ruby-saml 1.9.0 → 1.14.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of ruby-saml might be problematic. Click here for more details.
- checksums.yaml +5 -5
- data/.github/workflows/test.yml +25 -0
- data/{changelog.md → CHANGELOG.md} +64 -1
- data/README.md +394 -211
- data/UPGRADING.md +149 -0
- data/lib/onelogin/ruby-saml/attributes.rb +24 -1
- data/lib/onelogin/ruby-saml/authrequest.rb +26 -10
- data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +285 -184
- data/lib/onelogin/ruby-saml/logging.rb +3 -3
- data/lib/onelogin/ruby-saml/logoutrequest.rb +26 -11
- data/lib/onelogin/ruby-saml/logoutresponse.rb +27 -11
- data/lib/onelogin/ruby-saml/metadata.rb +62 -17
- data/lib/onelogin/ruby-saml/response.rb +86 -37
- data/lib/onelogin/ruby-saml/saml_message.rb +14 -5
- data/lib/onelogin/ruby-saml/setting_error.rb +6 -0
- data/lib/onelogin/ruby-saml/settings.rb +117 -41
- data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +33 -31
- data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +43 -20
- data/lib/onelogin/ruby-saml/utils.rb +101 -9
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/lib/xml_security.rb +39 -13
- data/ruby-saml.gemspec +21 -8
- metadata +43 -284
- data/.travis.yml +0 -32
- data/test/certificates/certificate1 +0 -12
- data/test/certificates/certificate_without_head_foot +0 -1
- data/test/certificates/formatted_certificate +0 -14
- data/test/certificates/formatted_chained_certificate +0 -42
- data/test/certificates/formatted_private_key +0 -12
- data/test/certificates/formatted_rsa_private_key +0 -12
- data/test/certificates/invalid_certificate1 +0 -1
- data/test/certificates/invalid_certificate2 +0 -1
- data/test/certificates/invalid_certificate3 +0 -12
- data/test/certificates/invalid_chained_certificate1 +0 -1
- data/test/certificates/invalid_private_key1 +0 -1
- data/test/certificates/invalid_private_key2 +0 -1
- data/test/certificates/invalid_private_key3 +0 -10
- data/test/certificates/invalid_rsa_private_key1 +0 -1
- data/test/certificates/invalid_rsa_private_key2 +0 -1
- data/test/certificates/invalid_rsa_private_key3 +0 -10
- data/test/certificates/ruby-saml-2.crt +0 -15
- data/test/certificates/ruby-saml.crt +0 -14
- data/test/certificates/ruby-saml.key +0 -15
- data/test/idp_metadata_parser_test.rb +0 -579
- data/test/logging_test.rb +0 -62
- data/test/logout_requests/invalid_slo_request.xml +0 -6
- data/test/logout_requests/slo_request.xml +0 -4
- data/test/logout_requests/slo_request.xml.base64 +0 -1
- data/test/logout_requests/slo_request_deflated.xml.base64 +0 -1
- data/test/logout_requests/slo_request_with_name_id_format.xml +0 -4
- data/test/logout_requests/slo_request_with_session_index.xml +0 -5
- data/test/logout_responses/logoutresponse_fixtures.rb +0 -67
- data/test/logoutrequest_test.rb +0 -226
- data/test/logoutresponse_test.rb +0 -402
- data/test/metadata/idp_descriptor.xml +0 -26
- data/test/metadata/idp_descriptor_2.xml +0 -56
- data/test/metadata/idp_descriptor_3.xml +0 -14
- data/test/metadata/idp_descriptor_4.xml +0 -72
- data/test/metadata/idp_metadata_different_sign_and_encrypt_cert.xml +0 -72
- data/test/metadata/idp_metadata_multi_certs.xml +0 -75
- data/test/metadata/idp_metadata_multi_signing_certs.xml +0 -52
- data/test/metadata/idp_metadata_same_sign_and_encrypt_cert.xml +0 -71
- data/test/metadata/idp_multiple_descriptors.xml +0 -53
