ruby-saml 0.8.18 → 0.9
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/.travis.yml +1 -6
- data/Gemfile +2 -12
- data/README.md +363 -35
- data/Rakefile +14 -0
- data/changelog.md +22 -9
- data/lib/onelogin/ruby-saml/attribute_service.rb +34 -0
- data/lib/onelogin/ruby-saml/attributes.rb +26 -64
- data/lib/onelogin/ruby-saml/authrequest.rb +47 -93
- data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +87 -0
- data/lib/onelogin/ruby-saml/logoutrequest.rb +36 -100
- data/lib/onelogin/ruby-saml/logoutresponse.rb +25 -35
- data/lib/onelogin/ruby-saml/metadata.rb +46 -16
- data/lib/onelogin/ruby-saml/response.rb +63 -373
- data/lib/onelogin/ruby-saml/saml_message.rb +78 -0
- data/lib/onelogin/ruby-saml/settings.rb +54 -122
- data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +25 -71
- data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +37 -102
- data/lib/onelogin/ruby-saml/utils.rb +32 -199
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/lib/ruby-saml.rb +5 -2
- data/lib/schemas/{saml20assertion_schema.xsd → saml-schema-assertion-2.0.xsd} +283 -283
- data/lib/schemas/saml-schema-authn-context-2.0.xsd +23 -0
- data/lib/schemas/saml-schema-authn-context-types-2.0.xsd +821 -0
- data/lib/schemas/saml-schema-metadata-2.0.xsd +339 -0
- data/lib/schemas/{saml20protocol_schema.xsd → saml-schema-protocol-2.0.xsd} +302 -302
- data/lib/schemas/sstc-metadata-attr.xsd +35 -0
- data/lib/schemas/sstc-saml-attribute-ext.xsd +25 -0
- data/lib/schemas/sstc-saml-metadata-algsupport-v1.0.xsd +41 -0
- data/lib/schemas/sstc-saml-metadata-ui-v1.0.xsd +89 -0
- data/lib/schemas/{xenc_schema.xsd → xenc-schema.xsd} +1 -11
- data/lib/schemas/xml.xsd +287 -0
- data/lib/schemas/{xmldsig_schema.xsd → xmldsig-core-schema.xsd} +0 -9
- data/lib/xml_security.rb +83 -235
- data/ruby-saml.gemspec +1 -0
- data/test/idp_metadata_parser_test.rb +54 -0
- data/test/logoutrequest_test.rb +68 -155
- data/test/logoutresponse_test.rb +43 -32
- data/test/metadata_test.rb +87 -0
- data/test/request_test.rb +102 -99
- data/test/response_test.rb +181 -495
- data/test/responses/idp_descriptor.xml +3 -0
- data/test/responses/logoutresponse_fixtures.rb +7 -8
- data/test/responses/response_no_cert_and_encrypted_attrs.xml +29 -0
- data/test/responses/response_with_multiple_attribute_values.xml +1 -1
- data/test/responses/slo_request.xml +4 -0
- data/test/settings_test.rb +25 -112
- data/test/slo_logoutrequest_test.rb +40 -50
- data/test/slo_logoutresponse_test.rb +86 -185
- data/test/test_helper.rb +27 -102
- data/test/xml_security_test.rb +114 -337
- metadata +30 -81
- data/lib/onelogin/ruby-saml/setting_error.rb +0 -6
- data/test/certificates/certificate.der +0 -0
- data/test/certificates/formatted_certificate +0 -14
- data/test/certificates/formatted_chained_certificate +0 -42
- data/test/certificates/formatted_private_key +0 -12
- data/test/certificates/formatted_rsa_private_key +0 -12
- data/test/certificates/invalid_certificate1 +0 -1
- data/test/certificates/invalid_certificate2 +0 -1
- data/test/certificates/invalid_certificate3 +0 -12
- data/test/certificates/invalid_chained_certificate1 +0 -1
- data/test/certificates/invalid_private_key1 +0 -1
- data/test/certificates/invalid_private_key2 +0 -1
- data/test/certificates/invalid_private_key3 +0 -10
- data/test/certificates/invalid_rsa_private_key1 +0 -1
- data/test/certificates/invalid_rsa_private_key2 +0 -1
- data/test/certificates/invalid_rsa_private_key3 +0 -10
- data/test/certificates/ruby-saml-2.crt +0 -15
- data/test/requests/logoutrequest_fixtures.rb +0 -47
- data/test/responses/encrypted_new_attack.xml.base64 +0 -1
- data/test/responses/invalids/invalid_issuer_assertion.xml.base64 +0 -1
- data/test/responses/invalids/invalid_issuer_message.xml.base64 +0 -1
- data/test/responses/invalids/multiple_signed.xml.base64 +0 -1
- data/test/responses/invalids/no_signature.xml.base64 +0 -1
- data/test/responses/invalids/response_with_concealed_signed_assertion.xml +0 -51
- data/test/responses/invalids/response_with_doubled_signed_assertion.xml +0 -49
- data/test/responses/invalids/signature_wrapping_attack.xml.base64 +0 -1
- data/test/responses/response_node_text_attack.xml.base64 +0 -1
- data/test/responses/response_with_concealed_signed_assertion.xml +0 -51
- data/test/responses/response_with_doubled_signed_assertion.xml +0 -49
- data/test/responses/response_with_multiple_attribute_statements.xml +0 -72
- data/test/responses/response_with_signed_assertion_3.xml +0 -30
- data/test/responses/response_with_signed_message_and_assertion.xml +0 -34
- data/test/responses/response_with_undefined_recipient.xml.base64 +0 -1
- data/test/responses/response_wrapped.xml.base64 +0 -150
- data/test/responses/valid_response.xml.base64 +0 -1
- data/test/responses/valid_response_without_x509certificate.xml.base64 +0 -1
- data/test/utils_test.rb +0 -231
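--- a/data/test/request_test.rb
+++ b/data/test/request_test.rb
@@ -1,15 +1,11 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
-class RequestTest <
+class RequestTest < Test::Unit::TestCase
 
-
-
-
-before do
+context "Authrequest" do
+should "create the deflated SAMLRequest URL parameter" do
+settings = OneLogin::RubySaml::Settings.new
 settings.idp_sso_target_url = "http://example.com"
-end
-
-it "create the deflated SAMLRequest URL parameter" do
 auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
 assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
 payload = CGI.unescape(auth_url.split("=").last)
@@ -23,7 +19,9 @@ class RequestTest < Minitest::Test
 assert_match /^<samlp:AuthnRequest/, inflated
 end
 
-
+should "create the deflated SAMLRequest URL parameter including the Destination" do
+settings = OneLogin::RubySaml::Settings.new
+settings.idp_sso_target_url = "http://example.com"
 auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
 payload = CGI.unescape(auth_url.split("=").last)
 decoded = Base64.decode64(payload)
@@ -36,8 +34,10 @@ class RequestTest < Minitest::Test
 assert_match /<samlp:AuthnRequest[^<]* Destination='http:\/\/example.com'/, inflated
 end
 
-
+should "create the SAMLRequest URL parameter without deflating" do
+settings = OneLogin::RubySaml::Settings.new
 settings.compress_request = false
+settings.idp_sso_target_url = "http://example.com"
 auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
 assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
 payload = CGI.unescape(auth_url.split("=").last)
@@ -46,7 +46,9 @@ class RequestTest < Minitest::Test
 assert_match /^<samlp:AuthnRequest/, decoded
 end
 
-
+should "create the SAMLRequest URL parameter with IsPassive" do
+settings = OneLogin::RubySaml::Settings.new
+settings.idp_sso_target_url = "http://example.com"
 settings.passive = true
 auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
 assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
@@ -61,8 +63,10 @@ class RequestTest < Minitest::Test
 assert_match /<samlp:AuthnRequest[^<]* IsPassive='true'/, inflated
 end
 
-
-settings
+should "create the SAMLRequest URL parameter with ProtocolBinding" do
+settings = OneLogin::RubySaml::Settings.new
+settings.idp_sso_target_url = "http://example.com"
+settings.protocol_binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
 auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
 assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
 payload = CGI.unescape(auth_url.split("=").last)
@@ -76,8 +80,10 @@ class RequestTest < Minitest::Test
 assert_match /<samlp:AuthnRequest[^<]* ProtocolBinding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'/, inflated
 end
 
-
-settings
+should "create the SAMLRequest URL parameter with AttributeConsumingServiceIndex" do
+settings = OneLogin::RubySaml::Settings.new
+settings.idp_sso_target_url = "http://example.com"
+settings.attributes_index = 30
 auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
 assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
 payload = CGI.unescape(auth_url.split("=").last)
@@ -87,42 +93,29 @@ class RequestTest < Minitest::Test
 inflated = zstream.inflate(decoded)
 zstream.finish
 zstream.close
-assert_match /<samlp:AuthnRequest[^<]*
+assert_match /<samlp:AuthnRequest[^<]* AttributeConsumingServiceIndex='30'/, inflated
 end
 
-
-settings
+should "create the SAMLRequest URL parameter with ForceAuthn" do
+settings = OneLogin::RubySaml::Settings.new
+settings.idp_sso_target_url = "http://example.com"
+settings.force_authn = true
 auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
 assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
-payload
-decoded
-zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-inflated = zstream.inflate(decoded)
-zstream.finish
-zstream.close
-
-assert_match /<samlp:NameIDPolicy[^<]* AllowCreate='true'/, inflated
-assert_match /<samlp:NameIDPolicy[^<]* Format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'/, inflated
-end
+payload = CGI.unescape(auth_url.split("=").last)
+decoded = Base64.decode64(payload)
 
-
-settings.name_identifier_value_requested = "testuser@example.com"
-settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
-assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
-payload = CGI.unescape(auth_url.split("=").last)
-decoded = Base64.decode64(payload)
-zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
 inflated = zstream.inflate(decoded)
 zstream.finish
 zstream.close
-
-assert inflated.include?('<saml:Subject>')
-assert inflated.include?("<saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>testuser@example.com</saml:NameID>")
-assert inflated.include?("<saml:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'/>")
+assert_match /<samlp:AuthnRequest[^<]* ForceAuthn='true'/, inflated
 end
 
-
+should "accept extra parameters" do
+settings = OneLogin::RubySaml::Settings.new
+settings.idp_sso_target_url = "http://example.com"
+
 auth_url = OneLogin::RubySaml::Authrequest.new.create(settings, { :hello => "there" })
 assert auth_url =~ /&hello=there$/
 
@@ -130,15 +123,19 @@ class RequestTest < Minitest::Test
 assert auth_url =~ /&hello=$/
 end
 
-
-
+context "when the target url doesn't contain a query string" do
+should "create the SAMLRequest parameter correctly" do
+settings = OneLogin::RubySaml::Settings.new
+settings.idp_sso_target_url = "http://example.com"
+
 auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
 assert auth_url =~ /^http:\/\/example.com\?SAMLRequest/
 end
 end
 
-
-
+context "when the target url contains a query string" do
+should "create the SAMLRequest parameter correctly" do
+settings = OneLogin::RubySaml::Settings.new
 settings.idp_sso_target_url = "http://example.com?field=value"
 
 auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
@@ -146,94 +143,100 @@ class RequestTest < Minitest::Test
 end
 end
 
-
-
+context "when the settings indicate to sign (embebed) the request" do
+should "create a signed request" do
+settings = OneLogin::RubySaml::Settings.new
 settings.compress_request = false
 settings.idp_sso_target_url = "http://example.com?field=value"
 settings.security[:authn_requests_signed] = true
 settings.security[:embed_sign] = true
-settings.certificate
+settings.certificate = ruby_saml_cert_text
 settings.private_key = ruby_saml_key_text
-end
 
-it "create a signed request" do
 params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
 request_xml = Base64.decode64(params["SAMLRequest"])
 assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-
+request_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/
+request_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/
 end
 
-
-settings
+should "create a signed request with 256 digest and signature methods" do
+settings = OneLogin::RubySaml::Settings.new
+settings.compress_request = false
+settings.idp_sso_target_url = "http://example.com?field=value"
+settings.security[:authn_requests_signed] = true
+settings.security[:embed_sign] = true
+settings.security[:signature_method] = XMLSecurity::Document::SHA256
 settings.security[:digest_method] = XMLSecurity::Document::SHA512
+settings.certificate = ruby_saml_cert_text
+settings.private_key = ruby_saml_key_text
 
 params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
-
 request_xml = Base64.decode64(params["SAMLRequest"])
 assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-
-
+request_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/
+request_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha512'\/>/
 end
 end
 
-describe "#create_params when the settings indicate to sign the request" do
-let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
 
-
+context "when the settings indicate to sign the request" do
+should "create a signature parameter" do
+settings = OneLogin::RubySaml::Settings.new
 settings.compress_request = false
 settings.idp_sso_target_url = "http://example.com?field=value"
+settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
 settings.security[:authn_requests_signed] = true
 settings.security[:embed_sign] = false
-settings.
+settings.security[:signature_method] = XMLSecurity::Document::SHA1
+settings.certificate = ruby_saml_cert_text
 settings.private_key = ruby_saml_key_text
-end
-
-it "create a signature parameter with RSA_SHA1 and validate it" do
-settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
 
-params = OneLogin::RubySaml::Authrequest.new.create_params(settings
-assert params['SAMLRequest']
-assert params[:RelayState]
+params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
 assert params['Signature']
-
+assert params['SigAlg'] == XMLSecurity::Document::SHA1
 
-
-
-
-
-
-assert_equal signature_algorithm, OpenSSL::Digest::SHA1
-
-assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+# signature_method only affects the embedeed signature
+settings.security[:signature_method] = XMLSecurity::Document::SHA256
+params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
+assert params['Signature']
+assert params['SigAlg'] == XMLSecurity::Document::SHA1
 end
+end
 
-
-
-
-
-
-
+should "create the saml:AuthnContextClassRef element correctly" do
+settings = OneLogin::RubySaml::Settings.new
+settings.idp_sso_target_url = "http://example.com"
+settings.authn_context = 'secure/name/password/uri'
+auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+assert auth_doc.to_s =~ /<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
+end
 
-
-
-
+should "create the saml:AuthnContextClassRef with comparison exact" do
+settings = OneLogin::RubySaml::Settings.new
+settings.idp_sso_target_url = "http://example.com"
+settings.authn_context = 'secure/name/password/uri'
+auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+assert auth_doc.to_s =~ /<samlp:RequestedAuthnContext[\S ]+Comparison='exact'/
+assert auth_doc.to_s =~ /<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
+end
 
-
-
-
-
+should "create the saml:AuthnContextClassRef with comparison minimun" do
+settings = OneLogin::RubySaml::Settings.new
+settings.idp_sso_target_url = "http://example.com"
+settings.authn_context = 'secure/name/password/uri'
+settings.authn_context_comparison = 'minimun'
+auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+assert auth_doc.to_s =~ /<samlp:RequestedAuthnContext[\S ]+Comparison='minimun'/
+assert auth_doc.to_s =~ /<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
 end
 
-
-
-
-
-
-
-assert_equal authnrequest.request_id, authnrequest.uuid
-assert_equal "new_uuid", authnrequest.request_id
-end
+should "create the saml:AuthnContextDeclRef element correctly" do
+settings = OneLogin::RubySaml::Settings.new
+settings.idp_sso_target_url = "http://example.com"
+settings.authn_context_decl_ref = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
+auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextDeclRef>/
 end
 end
-
 end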
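Review bot: The four bare `request_xml =~ /.../` lines (new lines 159-160 and 177-178) discard the match result, so both embedded-signature tests pass whatever SignatureMethod and DigestMethod the request actually carries; each should be an assertion, e.g. `assert_match /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/, request_xml`. The DigestMethod patterns name `rsa-sha1` and `rsa-sha512` URIs, which are signature identifiers rather than digest identifiers, so they would presumably fail once asserted and need checking against what the library emits. In the query-signature test (new lines 195-203) only the presence of `params['Signature']` is asserted, whereas the removed side verified the value with `cert.public_key.verify(...)`; keeping that check would stop a malformed or wrongly keyed signature from passing. That test also pins `SigAlg` to SHA1 after `signature_method` is set to SHA256, and the one-line comment there should say explicitly that the redirect signature algorithm is not configurable in this version.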