertion_consumer_service_url => "consumer_service_url",
-    :issuer                         => "rails-application",
-    :idp_sso_target_url             => "idp_sso_target_url",
-    :idp_cert                       => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
-    :idp_cert_fingerprint           => "E7:91:B2:E1:...",
-    :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+    :assertion_consumer_service_url     => "consumer_service_url",
+    :issuer                             => "rails-application",
+    :idp_sso_target_url                 => "idp_sso_target_url",
+    :idp_sso_target_url_runtime_params  => {:original_request_param => :mapped_idp_param},
+    :idp_cert                           => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
+    :idp_cert_fingerprint               => "E7:91:B2:E1:...",
+    :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 end
 ```
@@ -51,8 +53,8 @@ For IdP-initiated SSO, users should directly access the IdP SSO target URL. Set
 ## Options
 * `:assertion_consumer_service_url` - The URL at which the SAML assertion should be
-  received. With OmniAuth this is typically `http://example.com/auth/callback`.
-  **Required**.
+  received. If not provided, defaults to the OmniAuth callback URL (typically
+  `http://example.com/auth/saml/callback`). Optional.
 * `:issuer` - The name of your application. Some identity providers might need this
   to establish the identity of the service provider requesting the login. **Required**.
@@ -60,6 +62,12 @@ For IdP-initiated SSO, users should directly access the IdP SSO target URL. Set
 * `:idp_sso_target_url` - The URL to which the authentication request should be sent.
   This would be on the identity provider. **Required**.
+* `:idp_sso_target_url_runtime_params` - A dynamic mapping of request params that exist
+  during the request phase of OmniAuth that should to be sent to the IdP after a specific
+  mapping. So for example, a param `original_request_param` with value `original_param_value`,
+  could be sent to the IdP on the login request as `mapped_idp_param` with value
+  `original_param_value`. Optional.
 * `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
   over the fingerprint option below. This option or `:idp_cert_fingerprint` must
   be present.
@@ -68,27 +76,27 @@ For IdP-initiated SSO, users should directly access the IdP SSO target URL. Set
   "90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
   the relationship. This option or `:idp_cert` must be present.
-* `:name_identifier_format` - Describes the format of the username required by this
-  application. If you need the email address, use "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
-  See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 8.3 for
+* `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
+  the username required by this application. If you need the email address, use
+  "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress". See
+  http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 8.3 for
   other options. Note that the identity provider might not support all options.
-  Used during SP-initiated SSO. Optional.
+  If not specified, the IdP is free to choose the name identifier format used
+  in the response. Optional.
 * See the `Onelogin::Saml::Settings` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for additional supported options.
 ## Authors
-Authored by Raecoo Cao, Todd W Saxton, Ryan Wilcox, Rajiv Aaron Manglani, and Steven Anderson.
+Authored by Raecoo Cao, Todd W Saxton, Ryan Wilcox, Rajiv Aaron Manglani, Steven Anderson, and Nikos Dimitrakopoulos.
 Maintained by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/).
 ## License
-Copyright (c) 2011-2012 [Practically Green, Inc.](http://www.practicallygreen.com/).
+Copyright (c) 2011-2013 [Practically Green, Inc.](http://www.practicallygreen.com/).
 All rights reserved. Released under the MIT license.
-Portions Copyright (c) 2007 Sun Microsystems Inc.
