ruby-saml 0.8.18 → 0.9
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of ruby-saml might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/.travis.yml +1 -6
- data/Gemfile +2 -12
- data/README.md +363 -35
- data/Rakefile +14 -0
- data/changelog.md +22 -9
- data/lib/onelogin/ruby-saml/attribute_service.rb +34 -0
- data/lib/onelogin/ruby-saml/attributes.rb +26 -64
- data/lib/onelogin/ruby-saml/authrequest.rb +47 -93
- data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +87 -0
- data/lib/onelogin/ruby-saml/logoutrequest.rb +36 -100
- data/lib/onelogin/ruby-saml/logoutresponse.rb +25 -35
- data/lib/onelogin/ruby-saml/metadata.rb +46 -16
- data/lib/onelogin/ruby-saml/response.rb +63 -373
- data/lib/onelogin/ruby-saml/saml_message.rb +78 -0
- data/lib/onelogin/ruby-saml/settings.rb +54 -122
- data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +25 -71
- data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +37 -102
- data/lib/onelogin/ruby-saml/utils.rb +32 -199
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/lib/ruby-saml.rb +5 -2
- data/lib/schemas/{saml20assertion_schema.xsd → saml-schema-assertion-2.0.xsd} +283 -283
- data/lib/schemas/saml-schema-authn-context-2.0.xsd +23 -0
- data/lib/schemas/saml-schema-authn-context-types-2.0.xsd +821 -0
- data/lib/schemas/saml-schema-metadata-2.0.xsd +339 -0
- data/lib/schemas/{saml20protocol_schema.xsd → saml-schema-protocol-2.0.xsd} +302 -302
- data/lib/schemas/sstc-metadata-attr.xsd +35 -0
- data/lib/schemas/sstc-saml-attribute-ext.xsd +25 -0
- data/lib/schemas/sstc-saml-metadata-algsupport-v1.0.xsd +41 -0
- data/lib/schemas/sstc-saml-metadata-ui-v1.0.xsd +89 -0
- data/lib/schemas/{xenc_schema.xsd → xenc-schema.xsd} +1 -11
- data/lib/schemas/xml.xsd +287 -0
- data/lib/schemas/{xmldsig_schema.xsd → xmldsig-core-schema.xsd} +0 -9
- data/lib/xml_security.rb +83 -235
- data/ruby-saml.gemspec +1 -0
- data/test/idp_metadata_parser_test.rb +54 -0
- data/test/logoutrequest_test.rb +68 -155
- data/test/logoutresponse_test.rb +43 -32
- data/test/metadata_test.rb +87 -0
- data/test/request_test.rb +102 -99
- data/test/response_test.rb +181 -495
- data/test/responses/idp_descriptor.xml +3 -0
- data/test/responses/logoutresponse_fixtures.rb +7 -8
- data/test/responses/response_no_cert_and_encrypted_attrs.xml +29 -0
- data/test/responses/response_with_multiple_attribute_values.xml +1 -1
- data/test/responses/slo_request.xml +4 -0
- data/test/settings_test.rb +25 -112
- data/test/slo_logoutrequest_test.rb +40 -50
- data/test/slo_logoutresponse_test.rb +86 -185
- data/test/test_helper.rb +27 -102
- data/test/xml_security_test.rb +114 -337
- metadata +30 -81
- data/lib/onelogin/ruby-saml/setting_error.rb +0 -6
- data/test/certificates/certificate.der +0 -0
- data/test/certificates/formatted_certificate +0 -14
- data/test/certificates/formatted_chained_certificate +0 -42
- data/test/certificates/formatted_private_key +0 -12
- data/test/certificates/formatted_rsa_private_key +0 -12
- data/test/certificates/invalid_certificate1 +0 -1
- data/test/certificates/invalid_certificate2 +0 -1
- data/test/certificates/invalid_certificate3 +0 -12
- data/test/certificates/invalid_chained_certificate1 +0 -1
- data/test/certificates/invalid_private_key1 +0 -1
- data/test/certificates/invalid_private_key2 +0 -1
- data/test/certificates/invalid_private_key3 +0 -10
- data/test/certificates/invalid_rsa_private_key1 +0 -1
- data/test/certificates/invalid_rsa_private_key2 +0 -1
- data/test/certificates/invalid_rsa_private_key3 +0 -10
- data/test/certificates/ruby-saml-2.crt +0 -15
- data/test/requests/logoutrequest_fixtures.rb +0 -47
- data/test/responses/encrypted_new_attack.xml.base64 +0 -1
- data/test/responses/invalids/invalid_issuer_assertion.xml.base64 +0 -1
- data/test/responses/invalids/invalid_issuer_message.xml.base64 +0 -1
- data/test/responses/invalids/multiple_signed.xml.base64 +0 -1
