saml_idp 0.10.0 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1a69c8d8c945c47e87cb526d4dfcf5f30c2f687d03b33e99013eef63acbe4377
-  data.tar.gz: 4933af3eb5cb686111307cd86d074ab45cc879a253f7a0833aaaa3262add74db
+  metadata.gz: f04deecaf7c0bd7c5655134d314a4b95b9438b24b67e83d7b160d9fa2232f2fc
+  data.tar.gz: b999a0a1f97e85e34704bfe35d3dddb89eebcfbfe1723be5e9dfcfb17e511ef5
 SHA512:
-  metadata.gz: 61d5e37801af0e41b71cdf0bdbac6cac61e0b86969de75c27519b74ede55e3b9c2ec7c2dfc8bff9ef82ec1fa1a870c9483fe31e65e17d645fdf6cab5205ac2d1
-  data.tar.gz: a1594a0f1da0694a93c478259dcece4d38c30863564aa653b585bdae9ef6834699b784ff151b7569e7cccee22b41e0b5a37f0a5151a89b664feda92005f3f21f
+  metadata.gz: 94921b45008f31783c0428992b9cad6b4b1098ad312fd721987d0d27f89921f286f7bd8960237b5f371f8ccb23cac1a6c8b6c7aa110fcf4318a0b63b52497e9e
+  data.tar.gz: e142a4c38d3604dc033d0cfef0a298fbb094d5d36939518558aa219d6bd16ca753960fcc553c076e9969e031946e56d10ef3ba0c1505fcf9df3f7ee62ecdab11

data/README.md

@@ -111,7 +111,7 @@ CERT
   # config.organization_name = "Your Organization"
   # config.organization_url = "http://example.com"
   # config.base_saml_location = "#{base}/saml"
-  # config.reference_id_generator                                 # Default: -> { UUID.generate }
+  # config.reference_id_generator                                 # Default: -> { SecureRandom.uuid }
   # config.single_logout_service_post_location = "#{base}/saml/logout"
   # config.single_logout_service_redirect_location = "#{base}/saml/logout"
   # config.attribute_service_location = "#{base}/saml/attributes"

data/lib/saml_idp/configurator.rb

@@ -1,5 +1,7 @@
 # encoding: utf-8
 require 'ostruct'
+require 'securerandom'
+
 module SamlIdp
   class Configurator
     attr_accessor :x509_certificate
@@ -13,6 +15,7 @@ module SamlIdp
     attr_accessor :reference_id_generator
     attr_accessor :attribute_service_location
     attr_accessor :single_service_post_location
+    attr_accessor :single_service_redirect_location
     attr_accessor :single_logout_service_post_location
     attr_accessor :single_logout_service_redirect_location
     attr_accessor :attributes
@@ -24,7 +27,7 @@ module SamlIdp
       self.x509_certificate = Default::X509_CERTIFICATE
       self.secret_key = Default::SECRET_KEY
       self.algorithm = :sha1
-      self.reference_id_generator = ->() { UUID.generate }
+      self.reference_id_generator = ->() { SecureRandom.uuid }
       self.service_provider = OpenStruct.new
       self.service_provider.finder = ->(_) { Default::SERVICE_PROVIDER }
       self.service_provider.metadata_persister = ->(id, settings) {  }

data/lib/saml_idp/controller.rb

@@ -2,7 +2,7 @@
 require 'openssl'
 require 'base64'
 require 'time'
-require 'uuid'
+require 'securerandom'
 require 'saml_idp/request'
 require 'saml_idp/logout_response_builder'
 module SamlIdp
@@ -126,11 +126,11 @@ module SamlIdp
     end
 
