omniauth-wsfed 0.1.0

data/.gitignore

@@ -0,0 +1,5 @@
+# Rubymine
+.idea
+
+#RVM
+.rvmrc

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in omniauth-wsfed.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,43 @@
+PATH
+  remote: .
+  specs:
+    omniauth-wsfed (0.1.0)
+      omniauth (~> 1.1.0)
+      typhoeus (~> 0.4.2)
+      xmlcanonicalizer (= 0.1.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    diff-lcs (1.1.3)
+    ffi (1.1.0)
+    hashie (1.2.0)
+    mime-types (1.19)
+    omniauth (1.1.0)
+      hashie (~> 1.2)
+      rack
+    rack (1.4.1)
+    rack-test (0.6.1)
+      rack (>= 1.0)
+    rake (0.9.2.2)
+    rspec (2.10.0)
+      rspec-core (~> 2.10.0)
+      rspec-expectations (~> 2.10.0)
+      rspec-mocks (~> 2.10.0)
+    rspec-core (2.10.1)
+    rspec-expectations (2.10.0)
+      diff-lcs (~> 1.1.3)
+    rspec-mocks (2.10.1)
+    typhoeus (0.4.2)
+      ffi (~> 1.0)
+      mime-types (~> 1.18)
+    xmlcanonicalizer (0.1.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  omniauth-wsfed!
+  rack-test (~> 0.6.1)
+  rake (~> 0.9.2)
+  rspec (~> 2.10.0)

data/LICENSE

@@ -0,0 +1,24 @@
+Copyright (c) 2011-2012 Keith Beckman, http://www.coding4streetcred.com/blog
+All rights reserved. Released under the MIT license.
+
+Portions Copyright (c) 2007 Sun Microsystems Inc.
+
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,131 @@
+# OmniAuth WS-Fed #
+
+#### This gem is currently under construction... Expect an official v1 release by the the end of July 2012. ####
+
+The OmniAuth-WSFed authentication strategy can be used with the following technologies
+under scenarios requiring the [WS-Federation protocol](http://msdn.microsoft.com/en-us/library/bb498017.aspx)
+for authentication. These services are typically used for Identity Federation and Single
+Sign-On across large organizations or authentication domains.
+
+* [Windows Azure ACS](http://msdn.microsoft.com/en-us/library/windowsazure/gg429786.aspx)
+* [ADFS 2.0](http://msdn.microsoft.com/en-us/magazine/ee335705.aspx)
+* Corporate Secure Token Servers (STSs)
+
+
+## Installation ##
+
+Add this line to your application's Gemfile:
+```ruby
+    gem 'omniauth-wsfed'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it globally as:
+
+    $ gem install omniauth-wsfed
+
+
+## Configuration ##
+
+Use the WSFed strategy as a middleware in your application:
+
+```ruby
+require 'omniauth'
+
+use OmniAuth::Strategies::WSFed,
+  :issuer_name           => "http://your-azure-acs-namespace.accesscontrol.windows.net",
+  :issuer                => "https://your-azure-acs-namespace.accesscontrol.windows.net/v2/wsfederation",
+  :realm                 => "http://my.relyingparty/realm",
+  :reply                 => "http://localhost:3000/auth/wsfed/callback",
+  :id_claim              => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
+  :idp_cert_fingerprint  => "FC96D2983…"
+```
+
+or in your Rails application:
+
+in `Gemfile`:
+
+```ruby
+gem 'omniauth-wsfed'
+```
+
+and in `config/initializers/omniauth.rb`:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+
+  provider :wsfed,
+    :issuer_name           => "http://your-azure-acs-namespace.accesscontrol.windows.net",
+    :issuer                => "https://your-azure-acs-namespace.accesscontrol.windows.net/v2/wsfederation",
+    :realm                 => "http://my.relyingparty/realm",
+    :reply                 => "http://localhost:3000/auth/wsfed/callback",
+    :id_claim              => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
+    :idp_cert_fingerprint  => "FC96D2983…"
+
+end
+```
+
+
+## Configuration Options ##
+
+* `:issuer_name` - The name of your Identity Provider (IdP). This option is not required,
+but can be a nice way to differentiate your IdP configurations if you are testing with
+multiple providers in multiple enviornments. **Optional**
+
+* `:issuer` - The IdP web endpoint (URL) to which the authentication request should be
+sent. **Required**.
+
+* `:idp_cert_fingerprint` - The SHA1 fingerprint of the IdP's signing certificate
+(e.g. "90:CC:16:F0:8D:…"). This is provided by the IdP when setting up the trust
+relationship. This option or `:idp_cert` must be present.
+
+* `:idp_cert` - The IdP's certificate in PEM format. This option or
+`:idp_cert_fingerprint` must be present.
+
+* `:realm` - Your site's security realm. This is a URI defining the realm to which the
+IdP must issue a secure token. **Required**
+
+* `:reply` - The reply-to URL in your application for which a WSFed response should be
+posted. **Required**
+
+* `:id_claim` - Name of the authentication claim that you want to use as OmniAuth's
+**uid** property.
+
+
+## Authors and Credits ##
+
+Authored by [Keith Beckman](https://github.com/kbeckman).
+
+Special thanks to the developers of the following projects from which I borrowed from for omniauth-wsfed:
+
+* [PracticallyGreen / omniauth-saml](https://github.com/PracticallyGreen/omniauth-saml)
+* [onelogin / ruby-saml](https://github.com/onelogin/ruby-saml)
+
+
+## License ##
+
+Copyright (c) 2011-2012 Keith Beckman, [Coding4StreetCred.com](http://www.coding4streetcred.com/blog)
+All rights reserved. Released under the MIT license.
+
+Portions Copyright (c) 2007 Sun Microsystems Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,2 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"

