omniauth-saml 1.10.1 → 1.10.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of omniauth-saml might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/README.md +25 -13
- data/lib/omniauth-saml/version.rb +1 -1
- data/lib/omniauth/strategies/saml.rb +2 -5
- metadata +23 -15
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c80dace14b1650bb9dab761f988bce131b76cc61
|
|
4
|
+
data.tar.gz: 46dec44c01650f34647c34bbe45486e15687a820
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 41666f2cdd6dd0c61642d72e360ada0eb70e26970d02eb126b4b5689537a047bd914e640508d2bf61620ccd78ed5c8d8f46a29b52b39b6a52475d3520e3332e8
|
|
7
|
+
data.tar.gz: f2f579c26fe80b272ff1328c87dc2ba22c7b36c6b28b349072cdaf2e43491f3d4ac42cb6a9a5d76f4338155f077895d9890248f52cddf7d4204333401f3fd8e0
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -2,14 +2,12 @@
|
|
|
2
2
|
|
|
3
3
|
[][gem]
|
|
4
4
|
[][travis]
|
|
5
|
-
[][codeclimate]
|
|
5
|
+
[][codeclimate]
|
|
7
6
|
[][coveralls]
|
|
8
7
|
|
|
9
8
|
[gem]: https://rubygems.org/gems/omniauth-saml
|
|
10
9
|
[travis]: http://travis-ci.org/omniauth/omniauth-saml
|
|
11
|
-
[
|
|
12
|
-
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml
|
|
10
|
+
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml/maintainability
|
|
13
11
|
[coveralls]: https://coveralls.io/r/omniauth/omniauth-saml
|
|
14
12
|
|
|
15
13
|
A generic SAML strategy for OmniAuth available under the [MIT License](LICENSE.md)
|
|
@@ -19,7 +17,7 @@ https://github.com/omniauth/omniauth-saml
|
|
|
19
17
|
## Requirements
|
|
20
18
|
|
|
21
19
|
* [OmniAuth](http://www.omniauth.org/) 1.3+
|
|
22
|
-
* Ruby 2.
|
|
20
|
+
* Ruby 2.4.x+
|
|
23
21
|
|
|
24
22
|
## Versioning
|
|
25
23
|
|
|
@@ -37,6 +35,10 @@ use OmniAuth::Strategies::SAML,
|
|
|
37
35
|
:idp_sso_target_url => "idp_sso_target_url",
|
|
38
36
|
:idp_sso_target_url_runtime_params => {:original_request_param => :mapped_idp_param},
|
|
39
37
|
:idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
|
|
38
|
+
:idp_cert_multi => {
|
|
39
|
+
:signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
|
|
40
|
+
:encryption => []
|
|
41
|
+
}
|
|
40
42
|
:idp_cert_fingerprint => "E7:91:B2:E1:...",
|
|
41
43
|
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
|
|
42
44
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
@@ -60,6 +62,10 @@ Rails.application.config.middleware.use OmniAuth::Builder do
|
|
|
60
62
|
:idp_sso_target_url => "idp_sso_target_url",
|
|
61
63
|
:idp_sso_target_url_runtime_params => {:original_request_param => :mapped_idp_param},
|
|
62
64
|
:idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
|
|
65
|
+
:idp_cert_multi => {
|
|
66
|
+
:signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
|
|
67
|
+
:encryption => []
|
|
68
|
+
}
|
|
63
69
|
:idp_cert_fingerprint => "E7:91:B2:E1:...",
|
|
64
70
|
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
|
|
65
71
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
@@ -107,16 +113,20 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
|
|
|
107
113
|
`original_param_value`. Optional.
|
|
108
114
|
|
|
109
115
|
* `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
|
|
110
|
-
over the fingerprint option below. This option or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
116
|
+
over the fingerprint option below. This option or `:idp_cert_multi` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
111
117
|
be present.
|
|
118
|
+
|
|
119
|
+
* `:idp_cert_multi` - Multiple identity provider certificates in PEM format. Takes precedence
|
|
120
|
+
over the fingerprint option below. This option `:idp_cert` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
121
|
+
be present.
|
|
112
122
|
|
|
113
123
|
* `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g.
