rack-saml 0.0.1 → 0.0.2

data/README.md

@@ -1,23 +1,21 @@
 # SAML (Shibboleth SP) middleware for Rack
 
-This project is deeply inspired by rack-shibboleth and ruby-saml. It is recommended to use the defact SAML implementation such as OpenSAML from the security or the functional aspect. However, there are also requirements to use SAML for light weight applications implemented by Ruby. rack-shibboleth may be a candidate to support such kind of objective. However it lacks the configurability to fit OmniAuth and the upgrade path to secure and stable middleware as OpenSAML. So thus I just implemented a prototype to support SAML (Shibboleth SP) for Rack middleware.
+This project is deeply inspired by rack-shibboleth and ruby-saml. It is recommended to use the defact SAML implementation such as OpenSAML from the security or the functional aspect. However, there are also requirements to use SAML for light weight applications implemented by Ruby. rack-shibboleth may be a candidate to support such kind of objective. However it lacks the configurability to fit OmniAuth and OmniAuth Shibboleth Strategy. It also lacks the upgrade path to the secure and the stable SAML implementation like OpenSAML. So thus I just implemented a prototype to support SAML (Shibboleth SP) for Rack middleware.
 
 OmniAuth Shibboleth Strategy
 https://github.com/toyokazu/omniauth-shibboleth
 
-## Limitations
-
-### Signing AuthnRequest
+rack-saml uses external libraries to generate and validate SAML AuthnRequest/Response. It uses Rack functions to implement SAML Transport (HTTP Redirect Binding and HTTP POST Binding).
 
-Current implementation supports only Onelogin SAML assertion handler. It does not support to sign AuthnRequest.
+## Changes
 
-### Encrypted Assertion
+* version 0.0.2: SP session is supported using Rack::Session for Rack applications and ActionDispatch::Session for Rails applications. 
 
-Current implementation does not support assertion encryption. So thus, assertion encription function should be disabled for rack-saml SPs.
+## Limitations
 
-### SP Session
+### AuthnRequest Signing and Response Encryption
 
-Current implementation does not support keeping session at SP side.
+Current implementation supports only Onelogin SAML assertion handler. It does not support to sign AuthnRequest and encrypt Response. So thus, the assertion encription function should be disabled at IdP side for rack-saml SPs.
 
 ## Getting Started
 
@@ -33,15 +31,17 @@ Current implementation does not support keeping session at SP side.
 
 ### Setup Rack::Saml middleware
 
+Rack::Saml uses Rack::Session functions. You have to insert Rack::Session before Rack::Saml middleware. Rack::Session::Cookie is used in the following examples because it is easiest to setup and scale. You can use the other Rack::Session implementation. In a Rails application, it uses ActionDispatch::Session which is compatible with Rack::Session by default. So thus, you do not need to add Rack::Session in the Rails application.
+
 #### For Rack applicaitons
 
 In the following example, config.ru is used to add Rack::Saml middleware into a Rails application.
 
     % vi config.ru
-    use Rack::Saml, {:saml_config => "#{Rails.root}/config/saml.yml",
+    use Rack::Session::Cookie, :secret => 'pass_to_auth_session'
+    use Rack::Saml, {:config => "#{Rails.root}/config/rack-saml.yml",
                      :metadata => "#{Rails.root}/config/metadata.yml",
-                     :attribute_map => "#{Rails.root}/config/attribute-map.yml",
-                     :shib_app_id => "default"}
+                     :attribute_map => "#{Rails.root}/config/attribute-map.yml"}
 
 #### For Ralis applications
 
@@ -50,52 +50,58 @@ In the following example, config/application.rb is used to Rack::Saml middleware
     % vi config/application.rb
     module TestRackSaml
     class Application < Rails::Application
-    config.middleware.use Rack::Saml, {:saml_config => "#{Rails.root}/config/saml.yml",
+      config.middleware.use Rack::Saml, {:config => "#{Rails.root}/config/rack-saml.yml",
                                        :metadata => "#{Rails.root}/config/metadata.yml",
-                                       :attribute_map => "#{Rails.root}/config/attribute-map.yml"
-                                       :shib_app_id => "default"}
+                                       :attribute_map => "#{Rails.root}/config/attribute-map.yml"}
     ...
 