data/lib/azure_acs/idp_feed.rb

@@ -0,0 +1,16 @@
+module AzureACS
+
+  class IdPFeed
+
+    def initialize(idp_json_feed_url)
+      raise ArgumentError.new("Azure ACS JSON feed URL cannot be null.") if idp_json_feed_url.nil?
+      @json_feed_url = idp_json_feed_url
+    end
+
+    def identity_providers
+      @json_feed ||= Typhoeus::Request.get(@json_feed_url).body
+    end
+
+  end
+
+end

data/lib/omniauth/strategies/wsfed/auth_request.rb

@@ -0,0 +1,32 @@
+require 'erb'
+
+module OmniAuth
+  module Strategies
+    class WSFed
+
+      class AuthRequest
+        include ERB::Util
+
+        SIGNIN_PARAM = 'wsignin1.0'
+
+        def create (settings, args = {})
+          wa      = SIGNIN_PARAM
+          wtrealm = url_encode(settings[:realm])
+          wreply  = url_encode(settings[:reply])
+          wct     = url_encode(Time.now.utc)
+          whr     = url_encode(args[:whr])
+
+          query_string = "?wa=#{wa}&wtrealm=#{wtrealm}&wreply=#{wreply}&wctx=#{}&wct=#{wct}"
+
+          unless whr.nil? or whr.empty?
+            query_string = "#{query_string}&whr=#{whr}"
+          end
+
+          settings[:issuer] + query_string
+        end
+
+      end
+
+    end
+  end
+end