- data/test/metadata/no_idp_descriptor.xml +0 -21
- data/test/metadata_test.rb +0 -331
- data/test/request_test.rb +0 -323
- data/test/response_test.rb +0 -1619
- data/test/responses/adfs_response_sha1.xml +0 -46
- data/test/responses/adfs_response_sha256.xml +0 -46
- data/test/responses/adfs_response_sha384.xml +0 -46
- data/test/responses/adfs_response_sha512.xml +0 -46
- data/test/responses/adfs_response_xmlns.xml +0 -45
- data/test/responses/attackxee.xml +0 -13
- data/test/responses/invalids/duplicated_attributes.xml.base64 +0 -1
- data/test/responses/invalids/empty_destination.xml.base64 +0 -1
- data/test/responses/invalids/empty_nameid.xml.base64 +0 -1
- data/test/responses/invalids/encrypted_new_attack.xml.base64 +0 -1
- data/test/responses/invalids/invalid_audience.xml.base64 +0 -1
- data/test/responses/invalids/invalid_issuer_assertion.xml.base64 +0 -1
- data/test/responses/invalids/invalid_issuer_message.xml.base64 +0 -1
- data/test/responses/invalids/invalid_signature_position.xml.base64 +0 -1
- data/test/responses/invalids/invalid_subjectconfirmation_inresponse.xml.base64 +0 -1
- data/test/responses/invalids/invalid_subjectconfirmation_nb.xml.base64 +0 -1
- data/test/responses/invalids/invalid_subjectconfirmation_noa.xml.base64 +0 -1
- data/test/responses/invalids/invalid_subjectconfirmation_recipient.xml.base64 +0 -1
- data/test/responses/invalids/multiple_assertions.xml.base64 +0 -2
- data/test/responses/invalids/multiple_signed.xml.base64 +0 -1
- data/test/responses/invalids/no_authnstatement.xml.base64 +0 -1
- data/test/responses/invalids/no_conditions.xml.base64 +0 -1
- data/test/responses/invalids/no_id.xml.base64 +0 -1
- data/test/responses/invalids/no_issuer_assertion.xml.base64 +0 -1
- data/test/responses/invalids/no_issuer_response.xml.base64 +0 -1
- data/test/responses/invalids/no_nameid.xml.base64 +0 -1
- data/test/responses/invalids/no_saml2.xml.base64 +0 -1
- data/test/responses/invalids/no_signature.xml.base64 +0 -1
- data/test/responses/invalids/no_status.xml.base64 +0 -1
- data/test/responses/invalids/no_status_code.xml.base64 +0 -1
- data/test/responses/invalids/no_subjectconfirmation_data.xml.base64 +0 -1
- data/test/responses/invalids/no_subjectconfirmation_method.xml.base64 +0 -1
- data/test/responses/invalids/response_invalid_signed_element.xml.base64 +0 -1
- data/test/responses/invalids/response_with_concealed_signed_assertion.xml +0 -51
- data/test/responses/invalids/response_with_doubled_signed_assertion.xml +0 -49
- data/test/responses/invalids/signature_wrapping_attack.xml.base64 +0 -1
- data/test/responses/invalids/status_code_responder.xml.base64 +0 -1
- data/test/responses/invalids/status_code_responer_and_msg.xml.base64 +0 -1
- data/test/responses/invalids/wrong_spnamequalifier.xml.base64 +0 -1
- data/test/responses/no_signature_ns.xml +0 -48
- data/test/responses/open_saml_response.xml +0 -56
- data/test/responses/response_assertion_wrapped.xml.base64 +0 -93
- data/test/responses/response_audience_self_closed_tag.xml.base64 +0 -1
- data/test/responses/response_double_status_code.xml.base64 +0 -1
- data/test/responses/response_encrypted_attrs.xml.base64 +0 -1
- data/test/responses/response_encrypted_nameid.xml.base64 +0 -1
- data/test/responses/response_eval.xml +0 -7
- data/test/responses/response_no_cert_and_encrypted_attrs.xml +0 -29