+#### Middleware options
+
+* *:config* path to rack-saml.yml file
+* *:metadata* path to metadata.yml file
+* *:attribute_map* path to attribute-map.yml file
+
 If you just want to test Rack::Saml, you can ommit middleware options in the both example (config.ru or config/application.rb).
 
     use Rack::Saml
 
-However, you can not omit :shib_app_id option if you want to use this middleware with OmniAuth::Shibboleth Strategy.
+It may be useful for a tutorial use. At least, saml_idp or shib_ds in rack-saml.yml and metadata.yml must be configured to fit your environment.
 
 Rack::Saml uses default configurations located in the rack-saml gem path.
 
     $GEM_HOME/rack-saml-x.x.x/config/xxx.yml
 
-#### Middleware options
-
-* *:saml_config* path to saml.yml file
-* *:metadata* path to metadata.yml file
-* *:attribute_map* path to attribute-map.yml file
-* *:shib_app_id* If you want to use the middleware as Shibboleth SP, you should specify an application ID. In the Shibboleth SP default configuration, 'default' is used as the application ID.
-
+Please copy them to an arbitrary directory and edit them if you need. If you want to use your customized configuration file, do not forget to specify the configuration file path by middleware options.
 
 #### Configuration files
 
 You can find default configuration files at
 
-    $GEM_HOME/rack-saml-x.x.x/config/
+    $GEM_HOME/rack-saml-x.x.x/config/xxx.yml
 
-##### saml.yml
+##### rack-saml.yml
 
-Configuration to set SAML parameters.
+Configuration to set SAML parameters. At least, you must configure saml_idp or shib_ds. They depends on your environments.
 
-* *protected_path* string or regular expression of the path name where SAML protects, e.g. /auth/shibboleth/callback or '^\/secure\/[^\s]*'
-* *protected_path_regexp* use regular expression to match protected_path or not e.g. true / false
+* *protected_path* path name where rack-saml protects, e.g. /auth/shibboleth/callback (default path for OmniAuth Shibboleth Strategy)
 * *metadata_path* the path name where SP's metadata is generated
 * *assertion_handler* 'onelogin' / 'opensaml' (not implemented yet)
-* *saml_idp* idp_entity_id
-* *saml_sp* sp_entity_id (self id)
-* *sp_cert* path to the SAML SP's certificate file, e.g. cert.pem (signing AuthnRequest is not supported yet)
-* *sp_key* path to the SAML SP's key file, e.g. key.pem (signing AuthnRequest is not supported yet)
+* *saml_idp* IdP's entity ID which is used to authenticate user. This parameter can be omitted when you use Shibboleth Discovery Service (shib_ds).
+* *saml_sess_timeout* SP session timeout (default: 1800 seconds)
+* *shib_app_id* If you want to use the middleware as Shibboleth SP, you should specify an application ID. In the Shibboleth SP default configuration, 'default' is used as the application ID.
+* *shib_ds* If you want to use the middleware as Shibboleth SP and use discovery service, specify the uri of the Discovery Service.
+* *sp_cert* path to the SAML SP's certificate file, e.g. cert.pem (AuthnRequest Signing and Response Encryption are not supported yet)
+* *sp_key* path to the SAML SP's key file, e.g. key.pem (AuthnRequest Signing and Response Encryption are not supported yet)
+
+SAML SP's entity ID (saml_sp) is automatically generated from request URI and /rack-saml-sp (fixed path name). The Assertion Consumer Service URI is generated from request URI and protected_path.
+
+    saml_sp_prefix = "#{request.scheme}://#{request.host}#{":#{request.port}" if request.port}#{request.script_name}"
+    @config['saml_sp'] = "#{saml_sp_prefix}/rack-saml-sp"
+    @config['assertion_consumer_service_uri'] = "#{saml_sp_prefix}#{@config['protected_path']}"
 
 ##### metadata.yml
 
-To connect to an IdP, you must describe IdP's specification. In rack-saml, it should be written in metadata.yml. metadata.yml file include the following lists.
+To connect to an IdP, you must describe IdP's specification. In rack-saml, it should be written in metadata.yml. metadata.yml file include the following lists. You must generate your own metadata.yml by using conv_metadata.rb.
 
