omniauth-saml 2.0.0 → 2.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of omniauth-saml might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -0
- data/README.md +16 -17
- data/lib/omniauth/strategies/saml.rb +4 -4
- data/lib/omniauth-saml/version.rb +1 -1
- data/spec/omniauth/strategies/saml_spec.rb +8 -8
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 032f34c12924a5666a189462f819b871c2e321891cbe23b45e56c47acdbfc53c
|
|
4
|
+
data.tar.gz: 17bb6e9741181862fcb34f3ca0a47084b9805aba71b3dd5dadfb951c7cd20d27
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: eb87a7392dc23407ab0064b67efd4ffefd9ec3fbbca18b32e96bf973281dffb9477bffc3765d8b4c3e278df7aedca255a95aa03deb44053b33c3cfff5af9435e
|
|
7
|
+
data.tar.gz: 22daef0cc26447f27023c5dc2e6f816e1f79c57c0538b86ffae0f8a2ea9d08492bc351aa31838ca7b4a272ae577aea3f914a87dba0656e1ac2e098f49f034041
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,15 @@
|
|
|
1
|
+
<a name="v2.1.0"></a>
|
|
2
|
+
### v2.1.0 (2022-03-01)
|
|
3
|
+
|
|
4
|
+
|
|
5
|
+
#### Refactor
|
|
6
|
+
|
|
7
|
+
* Rename usage of deprecated SAML options ([74ed8df](/../../commit/74ed8df))
|
|
8
|
+
|
|
9
|
+
#### Chores
|
|
10
|
+
|
|
11
|
+
* bump ruby-saml to 1.12 ([15c156a](/../../commit/15c156a))
|
|
12
|
+
|
|
1
13
|
<a name="v2.0.0"></a>
|
|
2
14
|
### v2.0.0 (2021-01-13)
|
|
3
15
|
|
data/README.md
CHANGED
|
@@ -1,12 +1,11 @@
|
|
|
1
1
|
# OmniAuth SAML
|
|
2
2
|
|
|
3
3
|
[][gem]
|
|
4
|
-
[](https://github.com/omniauth/omniauth-saml/actions/workflows/ruby.yml)
|
|
5
5
|
[][codeclimate]
|
|
6
6
|
[][coveralls]
|
|
7
7
|
|
|
8
8
|
[gem]: https://rubygems.org/gems/omniauth-saml
|
|
9
|
-
[travis]: http://travis-ci.org/omniauth/omniauth-saml
|
|
10
9
|
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml/maintainability
|
|
11
10
|
[coveralls]: https://coveralls.io/r/omniauth/omniauth-saml
|
|
12
11
|
|
|
@@ -31,9 +30,9 @@ Use the SAML strategy as a middleware in your application:
|
|
|
31
30
|
require 'omniauth'
|
|
32
31
|
use OmniAuth::Strategies::SAML,
|
|
33
32
|
:assertion_consumer_service_url => "consumer_service_url",
|
|
34
|
-
:
|
|
35
|
-
:
|
|
36
|
-
:
|
|
33
|
+
:sp_entity_id => "sp_entity_id",
|
|
34
|
+
:idp_sso_service_url => "idp_sso_service_url",
|
|
35
|
+
:idp_sso_service_url_runtime_params => {:original_request_param => :mapped_idp_param},
|
|
37
36
|
:idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
|
|
38
37
|
:idp_cert_multi => {
|
|
39
38
|
:signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
|
|
@@ -58,9 +57,9 @@ and in `config/initializers/omniauth.rb`:
|
|
|
58
57
|
Rails.application.config.middleware.use OmniAuth::Builder do
|
|
59
58
|
provider :saml,
|
|
60
59
|
:assertion_consumer_service_url => "consumer_service_url",
|
|
61
|
-
:
|
|
62
|
-
:
|
|
63
|
-
:
|
|
60
|
+
:sp_entity_id => "rails-application",
|
|
61
|
+
:idp_sso_service_url => "idp_sso_service_url",
|
|
62
|
+
:idp_sso_service_url_runtime_params => {:original_request_param => :mapped_idp_param},
|
|
64
63
|
:idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
|
|
65
64
|
:idp_cert_multi => {
|
|
66
65
|
:signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
|
|
@@ -72,7 +71,7 @@ Rails.application.config.middleware.use OmniAuth::Builder do
|
|
|
72
71
|
end
|
|
73
72
|
```
|
|
74
73
|
|
|
75
|
-
For IdP-initiated SSO, users should directly access the IdP SSO
|
|
74
|
+
For IdP-initiated SSO, users should directly access the IdP SSO service URL. Set the `href` of your application's login link to the value of `idp_sso_service_url`. For SP-initiated SSO, link to `/auth/saml`.