data/lib/omniauth/strategies/wsfed/auth_response.rb

@@ -0,0 +1,159 @@
+require "time"
+require "hashie"
+
+module OmniAuth
+  module Strategies
+    class WSFed
+
+      class AuthResponse
+
+        ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+        PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+        DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+
+        attr_accessor :options, :response, :document, :settings
+
+        def initialize(response, settings, options = {})
+          raise ArgumentError.new("Response cannot be nil.") if response.nil?
+          raise ArgumentError.new("WSFed settings cannot be nil.") if settings.nil?
+
+          self.options  = options
+          self.response = response
+          self.settings = settings
+          self.document = OmniAuth::Strategies::WSFed::XMLSecurity::SignedDocument.new(response)
+        end
+
+        def valid?
+          validate(soft = true)
+        end
+
+        def validate!
+          validate(soft = false)
+        end
+
+        # The value of the user identifier as defined by the id_claim setting...
+        def name_id
+          @name_id ||= begin
+            attributes.has_key?(settings[:id_claim]) ? attributes.fetch(settings[:id_claim]) : nil
+          end
+        end
+
+        # A hash of all the claims provided by the response.
+        def attributes
+          @attr_statements ||= begin
+            stmt_element = REXML::XPath.first(document, "//Assertion/AttributeStatement")
+            return {} if stmt_element.nil?
+
+            {}.tap do |result|
+              stmt_element.elements.each do |attr_element|
+                name  = attr_element.attributes["Name"]
+
+                if attr_element.elements.count > 1
+                  value = []
+                  attr_element.elements.each { |element| value << element.text }
+                else
+                  value = attr_element.elements.first.text.lstrip.rstrip
+                end
+
+                result[name] = value
+              end
+            end
+          end
+        end
+
+        # When this user session should expire at latest
+        def session_expires_at
+          @expires_at ||= begin
+            node = xpath("/p:Response/a:Assertion/a:AuthnStatement")
+            parse_time(node, "SessionNotOnOrAfter")
+          end
+        end
+
+        # Conditions (if any) for the assertion to run
+        def conditions
+          @conditions ||= begin
+            xpath("/p:Response/a:Assertion[@ID='#{signed_element_id}']/a:Conditions")
+          end
+        end
+
+      private
+
+        def validation_error(message)
+          raise OmniAuth::Strategies::WSFed::ValidationError.new(message)
+        end
+
+        def validate(soft = true)
+          validate_response_state(soft) &&
+              validate_conditions(soft)     &&
+              document.validate(get_fingerprint, soft)
+        end
+
+        def validate_response_state(soft = true)
+          if response.empty?
+            return soft ? false : validation_error("Blank response")
+          end
+
+          if settings.nil?
+            return soft ? false : validation_error("No settings on response")
+          end
+
+          if settings[:idp_cert_fingerprint].nil? && settings[:idp_cert].nil?
+            return soft ? false : validation_error("No fingerprint or certificate on settings")
+          end
+
+          true
+        end
+
+        def get_fingerprint
+          if settings[:idp_cert_fingerprint]
+            settings[:idp_cert_fingerprint]
+          else
+            cert = OpenSSL::X509::Certificate.new(settings[:idp_cert].gsub(/^ +/, ''))
+            Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+          end
+        end
+
+        def validate_conditions(soft = true)
+          return true if conditions.nil?
+          return true if options[:skip_conditions]
+
+          if not_before = parse_time(conditions, "NotBefore")
+            if Time.now.utc < not_before
+              return soft ? false : validation_error("Current time is earlier than NotBefore condition")
+            end
+          end
+
+          if not_on_or_after = parse_time(conditions, "NotOnOrAfter")
+            if Time.now.utc >= not_on_or_after
+              return soft ? false : validation_error("Current time is on or after NotOnOrAfter condition")
+            end
+          end
+
+          true
+        end
+
+        def parse_time(node, attribute)
+          if node && node.attributes[attribute]
+            Time.parse(node.attributes[attribute])
+          end
+        end
+
+        #def strip(string)
+        #  return string unless string
+        #  string.gsub(/^\s+/, '').gsub(/\s+$/, '')
+        #end
+
+        def xpath(path)
+          #REXML::XPath.first(document, path, { "p" => PROTOCOL, "a" => ASSERTION })
+          REXML::XPath.first(document, path, { "saml" => ASSERTION })
+        end
+
+        def signed_element_id
+          doc_id = document.signed_element_id
+          doc_id[1, doc_id.size]
+        end
+      end
+
+    end
+  end
+end

data/lib/omniauth/strategies/wsfed/validation_error.rb

@@ -0,0 +1,10 @@
+module OmniAuth
+  module Strategies
+    class WSFed
+
+      class ValidationError < OmniAuth::Error
+      end
+
+    end
+  end
+end