 * *idp_lists* list of IdP metadata
 * *sp_lists* list of SP metadata
@@ -112,7 +118,7 @@ parameters of the sp_lists (currently not used):
 * *certificate* base64 encoded certificate of SP
 * *saml2_http_post* Location attribute of the SP's assertion consumer uri with HTTP POST Binding
 
-These parameters are automatically extracted from SAML metadata. You can use conv_metadata.rb command for extraction.
+These parameters are automatically extracted from SAML metadata (XML). You can use conv_metadata.rb command for extraction.
 
     % $GEM_HOME/rack-saml-x.x.x/bin/conv_metadata.rb metadata.xml > metadata.yml
 
@@ -124,6 +130,8 @@ attribute-map.yml can extract attributes from SAML Response and put attributes o
     "urn:oid:0.9.2342.19200300.100.1.1": "uid"
     ...
 
+You can use default attribute-map.yml file. If you want to add new attributes, please refer the attribute-map.xml file used in Shibboleth SP.
+
 ### Setup IdP to accept rack-saml SP
 
 #### SP Metadata generation
@@ -132,7 +140,7 @@ To connect a new SP to the existing IdP, you need to import SP's metadata into t
 
 #### IdP configuration examples not to encrypt assertion
 
-Current rack-saml implementation does not support assertion encryption because Onelogin::Saml does not support signature and encryption of assertion. So thus, in the followings, we would like to show sample configurations to disable encryption in IdP assertion processing. These are not recommended for sensitive applications.
+Current rack-saml implementation does not support assertion encryption because Onelogin::Saml does not support AuthnRequest signing and Response encryption. So thus, in the followings, we would like to show sample configurations to disable encryption in IdP assertion processing. These are not recommended for sensitive applications.
 
 ##### Shibboleth IdP example
 
@@ -140,12 +148,13 @@ Add the following configuration after <rp:DefaultRelyingParty> in relying-party.
 
     % vi $IDP_HOME/conf/relying-party.xml
     ...
-    <rp:RelyingParty id="http://example.com:3000/auth/shibboleth/callback" provider="http://example.com:3000/auth/shibboleth/callback" defaultSigningCredentialRef="IdPCredential">
+    <rp:RelyingParty id="http://example.com:3000/rack-saml-sp" provider="http://idp.example.com/idp/shibboleth" defaultSigningCredentialRef="IdPCredential">
       <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true" assertionLifetime="PT5M" assertionProxyCount="0" signResponses="never" signAssertions="always" encryptAssertions="never" encryptNameIds="never"/>
     </rp:RelyingParty>
 
 ## TODO
 
+* write spec files
 * ruby-opensaml (I hope someone implement it :)
 
 ## License

data/config/{saml.yml → rack-saml.yml}

@@ -1,6 +1,7 @@
 protected_path: /auth/shibboleth/callback
-# protected_path_regexp: true
 metadata_path: /Shibboleth.sso/Metadata
 assertion_handler: onelogin
 saml_idp: https://localhost/idp/shibboleth
-saml_sp: http://localhost:3000/auth/shibboleth/callback
+saml_sess_timeout: 1800
+shib_app_id: default
+shibb_ds: https://localhost/discovery/WAYF

data/lib/rack/saml/metadata/abstract_metadata.rb

@@ -1,11 +1,11 @@
 module Rack
   class Saml
     class AbstractMetadata
-      attr_reader :request, :saml_config, :metadata
+      attr_reader :request, :config, :metadata
 
-      def initialize(request, saml_config, metadata)
+      def initialize(request, config, metadata)
         @request = request
-        @saml_config = saml_config
+        @config = config
         @metadata = metadata
       end
 

data/lib/rack/saml/metadata/onelogin_metadata.rb

@@ -5,8 +5,8 @@ module Rack
     class OneloginMetadata < AbstractMetadata
       include OneloginSetting
 