     def get_saml_response_id
-      UUID.generate
+      SecureRandom.uuid
     end
 
     def get_saml_reference_id
-      UUID.generate
+      SecureRandom.uuid
     end
 
     def default_algorithm

data/lib/saml_idp/incoming_metadata.rb

@@ -34,6 +34,19 @@ module SamlIdp
     end
     hashable :sign_assertions
 
+    def sign_authn_request
+      doc = xpath(
+        "//md:SPSSODescriptor",
+        ds: signature_namespace,
+        md: metadata_namespace
+      ).first
+      if (doc && !doc['AuthnRequestsSigned'].nil?)
+        return doc['AuthnRequestsSigned'].strip.downcase == 'true'
+      end
+      return false
+    end
+    hashable :sign_authn_request
+
     def display_name
       role_descriptor_document.present? ? role_descriptor_document["ServiceDisplayName"] : ""
     end

data/lib/saml_idp/metadata_builder.rb

@@ -24,13 +24,15 @@ module SamlIdp
 
             entity.IDPSSODescriptor protocolSupportEnumeration: protocol_enumeration do |descriptor|
               build_key_descriptor descriptor
-              descriptor.SingleLogoutService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-                Location: single_logout_service_post_location
-              descriptor.SingleLogoutService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-                Location: single_logout_service_redirect_location
+              build_endpoint descriptor, [
+                { tag: 'SingleLogoutService', url: single_logout_service_post_location, bind: 'HTTP-POST' }, 
+                { tag: 'SingleLogoutService', url: single_logout_service_redirect_location, bind: 'HTTP-Redirect'}
+              ]
               build_name_id_formats descriptor
-              descriptor.SingleSignOnService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-                Location: single_service_post_location
+              build_endpoint descriptor, [
+                { tag: 'SingleSignOnService', url: single_service_post_location, bind: 'HTTP-POST' }, 
+                { tag: 'SingleSignOnService', url: single_service_redirect_location, bind: 'HTTP-Redirect'}
+              ]
               build_attribute descriptor
             end
 
@@ -38,8 +40,9 @@ module SamlIdp
               build_key_descriptor authority_descriptor
               build_organization authority_descriptor
               build_contact authority_descriptor
-              authority_descriptor.AttributeService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-                Location: attribute_service_location
+              build_endpoint authority_descriptor, [
+                { tag: 'AttributeService', url: attribute_service_location, bind: 'HTTP-Redirect' }
+              ]
               build_name_id_formats authority_descriptor
               build_attribute authority_descriptor
             end
@@ -69,6 +72,17 @@ module SamlIdp
     end
     private :build_name_id_formats
 
+    def build_endpoint(el, end_points)
+      end_points.each do |ep|
+        next unless ep[:url].present?
+
+        el.tag! ep[:tag],
+          Binding: "urn:oasis:names:tc:SAML:2.0:bindings:#{ep[:bind]}",
+          Location: ep[:url]
+      end
+    end
+    private :build_endpoint
+
     def build_attribute(el)
       attributes.each do |attribute|
         el.tag! "saml:Attribute",
@@ -151,6 +165,7 @@ module SamlIdp
       organization_url
       attribute_service_location
       single_service_post_location
+      single_service_redirect_location
       single_logout_service_post_location
       single_logout_service_redirect_location
       technical_contact

data/lib/saml_idp/persisted_metadata.rb

@@ -6,5 +6,9 @@ module SamlIdp
     def sign_assertions?
       !!attributes[:sign_assertions]
     end
+
+    def sign_authn_request?
+      !!attributes[:sign_authn_request]
+    end
   end
 end

data/lib/saml_idp/request.rb

@@ -115,9 +115,14 @@ module SamlIdp
     end
 
     def valid_signature?
-      # Force signatures for logout requests because there is no other
-      # protection against a cross-site DoS.
-      service_provider.valid_signature?(document, logout_request?)
+      # Force signatures for logout requests because there is no other protection against a cross-site DoS.
+      # Validate signature when metadata specify AuthnRequest should be signed
+      metadata = service_provider.current_metadata
+      if logout_request? || authn_request? && metadata.respond_to?(:sign_authn_request?) && metadata.sign_authn_request?
+        document.valid_signature?(service_provider.fingerprint)
+      else
+        true
+      end
     end
 
     def service_provider?