- data/test/responses/invalids/no_signature.xml.base64 +0 -1
- data/test/responses/invalids/response_with_concealed_signed_assertion.xml +0 -51
- data/test/responses/invalids/response_with_doubled_signed_assertion.xml +0 -49
- data/test/responses/invalids/signature_wrapping_attack.xml.base64 +0 -1
- data/test/responses/response_node_text_attack.xml.base64 +0 -1
- data/test/responses/response_with_concealed_signed_assertion.xml +0 -51
- data/test/responses/response_with_doubled_signed_assertion.xml +0 -49
- data/test/responses/response_with_multiple_attribute_statements.xml +0 -72
- data/test/responses/response_with_signed_assertion_3.xml +0 -30
- data/test/responses/response_with_signed_message_and_assertion.xml +0 -34
- data/test/responses/response_with_undefined_recipient.xml.base64 +0 -1
- data/test/responses/response_wrapped.xml.base64 +0 -150
- data/test/responses/valid_response.xml.base64 +0 -1
- data/test/responses/valid_response_without_x509certificate.xml.base64 +0 -1
- data/test/utils_test.rb +0 -231
data/test/request_test.rb
CHANGED
|
@@ -1,15 +1,11 @@
|
|
|
1
1
|
require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
|
|
2
2
|
|
|
3
|
-
class RequestTest <
|
|
3
|
+
class RequestTest < Test::Unit::TestCase
|
|
4
4
|
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
before do
|
|
5
|
+
context "Authrequest" do
|
|
6
|
+
should "create the deflated SAMLRequest URL parameter" do
|
|
7
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
9
8
|
settings.idp_sso_target_url = "http://example.com"
|
|
10
|
-
end
|
|
11
|
-
|
|
12
|
-
it "create the deflated SAMLRequest URL parameter" do
|
|
13
9
|
auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
|
|
14
10
|
assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
|
|
15
11
|
payload = CGI.unescape(auth_url.split("=").last)
|
|
@@ -23,7 +19,9 @@ class RequestTest < Minitest::Test
|
|
|
23
19
|
assert_match /^<samlp:AuthnRequest/, inflated
|
|
24
20
|
end
|
|
25
21
|
|
|
26
|
-
|
|
22
|
+
should "create the deflated SAMLRequest URL parameter including the Destination" do
|
|
23
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
24
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
27
25
|
auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
|
|
28
26
|
payload = CGI.unescape(auth_url.split("=").last)
|
|
29
27
|
decoded = Base64.decode64(payload)
|
|
@@ -36,8 +34,10 @@ class RequestTest < Minitest::Test
|
|
|
36
34
|
assert_match /<samlp:AuthnRequest[^<]* Destination='http:\/\/example.com'/, inflated
|
|
37
35
|
end
|
|
38
36
|
|
|
39
|
-
|
|
37
|
+
should "create the SAMLRequest URL parameter without deflating" do
|
|
38
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
40
39
|
settings.compress_request = false
|
|
40
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
41
41
|
auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
|
|
42
42
|
assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
|
|
43
43
|
payload = CGI.unescape(auth_url.split("=").last)
|
|
@@ -46,7 +46,9 @@ class RequestTest < Minitest::Test
|
|
|
46
46
|
assert_match /^<samlp:AuthnRequest/, decoded
|
|
47
47
|
end
|
|
48
48
|
|
|
49
|
-
|
|
49
|
+
should "create the SAMLRequest URL parameter with IsPassive" do
|
|
50
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
51
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
50
52
|
settings.passive = true
|
|
51
53
|
auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
|
|
52
54
|
assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
|
|
@@ -61,8 +63,10 @@ class RequestTest < Minitest::Test
|
|
|
61
63
|
assert_match /<samlp:AuthnRequest[^<]* IsPassive='true'/, inflated
|
|
62
64
|
end
|
|
63
65
|
|
|
64
|
-
|
|
65
|
-
settings
|
|
66
|
+
should "create the SAMLRequest URL parameter with ProtocolBinding" do
|
|
67
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
68