-      def initialize(request, saml_config, metadata)
-        super(request, saml_config, metadata)
+      def initialize(request, config, metadata)
+        super(request, config, metadata)
         @sp_metadata = Onelogin::Saml::Metadata.new
       end
 

data/lib/rack/saml/metadata/opensaml_metadata.rb

@@ -2,7 +2,7 @@ module Rack
   class Saml
     class OpensamlMetadata < AbstractMetadata
       # to be implemented
-      def initialize(request, saml_config, metadata)
+      def initialize(request, config, metadata)
       end
 
       def generate

data/lib/rack/saml/metadata_handler.rb

@@ -9,10 +9,10 @@ module Rack
 
       # Rack::Saml::MetadataHandler
       # request: Rack current request instance
-      # saml_config: config/saml.yml 
+      # config: config/rack-saml.yml 
       # metadata: specified idp entity in the config/metadata.yml
-      def initialize(request, saml_config, metadata)
-        @sp_metadata = (eval "Rack::Saml::#{saml_config['assertion_handler'].to_s.capitalize}Metadata").new(request, saml_config, metadata)
+      def initialize(request, config, metadata)
+        @sp_metadata = (eval "Rack::Saml::#{config['assertion_handler'].to_s.capitalize}Metadata").new(request, config, metadata)
       end
     end
   end

data/lib/rack/saml/misc/onelogin_setting.rb

@@ -5,8 +5,8 @@ module Rack
 
       def saml_settings
         settings = Onelogin::Saml::Settings.new
-        settings.assertion_consumer_service_url = "#{@request.scheme}://#{@request.host}#{":#{@request.port}" if @request.port}#{request.script_name}#{@saml_config['protected_path']}"
-        settings.issuer = @saml_config['saml_sp']
+        settings.assertion_consumer_service_url = @config['assertion_consumer_service_uri']
+        settings.issuer = @config['saml_sp']
         settings.idp_sso_target_url = @metadata['saml2_http_redirect']
         settings.idp_cert = @metadata['certificate']
         settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

data/lib/rack/saml/request/abstract_request.rb

@@ -1,11 +1,11 @@
 module Rack
   class Saml
     class AbstractRequest
-      attr_reader :request, :saml_config, :metadata
+      attr_reader :request, :config, :metadata
 
-      def initialize(request, saml_config, metadata)
+      def initialize(request, config, metadata)
         @request = request
-        @saml_config = saml_config
+        @config = config
         @metadata = metadata
       end
 

data/lib/rack/saml/request/onelogin_request.rb

@@ -5,8 +5,8 @@ module Rack
     class OneloginRequest < AbstractRequest
       include OneloginSetting
 
-      def initialize(request, saml_config, metadata)
-        super(request, saml_config, metadata)
+      def initialize(request, config, metadata)
+        super(request, config, metadata)
         @authrequest = Onelogin::Saml::Authrequest.new
       end
 

data/lib/rack/saml/request/opensaml_request.rb

@@ -2,7 +2,7 @@ module Rack
   class Saml
     class OpensamlRequest < AbstractRequest
       # To be implemented
-      def initialize(request, saml_config, metadata)
+      def initialize(request, config, metadata)
       end
 
       def redirect_uri

data/lib/rack/saml/request_handler.rb

@@ -9,10 +9,10 @@ module Rack
 
       # Rack::Saml::RequestHandler
       # request: Rack current request instance
-      # saml_config: config/saml.yml 
+      # config: config/saml.yml 
       # metadata: specified idp entity in the config/metadata.yml
-      def initialize(request, saml_config, metadata)
-        @authn_request = (eval "Rack::Saml::#{saml_config['assertion_handler'].to_s.capitalize}Request").new(request, saml_config, metadata)
+      def initialize(request, config, metadata)
+        @authn_request = (eval "Rack::Saml::#{config['assertion_handler'].to_s.capitalize}Request").new(request, config, metadata)
       end
     end
   end

data/lib/rack/saml/response/abstract_response.rb

@@ -1,11 +1,11 @@
 module Rack
   class Saml
     class AbstractResponse
-      attr_reader :request, :saml_config, :metadata
+      attr_reader :request, :config, :metadata
 
-      def initialize(request, saml_config, metadata)
+      def initialize(request, config, metadata)
         @request = request
-        @saml_config = saml_config
+        @config = config
         @metadata = metadata
       end
 

data/lib/rack/saml/response/onelogin_response.rb

@@ -6,8 +6,8 @@ module Rack
       include OneloginSetting
       #extend Forwardable
 
-      def initialize(request, saml_config, metadata)
-        super(request, saml_config, metadata)
+      def initialize(request, config, metadata)
+        super(request, config, metadata)
         @response = Onelogin::Saml::Response.new(@request.params['SAMLResponse'])
         @response.settings = saml_settings
       end

data/lib/rack/saml/response/opensaml_response.rb

@@ -2,7 +2,7 @@ module Rack
   class Saml
     class OpensamlResponse < AbstractResponse
       # To be implemented
-      def initialize(request, saml_config, metadata)
+      def initialize(request, config, metadata)
       end
 
       def redirect_uri

data/lib/rack/saml/response_handler.rb

@@ -9,19 +9,33 @@ module Rack
 
       # Rack::Saml::ResponseHandler
       # request: Rack current request instance
-      # saml_config: config/saml.yml 
+      # config: config/saml.yml 
       # metadata: specified idp entity in the config/metadata.yml
-      def initialize(request, saml_config, metadata)
-        @response = (eval "Rack::Saml::#{saml_config['assertion_handler'].to_s.capitalize}Response").new(request, saml_config, metadata)
+      def initialize(request, config, metadata)
+        @response = (eval "Rack::Saml::#{config['assertion_handler'].to_s.capitalize}Response").new(request, config, metadata)
       end
 
-      def extract_attrs(env, attribute_map, opts = {})
-        attribute_map.each do |attr_name, env_name|
-          attribute = @response.attributes[attr_name]
-          env[env_name] = attribute if !attribute.nil?
+      def extract_attrs(env, session, attribute_map)
+        if session.env.empty?
+          attribute_map.each do |attr_name, env_name|
+            attribute = @response.attributes[attr_name]
+            if !attribute.nil?
+              session.env[env_name] = attribute
+            end
+          end
+          if !@response.config['shib_app_id'].nil?
+            session.env['Shib-Application-ID'] = @response.config['shib_app_id']
+            session.env['Shib-Session-ID'] = session.get_sid('saml_res')
+          end
         end
-        if !opts[:shib_app_id].nil?
-          env['Shib-Application-ID'] = opts[:shib_app_id]
+        session.env.each do |k, v|
+          env[k] = v
+        end
+      end
+
+      def self.extract_attrs(env, session)
+        session.env.each do |k, v|
+          env[k] = v
         end
       end
     end

data/lib/rack/saml.rb

@@ -1,5 +1,6 @@
 require 'rack'
 require 'yaml'
+require 'securerandom'
 
 module Rack
   # Rack::Saml
@@ -10,20 +11,37 @@ module Rack
   # To establish single path behavior, it currently supports only
   # HTTP Redirect Binding from SP to Idp
   # HTTP POST Binding from IdP to SP
+  #
+  # rack-saml uses rack.session to store SAML and Discovery Service
+  # status.
+  # env['rack.session'] = {
+  #   'rack_saml' => {
+  #     'ds.session' => {
+  #       'sid' => temporally_generated_hash,
+  #       'expire_at' => xxxxx # timestamp
+  #     }
+  #     'saml_authreq.session' => {
+  #       'sid' => temporally_generated_hash,
+  #       'expire_at' => xxxxx # timestamp
+  #     }
+  #     'saml_res.session' => {
+  #       'sid' => temporally_generated_hash,
+  #       'expire_at' => xxxxx # timestamp,
+  #       'env' => {}
+  #     }
+  #   }
+  # }
   class Saml
     autoload "RequestHandler", 'rack/saml/request_handler'
     autoload "MetadataHandler", 'rack/saml/metadata_handler'
     autoload "ResponseHandler", 'rack/saml/response_handler'
 
-    class SamlAssertionError < StandardError
-    end
-
     def default_config_path(config_file)
       ::File.expand_path("../../../config/#{config_file}", __FILE__)
     end
 
-    def default_saml_config
-      default_config_path('saml.yml')
+    def default_config
+      default_config_path('rack-saml.yml')
     end
 
     def default_metadata
@@ -38,12 +56,12 @@ module Rack
       @app = app
       @opts = opts
 
-      if @opts[:saml_config].nil? || !::File.exists?(@opts[:saml_config])
-        @opts[:saml_config] = default_saml_config
+      if @opts[:config].nil? || !::File.exists?(@opts[:config])
+        @opts[:config] = default_config
       end
-      @saml_config = YAML.load_file(@opts[:saml_config])
-      if @saml_config['assertion_handler'].nil?
-        raise ArgumentError, "'assertion_handler' parameter should be specified in the :saml_config file"
+      @config = YAML.load_file(@opts[:config])
+      if @config['assertion_handler'].nil?
+        raise ArgumentError, "'assertion_handler' parameter should be specified in the :config file"
       end
       if @opts[:metadata].nil? || !::File.exists?(@opts[:metadata])
         @opts[:metadata] = default_metadata
@@ -55,8 +73,82 @@ module Rack
       @attribute_map = YAML.load_file(@opts[:attribute_map])
     end
 
+    class Session
+      RACK_SAML_COOKIE = '_rack_saml'
+      def initialize(env)
+        @rack_session = env['rack.session']
+        if @rack_session[RACK_SAML_COOKIE].nil?
+          @session = @rack_session[RACK_SAML_COOKIE] = {
+            'ds.session' => {},
+            'saml_authreq.session' => {},
+            'saml_res.session' => {'env' => {}}
+          }
+        else
+          @session = @rack_session[RACK_SAML_COOKIE]
+        end
+      end
+
+      def generate_sid(length = 32)
+        SecureRandom.hex(length)
+      end
+
+      def get_sid(type)
+        @session["#{type}.session"]['sid']
+      end
+
+      def start(type, timeout = 300)
+        sid = nil
+        if timeout.nil?
+          period = nil
+        else
+          period = Time.now + timeout
+        end
+        case type
+        when 'ds'
+          sid = generate_sid(4)
+        when 'saml_authreq' 
+          sid = generate_sid
+        when 'saml_res'
+          sid = generate_sid
+        end
+        @session["#{type}.session"]['sid'] = sid
+        @session["#{type}.session"]['expired_at'] = period
+        @session["#{type}.session"]
+      end
+
+      def finish(type)
+        @session["#{type}.session"] = {}
+      end
+
+      def env
+        @session['saml_res.session']['env']
+      end
+
+      def is_valid?(type, sid = nil)
+        session = @session["#{type}.session"]
+        return false if session['sid'].nil? # no valid session
+        if session['expired_at'].nil? # no expiration
+          return true if sid.nil? # no sid check
+          return true if session['sid'] == sid # sid check
+        else
+          if Time.now < Time.at(session['expired_at']) # before expiration
+            return true if sid.nil? # no sid check
+            return true if session['sid'] == sid # sid check
+          end
+        end
+        false
+      end
+    end
+
     def call env
+      session = Session.new(env)
       request = Rack::Request.new env
+      # saml_sp: SAML SP's entity_id
+      # generate saml_sp from request uri and default path (rack-saml-sp)
+      saml_sp_prefix = "#{request.scheme}://#{request.host}#{":#{request.port}" if request.port}#{request.script_name}"
+      @config['saml_sp'] = "#{saml_sp_prefix}/rack-saml-sp"
+      @config['assertion_consumer_service_uri'] = "#{saml_sp_prefix}#{@config['protected_path']}"
+      # for debug
       #return [
       #  403,
       #  {
@@ -67,26 +159,46 @@ module Rack
       #]
       if request.request_method == 'GET'
         if match_protected_path?(request) # generate AuthnRequest
-          handler = RequestHandler.new(request, @saml_config, @metadata['idp_lists'][@saml_config['saml_idp']])
-          return Rack::Response.new.tap { |r|
-            r.redirect handler.authn_request.redirect_uri
-          }.finish
+          if session.is_valid?('saml_res') # the client already has a valid session
+            ResponseHandler.extract_attrs(request, session)
+          else
+            if !@config['shib_ds'].nil? # use discovery service (ds)
+              if request.params['entityID'].nil? # start ds session
+                session.start('ds')
+                return Rack::Response.new.tap { |r|
+                  r.redirect "#{@config['shib_ds']}?entityID=#{URI.encode(@config['saml_sp'], /[^\w]/)}&return=#{URI.encode("#{@config['assertion_consumer_service_uri']}?target=#{session.get_sid('ds')}", /[^\w]/)}"
+                }.finish
+              end
+              if !session.is_valid?('ds', request.params['target']) # confirm ds session
+                current_sid = session.get_sid('ds')
+                session.finish('ds')
+                return create_response(500, 'text/html', "Internal Server Error: Invalid discovery service session current sid=#{current_sid}, request sid=#{request.params['target']}")
+              end
+              session.finish('ds')
+              @config['saml_idp'] = request.params['entityID']
+            end
+            session.start('saml_authreq')
+            handler = RequestHandler.new(request, @config, @metadata['idp_lists'][@config['saml_idp']])
+            return Rack::Response.new.tap { |r|
+              r.redirect handler.authn_request.redirect_uri
+            }.finish
+          end
         elsif match_metadata_path?(request) # generate Metadata
-          handler = MetadataHandler.new(request, @saml_config, @metadata['idp_lists'][@saml_config['saml_idp']])
-          return [
-            200,
-            {
-              'Content-Type' => 'application/samlmetadata+xml'
-            },
-            [handler.sp_metadata.generate]
-          ]
+          handler = MetadataHandler.new(request, @config, @metadata['idp_lists'][@config['saml_idp']])
+          return create_response(200, 'application/samlmetadata+xml', handler.sp_metadata.generate)
         end
       elsif request.request_method == 'POST' && match_protected_path?(request) # process Response
-        handler = ResponseHandler.new(request, @saml_config, @metadata['idp_lists'][@saml_config['saml_idp']])
-        if handler.response.is_valid?
-          handler.extract_attrs(env, @attribute_map, @opts)
+        if session.is_valid?('saml_authreq')
+          handler = ResponseHandler.new(request, @config, @metadata['idp_lists'][@config['saml_idp']])
+          if handler.response.is_valid?
+            session.finish('saml_authreq')
+            session.start('saml_res', @config['saml_sess_timeout'] || 1800)
+            handler.extract_attrs(env, session, @attribute_map)
+          else
+            return create_response(403, 'text/html', 'SAML Error: Invalid SAML response.')
+          end
         else
-          raise SamlAssertionError, "Invalid SAML response."
+          return create_response(500, 'text/html', 'No valid AuthnRequest session.')
         end
       end
 
@@ -94,15 +206,21 @@ module Rack
     end
 
     def match_protected_path?(request)
-      if @saml_config['protected_path_regexp']
-        # to be fixed (Regexp)
-        return (request.path_info =~ Regexp.new(@saml_config['protected_path']))
-      end
-      request.path_info == @saml_config['protected_path']
+      request.path_info == @config['protected_path']
     end
 
     def match_metadata_path?(request)
-      request.path_info == @saml_config['metadata_path']
+      request.path_info == @config['metadata_path']
+    end
+
+    def create_response(code, content_type, message)
+      return [
+        code,
+        {
+          'Content-Type' => content_type
+        },
+        [message]
+      ]
     end
   end
 end

data/lib/rack-saml/version.rb

@@ -1,6 +1,6 @@
 require 'rack'
 module Rack
   module Saml
-    VERSION = "0.0.1"
+    VERSION = "0.0.2"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-saml
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-12-29 00:00:00.000000000Z
+date: 2012-01-06 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby-saml
-  requirement: &2153190660 !ruby/object:Gem::Requirement
+  requirement: &2154954560 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,7 +21,7 @@ dependencies:
         version: 0.4.7
   type: :runtime
   prerelease: false
-  version_requirements: *2153190660
+  version_requirements: *2154954560
 description: SAML middleware for Rack (using ruby-saml)
 email:
 - toyokazu@gmail.com
@@ -29,11 +29,12 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- .README.md.swp
 - bin/conv_metadata.rb
 - config/attribute-map.yml
 - config/attribute-map.yml.sample
 - config/metadata.yml
-- config/saml.yml
+- config/rack-saml.yml
 - Gemfile
 - lib/rack/saml/metadata/abstract_metadata.rb
 - lib/rack/saml/metadata/onelogin_metadata.rb