data/lib/saml_idp/service_provider.rb

@@ -22,18 +22,13 @@ module SamlIdp
     end
 
     def valid_signature?(doc, require_signature = false)
-      if require_signature || should_validate_signature?
+      if require_signature || attributes[:validate_signature]
         doc.valid_signature?(fingerprint)
       else
         true
       end
     end
 
-    def should_validate_signature?
-      attributes[:validate_signature] ||
-        current_metadata.respond_to?(:sign_assertions?) && current_metadata.sign_assertions?
-    end
-
     def refresh_metadata
       fresh = fresh_incoming_metadata
       if valid_signature?(fresh.document)

data/lib/saml_idp/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
-  VERSION = '0.10.0'
+  VERSION = '0.11.0'
 end

data/saml_idp.gemspec

@@ -44,7 +44,6 @@ section of the README.
   INST
 
   s.add_dependency('activesupport', '>= 3.2')
-  s.add_dependency('uuid', '>= 2.3')
   s.add_dependency('builder', '>= 3.0')
   s.add_dependency('nokogiri', '>= 1.6.2')
 

data/spec/lib/saml_idp/configurator_spec.rb

@@ -9,6 +9,7 @@ module SamlIdp
     it { should respond_to :base_saml_location }
     it { should respond_to :reference_id_generator }
     it { should respond_to :attribute_service_location }
+    it { should respond_to :single_service_redirect_location }
     it { should respond_to :single_service_post_location }
     it { should respond_to :single_logout_service_post_location }
     it { should respond_to :single_logout_service_redirect_location }

data/spec/lib/saml_idp/controller_spec.rb

@@ -21,6 +21,30 @@ describe SamlIdp::Controller do
     expect(saml_acs_url).to eq(requested_saml_acs_url)
   end
 
+  context "When SP metadata required to validate auth request signature" do
+    before do
+      idp_configure("https://foo.example.com/saml/consume", true)
+      params[:SAMLRequest] = make_saml_request("https://foo.example.com/saml/consume", true)
+    end
+
+    it 'SP metadata sign_authn_request attribute should be true' do
+      # Signed auth request will be true in the metadata
+      expect(SamlIdp.config.service_provider.persisted_metadata_getter.call(nil,nil)[:sign_authn_request]).to eq(true)
+    end
+
+    it 'should call xml signature validation method' do
+      signed_doc = SamlIdp::XMLSecurity::SignedDocument.new(params[:SAMLRequest])
+      allow(signed_doc).to receive(:validate).and_return(true)
+      allow(SamlIdp::XMLSecurity::SignedDocument).to receive(:new).and_return(signed_doc)
+      validate_saml_request
+      expect(signed_doc).to have_received(:validate).once
+    end
+
+    it 'should successfully validate signature' do
+      expect(validate_saml_request).to eq(true)
+    end
+  end
+
   context "SAML Responses" do
     let(:principal) { double email_address: "foo@example.com" }
     let (:encryption_opts) do

data/spec/lib/saml_idp/incoming_metadata_spec.rb

@@ -3,7 +3,7 @@ module SamlIdp
 
   metadata_1 = <<-eos
 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
-  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="false">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="false">
   </md:SPSSODescriptor>
 </md:EntityDescriptor>
   eos
@@ -22,10 +22,18 @@ module SamlIdp
 </md:EntityDescriptor>
   eos
 