data/lib/omniauth/strategies/wsfed/xml_security.rb

@@ -0,0 +1,149 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require 'rubygems'
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require "xmlcanonicalizer"
+require "digest/sha1"
+require "digest/sha2"
+
+module OmniAuth
+  module Strategies
+    class WSFed
+
+      module XMLSecurity
+
+        class SignedDocument < REXML::Document
+          DSIG = "http://www.w3.org/2000/09/xmldsig#"
+
+          attr_accessor :signed_element_id
+
+          def initialize(response)
+            super(response)
+            extract_signed_element_id
+          end
+
+          def validate(idp_cert_fingerprint, soft = true)
+            # get cert from response
+            base64_cert = self.elements["//ds:X509Certificate"].text
+            cert_text   = Base64.decode64(base64_cert)
+            cert        = OpenSSL::X509::Certificate.new(cert_text)
+
+            # check cert matches registered idp cert
+            fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+
+            if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+              return soft ? false : (raise OmniAuth::Strategies::WSFed::ValidationError.new("Fingerprint mismatch"))
+            end
+
+            validate_doc(base64_cert, soft)
+          end
+
+          def validate_doc(base64_cert, soft = true)
+            # validate references
+
+            # check for inclusive namespaces
+
+            inclusive_namespaces            = []
+            inclusive_namespace_element     = REXML::XPath.first(self, "//ec:InclusiveNamespaces")
+
+            if inclusive_namespace_element
+              prefix_list                   = inclusive_namespace_element.attributes.get_attribute('PrefixList').value
+              inclusive_namespaces          = prefix_list.split(" ")
+            end
+
+            # remove signature node
+            sig_element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>DSIG})
+            sig_element.remove
+
+            # check digests
+            REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
+              uri                           = ref.attributes.get_attribute("URI").value
+              hashed_element                = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
+              canoner                       = XML::Util::XmlCanonicalizer.new(false, true)
+              canoner.inclusive_namespaces  = inclusive_namespaces if canoner.respond_to?(:inclusive_namespaces) && !inclusive_namespaces.empty?
+              canon_hashed_element          = canoner.canonicalize(hashed_element)
+	            digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
+              hash                          = Base64.encode64(digest_algorithm.digest(canon_hashed_element)).chomp
+              digest_value                  = REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+
+              unless digests_match?(hash, digest_value)
+                return soft ? false : (raise OmniAuth::Strategies::WSFed::ValidationError.new("Digest mismatch"))
+              end
+            end
+
+            # verify signature
+            canoner                 = XML::Util::XmlCanonicalizer.new(false, true)
+            signed_info_element     = REXML::XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
+            canon_string            = canoner.canonicalize(signed_info_element)
+
+            base64_signature        = REXML::XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>DSIG}).text
+            signature               = Base64.decode64(base64_signature)
+
+            # get certificate object
+            cert_text               = Base64.decode64(base64_cert)
+            cert                    = OpenSSL::X509::Certificate.new(cert_text)
+
+            # signature method
+            signature_algorithm     = algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod", {"ds"=>DSIG}))
+
+            unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
+              return soft ? false : (raise OmniAuth::Strategies::WSFed::ValidationError.new("Key validation error"))
+            end
+
+            return true
+          end
+
+        private
+
+          def digests_match?(hash, digest_value)
+            hash == digest_value
+          end
+
+          def extract_signed_element_id
+            reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
+            self.signed_element_id  = reference_element.attribute("URI").value unless reference_element.nil?
+          end
+
+          def algorithm(element)
+            algorithm = element.attribute("Algorithm").value if element
+            algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
+            case algorithm
+            when 256 then OpenSSL::Digest::SHA256
+            when 384 then OpenSSL::Digest::SHA384
+            when 512 then OpenSSL::Digest::SHA512
+            else
+              OpenSSL::Digest::SHA1
+            end
+          end
+        end
+
+      end
+
+    end
+  end
+end
+

data/lib/omniauth/strategies/wsfed.rb

@@ -0,0 +1,56 @@
+require 'omniauth'
+
+module OmniAuth
+  module Strategies
+
+    class WSFed
+      include OmniAuth::Strategy
+
+      autoload :AuthRequest,      'omniauth/strategies/wsfed/auth_request'
+      autoload :AuthResponse,     'omniauth/strategies/wsfed/auth_response'
+      autoload :ValidationError,  'omniauth/strategies/wsfed/validation_error'
+      autoload :XMLSecurity,      'omniauth/strategies/wsfed/xml_security'
+
+      # Issues passive WS-Federation redirect for authentication...
+      def request_phase
+        whr = @request.params['whr']
+
+        if !whr.nil?
+          request = OmniAuth::Strategies::WSFed::AuthRequest.new
+          redirect(request.create(options, :whr => whr))
+        elsif !options[:home_realm_discovery_path].nil?
+          redirect(options[:home_realm_discovery_path])
+        else
+          request = OmniAuth::Strategies::WSFed::AuthRequest.new
+          redirect(request.create(options))
+        end
+
+      end
+
+      # Parse SAML token...
+      def callback_phase
+        begin
+          response = OmniAuth::Strategies::WSFed::AuthResponse.new(request.params['wresult'], options)
+
+          @name_id  = response.name_id
+          @claims   = response.attributes
+
+          return fail!(:invalid_ticket, OmniAuth::Strategies::WSFed::ValidationError('Invalid SAML Token') ) if @claims.nil? || @claims.empty? || !response.valid?
+          super
+        rescue ArgumentError => e
+          fail!(:invalid_ticket, 'Invalid WSFed Response')
+        end
+      end
+
+      # OmniAuth DSL methods...
+      uid { @name_id }
+
+      info { @claims }
+
+      extra { { :wresult => request.params['wresult'] } }
+
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'wsfed', 'WSFed'

data/lib/omniauth-wsfed/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module WSFed
+    VERSION = "0.1.0"
+  end
+end

data/lib/omniauth-wsfed.rb

@@ -0,0 +1,2 @@
+require 'omniauth/strategies/wsfed'
+require 'azure_acs/idp_feed'

