saml2 3.2.4 → 3.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 05f37a8ab729b5a78b6b76c430ae6613d5852613b45980721510e60925b39872
-  data.tar.gz: 1e1ea950995d3deefa465c0fdb2c45c796327bf739633ec2e9b1d977931ee116
+  metadata.gz: 771858fe6a969b67349b77e75471ae2e3cf39f63bddf09a4944d9edaa022e870
+  data.tar.gz: 85b835224adb9a15269d5b6d3d62cc7a3320cd391c714445e7399e51dadccedb
 SHA512:
-  metadata.gz: 3f3f9d16794991653ebd7c779e5f325b4d0f48a94d90d08f225b82329ec448f09fb495a0028ab3b3b13bb7d9a797fc0c8a4ec0df8630822527e632303d54f408
-  data.tar.gz: 4e025a411a4dea50efa1377c3e2b09c1aa34f52db3ddb1e1e146041835dd392e9945e831751cc1f0b749c19e3c792af630d7b27dcbaaea3fe5544d8c15be4ccd
+  metadata.gz: 2837de4133371963522b8d159d58bbebed7c4bbd8feef331d2445281a40df95a818e63607c4095e2d8a93141f2288a5697f2c00a789b1f8316b45da092ba83a3
+  data.tar.gz: de08845f21f153d09e72644dd1dce422d198e492d974fda7f63fd26380e57ca3d61ec07a80ecf3686849a95ea985a5e09fde2981dd29ac043c9f1afdc4824ae4

data/lib/saml2/authn_statement.rb

@@ -4,27 +4,45 @@ require "saml2/base"
 
 module SAML2
   class AuthnStatement < Base
+    # @see https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf
     module Classes
-      INTERNET_PROTOCOL =
-        "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" # IP address
-      INTERNET_PROTOCOL_PASSWORD =
-        "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword" # IP address, as well as username/password
-      KERBEROS =
-        "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
-      PASSWORD =
-        "urn:oasis:names:tc:SAML:2.0:ac:classes:Password" # username/password, NOT over SSL
-      PASSWORD_PROTECTED_TRANSPORT =
-        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" # username/password over SSL
-      PREVIOUS_SESSION =
-        "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession" # remember me
-      SMARTCARD =
-        "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard"
-      SMARTCARD_PKI =
-        "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI" # smartcard with a private key on it
-      TLS_CLIENT =
-        "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" # SSL client certificate
-      UNSPECIFIED =
-        "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
+      INTERNET_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol"
+      INTERNET_PROTOCOL_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"
+      KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
+      MOBILE_ONE_FACTOR_CONTRACT = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract"
+      MOBILE_ONE_FACTOR_UNREGISTERED = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered"
+      MOBILE_TWO_FACTOR_CONTRACT = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
+      MOBILE_TWO_FACTOR_UNREGISTERED = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered"
+      PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+      PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+      PGP = "urn:oasis:names:tc:SAML:2.0:ac:classes:PGP"
+      PREVIOUS_SESSION = "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"
+      SMARTCARD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard"
+      SMARTCARD_PKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
+      SOFTWARE_PKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI"
+      SPKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI"
+      SECURE_REMOTE_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword"
+      TELEPHONY = "urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony"
+      TELEPHONY_AUTHENTICATED = "urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony"
+      TELEPHONHY_NOMAD = "urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony"
+      TELEPHONY_PERSONALIZED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony"
+      TIME_SYNC_TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
+      TLS_CLIENT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"
+      X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
+      XMLDSIG = "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig"
+      UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
+
+      # @see https://refeds.org/profile/mfa
+      REFEDS_MFA = "https://refeds.org/profile/mfa"
+      # @see https://refeds.org/profile/sfa
+      REFEDS_SFA = "https://refeds.org/profile/sfa"
+
+      # @see https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-expected-inbound-assertions
+      MICROSOFT_MULTIPLE_AUTHN = "http://schemas.microsoft.com/claims/multipleauthn"
+      # @see https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-expected-inbound-assertions
+      MICROSOFT_WIA_OR_MULTI_AUTHN = "http://schemas.microsoft.com/claims/wiaormultiauthn"
+      # @see https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol#requestedauthncontext
+      MICROSOFT_WINDOWS = "urn:federation:authentication:windows"
     end
 