+  metadata_4 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
   describe IncomingMetadata do
     it 'should properly set sign_assertions to false' do
       metadata = SamlIdp::IncomingMetadata.new(metadata_1)
       expect(metadata.sign_assertions).to eq(false)
+      expect(metadata.sign_authn_request).to eq(false)
     end
 
     it 'should properly set entity_id as https://test-saml.com/saml' do
@@ -36,11 +44,17 @@ module SamlIdp
     it 'should properly set sign_assertions to true' do
       metadata = SamlIdp::IncomingMetadata.new(metadata_2)
       expect(metadata.sign_assertions).to eq(true)
+      expect(metadata.sign_authn_request).to eq(true)
     end
 
     it 'should properly set sign_assertions to false when WantAssertionsSigned is not included' do
       metadata = SamlIdp::IncomingMetadata.new(metadata_3)
       expect(metadata.sign_assertions).to eq(false)
     end
+
+    it 'should properly set sign_authn_request to false when AuthnRequestsSigned is not included' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_4)
+      expect(metadata.sign_authn_request).to eq(false)
+    end
   end
 end

data/spec/lib/saml_idp/metadata_builder_spec.rb

@@ -11,7 +11,30 @@ module SamlIdp
 
     it "includes logout element" do
       subject.configurator.single_logout_service_post_location = 'https://example.com/saml/logout'
+      subject.configurator.single_logout_service_redirect_location = 'https://example.com/saml/logout'
       expect(subject.fresh).to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/logout"/>')
+      expect(subject.fresh).to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/logout"/>')
+    end
+
+    it 'will not includes empty logout endpoint' do
+      subject.configurator.single_logout_service_post_location = ''
+      subject.configurator.single_logout_service_redirect_location = nil
+      expect(subject.fresh).not_to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"')
+      expect(subject.fresh).not_to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"')
+    end
+
+    it 'will includes sso element' do
+      subject.configurator.single_service_post_location = 'https://example.com/saml/sso'
+      subject.configurator.single_service_redirect_location = 'https://example.com/saml/sso'
+      expect(subject.fresh).to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/sso"/>')
+      expect(subject.fresh).to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/sso"/>')
+    end
+
+    it 'will not includes empty sso element' do
+      subject.configurator.single_service_post_location = ''
+      subject.configurator.single_service_redirect_location = nil
+      expect(subject.fresh).not_to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"')
+      expect(subject.fresh).not_to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"')
     end
 
     context "technical contact" do

data/spec/spec_helper.rb

@@ -43,6 +43,25 @@ RSpec.configure do |config|
       }
     end
   end
+
+  # To reset to default config
+  config.after do
+    SamlIdp.instance_variable_set(:@config, nil)
+    SamlIdp.configure do |c|
+      c.attributes = {
+        emailAddress: {
+          name: "email-address",
+          getter: ->(p) { "foo@example.com" }
+        }
+      }
+
+      c.name_id.formats = {
+        "1.1" => {
+          email_address: ->(p) { "foo@example.com" }
+        }
+      }
+    end
+  end
 end
 
 SamlIdp::Default::SERVICE_PROVIDER[:metadata_url] = 'https://example.com/meta'

data/spec/support/certificates/sp_cert_req.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIByTCCATICAQAwgYgxCzAJBgNVBAYTAmpwMQ4wDAYDVQQIDAVUb2t5bzELMAkG
+A1UECgwCR1MxIDAeBgNVBAMMF2h0dHBzOi8vZm9vLmV4YW1wbGUuY29tMQwwCgYD
+VQQHDANGb28xDDAKBgNVBAsMA0JvbzEeMBwGCSqGSIb3DQEJARYPZm9vQGV4YW1w
+bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8DVj2mVLQV7AjT+cn
+Lv3kDnQFvAo3RdUeGGhplsYFacYByzNRD/jeguu1ahrvznDyZN8p3yB7OPbmt0r0
+aGr+yYzPh6brgkf5u6FMtWTj94vLQuT/uyQGuzdBkiLb5mAWRMtm43oHXDK0v25J
+tsG1PJnntkXfBDpFP1eWLO+jZwIDAQABoAAwDQYJKoZIhvcNAQENBQADgYEAd/J6
+5zjrMhgjxuaMuWCiNN7IS4F9SKy+gEmhkpNVCpChbpggruaEIoERjDP/TkZn2dgL
+VUeHTZB92t+wWfQbHNvEfbzqlV3XkuHkxewCwofnIV/k+8zG1Al5ELSKHehItxig
+rnTuBrFYsd2j4HEVqLzm4NyCfL+xzn/D4U2ec50=
+-----END CERTIFICATE REQUEST-----