data/omniauth-wsfed.gemspec

@@ -0,0 +1,28 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/omniauth-wsfed/version', __FILE__)
+
+Gem::Specification.new do |gem|
+
+  gem.name          = "omniauth-wsfed"
+  gem.version       = OmniAuth::WSFed::VERSION
+  gem.description   = %q{A WS-Federation + WS-Trust strategy for OmniAuth.}
+  gem.summary       = %q{OmniAuth WS-Federation strategy enabling integration with Windows Azure Access Control Service (ACS), Active Directory Federation Services (ADFS) 2.0, custom Identity Providers built with Windows Identity Foundation (WIF) or any other Identity Provider supporting the WS-Federation protocol.}
+
+  gem.authors       = ["Keith Beckman"]
+  gem.email         = ["kbeckman.c4sc@gmail.com"]
+  gem.homepage      = "https://github.com/kbeckman/omniauth-wsfed"
+
+  gem.add_runtime_dependency 'omniauth', '~> 1.1.0'
+  gem.add_runtime_dependency 'xmlcanonicalizer', '0.1.1'
+  gem.add_runtime_dependency 'typhoeus', '~> 0.4.2'
+
+  gem.add_development_dependency 'rspec', '~> 2.10.0'
+  gem.add_development_dependency 'rake', '~> 0.9.2'
+  gem.add_development_dependency 'rack-test', '~> 0.6.1'
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+end

data/spec/azure_acs/idp_feed_spec.rb

@@ -0,0 +1,18 @@
+require 'spec_helper'
+require 'erb'
+
+describe AzureACS::IdPFeed do
+
+describe "Initialization" do
+
+  context "with Invalid Context" do
+
+    it "should raise an exception when IdP JSON feed URL is nil" do
+      expect { described_class.new(nil) }.to raise_error ArgumentError
+    end
+
+  end
+
+end
+
+end

data/spec/omniauth/strategies/wsfed/auth_request_spec.rb

@@ -0,0 +1,70 @@
+require 'spec_helper'
+require 'erb'
+
+describe OmniAuth::Strategies::WSFed::AuthRequest do
+
+  context 'Valid Request' do
+
+    let(:wsfed_settings) do
+      {
+          issuer: "https://c4sc.accesscontrol.windows.net.com/v2/wsfederation",
+          realm:  "http://c4sc.com/security_realm",
+          reply:  "http://rp.c4sc.com/auth/wsfed"
+      }
+    end
+
+    describe 'WsFed Auth Request URL' do
+
+      let :request do
+        OmniAuth::Strategies::WSFed::AuthRequest.new.create(wsfed_settings)
+      end
+
+      it 'should include the issuer URL followed by WsFed query string params' do
+        request.should start_with "#{wsfed_settings[:issuer]}?"
+      end
+
+      it 'should include the sign-in param [wa]' do
+        request.should include 'wa=wsignin1.0'
+      end
+
+      it 'should include the url-encoded security realm param [wtrealm]' do
+        request.should include "wtrealm=#{ERB::Util::url_encode(wsfed_settings[:realm])}"
+      end
+
+      it 'should include the url-encoded reply param [wreply]' do
+        request.should include "wreply=#{ERB::Util::url_encode(wsfed_settings[:reply])}"
+      end
+
+      it 'should include an empty context param [wctx]' do
+        request.should include "wctx=&"
+      end
+
+      it 'should include the request creation instant time param [wtc]' do
+        time = Time.now.utc
+        Time.now.stub(:utc).and_return(time)
+
+        request.should include "wct=#{ERB::Util.url_encode(time)}"
+      end
+
+      describe 'Url-Encoded Home Realm Parameter [whr]' do
+
+        let(:home_realm) { "http://identity.c4sc.com/trust" }
+
+        it 'should include [whr] if provided in the options' do
+          request = OmniAuth::Strategies::WSFed::AuthRequest.new.create(wsfed_settings, :whr => home_realm)
+          request.should include "whr=#{ERB::Util::url_encode(home_realm)}"
+        end
+
+        it 'should exclude [whr] if ignored in the options' do
+          request = OmniAuth::Strategies::WSFed::AuthRequest.new.create(wsfed_settings, :whr => nil)
+          request.should_not include "whr=#{ERB::Util::url_encode(home_realm)}"
+          request.should_not include "whr="
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/spec/omniauth/strategies/wsfed/auth_response_spec.rb