     # @return [Time]

data/lib/saml2/status.rb

@@ -7,24 +7,74 @@ module SAML2
     SUCCESS   = "urn:oasis:names:tc:SAML:2.0:status:Success"
     REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
     RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
+    VERSION_MISMATCH = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
 
+    AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
+    INVALID_ATTR_NAME_OR_VALUE = "urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue"
+    INVALID_NAME_ID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
+    NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
+    NO_AVAILABLE_IDP = "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP"
+    NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
+    NO_SUPPORTED_IDP = "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP"
+    PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
+    PROXY_COUNT_EXCEEDED = "urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded"
+    REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
+    REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"
+    REQUEST_VERSION_DEPRECATED = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated"
+    REQUEST_VERSION_TOO_HIGH = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh"
+    REQUEST_VERSION_TOO_LOW = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow"
+    RESOURCE_NOT_RECOGNIZED = "urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized"
+    TOO_MANY_RESPONSES = "urn:oasis:names:tc:SAML::2.0:status:TooManyResponses"
+    UNKNOWN_ATTR_PROFILE = "urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile"
+    UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
+    UNSUPPORTED_BINDING = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"
+
+    TOP_LEVEL_STATUS_CODES = [SUCCESS, REQUESTER, RESPONDER, VERSION_MISMATCH].freeze
+
+    # @return [Array<String>]
+    attr_reader :codes
     # @return [String]
-    attr_accessor :code, :message
+    attr_accessor :message, :detail
 
     # @param code [String]
     # @param message [String, nil]
-    def initialize(code = SUCCESS, message = nil)
+    def initialize(code = SUCCESS, message = nil, detail = nil)
       super()
-      @code = code
+      self.codes = code
       @message = message
+      @detail = detail
     end
 
     # (see Base#from_xml)
     def from_xml(node)
       super
-      self.code = node.at_xpath("samlp:StatusCode", Namespaces::ALL)["Value"]
-      self.message = load_string_array(xml, "samlp:StatusMessage")
+
+      @codes.clear
+      code_node = node
+
+      loop do
+        code_node = code_node.at_xpath("samlp:StatusCode", Namespaces::ALL)
+        break unless code_node
+
+        codes << code_node["Value"]
+      end
+      self.message = xml.at_xpath("samlp:StatusMessage", Namespaces::ALL)&.content&.strip
+      self.detail = xml.at_xpath("samlp:StatusDetail", Namespaces::ALL)&.content&.strip
+    end
+
+    def code
+      codes.first
+    end
+
+    def codes=(value)
+      codes = Array.wrap(value)
+      unless TOP_LEVEL_STATUS_CODES.include?(codes.first)
+        raise ArgumentError, "Invalid top level status code #{codes.first.inspect}"
+      end
+
+      @codes = codes
     end
+    alias_method :code=, :codes=
 
     def success?
       code == SUCCESS
@@ -33,10 +83,20 @@ module SAML2
     # (see Base#build)
     def build(builder)
       builder["samlp"].Status do |status|
-        status["samlp"].StatusCode(Value: code)
-        Array(message).each do |m|
-          status["samlp"].StatusMessage(m)
-        end
+        build_code(status, codes, 0)
+
+        status["samlp"].StatusMessage(message) if message
+        status["samlp"].StatusDetail(detail) if detail
+      end
+    end
+
+    private
+
+    def build_code(builder, codes, idx)
+      return if idx >= codes.length
+
+      builder["samlp"].StatusCode(Value: codes[idx]) do |code_builder|
+        build_code(code_builder, codes, idx + 1)
       end
     end
   end

data/lib/saml2/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SAML2
-  VERSION = "3.2.4"
+  VERSION = "3.3.1"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-  version: 3.2.4
+  version: 3.3.1
 platform: ruby
 authors:
 - Cody Cutrer
 bindir: exe
 cert_chain: []
-date: 2025-10-13 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -158,7 +158,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.3
+rubygems_version: 3.6.9
 specification_version: 4
 summary: SAML 2.0 Library
 test_files: []