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
69
|
+
settings.protocol_binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
|
|
66
70
|
auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
|
|
67
71
|
assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
|
|
68
72
|
payload = CGI.unescape(auth_url.split("=").last)
|
|
@@ -76,8 +80,10 @@ class RequestTest < Minitest::Test
|
|
|
76
80
|
assert_match /<samlp:AuthnRequest[^<]* ProtocolBinding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'/, inflated
|
|
77
81
|
end
|
|
78
82
|
|
|
79
|
-
|
|
80
|
-
settings
|
|
83
|
+
should "create the SAMLRequest URL parameter with AttributeConsumingServiceIndex" do
|
|
84
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
85
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
86
|
+
settings.attributes_index = 30
|
|
81
87
|
auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
|
|
82
88
|
assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
|
|
83
89
|
payload = CGI.unescape(auth_url.split("=").last)
|
|
@@ -87,42 +93,29 @@ class RequestTest < Minitest::Test
|
|
|
87
93
|
inflated = zstream.inflate(decoded)
|
|
88
94
|
zstream.finish
|
|
89
95
|
zstream.close
|
|
90
|
-
assert_match /<samlp:AuthnRequest[^<]*
|
|
96
|
+
assert_match /<samlp:AuthnRequest[^<]* AttributeConsumingServiceIndex='30'/, inflated
|
|
91
97
|
end
|
|
92
98
|
|
|
93
|
-
|
|
94
|
-
settings
|
|
99
|
+
should "create the SAMLRequest URL parameter with ForceAuthn" do
|
|
100
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
101
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
102
|
+
settings.force_authn = true
|
|
95
103
|
auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
|
|
96
104
|
assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
|
|
97
|
-
payload
|
|
98
|
-
decoded
|
|
99
|
-
zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
|
|
100
|
-
inflated = zstream.inflate(decoded)
|
|
101
|
-
zstream.finish
|
|
102
|
-
zstream.close
|
|
103
|
-
|
|
104
|
-
assert_match /<samlp:NameIDPolicy[^<]* AllowCreate='true'/, inflated
|
|
105
|
-
assert_match /<samlp:NameIDPolicy[^<]* Format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'/, inflated
|
|
106
|
-
end
|
|
105
|
+
payload = CGI.unescape(auth_url.split("=").last)
|
|
106
|
+
decoded = Base64.decode64(payload)
|
|
107
107
|
|
|
108
|
-
|
|
109
|
-
settings.name_identifier_value_requested = "testuser@example.com"
|
|
110
|
-
settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
111
|
-
auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
|
|
112
|
-
assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
|
|
113
|
-
payload = CGI.unescape(auth_url.split("=").last)
|
|
114
|
-
decoded = Base64.decode64(payload)
|
|
115
|
-
zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
|
|
108
|
+
zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
|
|
116
109
|
inflated = zstream.inflate(decoded)
|
|
117
110
|
zstream.finish
|
|
118
111
|
zstream.close
|
|
119
|
-
|
|
120
|
-
assert inflated.include?('<saml:Subject>')
|
|
121
|
-
assert inflated.include?("<saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>testuser@example.com</saml:NameID>")
|
|
122
|
-
assert inflated.include?("<saml:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'/>")
|
|
112
|
+
assert_match /<samlp:AuthnRequest[^<]* ForceAuthn='true'/, inflated
|
|
123
113
|
end
|
|
124
114
|
|
|
125
|
-
|
|
115
|
+
should "accept extra parameters" do
|
|
116
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
117
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
118
|
+
|
|
126
119
|
auth_url = OneLogin::RubySaml::Authrequest.new.create(settings, { :hello => "there" })
|
|
127
120
|
assert auth_url =~ /&hello=there$/
|
|
128
121
|
|
|
@@ -130,15 +123,19 @@ class RequestTest < Minitest::Test
|
|
|
130
123
|
assert auth_url =~ /&hello=$/
|
|
131
124
|
end
|
|
132
125
|
|
|
133
|
-
|
|
134