@@ -0,0 +1,67 @@
+require 'spec_helper'
+
+describe OmniAuth::Strategies::WSFed::AuthResponse do
+
+  describe "Initialization" do
+
+    context "with Invalid Context" do
+
+      it "should raise an exception when response is nil" do
+        expect { described_class.new(nil, {}) }.to raise_error ArgumentError
+      end
+
+      it "should raise an exception when settings are nil" do
+        expect { described_class.new({}, nil) }.to raise_error ArgumentError
+      end
+
+    end
+
+  end
+
+  describe "Response Parsing" do
+
+    before(:each) do
+      @wsfed_settings = {
+          issuer_name:  "http://identity.c4sc.com/trust/",
+          issuer:       "https://identity.c4sc.com/issue/wsfed",
+          realm:        "http://rp.c4sc/security_realm",
+          reply:        "http://rp.c4sc/callback",
+      }
+    end
+
+    context "name_id" do
+
+      it "should load the proper value from various id_claim settings" do
+        id_claims = [
+            { id_claim: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", value: "kbeckman.c4sc@gmail.com" },
+            { id_claim: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", value: "kbeckman.c4sc" }
+        ]
+
+        id_claims.each do |claim_setting|
+          @wsfed_settings.merge!(claim_setting.select { |k,v| k == :id_claim })
+          response = described_class.new(load_support_xml(:acs_example), @wsfed_settings)
+
+          response.name_id.should == claim_setting[:value]
+        end
+      end
+
+    end
+
+    context "attributes" do
+
+      it "should extract the authentication claims" do
+        expected_claims = {
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" => "kbeckman.c4sc@gmail.com",
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" => "kbeckman.c4sc",
+            "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" => "http://identity.c4sc.com/trust/"
+        }
+        response = described_class.new(load_support_xml(:acs_example), @wsfed_settings)
+
+        response.attributes.should == expected_claims
+      end
+
+    end
+
+  end
+
+end

data/spec/omniauth/strategies/wsfed_spec.rb

@@ -0,0 +1,82 @@
+require 'spec_helper'
+
+# Had to split these tests into two different classes because the OmniAuth::Test::StrategyTestCase only sets up one
+# instance of the strategy settings per spec description. In other words, any time you need to make changes to the
+# OmniAuth initialization settings, you need a new spec description to re-initialize the test strategy.
+
+describe OmniAuth::Strategies::WSFed, :type => :strategy do
+  include OmniAuth::Test::StrategyTestCase
+
+  let(:auth_hash){ last_request.env['omniauth.auth'] }
+  let(:wsfed_settings) do
+    {
+        issuer: "https://c4sc.accesscontrol.windows.net.com/v2/wsfederation",
+        realm:  "http://c4sc.com/security_realm",
+        reply:  "http://rp.c4sc.com/auth/wsfed"
+    }
+  end
+  let(:strategy) { [OmniAuth::Strategies::WSFed, wsfed_settings] }
+  let(:home_realm) { "http://identity.c4sc.com/trust" }
+
+
+  describe 'request_phase: GET /auth/wsfed' do
+
+    context 'no :home_realm_discovery_path' do
+
+      it 'should redirect to the IdP/FP issuer URL without [whr] param'  do
+        get '/auth/wsfed'
+
+        last_response.should be_redirect
+        last_response.location.should include wsfed_settings[:issuer]
+      end
+
+      it 'should redirect to the IdP/FP Issuer URL and maintain [whr] param' do
+        get "auth/wsfed?whr=#{home_realm}"
+
+        last_response.should be_redirect
+        last_response.location.should include wsfed_settings[:issuer]
+        last_response.location.should include "whr=#{ERB::Util::url_encode(home_realm)}"
+      end
+
+    end
+
+  end
+
+end
+
+describe OmniAuth::Strategies::WSFed, :type => :strategy do
+  include OmniAuth::Test::StrategyTestCase
+
+  let(:home_realm_discovery) { "/auth/wsfed/home_realm_discovery" }
+  let(:wsfed_settings) do
+    {
+        issuer:                     "https://c4sc.accesscontrol.windows.net.com/v2/wsfederation",
+        realm:                      "http://c4sc.com/security_realm",
+        reply:                      "http://rp.c4sc.com/auth/wsfed",
+        home_realm_discovery_path:  home_realm_discovery
+    }
+  end
+  let(:strategy) { [OmniAuth::Strategies::WSFed, wsfed_settings] }
+  let(:home_realm) { "http://identity.c4sc.com/trust" }
+
+  context ':home_realm_discovery_path configured' do
+
+    it 'should redirect to the local home realm discovery path without [whr] param'  do
+      get '/auth/wsfed'
+
+      last_response.should be_redirect
+      last_response.location.should == home_realm_discovery
+    end
+
+    it 'should redirect to the IdP/FP Issuer URL and maintain [whr] param' do
+      get "auth/wsfed?whr=#{home_realm}"
+
+      last_response.should be_redirect
+      last_response.location.should include wsfed_settings[:issuer]
+      last_response.location.should include "whr=#{ERB::Util::url_encode(home_realm)}"
+    end
+
+  end
+end
+
+