- data/test/responses/response_node_text_attack.xml.base64 +0 -1
- data/test/responses/response_node_text_attack2.xml.base64 +0 -1
- data/test/responses/response_node_text_attack3.xml.base64 +0 -1
- data/test/responses/response_unsigned_xml_base64 +0 -1
- data/test/responses/response_with_ampersands.xml +0 -139
- data/test/responses/response_with_ampersands.xml.base64 +0 -93
- data/test/responses/response_with_ds_namespace_at_the_root.xml.base64 +0 -1
- data/test/responses/response_with_multiple_attribute_statements.xml +0 -72
- data/test/responses/response_with_multiple_attribute_values.xml +0 -67
- data/test/responses/response_with_retrieval_method.xml +0 -26
- data/test/responses/response_with_saml2_namespace.xml.base64 +0 -102
- data/test/responses/response_with_signed_assertion.xml.base64 +0 -66
- data/test/responses/response_with_signed_assertion_2.xml.base64 +0 -1
- data/test/responses/response_with_signed_assertion_3.xml +0 -30
- data/test/responses/response_with_signed_message_and_assertion.xml +0 -34
- data/test/responses/response_with_undefined_recipient.xml.base64 +0 -1
- data/test/responses/response_without_attributes.xml.base64 +0 -79
- data/test/responses/response_without_reference_uri.xml.base64 +0 -1
- data/test/responses/response_wrapped.xml.base64 +0 -150
- data/test/responses/signed_message_encrypted_signed_assertion.xml.base64 +0 -1
- data/test/responses/signed_message_encrypted_unsigned_assertion.xml.base64 +0 -1
- data/test/responses/signed_nameid_in_atts.xml +0 -47
- data/test/responses/signed_unqual_nameid_in_atts.xml +0 -47
- data/test/responses/simple_saml_php.xml +0 -71
- data/test/responses/starfield_response.xml.base64 +0 -1
- data/test/responses/test_sign.xml +0 -43
- data/test/responses/unsigned_encrypted_adfs.xml +0 -23
- data/test/responses/unsigned_message_aes128_encrypted_signed_assertion.xml.base64 +0 -1
- data/test/responses/unsigned_message_aes192_encrypted_signed_assertion.xml.base64 +0 -1
- data/test/responses/unsigned_message_aes256_encrypted_signed_assertion.xml.base64 +0 -1
- data/test/responses/unsigned_message_des192_encrypted_signed_assertion.xml.base64 +0 -1
- data/test/responses/unsigned_message_encrypted_assertion_without_saml_namespace.xml.base64 +0 -1
- data/test/responses/unsigned_message_encrypted_signed_assertion.xml.base64 +0 -1
- data/test/responses/unsigned_message_encrypted_unsigned_assertion.xml.base64 +0 -1
- data/test/responses/valid_response.xml.base64 +0 -1
- data/test/responses/valid_response_with_formatted_x509certificate.xml.base64 +0 -1
- data/test/responses/valid_response_without_x509certificate.xml.base64 +0 -1
- data/test/saml_message_test.rb +0 -56
- data/test/settings_test.rb +0 -329
- data/test/slo_logoutrequest_test.rb +0 -448
- data/test/slo_logoutresponse_test.rb +0 -199
- data/test/test_helper.rb +0 -327
- data/test/utils_test.rb +0 -254
- data/test/xml_security_test.rb +0 -421
data/UPGRADING.md
ADDED
@@ -0,0 +1,149 @@
|
|
1
|
+
# Ruby SAML Migration Guide
|
2
|
+
|
3
|
+
## Updating from 1.12.x to 1.13.0
|
4
|
+
|
5
|
+
Version `1.13.0` adds `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding`, and
|
6
|
+
deprecates `settings.security[:embed_sign]`. If specified, new binding parameters will be used in place of `:embed_sign`
|
7
|
+
to determine how to handle SAML message signing (`HTTP-POST` embeds signature and `HTTP-Redirect` does not.)