|
-
|
|
126
|
+
context "when the target url doesn't contain a query string" do
|
|
127
|
+
should "create the SAMLRequest parameter correctly" do
|
|
128
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
129
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
130
|
+
|
|
135
131
|
auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
|
|
136
132
|
assert auth_url =~ /^http:\/\/example.com\?SAMLRequest/
|
|
137
133
|
end
|
|
138
134
|
end
|
|
139
135
|
|
|
140
|
-
|
|
141
|
-
|
|
136
|
+
context "when the target url contains a query string" do
|
|
137
|
+
should "create the SAMLRequest parameter correctly" do
|
|
138
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
142
139
|
settings.idp_sso_target_url = "http://example.com?field=value"
|
|
143
140
|
|
|
144
141
|
auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
|
|
@@ -146,94 +143,100 @@ class RequestTest < Minitest::Test
|
|
|
146
143
|
end
|
|
147
144
|
end
|
|
148
145
|
|
|
149
|
-
|
|
150
|
-
|
|
146
|
+
context "when the settings indicate to sign (embebed) the request" do
|
|
147
|
+
should "create a signed request" do
|
|
148
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
151
149
|
settings.compress_request = false
|
|
152
150
|
settings.idp_sso_target_url = "http://example.com?field=value"
|
|
153
151
|
settings.security[:authn_requests_signed] = true
|
|
154
152
|
settings.security[:embed_sign] = true
|
|
155
|
-
settings.certificate
|
|
153
|
+
settings.certificate = ruby_saml_cert_text
|
|
156
154
|
settings.private_key = ruby_saml_key_text
|
|
157
|
-
end
|
|
158
155
|
|
|
159
|
-
it "create a signed request" do
|
|
160
156
|
params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
|
|
161
157
|
request_xml = Base64.decode64(params["SAMLRequest"])
|
|
162
158
|
assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
|
|
163
|
-
|
|
159
|
+
request_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/
|
|
160
|
+
request_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/
|
|
164
161
|
end
|
|
165
162
|
|
|
166
|
-
|
|
167
|
-
settings
|
|
163
|
+
should "create a signed request with 256 digest and signature methods" do
|
|
164
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
165
|
+
settings.compress_request = false
|
|
166
|
+
settings.idp_sso_target_url = "http://example.com?field=value"
|
|
167
|
+
settings.security[:authn_requests_signed] = true
|
|
168
|
+
settings.security[:embed_sign] = true
|
|
169
|
+
settings.security[:signature_method] = XMLSecurity::Document::SHA256
|
|
168
170
|
settings.security[:digest_method] = XMLSecurity::Document::SHA512
|
|
171
|
+
settings.certificate = ruby_saml_cert_text
|
|
172
|
+
settings.private_key = ruby_saml_key_text
|
|
169
173
|
|
|
170
174
|
params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
|
|
171
|
-
|
|
172
175
|
request_xml = Base64.decode64(params["SAMLRequest"])
|
|
173
176
|
assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
|
|
174
|
-
|
|
175
|
-
|
|
177
|
+
request_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/
|
|
178
|
+
request_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha512'\/>/
|
|
176
179
|
end
|
|
177
180
|
end
|
|
178
181
|
|
|
179
|
-
describe "#create_params when the settings indicate to sign the request" do
|
|
180
|
-
let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
|
|
181
182
|
|
|
182
|
-
|
|
183
|
+
context "when the settings indicate to sign the request" do
|
|
184
|
+
should "create a signature parameter" do
|
|
185
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
183
186
|
settings.compress_request = false
|
|
184
187
|
settings.idp_sso_target_url = "http://example.com?field=value"
|
|
188
|
+
settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
|
|
185
189
|
settings.security[:authn_requests_signed] = true
|
|
186
190
|
settings.security[:embed_sign] = false
|
|
187
|
-
settings.