data/spec/support/certificates/sp_private_key.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALwNWPaZUtBXsCNP
+5ycu/eQOdAW8CjdF1R4YaGmWxgVpxgHLM1EP+N6C67VqGu/OcPJk3ynfIHs49ua3
+SvRoav7JjM+HpuuCR/m7oUy1ZOP3i8tC5P+7JAa7N0GSItvmYBZEy2bjegdcMrS/
+bkm2wbU8mee2Rd8EOkU/V5Ys76NnAgMBAAECgYEArwclVHCkebIECPnnxbqhKNCj
+AGtifsuKbrZ9CDoDGSq31xeQLdTV6BSm2nVlmOnmilWEuG4qx0Xf2CGlrBI78kmv
+vHCfFdaGnTxbmYnD0HN0u4RK2trsxWO+rEkJk14JE2eVD6ZRPrq1UOSMgGPrQSMb
+SuwAHUu/j94eL8BXuhECQQD3jTlo3Y4VPWttP6XPNqKDP+jRYJs5G0Bch//S9Qy7
+QzmU9/yAUk0BEOyqYcLxinjJhoq6bR2fiIibn+77z3jtAkEAwnhLwkGYOb7Nt3V6
+dQLKx1BP9dnYH7qG/sCmAs7GHPv4LGluaz4zsh2pdEDF/Xar4gwTzUpxYo8FpkCH
+rf4nIwJAVfWnGr/cR4nVVNFGHUcGdXbqvFHEdLb+yWK8NZ+79Qap5w2Zk2GAtb8P
+vzZFQCRqPuhGIegj4jLB5PBLRwtLHQJBAJiWyWL4ExikRUhBTr/HXBL+Sm9u6i0j
+L89unBQx6LNPZhB6/Z/6Y5fLvG2ycWgLGJ06usLnOYaLEHS9x3hXpp8CQQCdtQHw
+xeLBPhRDpfWWbSmFr+bFxyD/4iQHTHToIs3kaecn6OJ4rczIFpGm2Bm7f4X7F3H3
+DDy4jZ0R6iDqCcQD
+-----END PRIVATE KEY-----

data/spec/support/certificates/sp_x509_cert.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAkGgAwIBAgIBADANBgkqhkiG9w0BAQ0FADCBiDELMAkGA1UEBhMCanAx
+DjAMBgNVBAgMBVRva3lvMQswCQYDVQQKDAJHUzEgMB4GA1UEAwwXaHR0cHM6Ly9m
+b28uZXhhbXBsZS5jb20xDDAKBgNVBAcMA0ZvbzEMMAoGA1UECwwDQm9vMR4wHAYJ
+KoZIhvcNAQkBFg9mb29AZXhhbXBsZS5jb20wHhcNMjAwMTIzMDYyMzI5WhcNNDcw
+NjA5MDYyMzI5WjCBiDELMAkGA1UEBhMCanAxDjAMBgNVBAgMBVRva3lvMQswCQYD
+VQQKDAJHUzEgMB4GA1UEAwwXaHR0cHM6Ly9mb28uZXhhbXBsZS5jb20xDDAKBgNV
+BAcMA0ZvbzEMMAoGA1UECwwDQm9vMR4wHAYJKoZIhvcNAQkBFg9mb29AZXhhbXBs
+ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALwNWPaZUtBXsCNP5ycu
+/eQOdAW8CjdF1R4YaGmWxgVpxgHLM1EP+N6C67VqGu/OcPJk3ynfIHs49ua3SvRo
+av7JjM+HpuuCR/m7oUy1ZOP3i8tC5P+7JAa7N0GSItvmYBZEy2bjegdcMrS/bkm2
+wbU8mee2Rd8EOkU/V5Ys76NnAgMBAAGjUDBOMB0GA1UdDgQWBBQMtOtrh2VS/mh4
+awGbKA37vVnw+zAfBgNVHSMEGDAWgBQMtOtrh2VS/mh4awGbKA37vVnw+zAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAHjTTm4Hyx1rfzygknc6q1dYwpEv
+/3AsPiTnF4AfH/5kGIIXNzwg0ADsziFMJYRRR9eMu97CHQbr8gHt99P8uaen6cmJ
+4VCwJLP2N8gZrycssimA3M83DWRRVZbxZhpuUWNajtYIxwyUbB7eRSJgz3Tc0opF
+933YwucWuFzKSqn3
+-----END CERTIFICATE-----