|
|
76
75
|
|
|
77
76
|
A `OneLogin::RubySaml::Response` object is added to the `env['omniauth.auth']` extra attribute, so we can use it in the controller via `env['omniauth.auth'].extra.response_object`
|
|
78
77
|
|
|
@@ -88,13 +87,13 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
|
|
|
88
87
|
received. If not provided, defaults to the OmniAuth callback URL (typically
|
|
89
88
|
`http://example.com/auth/saml/callback`). Optional.
|
|
90
89
|
|
|
91
|
-
* `:
|
|
90
|
+
* `:sp_entity_id` - The name of your application. Some identity providers might need this
|
|
92
91
|
to establish the identity of the service provider requesting the login. **Required**.
|
|
93
92
|
|
|
94
|
-
* `:
|
|
93
|
+
* `:idp_sso_service_url` - The URL to which the authentication request should be sent.
|
|
95
94
|
This would be on the identity provider. **Required**.
|
|
96
95
|
|
|
97
|
-
* `:
|
|
96
|
+
* `:idp_slo_service_url` - The URL to which the single logout request and response should
|
|
98
97
|
be sent. This would be on the identity provider. Optional.
|
|
99
98
|
|
|
100
99
|
* `:idp_slo_session_destroy` - A proc that accepts up to two parameters (the rack environment, and the session),
|
|
@@ -106,7 +105,7 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
|
|
|
106
105
|
instance will be passed to this callable if it has an arity of 1. If the value is a string,
|
|
107
106
|
the string will be returned, when the `RelayState` is called. Optional.
|
|
108
107
|
|
|
109
|
-
* `:
|
|
108
|
+
* `:idp_sso_service_url_runtime_params` - A dynamic mapping of request params that exist
|
|
110
109
|
during the request phase of OmniAuth that should to be sent to the IdP after a specific
|
|
111
110
|
mapping. So for example, a param `original_request_param` with value `original_param_value`,
|
|
112
111
|
could be sent to the IdP on the login request as `mapped_idp_param` with value
|
|
@@ -170,7 +169,7 @@ idp_metadata = idp_metadata_parser.parse_remote_to_hash("http://idp.example.com/
|
|
|
170
169
|
use OmniAuth::Strategies::SAML,
|
|
171
170
|
idp_metadata.merge(
|
|
172
171
|
:assertion_consumer_service_url => "consumer_service_url",
|
|
173
|
-
:
|
|
172
|
+
:sp_entity_id => "sp_entity_id"
|
|
174
173
|
)
|
|
175
174
|
```
|
|
176
175
|
|
|
@@ -186,7 +185,7 @@ In `config/initializers/devise.rb`:
|
|
|
186
185
|
Devise.setup do |config|
|
|
187
186
|
config.omniauth :saml,
|
|
188
187
|
idp_cert_fingerprint: 'fingerprint',
|
|
189
|
-
|
|
188
|
+
idp_sso_service_url: 'idp_sso_service_url'
|
|
190
189
|
end
|
|
191
190
|
```
|
|
192
191
|
|
|
@@ -196,7 +195,7 @@ Then follow Devise's general [OmniAuth tutorial](https://github.com/plataformate
|
|
|
196
195
|
|
|
197
196
|
Single Logout can be Service Provider initiated or Identity Provider initiated.