|
|
114
124
|
"90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
|
|
115
|
-
the relationship. This option or `:idp_cert` or `:idp_cert_fingerprint_validator` MUST be present.
|
|
125
|
+
the relationship. This option or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint_validator` MUST be present.
|
|
116
126
|
|
|
117
127
|
* `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter
|
|
118
128
|
(the fingerprint), verify if it is valid and return it if successful. This option
|
|
119
|
-
or `:idp_cert` or `:idp_cert_fingerprint` MUST be present.
|
|
129
|
+
or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint` MUST be present.
|
|
120
130
|
|
|
121
131
|
* `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
|
|
122
132
|
the username required by this application. If you need the email address, use
|
|
@@ -194,7 +204,7 @@ advertised in metadata by setting the `single_logout_service_url` config option)
|
|
|
194
204
|
When using Devise as an authentication solution, the SP initiated flow can be integrated
|
|
195
205
|
in the `SessionsController#destroy` action.
|
|
196
206
|
|
|
197
|
-
For this to work it is important to preserve the `saml_uid` value before Devise
|
|
207
|
+
For this to work it is important to preserve the `saml_uid` and `saml_session_index` value before Devise
|
|
198
208
|
clears the session and redirect to the `/spslo` sub-path to initiate the single logout.
|
|
199
209
|
|
|
200
210
|
Example `destroy` action in `sessions_controller.rb`:
|
|
@@ -204,17 +214,19 @@ class SessionsController < Devise::SessionsController
|
|
|
204
214
|
# ...
|
|
205
215
|
|
|
206
216
|
def destroy
|
|
207
|
-
# Preserve the saml_uid in the session
|
|
208
|
-
saml_uid = session[
|
|
217
|
+
# Preserve the saml_uid and saml_session_index in the session
|
|
218
|
+
saml_uid = session['saml_uid']
|
|
219
|
+
saml_session_index = session['saml_session_index']
|
|
209
220
|
super do
|
|
210
|
-
session[
|
|
221
|
+
session['saml_uid'] = saml_uid
|
|
222
|
+
session['saml_session_index'] = saml_session_index
|
|
211
223
|
end
|
|
212
224
|
end
|
|
213
225
|
|
|
214
226
|
# ...
|
|
215
227
|
|
|
216
228
|
def after_sign_out_path_for(_)
|
|
217
|
-
if session['saml_uid'] && SAML_SETTINGS.idp_slo_target_url
|
|
229
|
+
if session['saml_uid'] && session['saml_session_index'] && SAML_SETTINGS.idp_slo_target_url
|
|
218
230
|
user_saml_omniauth_authorize_path + "/spslo"
|
|
219
231
|
else
|
|
220
232
|
super
|
|
@@ -10,10 +10,7 @@ module OmniAuth
|
|
|
10
10
|
OmniAuth::Strategy.included(subclass)
|
|
11
11
|
end
|
|
12
12
|
|
|
13
|
-
|
|
14
|
-
:skip_conditions, :allowed_clock_drift, :matches_request_id,
|
|
15
|
-
:skip_subject_confirmation, :skip_destination, :skip_recipient_check
|
|
16
|
-
].freeze
|
|
13
|
+
RUBYSAML_RESPONSE_OPTIONS = OneLogin::RubySaml::Response::AVAILABLE_OPTIONS
|
|
17
14
|
|
|
18
15
|
option :name_identifier_format, nil
|
|
19
16
|
option :idp_sso_target_url_runtime_params, {}
|
|
@@ -234,7 +231,7 @@ module OmniAuth
|
|
|
234
231
|
|
|
235
232
|
def options_for_response_object
|
|
236
233
|
# filter options to select only extra parameters
|
|
237
|
-
opts = options.select {|k,_|
|
|
234
|
+
opts = options.select {|k,_| RUBYSAML_RESPONSE_OPTIONS.include?(k.to_sym)}
|
|
238
235
|
|
|
239
236
|
# symbolize keys without activeSupport/symbolize_keys (ruby-saml use symbols)
|
|
240
237
|
opts.inject({}) do |new_hash, (key, value)|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.10.