data/spec/support/saml_request_macros.rb

@@ -1,9 +1,9 @@
 require 'saml_idp/logout_request_builder'
 
 module SamlRequestMacros
-  def make_saml_request(requested_saml_acs_url = "https://foo.example.com/saml/consume")
+  def make_saml_request(requested_saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
     auth_request = OneLogin::RubySaml::Authrequest.new
-    auth_url = auth_request.create(saml_settings(requested_saml_acs_url))
+    auth_url = auth_request.create(saml_settings(requested_saml_acs_url, enable_secure_options))
     CGI.unescape(auth_url.split("=").last)
   end
 
@@ -18,7 +18,12 @@ module SamlRequestMacros
     Base64.strict_encode64(request_builder.signed)
   end
 
-  def saml_settings(saml_acs_url = "https://foo.example.com/saml/consume")
+  def generate_sp_metadata(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
+    sp_metadata = OneLogin::RubySaml::Metadata.new
+    sp_metadata.generate(saml_settings(saml_acs_url, enable_secure_options), true)
+  end
+
+  def saml_settings(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
     settings = OneLogin::RubySaml::Settings.new
     settings.assertion_consumer_service_url = saml_acs_url
     settings.issuer = "http://example.com/issuer"
@@ -26,9 +31,63 @@ module SamlRequestMacros
     settings.assertion_consumer_logout_service_url = 'https://foo.example.com/saml/logout'
     settings.idp_cert_fingerprint = SamlIdp::Default::FINGERPRINT
     settings.name_identifier_format = SamlIdp::Default::NAME_ID_FORMAT
+    add_securty_options(settings) if enable_secure_options
     settings
   end
 