|
|
191
|
+
settings.security[:signature_method] = XMLSecurity::Document::SHA1
|
|
192
|
+
settings.certificate = ruby_saml_cert_text
|
|
188
193
|
settings.private_key = ruby_saml_key_text
|
|
189
|
-
end
|
|
190
|
-
|
|
191
|
-
it "create a signature parameter with RSA_SHA1 and validate it" do
|
|
192
|
-
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
|
|
193
194
|
|
|
194
|
-
params = OneLogin::RubySaml::Authrequest.new.create_params(settings
|
|
195
|
-
assert params['SAMLRequest']
|
|
196
|
-
assert params[:RelayState]
|
|
195
|
+
params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
|
|
197
196
|
assert params['Signature']
|
|
198
|
-
|
|
197
|
+
assert params['SigAlg'] == XMLSecurity::Document::SHA1
|
|
199
198
|
|
|
200
|
-
|
|
201
|
-
|
|
202
|
-
|
|
203
|
-
|
|
204
|
-
|
|
205
|
-
assert_equal signature_algorithm, OpenSSL::Digest::SHA1
|
|
206
|
-
|
|
207
|
-
assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
|
|
199
|
+
# signature_method only affects the embedeed signature
|
|
200
|
+
settings.security[:signature_method] = XMLSecurity::Document::SHA256
|
|
201
|
+
params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
|
|
202
|
+
assert params['Signature']
|
|
203
|
+
assert params['SigAlg'] == XMLSecurity::Document::SHA1
|
|
208
204
|
end
|
|
205
|
+
end
|
|
209
206
|
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
207
|
+
should "create the saml:AuthnContextClassRef element correctly" do
|
|
208
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
209
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
210
|
+
settings.authn_context = 'secure/name/password/uri'
|
|
211
|
+
auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
|
|
212
|
+
assert auth_doc.to_s =~ /<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
|
|
213
|
+
end
|
|
216
214
|
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
215
|
+
should "create the saml:AuthnContextClassRef with comparison exact" do
|
|
216
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
217
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
218
|
+
settings.authn_context = 'secure/name/password/uri'
|
|
219
|
+
auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
|
|
220
|
+
assert auth_doc.to_s =~ /<samlp:RequestedAuthnContext[\S ]+Comparison='exact'/
|
|
221
|
+
assert auth_doc.to_s =~ /<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
|
|
222
|
+
end
|
|
220
223
|
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
|
|
224
|
+
should "create the saml:AuthnContextClassRef with comparison minimun" do
|
|
225
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
226
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
227
|
+
settings.authn_context = 'secure/name/password/uri'
|
|
228
|
+
settings.authn_context_comparison = 'minimun'
|
|
229
|
+
auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
|
|
230
|
+
assert auth_doc.to_s =~ /<samlp:RequestedAuthnContext[\S ]+Comparison='minimun'/
|
|
231
|
+
assert auth_doc.to_s =~ /<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
|
|
225
232
|
end
|
|
226
233
|
|
|
227
|
-
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
|
|
233
|
-
assert_equal authnrequest.request_id, authnrequest.uuid
|
|
234
|
-
assert_equal "new_uuid", authnrequest.request_id
|
|
235
|
-
end
|
|
234
|
+
should "create the saml:AuthnContextDeclRef element correctly" do
|
|
235
|
+
settings = OneLogin::RubySaml::Settings.new
|
|
236
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
237
|
+
settings.authn_context_decl_ref = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
|
|
238
|
+
auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
|
|
239
|
+
assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextDeclRef>/
|
|
236
240
|
end
|
|
237
241
|
end
|
|
238
|
-
|
|
239
242
|
end
|