data/spec/spec_helper.rb

@@ -0,0 +1,12 @@
+require 'omniauth-wsfed'
+require 'rack/test'
+
+RSpec.configure do |config|
+  config.include Rack::Test::Methods
+end
+
+# Loads WSFed WResult XML files located in the spec/support directory...
+def load_support_xml(filename)
+  filename = File.expand_path(File.join('..', 'support', "#{filename.to_s}.xml"), __FILE__)
+  IO.read(filename)
+end

data/spec/support/acs_example.xml

@@ -0,0 +1,68 @@
+<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
+  <t:Lifetime>
+    <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-06-29T21:07:14.766Z</wsu:Created>
+    <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-06-29T21:17:14.766Z</wsu:Expires>
+  </t:Lifetime>
+  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+    <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
+      <Address>http://rp.coding4streetcred.com/sample</Address>
+    </EndpointReference>
+  </wsp:AppliesTo>
+  <t:RequestedSecurityToken>
+    <Assertion ID="_fa0de02b-b5a1-49c5-a8c0-4b391295a789" IssueInstant="2012-06-29T21:07:14.782Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
+      <Issuer>https://c4sc-identity.accesscontrol.windows.net/</Issuer>
+      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:SignedInfo>
+          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
+          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
+          <ds:Reference URI="#_fa0de02b-b5a1-49c5-a8c0-4b391295a789">
+            <ds:Transforms>
+              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
+              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
+            </ds:Transforms>
+            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
+            <ds:DigestValue>bdwpOR25Tiw03Y5gZsz/NDSrN2T1XAEUQl9/B2aDVjs=</ds:DigestValue>
+          </ds:Reference>
+        </ds:SignedInfo>
+        <ds:SignatureValue>O3dJ5YtFIJJHk8SKAqdI2goSJUj7/oZebGwrm5yjVz8WT9TdHfJT2e/rygKLz9MBujZoZ13oGaVq6NVJLvmvR+IrKsUIuUeXwk4X2UexYxJL9VGZD6RnXR+p0Jne+jGUIlVOb2zMr29Ew27wLfnw3za+Zf5ravQZ/bv3LoL/LFIYFb7iR4XlJ5bjlMhO41euUp/6NTntIC90utugpjqcPryxNbIto6nk3w57IrKmw9rFpRJudoXbw7BsA3t69dmzu2MQzjILbFcfmkUgtEXDQyGM/ziXqxNFEGNHkycEsO37NO4/t5Hk1zPufBbbhSm+5K6tVqZ2Nl1e5yNciBwo6g==</ds:SignatureValue>
+        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+          <X509Data>
+            <X509Certificate>MIIDHDCCAgSgAwIBAgIQXMOBsrQ1QJpNmYFiiW5+PjANBgkqhkiG9w0BAQUFADAyMTAwLgYDVQQDEydjNHNjLWlkZW50aXR5LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTIwNjI5MjAzNTA2WhcNMTMwNjMwMDIzNTA2WjAyMTAwLgYDVQQDEydjNHNjLWlkZW50aXR5LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrieSwMYpW73fJtHiBw1yQFWcFZwvDbltFfdb4xzC+MuC8KU/QJzKGBzxixwmvTUKTbH4W4gKNzi7+/gGk9my1UFnDLsnJBooGjx6lCXMU9HoOQA0tXVGkyYeD11Lb2KYWoivvGFI6dun84JY1n1hbAnuyqr+8VUfKpBk3bO6s3xLf2eojAHKhUiw2E+ZBFZWqlTMtSoNupe8I4Zs5Kkp5Xe1hrDjCzHWTHRf880y8f6KOvieQuGO2a2dBSYJVY3IHr1cLlk/o9Dwks4zSjYDABE8NDKer7aq2pnXl0/0XeXeYsDsZFrwfuRtf06pqGgMuqo1aFRiQ2+gm4naZn7D3AgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUIBxPC4SJIAWTt6Q4htDcvHDgatAwDQYJKoZIhvcNAQEFBQADggEBAB2RNPpJMNotdKMKtQkV/tEhttOOq+bXlMa42UQu6r+ikgJ6WcSecBxOs4KHw3lj7wO0l8CIOfvXy5KBePLQsUuk8tWCdKdpa+7uuGntIHdlTAvjlcVhXXAQQvyS+wUbnwj8rCN85e76EWMWCAVXzqwMURt5Rzmb+SdU40hRi+7u+HmZaQW5kDXD3CIm+1eOU7oyWpz6Ltx1DEJ88qt4xB2e6IGQUTdvq2jUnyzC1f9jdtRtZ3LiiVkA29rfRROJQb/PeEinUON0hP7/6VS9LZPL4vB1EIOBNahY1V4/75Hb+NGzb05w71hMUiJK2eu8w1WwqcRqUlu7GI921Od1oFQ=</X509Certificate>
+          </X509Data>
+        </KeyInfo>
+      </ds:Signature>
+      <Subject>
+        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
+      </Subject>
+      <Conditions NotBefore="2012-06-29T21:07:14.766Z" NotOnOrAfter="2012-06-29T21:17:14.766Z">
+        <AudienceRestriction>
+          <Audience>http://rp.coding4streetcred.com/sample</Audience>
+        </AudienceRestriction>
+      </Conditions>
+      <AttributeStatement>
+        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
+          <AttributeValue>kbeckman.c4sc@gmail.com</AttributeValue>
+        </Attribute>
+        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
+          <AttributeValue>kbeckman.c4sc</AttributeValue>
+        </Attribute>
+        <Attribute Name="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider">
+          <AttributeValue>http://identity.c4sc.com/trust/</AttributeValue>
+        </Attribute>
+      </AttributeStatement>
+    </Assertion>
+  </t:RequestedSecurityToken>
+  <t:RequestedAttachedReference>
+    <SecurityTokenReference d3p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:d3p1="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
+      <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_fa0de02b-b5a1-49c5-a8c0-4b391295a789</KeyIdentifier>
+    </SecurityTokenReference>
+  </t:RequestedAttachedReference>
+  <t:RequestedUnattachedReference>
+    <SecurityTokenReference d3p1:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" xmlns:d3p1="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
+      <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_fa0de02b-b5a1-49c5-a8c0-4b391295a789</KeyIdentifier>
+    </SecurityTokenReference>
+  </t:RequestedUnattachedReference>
+  <t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
+  <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
+  <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
+</t:RequestSecurityTokenResponse>