+  def add_securty_options(settings, authn_requests_signed: true, 
+                                    embed_sign: true, 
+                                    logout_requests_signed: true, 
+                                    logout_responses_signed: true,
+                                    digest_method: XMLSecurity::Document::SHA256,
+                                    signature_method: XMLSecurity::Document::RSA_SHA256)
+    # Security section
+    settings.idp_cert = SamlIdp::Default::X509_CERTIFICATE
+    # Signed embedded singature
+    settings.security[:authn_requests_signed] = authn_requests_signed
+    settings.security[:embed_sign] = embed_sign
+    settings.security[:logout_requests_signed] = logout_requests_signed
+    settings.security[:logout_responses_signed] = logout_responses_signed
+    settings.security[:metadata_signed] = digest_method
+    settings.security[:digest_method] = digest_method
+    settings.security[:signature_method] = signature_method
+    settings.private_key = sp_pv_key
+    settings.certificate = sp_x509_cert
+  end
+
+  def idp_configure(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
+    SamlIdp.configure do |config|
+      config.x509_certificate = SamlIdp::Default::X509_CERTIFICATE
+      config.secret_key = SamlIdp::Default::SECRET_KEY
+      config.password = nil
+      config.algorithm = :sha256
+      config.organization_name = 'idp.com'
+      config.organization_url = 'http://idp.com'
+      config.base_saml_location = 'http://idp.com/saml/idp'
+      config.single_logout_service_post_location = 'http://idp.com/saml/idp/logout'
+      config.single_logout_service_redirect_location = 'http://idp.com/saml/idp/logout'
+      config.attribute_service_location = 'http://idp.com/saml/idp/attribute'
+      config.single_service_post_location = 'http://idp.com/saml/idp/sso'
+      config.name_id.formats = SamlIdp::Default::NAME_ID_FORMAT
+      config.service_provider.metadata_persister = lambda { |_identifier, _service_provider|
+        raw_metadata = generate_sp_metadata(saml_acs_url, enable_secure_options)
+        SamlIdp::IncomingMetadata.new(raw_metadata).to_h
+      }
+      config.service_provider.persisted_metadata_getter = lambda { |_identifier, _settings|
+        raw_metadata = generate_sp_metadata(saml_acs_url, enable_secure_options)
+        SamlIdp::IncomingMetadata.new(raw_metadata).to_h
+      }
+      config.service_provider.finder = lambda { |_issuer_or_entity_id|
+        {
+          response_hosts: [URI(saml_acs_url).host],
+          acs_url: saml_acs_url,
+          cert: sp_x509_cert,
+          fingerprint: Digest::SHA256.hexdigest(OpenSSL::X509::Certificate.new(sp_x509_cert).to_der).scan(/../).join(':')
+        }
+      }
+    end
+  end
+
   def print_pretty_xml(xml_string)
     doc = REXML::Document.new xml_string
     outbuf = ""

data/spec/support/security_helpers.rb

@@ -58,4 +58,14 @@ module SecurityHelpers
   def r1_signature_2
     @signature2 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'r1_certificate2_base64'))
   end
+
+  # Generated by SAML tool https://www.samltool.com/self_signed_certs.php
+  def sp_pv_key
+    @sp_pv_key ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'sp_private_key.pem'))
+  end
+
+  # Generated by SAML tool https://www.samltool.com/self_signed_certs.php, expired date is 9999
+  def sp_x509_cert
+    @sp_x509_cert ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'sp_x509_cert.crt'))
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml_idp
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.11.0
 platform: ruby
 authors:
 - Jon Phenow
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-10-13 00:00:00.000000000 Z
+date: 2020-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -24,20 +24,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '3.2'
-- !ruby/object:Gem::Dependency
-  name: uuid
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '2.3'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -333,6 +319,9 @@ files:
 - spec/spec_helper.rb
 - spec/support/certificates/certificate1
 - spec/support/certificates/r1_certificate2_base64
+- spec/support/certificates/sp_cert_req.csr
+- spec/support/certificates/sp_private_key.pem
+- spec/support/certificates/sp_x509_cert.crt
 - spec/support/responses/adfs_response_sha1.xml
 - spec/support/responses/adfs_response_sha256.xml
 - spec/support/responses/adfs_response_sha384.xml
@@ -361,7 +350,7 @@ metadata:
   homepage_uri: https://github.com/saml-idp/saml_idp
   source_code_uri: https://github.com/saml-idp/saml_idp
   bug_tracker_uri: https://github.com/saml-idp/saml_idp/issues
-  documentation_uri: http://rdoc.info/gems/saml_idp/0.10.0
+  documentation_uri: http://rdoc.info/gems/saml_idp/0.11.0
 post_install_message: |
   If you're just recently updating saml_idp - please be aware we've changed the default
   certificate. See the PR and a description of why we've done this here:
@@ -470,6 +459,9 @@ test_files:
 - spec/spec_helper.rb
 - spec/support/certificates/certificate1
 - spec/support/certificates/r1_certificate2_base64
+- spec/support/certificates/sp_cert_req.csr
+- spec/support/certificates/sp_private_key.pem
+- spec/support/certificates/sp_x509_cert.crt
 - spec/support/responses/adfs_response_sha1.xml
 - spec/support/responses/adfs_response_sha256.xml
 - spec/support/responses/adfs_response_sha384.xml