|
|
198
197
|
|
|
199
|
-
For SP initiated logout, the `
|
|
198
|
+
For SP initiated logout, the `idp_slo_service_url` option must be set to the logout url on the IdP,
|
|
200
199
|
and users directed to `user_saml_omniauth_authorize_path + '/spslo'` after logging out locally. For
|
|
201
200
|
IdP initiated logout, logout requests from the IdP should go to `/auth/saml/slo` (this can be
|
|
202
201
|
advertised in metadata by setting the `single_logout_service_url` config option).
|
|
@@ -226,7 +225,7 @@ class SessionsController < Devise::SessionsController
|
|
|
226
225
|
# ...
|
|
227
226
|
|
|
228
227
|
def after_sign_out_path_for(_)
|
|
229
|
-
if session['saml_uid'] && session['saml_session_index'] && SAML_SETTINGS.
|
|
228
|
+
if session['saml_uid'] && session['saml_session_index'] && SAML_SETTINGS.idp_slo_service_url
|
|
230
229
|
user_saml_omniauth_authorize_path + "/spslo"
|
|
231
230
|
else
|
|
232
231
|
super
|
|
@@ -13,7 +13,7 @@ module OmniAuth
|
|
|
13
13
|
RUBYSAML_RESPONSE_OPTIONS = OneLogin::RubySaml::Response::AVAILABLE_OPTIONS
|
|
14
14
|
|
|
15
15
|
option :name_identifier_format, nil
|
|
16
|
-
option :
|
|
16
|
+
option :idp_sso_service_url_runtime_params, {}
|
|
17
17
|
option :request_attributes, [
|
|
18
18
|
{ :name => 'email', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Email address' },
|
|
19
19
|
{ :name => 'name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Full name' },
|
|
@@ -264,7 +264,7 @@ module OmniAuth
|
|
|
264
264
|
end
|
|
265
265
|
|
|
266
266
|
def other_phase_for_spslo
|
|
267
|
-
if options.
|
|
267
|
+
if options.idp_slo_service_url
|
|
268
268
|
with_settings do |settings|
|
|
269
269
|
redirect(generate_logout_request(settings))
|
|
270
270
|
end
|
|
@@ -275,7 +275,7 @@ module OmniAuth
|
|
|
275
275
|
|
|
276
276
|
def add_request_attributes_to(settings)
|
|
277
277
|
settings.attribute_consuming_service.service_name options.attribute_service_name
|
|
278
|
-
settings.
|
|
278
|
+
settings.sp_entity_id = options.sp_entity_id
|
|
279
279
|
|
|
280
280
|
options.request_attributes.each do |attribute|
|
|
281
281
|
settings.attribute_consuming_service.add_attribute attribute
|
|
@@ -284,7 +284,7 @@ module OmniAuth
|
|
|
284
284
|
|
|
285
285
|
def additional_params_for_authn_request
|
|
286
286
|
{}.tap do |additional_params|
|
|
287
|
-
runtime_request_parameters = options.delete(:
|
|
287
|
+
runtime_request_parameters = options.delete(:idp_sso_service_url_runtime_params)
|
|
288
288
|
|
|
289
289
|
if runtime_request_parameters
|
|
290
290
|
runtime_request_parameters.each_pair do |request_param_key, mapped_param_key|
|
|
@@ -18,10 +18,10 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
18
18
|
{
|
|
19
19
|
:assertion_consumer_service_url => "http://localhost:9080/auth/saml/callback",
|
|
20
20
|
:single_logout_service_url => "http://localhost:9080/auth/saml/slo",
|
|
21
|
-
:
|
|
22
|
-
:
|
|
21
|
+
:idp_sso_service_url => "https://idp.sso.example.com/signon/29490",
|
|
22
|
+
:idp_slo_service_url => "https://idp.sso.example.com/signoff/29490",
|
|
23
23
|
:idp_cert_fingerprint => "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB",
|
|
24
|
-
:
|
|
24
|
+