|
8
|
+
|
9
|
+
In addition, the `IdpMetadataParser#parse`, `#parse_to_hash` and `#parse_to_array` methods now retrieve
|
10
|
+
`idp_sso_service_binding` and `idp_slo_service_binding`.
|
11
|
+
|
12
|
+
Lastly, for convenience you may now use the Symbol aliases `:post` and `:redirect` for any `settings.*_binding` parameter.
|
13
|
+
|
14
|
+
## Upgrading from 1.11.x to 1.12.0
|
15
|
+
|
16
|
+
Version `1.12.0` adds support for gcm algorithm and
|
17
|
+
change/adds specific error messages for signature validations
|
18
|
+
|
19
|
+
`idp_sso_target_url` and `idp_slo_target_url` attributes of the Settings class deprecated
|
20
|
+
in favor of `idp_sso_service_url` and `idp_slo_service_url`. The `IdpMetadataParser#parse`,
|
21
|
+
`#parse_to_hash` and `#parse_to_array` methods now retrieve SSO URL and SLO URL endpoints with
|
22
|
+
`idp_sso_service_url` and `idp_slo_service_url` (previously `idp_sso_target_url` and
|
23
|
+
`idp_slo_target_url` respectively).
|
24
|
+
|
25
|
+
## Upgrading from 1.10.x to 1.11.0
|
26
|
+
|
27
|
+
Version `1.11.0` deprecates the use of `settings.issuer` in favour of `settings.sp_entity_id`.
|
28
|
+
There are two new security settings: `settings.security[:check_idp_cert_expiration]` and
|
29
|
+
`settings.security[:check_sp_cert_expiration]` (both false by default) that check if the
|
30
|
+
IdP or SP X.509 certificate has expired, respectively.
|
31
|
+
|
32
|
+
Version `1.10.2` includes the `valid_until` attribute in parsed IdP metadata.
|
33
|
+
|
34
|
+
Version `1.10.1` improves Ruby 1.8.7 support.
|
35
|
+
|
36
|
+
## Upgrading from 1.9.0 to 1.10.0
|
37
|
+
|
38
|
+
Version `1.10.0` improves IdpMetadataParser to allow parse multiple IDPSSODescriptor,
|
39
|
+
Add Subject support on AuthNRequest to allow SPs provide info to the IdP about the user
|
40
|
+
to be authenticated and updates the format_cert method to accept certs with /\x0d/
|
41
|
+
|
42
|
+
## Upgrading from 1.8.0 to 1.9.0
|
43
|
+
|
44
|
+
Version `1.9.0` better supports Ruby 2.4+ and JRuby 9.2.0.0. `Settings` initialization
|
45
|
+
now has a second parameter, `keep_security_settings` (default: false), which saves security
|
46
|
+
settings attributes that are not explicitly overridden, if set to true.
|
47
|
+
|
48
|
+
## Upgrading from 1.7.x to 1.8.0
|
49
|
+
|
50
|
+
On Version `1.8.0`, creating AuthRequests/LogoutRequests/LogoutResponses with nil RelayState
|
51
|
+
param will not generate a URL with an empty RelayState parameter anymore. It also changes
|
52
|
+
the invalid audience error message.
|
53
|
+
|
54
|
+
## Upgrading from 1.6.0 to 1.7.0
|
55
|
+
|
56
|
+
Version `1.7.0` is a recommended update for all Ruby SAML users as it includes a fix for
|
57
|
+
the [CVE-2017-11428](https://www.cvedetails.com/cve/CVE-2017-11428/) vulnerability.
|
58
|
+
|
59
|
+
## Upgrading from 1.5.0 to 1.6.0
|
60
|
+
|
61
|
+
Version `1.6.0` changes the preferred way to construct instances of `Logoutresponse` and
|
62
|
+
`SloLogoutrequest`. Previously the _SAMLResponse_, _RelayState_, and _SigAlg_ parameters
|
63
|
+
of these message types were provided via the constructor's `options[:get_params]` parameter.