metadata

@@ -0,0 +1,171 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-wsfed
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Keith Beckman
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-09-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+- !ruby/object:Gem::Dependency
+  name: xmlcanonicalizer
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+- !ruby/object:Gem::Dependency
+  name: typhoeus
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.4.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.4.2
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.10.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.10.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.9.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.9.2
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.6.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.6.1
+description: A WS-Federation + WS-Trust strategy for OmniAuth.
+email:
+- kbeckman.c4sc@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- lib/azure_acs/idp_feed.rb
+- lib/omniauth-wsfed.rb
+- lib/omniauth-wsfed/version.rb
+- lib/omniauth/strategies/wsfed.rb
+- lib/omniauth/strategies/wsfed/auth_request.rb
+- lib/omniauth/strategies/wsfed/auth_response.rb
+- lib/omniauth/strategies/wsfed/validation_error.rb
+- lib/omniauth/strategies/wsfed/xml_security.rb
+- omniauth-wsfed.gemspec
+- spec/azure_acs/idp_feed_spec.rb
+- spec/omniauth/strategies/wsfed/auth_request_spec.rb
+- spec/omniauth/strategies/wsfed/auth_response_spec.rb
+- spec/omniauth/strategies/wsfed_spec.rb
+- spec/spec_helper.rb
+- spec/support/acs_example.xml
+homepage: https://github.com/kbeckman/omniauth-wsfed
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: OmniAuth WS-Federation strategy enabling integration with Windows Azure Access
+  Control Service (ACS), Active Directory Federation Services (ADFS) 2.0, custom Identity
+  Providers built with Windows Identity Foundation (WIF) or any other Identity Provider
+  supporting the WS-Federation protocol.
+test_files:
+- spec/azure_acs/idp_feed_spec.rb
+- spec/omniauth/strategies/wsfed/auth_request_spec.rb
+- spec/omniauth/strategies/wsfed/auth_response_spec.rb
+- spec/omniauth/strategies/wsfed_spec.rb
+- spec/spec_helper.rb
+- spec/support/acs_example.xml