|
|
4
|
+
version: 1.10.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Raecoo Cao
|
|
@@ -14,7 +14,7 @@ authors:
|
|
|
14
14
|
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date:
|
|
17
|
+
date: 2020-07-04 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: omniauth
|
|
@@ -42,34 +42,28 @@ dependencies:
|
|
|
42
42
|
requirements:
|
|
43
43
|
- - "~>"
|
|
44
44
|
- !ruby/object:Gem::Version
|
|
45
|
-
version: '1.
|
|
45
|
+
version: '1.9'
|
|
46
46
|
type: :runtime
|
|
47
47
|
prerelease: false
|
|
48
48
|
version_requirements: !ruby/object:Gem::Requirement
|
|
49
49
|
requirements:
|
|
50
50
|
- - "~>"
|
|
51
51
|
- !ruby/object:Gem::Version
|
|
52
|
-
version: '1.
|
|
52
|
+
version: '1.9'
|
|
53
53
|
- !ruby/object:Gem::Dependency
|
|
54
54
|
name: rake
|
|
55
55
|
requirement: !ruby/object:Gem::Requirement
|
|
56
56
|
requirements:
|
|
57
57
|
- - ">="
|
|
58
58
|
- !ruby/object:Gem::Version
|
|
59
|
-
version:
|
|
60
|
-
- - "<"
|
|
61
|
-
- !ruby/object:Gem::Version
|
|
62
|
-
version: '12'
|
|
59
|
+
version: 12.3.3
|
|
63
60
|
type: :development
|
|
64
61
|
prerelease: false
|
|
65
62
|
version_requirements: !ruby/object:Gem::Requirement
|
|
66
63
|
requirements:
|
|
67
64
|
- - ">="
|
|
68
65
|
- !ruby/object:Gem::Version
|
|
69
|
-
version:
|
|
70
|
-
- - "<"
|
|
71
|
-
- !ruby/object:Gem::Version
|
|
72
|
-
version: '12'
|
|
66
|
+
version: 12.3.3
|
|
73
67
|
- !ruby/object:Gem::Dependency
|
|
74
68
|
name: rspec
|
|
75
69
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -132,6 +126,20 @@ dependencies:
|
|
|
132
126
|
- - "~>"
|
|
133
127
|
- !ruby/object:Gem::Version
|
|
134
128
|
version: '1.2'
|
|
129
|
+
- !ruby/object:Gem::Dependency
|
|
130
|
+
name: coveralls
|
|
131
|
+
requirement: !ruby/object:Gem::Requirement
|
|
132
|
+
requirements:
|
|
133
|
+
- - ">="
|
|
134
|
+
- !ruby/object:Gem::Version
|
|
135
|
+
version: 0.8.23
|
|
136
|
+
type: :development
|
|
137
|
+
prerelease: false
|
|
138
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
139
|
+
requirements:
|
|
140
|
+
- - ">="
|
|
141
|
+
- !ruby/object:Gem::Version
|
|
142
|
+
version: 0.8.23
|
|
135
143
|
description: A generic SAML strategy for OmniAuth.
|
|
136
144
|
email: rajiv@alum.mit.edu
|
|
137
145
|
executables: []
|
|
@@ -159,7 +167,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
159
167
|
requirements:
|
|
160
168
|
- - ">="
|
|
161
169
|
- !ruby/object:Gem::Version
|
|
162
|
-
version: '2.
|
|
170
|
+
version: '2.4'
|
|
163
171
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
164
172
|
requirements:
|
|
165
173
|
- - ">="
|
|
@@ -167,10 +175,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
167
175
|
version: '0'
|
|
168
176
|
requirements: []
|
|
169
177
|
rubyforge_project:
|
|
170
|
-
rubygems_version: 2.
|
|
178
|
+
rubygems_version: 2.6.14
|
|
171
179
|
signing_key:
|
|
172
180
|
specification_version: 4
|
|
173
181
|
summary: A generic SAML strategy for OmniAuth.
|
|
174
182
|
test_files:
|
|
175
|
-
- spec/spec_helper.rb
|
|
176
183
|
- spec/omniauth/strategies/saml_spec.rb
|
|
184
|
+
- spec/spec_helper.rb
|