|
64
|
+
Unfortunately this can result in incompatibility with other SAML implementations; signatures
|
65
|
+
are specified to be computed based on the _sender's_ URI-encoding of the message, which can
|
66
|
+
differ from that of Ruby SAML. In particular, Ruby SAML's URI-encoding does not match that
|
67
|
+
of Microsoft ADFS, so messages from ADFS can fail signature validation.
|
68
|
+
|
69
|
+
The new preferred way to provide _SAMLResponse_, _RelayState_, and _SigAlg_ is via the
|
70
|
+
`options[:raw_get_params]` parameter. For example:
|
71
|
+
|
72
|
+
```ruby
|
73
|
+
# In this example `query_params` is assumed to contain decoded query parameters,
|
74
|
+
# and `raw_query_params` is assumed to contain encoded query parameters as sent by the IDP.
|
75
|
+
settings = {
|
76
|
+
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
|
77
|
+
settings.soft = false
|
78
|
+
}
|
79
|
+
options = {
|
80
|
+
get_params: {
|
81
|
+
"Signature" => query_params["Signature"],
|
82
|
+
},
|
83
|
+
raw_get_params: {
|
84
|
+
"SAMLRequest" => raw_query_params["SAMLRequest"],
|
85
|
+
"SigAlg" => raw_query_params["SigAlg"],
|
86
|
+
"RelayState" => raw_query_params["RelayState"],
|
87
|
+
},
|
88
|
+
}
|
89
|
+
slo_logout_request = OneLogin::RubySaml::SloLogoutrequest.new(query_params["SAMLRequest"], settings, options)
|
90
|
+
raise "Invalid Logout Request" unless slo_logout_request.is_valid?
|
91
|
+
```
|
92
|
+
|
93
|
+
The old form is still supported for backward compatibility, but all Ruby SAML users
|
94
|
+
should prefer `options[:raw_get_params]` where possible to ensure compatibility with
|
95
|
+
other SAML implementations.
|
96
|
+
|
97
|
+
## Upgrading from 1.4.2 to 1.4.3
|
98
|
+
|
99
|
+
Version `1.4.3` introduces Recipient validation of SubjectConfirmation elements.
|
100
|
+
The 'Recipient' value is compared with the settings.assertion_consumer_service_url
|
101
|
+
value.
|
102
|
+
|
103
|
+
If you want to skip that validation, add the :skip_recipient_check option to the
|
104
|
+
initialize method of the Response object.
|
105
|
+
|
106
|
+
Parsing metadata that contains more than one certificate will propagate the
|
107
|
+
idp_cert_multi property rather than idp_cert. See [signature validation
|
108
|
+
section](#signature-validation) for details.
|
109
|
+
|
110
|
+
## Upgrading from 1.3.x to 1.4.x
|
111
|
+
|
112
|
+
Version `1.4.0` is a recommended update for all Ruby SAML users as it includes security improvements.
|
113
|
+
|
114
|
+
## Upgrading from 1.2.x to 1.3.x
|
115
|
+
|
116
|
+
Version `1.3.0` is a recommended update for all Ruby SAML users as it includes security fixes.
|
117
|
+
It adds security improvements in order to prevent Signature wrapping attacks.
|
118
|
+
[CVE-2016-5697](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697)
|
119
|
+
|
120
|
+
## Upgrading from 1.1.x to 1.2.x
|
121
|
+
|
122
|
+
Version `1.2` adds IDP metadata parsing improvements, uuid deprecation in favour of SecureRandom,
|
123
|
+
refactor error handling and some minor improvements.
|
124
|
+
|
125
|
+
There is no compatibility issue detected.
|
126
|
+
|
127
|
+
For more details, please review [CHANGELOG.md](CHANGELOG.md).
|
128
|
+
|
129
|
+
## Upgrading from 1.0.x to 1.1.x
|
130
|
+
|
131
|
+
Version `1.1` adds some improvements on signature validation and solves some namespace conflicts.
|
132
|
+
|
133
|
+
## Upgrading from 0.9.x to 1.0.x
|
134
|
+
|
135
|
+
Version `1.0` is a recommended update for all Ruby SAML users as it includes security fixes.