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights

data/lib/omniauth-saml/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module OmniAuth
   module SAML
-    VERSION = "1.0.0"
+    VERSION = '1.1.0'
   end
 end

data/lib/omniauth/strategies/saml.rb CHANGED Viewed

@@ -6,13 +6,22 @@ module OmniAuth
     class SAML
       include OmniAuth::Strategy
-      option :name_identifier_format, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+      option :name_identifier_format, nil
+      option :idp_sso_target_url_runtime_params, {}
       def request_phase
-        request = Onelogin::Saml::Authrequest.new
+        options[:assertion_consumer_service_url] ||= callback_url
+        runtime_request_parameters = options.delete(:idp_sso_target_url_runtime_params)
+        additional_params = {}
+        runtime_request_parameters.each_pair do |request_param_key, mapped_param_key|
+          additional_params[mapped_param_key] = request.params[request_param_key.to_s] if request.params.has_key?(request_param_key.to_s)
+        end if runtime_request_parameters
+        authn_request = Onelogin::Saml::Authrequest.new
         settings = Onelogin::Saml::Settings.new(options)
-        redirect(request.create(settings))
+        redirect(authn_request.create(settings, additional_params))
       end
       def callback_phase
@@ -20,7 +29,7 @@ module OmniAuth
           raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing")
         end
-        response = Onelogin::Saml::Response.new(request.params['SAMLResponse'])
+        response = Onelogin::Saml::Response.new(request.params['SAMLResponse'], options)
         response.settings = Onelogin::Saml::Settings.new(options)
         @name_id = response.name_id
@@ -45,8 +54,8 @@ module OmniAuth
         {
           :name  => @attributes[:name],
           :email => @attributes[:email] || @attributes[:mail],
-          :first_name => @attributes[:first_name] || @attributes[:firstname],
-          :last_name => @attributes[:last_name] || @attributes[:lastname]
+          :first_name => @attributes[:first_name] || @attributes[:firstname] || @attributes[:firstName],
+          :last_name => @attributes[:last_name] || @attributes[:lastname] || @attributes[:lastName]
         }
       end

data/spec/omniauth/strategies/saml_spec.rb CHANGED Viewed

@@ -16,22 +16,43 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
   let(:auth_hash){ last_request.env['omniauth.auth'] }
   let(:saml_options) do
     {
-      :assertion_consumer_service_url => "http://localhost:3000/auth/saml/callback",
-      :issuer                         => "https://saml.issuer.url/issuers/29490",
-      :idp_sso_target_url             => "https://idp.sso.target_url/signon/29490",
-      :idp_cert_fingerprint           => "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB",
-      :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+      :assertion_consumer_service_url     => "http://localhost:3000/auth/saml/callback",
+      :issuer                             => "https://saml.issuer.url/issuers/29490",
+      :idp_sso_target_url                 => "https://idp.sso.target_url/signon/29490",
+      :idp_cert_fingerprint               => "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB",
+      :idp_sso_target_url_runtime_params  => {:original_param_key => :mapped_param_key},
+      :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
     }
   end
   let(:strategy) { [OmniAuth::Strategies::SAML, saml_options] }
   describe 'GET /auth/saml' do
-    before do
-      get '/auth/saml'
+    context 'without idp runtime params present' do
+      before do
+        get '/auth/saml'
+      end
+      it 'should get authentication page' do
+        last_response.should be_redirect
+        last_response.location.should match /https:\/\/idp.sso.target_url\/signon\/29490/
+        last_response.location.should match /\?SAMLRequest=/
+        last_response.location.should_not match /mapped_param_key/
+        last_response.location.should_not match /original_param_key/
+      end
     end
-    it 'should get authentication page' do
-      last_response.should be_redirect
+    context 'with idp runtime params' do
+      before do
+        get '/auth/saml', 'original_param_key' => 'original_param_value', 'mapped_param_key' => 'mapped_param_value'
+      end
+      it 'should get authentication page' do
+        last_response.should be_redirect
+        last_response.location.should match /https:\/\/idp.sso.target_url\/signon\/29490/
+        last_response.location.should match /\?SAMLRequest=/
+        last_response.location.should match /\&mapped_param_key=original_param_value/
+        last_response.location.should_not match /original_param_key/
+      end
     end
   end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-saml
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
   prerelease:
 platform: ruby
 authors:
@@ -9,10 +9,11 @@ authors:
 - Ryan Wilcox
 - Rajiv Aaron Manglani
 - Steven Anderson
+- Nikos Dimitrakopoulos
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-11-13 00:00:00.000000000 Z
+date: 2013-11-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -37,7 +38,7 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: 0.7.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -45,39 +46,7 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '0.6'
-- !ruby/object:Gem::Dependency
-  name: guard
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: guard-rspec
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.1'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.1'
+        version: 0.7.2
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement