ruby-saml-idp 0.2 → 0.2.5
Sign up to get free protection for your applications and to get access to all the features.
- data/README.md +3 -3
- data/lib/ruby-saml-idp.rb +24 -4
- data/lib/saml-idp/controller.rb +5 -3
- data/lib/saml-idp/engine.rb +4 -0
- data/lib/saml-idp/version.rb +1 -1
- data/spec/controller_spec.rb +3 -3
- metadata +4 -3
- data/lib/saml-idp/rails.rb +0 -4
data/README.md
CHANGED
|
@@ -14,7 +14,7 @@ Add this to your Gemfile:
|
|
|
14
14
|
|
|
15
15
|
### Not using rails?
|
|
16
16
|
|
|
17
|
-
Include `SamlIdp::Controller` and see the examples that use rails. It should be straightforward for you. Basically you call `decode_SAMLRequest(params[:SAMLRequest])` and then use the value `saml_acs_url` to determine the source for which you need to authenticate a user. Once a user has successfully authenticated on your system send the Service Provider a SAMLReponse by posting to `saml_acs_url` the parameter `SAMLResponse` with the return value from a call to `
|
|
17
|
+
Include `SamlIdp::Controller` and see the examples that use rails. It should be straightforward for you. Basically you call `decode_SAMLRequest(params[:SAMLRequest])` and then use the value `saml_acs_url` to determine the source for which you need to authenticate a user. Once a user has successfully authenticated on your system send the Service Provider a SAMLReponse by posting to `saml_acs_url` the parameter `SAMLResponse` with the return value from a call to `encode_SAMLResponse(user_email)`
|
|
18
18
|
|
|
19
19
|
### Using rails?
|
|
20
20
|
|
|
@@ -38,7 +38,7 @@ class SamlIdpController < SamlIdp::IdpController
|
|
|
38
38
|
end
|
|
39
39
|
|
|
40
40
|
def idp_make_saml_response(user)
|
|
41
|
-
|
|
41
|
+
encode_SAMLResponse(user.email)
|
|
42
42
|
end
|
|
43
43
|
|
|
44
44
|
private
|
|
@@ -56,7 +56,7 @@ end
|
|
|
56
56
|
Keys and Secrets
|
|
57
57
|
----------------
|
|
58
58
|
|
|
59
|
-
To generate the SAML Response it uses a default X.509 certificate and secret key... which isn't so secret. You can find them in `SamlIdp::Default`. The X.509 certificate is valid until year 2032. Obviously you shouldn't use these if you intend to use this in production environments. In that case, within the controller set the properties `x509_certificate` and `secret_key` using a `prepend_before_filter` callback.
|
|
59
|
+
To generate the SAML Response it uses a default X.509 certificate and secret key... which isn't so secret. You can find them in `SamlIdp::Default`. The X.509 certificate is valid until year 2032. Obviously you shouldn't use these if you intend to use this in production environments. In that case, within the controller set the properties `x509_certificate` and `secret_key` using a `prepend_before_filter` callback within the current request context or set them globally via the `SamlIdp.x509_certificate` and `SamlIdp.secret_key` properties.
|
|
60
60
|
|
|
61
61
|
The fingerprint to use, if you use the default X.509 certificate of this gem, is:
|
|
62
62
|
|
data/lib/ruby-saml-idp.rb
CHANGED
|
@@ -1,4 +1,24 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
1
|
+
module SamlIdp
|
|
2
|
+
autoload :Controller, 'saml-idp/controller'
|
|
3
|
+
autoload :Default, 'saml-idp/default'
|
|
4
|
+
autoload :Engine, 'saml-idp/engine'
|
|
5
|
+
autoload :Version, 'saml-idp/version'
|
|
6
|
+
|
|
7
|
+
def self.x509_certificate
|
|
8
|
+
@@x509_certificate
|
|
9
|
+
end
|
|
10
|
+
def self.x509_certificate=(x509_certificate)
|
|
11
|
+
@@x509_certificate = x509_certificate
|
|
12
|
+
end
|
|
13
|
+
@@x509_certificate = Default::X509_CERTIFICATE
|
|
14
|
+
|
|
15
|
+
def self.secret_key
|
|
16
|
+
@@secret_key
|
|
17
|
+
end
|
|
18
|
+
def self.secret_key=(secret_key)
|
|
19
|
+
@@secret_key = secret_key
|
|
20
|
+
end
|
|
21
|
+
@@secret_key = Default::SECRET_KEY
|
|
22
|
+
|
|
23
|
+
end
|
|
24
|
+
|
data/lib/saml-idp/controller.rb
CHANGED
|
@@ -13,12 +13,12 @@ module SamlIdp
|
|
|
13
13
|
|
|
14
14
|
def x509_certificate
|
|
15
15
|
return @x509_certificate if defined?(@x509_certificate)
|
|
16
|
-
@x509_certificate = SamlIdp
|
|
16
|
+
@x509_certificate = SamlIdp.x509_certificate
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
def secret_key
|
|
20
20
|
return @secret_key if defined?(@secret_key)
|
|
21
|
-
@secret_key = SamlIdp
|
|
21
|
+
@secret_key = SamlIdp.secret_key
|
|
22
22
|
end
|
|
23
23
|
|
|
24
24
|
protected
|
|
@@ -36,9 +36,11 @@ module SamlIdp
|
|
|
36
36
|
@saml_acs_url = text[/AssertionConsumerServiceURL='(.+?)'/, 1]
|
|
37
37
|
end
|
|
38
38
|
|
|
39
|
-
def
|
|
39
|
+
def encode_SAMLResponse(nameID, opts = {})
|
|
40
40
|
now = Time.now.utc
|
|
41
41
|
response_id, reference_id = UUID.generate, UUID.generate
|
|
42
|
+
audience_uri = opts[:audience_uri] || saml_acs_url[/^(.*?\/\/.*?\/)/, 1]
|
|
43
|
+
issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url) || "http://example.com"
|
|
42
44
|
|
|
43
45
|
assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{reference_id}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer>#{issuer_uri}</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>#{nameID}</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{reference_id}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
|
|
44
46
|
|
data/lib/saml-idp/version.rb
CHANGED
data/spec/controller_spec.rb
CHANGED
|
@@ -25,11 +25,11 @@ describe SamlIdp::Controller do
|
|
|
25
25
|
auth_url = auth_request.create(saml_config)
|
|
26
26
|
params[:SAMLRequest] = CGI.unescape(auth_url.split("=").last)
|
|
27
27
|
validate_saml_request
|
|
28
|
-
saml_response =
|
|
28
|
+
saml_response = encode_SAMLResponse("foo@example.com")
|
|
29
29
|
|
|
30
30
|
response = Onelogin::Saml::Response.new(saml_response)
|
|
31
31
|
response.name_id.should == "foo@example.com"
|
|
32
|
-
response.issuer.should == "
|
|
32
|
+
response.issuer.should == "http://example.com"
|
|
33
33
|
response.settings = saml_config
|
|
34
34
|
response.is_valid?.should be_true
|
|
35
35
|
end
|
|
@@ -39,7 +39,7 @@ describe SamlIdp::Controller do
|
|
|
39
39
|
def saml_settings(saml_acs_url)
|
|
40
40
|
settings = Onelogin::Saml::Settings.new
|
|
41
41
|
settings.assertion_consumer_service_url = saml_acs_url
|
|
42
|
-
settings.issuer = "http://example.com"
|
|
42
|
+
settings.issuer = "http://example.com/issuer"
|
|
43
43
|
settings.idp_sso_target_url = "http://idp.com/saml/idp"
|
|
44
44
|
settings.idp_cert_fingerprint = SamlIdp::Default::FINGERPRINT
|
|
45
45
|
settings.name_identifier_format = SamlIdp::Default::NAME_ID_FORMAT
|
metadata
CHANGED
|
@@ -1,12 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml-idp
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
hash:
|
|
4
|
+
hash: 29
|
|
5
5
|
prerelease:
|
|
6
6
|
segments:
|
|
7
7
|
- 0
|
|
8
8
|
- 2
|
|
9
|
-
|
|
9
|
+
- 5
|
|
10
|
+
version: 0.2.5
|
|
10
11
|
platform: ruby
|
|
11
12
|
authors:
|
|
12
13
|
- Lawrence Pit
|
|
@@ -87,7 +88,7 @@ files:
|
|
|
87
88
|
- lib/ruby-saml-idp.rb
|
|
88
89
|
- lib/saml-idp/controller.rb
|
|
89
90
|
- lib/saml-idp/default.rb
|
|
90
|
-
- lib/saml-idp/
|
|
91
|
+
- lib/saml-idp/engine.rb
|
|
91
92
|
- lib/saml-idp/version.rb
|
|
92
93
|
- MIT-LICENSE
|
|
93
94
|
- README.md
|
data/lib/saml-idp/rails.rb
DELETED