|
136
|
+
|
137
|
+
Version `1.0` adds security improvements like entity expansion limitation, more SAML message validations, and other important improvements like decrypt support.
|
138
|
+
|
139
|
+
### Important Changes
|
140
|
+
|
141
|
+
Please note the `get_idp_metadata` method raises an exception when it is not able to fetch the idp metadata, so review your integration if you are using this functionality.
|
142
|
+
|
143
|
+
## Upgrading from 0.8.x to 0.9.x
|
144
|
+
|
145
|
+
Version `0.9` adds many new features and improvements.
|
146
|
+
|
147
|
+
## Upgrading from 0.7.x to 0.8.x
|
148
|
+
|
149
|
+
Version `0.8.x` changes the namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`. Please update your implementations of the gem accordingly.
|
@@ -79,7 +79,7 @@ module OneLogin
|
|
79
79
|
self.class.single_value_compatibility ? single(canonize_name(name)) : multi(canonize_name(name))
|
80
80
|
end
|
81
81
|
|
82
|
-
# @return [
|
82
|
+
# @return [Hash] Return all attributes as a hash
|
83
83
|
#
|
84
84
|
def all
|
85
85
|
attributes
|
@@ -113,6 +113,29 @@ module OneLogin
|
|
113
113
|
end
|
114
114
|
end
|
115
115
|
|
116
|
+
# Fetch attribute value using name or regex
|
117
|
+
# @param name [String|Regexp] The attribute name
|
118
|
+
# @return [String|Array] Depending on the single value compatibility status this returns:
|
119
|
+
# - First value if single_value_compatibility = true
|
120
|
+
# response.attributes['mail'] # => 'user@example.com'
|
121
|
+
# - All values if single_value_compatibility = false
|
122
|
+
# response.attributes['mail'] # => ['user@example.com','user@example.net']
|
123
|
+
#
|
124
|
+
def fetch(name)
|
125
|
+
attributes.each_key do |attribute_key|
|
126
|
+
if name.is_a?(Regexp)
|
127
|
+
if name.respond_to? :match?
|
128
|
+
return self[attribute_key] if name.match?(attribute_key)
|
129
|
+
else
|
130
|
+
return self[attribute_key] if name.match(attribute_key)
|
131
|
+
end
|
132
|
+
elsif canonize_name(name) == canonize_name(attribute_key)
|
133
|
+
return self[attribute_key]
|
134
|
+
end
|
135
|
+
end
|
136
|
+
nil
|
137
|
+
end
|
138
|
+
|
116
139
|
protected
|
117
140
|
|
118
141
|
# stringifies all names so both 'email' and :email return the same result
|
@@ -3,6 +3,7 @@ require "rexml/document"
|
|
3
3
|
require "onelogin/ruby-saml/logging"
|
4
4
|
require "onelogin/ruby-saml/saml_message"
|
5
5
|
require "onelogin/ruby-saml/utils"
|
6
|
+
require "onelogin/ruby-saml/setting_error"
|
6
7
|
|
7
8
|
# Only supports SAML 2.0
|
8
9
|
module OneLogin
|
@@ -14,7 +15,7 @@ module OneLogin
|
|
14
15
|
class Authrequest < SamlMessage
|
15
16
|
|
16
17
|
# AuthNRequest ID
|
17
|
-
|
18
|
+
attr_accessor :uuid
|
18
19
|
|
19
20
|
# Initializes the AuthNRequest. An Authrequest Object that is an extension of the SamlMessage class.
|
20
21
|
# Asigns an ID, a random uuid.
|
@@ -23,6 +24,10 @@ module OneLogin
|
|
23
24
|
@uuid = OneLogin::RubySaml::Utils.uuid
|
24
25
|
end
|
25
26
|
|
27
|
+
def request_id
|
28
|
+
@uuid
|
29
|
+
end
|
30
|
+
|
26
31
|
# Creates the AuthNRequest string.
|
27
32
|
# @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
|
28
33
|
# @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
|
@@ -30,14 +35,14 @@ module OneLogin
|
|
30
35
|
#
|
31
36
|
def create(settings, params = {})
|
32
37
|
params = create_params(settings, params)
|
33
|
-
params_prefix = (settings.