:idp_sso_service_url_runtime_params => {:original_param_key => :mapped_param_key},
|
|
25
25
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
|
|
26
26
|
:request_attributes => [
|
|
27
27
|
{ :name => 'email', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Email address' },
|
|
@@ -306,7 +306,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
306
306
|
|
|
307
307
|
context "when response is a logout response" do
|
|
308
308
|
before :each do
|
|
309
|
-
saml_options[:
|
|
309
|
+
saml_options[:sp_entity_id] = "https://idp.sso.example.com/metadata/29490"
|
|
310
310
|
|
|
311
311
|
post "/auth/saml/slo", {
|
|
312
312
|
SAMLResponse: load_xml(:example_logout_response),
|
|
@@ -323,7 +323,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
323
323
|
subject { post "/auth/saml/slo", params, "rack.session" => { "saml_uid" => "username@example.com" } }
|
|
324
324
|
|
|
325
325
|
before :each do
|
|
326
|
-
saml_options[:
|
|
326
|
+
saml_options[:sp_entity_id] = "https://idp.sso.example.com/metadata/29490"
|
|
327
327
|
end
|
|
328
328
|
|
|
329
329
|
let(:params) do
|
|
@@ -392,8 +392,8 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
392
392
|
end
|
|
393
393
|
end
|
|
394
394
|
|
|
395
|
-
it "should give not implemented without an
|
|
396
|
-
saml_options.delete(:
|
|
395
|
+
it "should give not implemented without an idp_slo_service_url" do
|
|
396
|
+
saml_options.delete(:idp_slo_service_url)
|
|
397
397
|
post "/auth/saml/spslo"
|
|
398
398
|
|
|
399
399
|
expect(last_response.status).to eq 501
|
|
@@ -404,7 +404,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
404
404
|
|
|
405
405
|
describe 'POST /auth/saml/metadata' do
|
|
406
406
|
before do
|
|
407
|
-
saml_options[:
|
|
407
|
+
saml_options[:sp_entity_id] = 'http://example.com/SAML'
|
|
408
408
|
post '/auth/saml/metadata'
|
|
409
409
|
end
|
|
410
410
|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Raecoo Cao
|
|
@@ -14,7 +14,7 @@ authors:
|
|
|
14
14
|
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date:
|
|
17
|
+
date: 2022-03-01 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: omniauth
|
|
@@ -36,14 +36,14 @@ dependencies:
|
|
|
36
36
|
requirements:
|
|
37
37
|
- - "~>"
|
|
38
38
|
- !ruby/object:Gem::Version
|
|
39
|
-
version: '1.
|
|
39
|
+
version: '1.12'
|
|
40
40
|
type: :runtime
|
|
41
41
|
prerelease: false
|
|
42
42
|
version_requirements: !ruby/object:Gem::Requirement
|
|
43
43
|
requirements:
|
|
44
44
|
- - "~>"
|
|
45
45
|
- !ruby/object:Gem::Version
|
|
46
|
-
version: '1.
|
|
46
|
+
version: '1.12'
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
|
48
48
|
name: rake
|
|
49
49
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -168,10 +168,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
168
168
|
- !ruby/object:Gem::Version
|
|
169
169
|
version: '0'
|
|
170
170
|
requirements: []
|
|
171
|
-
rubygems_version: 3.
|
|
171
|
+
rubygems_version: 3.2.32
|
|
172
172
|
signing_key:
|
|
173
173
|
specification_version: 4
|
|
174
174
|
summary: A generic SAML strategy for OmniAuth.
|
|
175
175
|
test_files:
|
|
176
|
-
- spec/spec_helper.rb
|
|
177
176
|
- spec/omniauth/strategies/saml_spec.rb
|
|
177
|
+
- spec/spec_helper.rb
|