|
38
|
+
params_prefix = (settings.idp_sso_service_url =~ /\?/) ? '&' : '?'
|
34
39
|
saml_request = CGI.escape(params.delete("SAMLRequest"))
|
35
40
|
request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
|
36
41
|
params.each_pair do |key, value|
|
37
42
|
request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
|
38
43
|
end
|
39
|
-
raise "Invalid settings,
|
40
|
-
@login_url = settings.
|
44
|
+
raise SettingError.new "Invalid settings, idp_sso_service_url is not set!" if settings.idp_sso_service_url.nil? or settings.idp_sso_service_url.empty?
|
45
|
+
@login_url = settings.idp_sso_service_url + request_params
|
41
46
|
end
|
42
47
|
|
43
48
|
# Creates the Get parameters for the request.
|
@@ -68,7 +73,7 @@ module OneLogin
|
|
68
73
|
base64_request = encode(request)
|
69
74
|
request_params = {"SAMLRequest" => base64_request}
|
70
75
|
|
71
|
-
if settings.
|
76
|
+
if settings.idp_sso_service_binding == Utils::BINDINGS[:redirect] && settings.security[:authn_requests_signed] && settings.private_key
|
72
77
|
params['SigAlg'] = settings.security[:signature_method]
|
73
78
|
url_string = OneLogin::RubySaml::Utils.build_query(
|
74
79
|
:type => 'SAMLRequest',
|
@@ -107,7 +112,7 @@ module OneLogin
|
|
107
112
|
root.attributes['ID'] = uuid
|
108
113
|
root.attributes['IssueInstant'] = time
|
109
114
|
root.attributes['Version'] = "2.0"
|
110
|
-
root.attributes['Destination'] = settings.
|
115
|
+
root.attributes['Destination'] = settings.idp_sso_service_url unless settings.idp_sso_service_url.nil? or settings.idp_sso_service_url.empty?
|
111
116
|
root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
|
112
117
|
root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
|
113
118
|
root.attributes["AttributeConsumingServiceIndex"] = settings.attributes_index unless settings.attributes_index.nil?
|
@@ -117,10 +122,22 @@ module OneLogin
|
|
117
122
|
if settings.assertion_consumer_service_url != nil
|
118
123
|
root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
|
119
124
|
end
|
120
|
-
if settings.
|
125
|
+
if settings.sp_entity_id != nil
|
121
126
|
issuer = root.add_element "saml:Issuer"
|
122
|
-
issuer.text = settings.
|
127
|
+
issuer.text = settings.sp_entity_id
|
123
128
|
end
|
129
|
+
|
130
|
+
if settings.name_identifier_value_requested != nil
|
131
|
+
subject = root.add_element "saml:Subject"
|
132
|
+
|
133
|
+
nameid = subject.add_element "saml:NameID"
|
134
|
+
nameid.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
|
135
|
+
nameid.text = settings.name_identifier_value_requested
|
136
|
+
|
137
|
+
subject_confirmation = subject.add_element "saml:SubjectConfirmation"
|
138
|
+
subject_confirmation.attributes['Method'] = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
|
139
|
+
end
|
140
|
+
|
124
141
|
if settings.name_identifier_format != nil
|
125
142
|
root.add_element "samlp:NameIDPolicy", {
|
126
143
|
# Might want to make AllowCreate a setting?
|
@@ -162,8 +179,7 @@ module OneLogin
|
|
162
179
|
end
|
163
180
|
|
164
181
|
def sign_document(document, settings)
|
165
|
-
|
166
|
-
if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
|
182
|
+
if settings.idp_sso_service_binding == Utils::BINDINGS[:post] && settings.security[:authn_requests_signed] && settings.private_key && settings.certificate
|
167
183
|
private_key = settings.get_sp_key
|
168
184
|
cert = settings.get_sp_cert
|
169
185
|
document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
|