saml_idp_rails 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ee42ec55e4011bf7db613fd7ac82ae6357505f95cf19892f1203a659cb88a2fb
+  data.tar.gz: 204c561da47fc51ab53de0bb9b34d6a6d519febbfe638dd05b44a501176fe251
+SHA512:
+  metadata.gz: 01c41f507dc9fe3b896382d9009ebafb2096e7b68b0c6d9c85413c167f9a9da7889cc0c9cd4b33b14e7cdc764ebe2dbe31d42352276336af04fbcecb7cc205e7
+  data.tar.gz: cfc3728394769efa8cff0370a500db391fa237379a60f12bfe3a82ab29ecd81869d6c5e0e65de2030766d303e4da1ac3e9ce2a2752e18473b25ce73ca1b29ce0

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright zogoo
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,150 @@
+# SamlIdpRails
+A Ruby gem that implements SAML Identity Provider (IdP) functionality for Rails applications.
+
+## Usage
+This gem allows you to add SAML IdP capabilities to your Rails application.
+
+## Installation
+
+1. Add this line to your Rails application's Gemfile:
+
+```ruby
+gem "saml_idp_rails"
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install saml_idp_rails
+```
+
+2. Generate the necessary migrations for Active Record:
+```bash
+bin/rails saml_idp_rails:install:migrations
+```
+
+3. Migrate the Service Provider settings to your database:
+```bash
+bin/rails db:migrate
+```
+
+4. Configure your IdP service:
+Create a configuration file in your Rails initializers directory:
+
+```rb
+# config/initializers/saml_idp_config.rb
+
+SamlIdpRails.configure do |config|
+  # Base URL of your application
+  config.base_url = "http://localhost:3000"
+  
+  # URL where users will be redirected to sign in
+  config.sign_in_url = "/users/sign_in"
+  
+  # Default URL to redirect after successful authentication
+  config.relay_state_url = "/home"
+  
+  # Hook to validate user session
+  config.session_validation_hook = ->(session) { true }
+  
+  # Lambda to find SAML Service Provider configuration
+  config.saml_config_finder = lambda do |_request|
+    SamlIdpRails::SamlSpConfig.find_by(uuid: params.require(:uuid))
+  end
+  
+  # Lambda to find and return user information for SAML response
+  config.saml_user_finder = lambda do |_request|
+    User = Struct.new(:name_id_attribute, :email, keyword_init: true)
+    User.new(
+      name_id_attribute: "email",
+      email: "user@example.com"
+    )
+  end
+end
+```
+
+5. Create a Service Provider (SP) configuration:
+After running migrations, you'll find a migration file in your Rails app under:
+`db/migrate/YYYYMMDDHHMMSS_create_saml_idp_rails_saml_sp_configs.saml_idp_rails.rb`
+
+Example of creating an SP configuration:
+
+```rb
+SamlIdpRails::SamlSpConfig.create(
+  # Basic SP Information
+  name: "Test SP Config One",                # Unique identifier for the SP configuration
+  display_name: "Test SP One",               # Human-readable name for the SP
+  entity_id: "http://test-sp-one.com",      # Entity ID provided by the SP
+  
+  # Certificate and Key Configuration
+  signing_certificate: "Your IdP public key",    # Base64 encoded IdP public key
+  encryption_certificate: nil,                   # Optional: SP encryption certificate
+  private_key: "Your IdP private key",          # IdP private key (keep secure)
+  pv_key_password: nil,                         # Optional: Private key password if encrypted
+  
+  # SAML Settings
+  sign_assertions: true,                    # Whether to sign SAML assertions
+  sign_authn_request: false,                # Whether SP requires signed authentication requests
+  certificate: "SP X509 certificate",       # SP's public certificate for signature validation
+  relay_state: "sample_relay_state",        # Post-SSO redirect URL
+  name_id_attribute: "email",               # Attribute to use as NameID
+  raw_metadata: nil,                        # Optional: Raw SP metadata XML
+  
+  # SAML Format Settings
+  name_id_formats: ["email_address"],       # Supported NameID formats
+  
+  # Service Endpoints
+  assertion_consumer_services: [{
+    "binding" => "HTTP-POST",
+    "default" => "true",
+    "location" => "http://test-sp-one.com/acs"
+  }],
+  single_logout_services: {
+    "HTTP-Redirect" => "http://test-sp-one.com/slo"
+  },
+  
+  # Contact Information
+  contact_person: {
+    "surname" => "Doe",
+    "given_name" => "John",
+    "email_address" => "john.doe@test-sp-one.com"
+  },
+  
+  # SAML Attributes
+  saml_attributes: [{
+    "name" => "email",
+    "getter" => "email",
+    "nameFormat" => "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
+    "name_format" => "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
+    "friendlyName" => "Email address"
+  }],
+  
+  # Public Identifier
+  uuid: "8ad17d2a-f870-4796-8212-7487411b8578"  # Unique identifier for SP configuration
+)
+```
+
+Once you successfully create the correct `SamlSpConfig`.
+Then you can test it in your development environment to accessing following url
+
+1. Metadata endpoint
+```bash
+curl http://localhost:3000/saml_idp/8ad17d2a-f870-4796-8212-7487411b8578/metadata
+```
+
+2. IdP initiated SAML SSO
+You will see SAML response posted `http://test-sp-one.com/acs` in the Network tab of Browser dev tool.
+
+```url
+http://localhost:3000/saml_idp/8ad17d2a-f870-4796-8212-7487411b8578/sso
+```
+
+## Contributing
+To contribute, fork the repository and create a pull request with your changes.
+
+## License
+This gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+load "rails/tasks/statistics.rake"
+
+require "bundler/gem_tasks"

data/app/assets/stylesheets/saml_idp_rails/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/controllers/saml_idp_rails/application_controller.rb

@@ -0,0 +1,4 @@
+module SamlIdpRails
+  class ApplicationController < ActionController::Base
+  end
+end

data/app/controllers/saml_idp_rails/saml_idp_controller.rb

@@ -0,0 +1,143 @@
+require_relative "../../../lib/saml_idp_rails/saml_config"
+
+module SamlIdpRails
+  class SamlIdpController < ApplicationController
+    layout false
+    include SamlIdp::Controller
+
+    before_action :store_authn_request, only: %i[sso_request], unless: :user_signed_in?
+    before_action :validate_session
+    before_action :load_config, only: %i[sso_request slo_request initiate_slo metadata]
+    before_action :validate_saml_request, only: %i[sso_request slo_request], if: :sp_initiated_request?
+
+    def sso_request
+      saml_response
+      render :sso_response
+    end
+
+    def slo_request
+      return redirect_to SamlIdpRails.config.relay_state_url, allow_other_host: true unless sp_initiated_request?
+
+      saml_slo_response = encode_logout_response(
+        current_saml_user,
+        @saml_config.append_request_config(saml_request).merge!(
+          public_cert: current_sp_config.certificate,
+          private_key: current_sp_config.private_key,
+          pv_key_password: current_sp_config.pv_key_password
+        )
+      )
+
+      # TODO: move this part to gem
+      # If SLO request doesn't contain the SLO endpoint then use SP config default SLO url
+      @sp_slo_endpoint = saml_request&.logout_url || current_sp_config.single_logout_services&.values&.first
+      @sp_slo_binding = current_sp_config.single_logout_services&.keys&.first == "HTTP-Redirect" ? :redirect : :post
+      saml_slo_response = Zlib::Deflate.deflate(saml_slo_response, 9)[2..-5] if @sp_slo_binding == :redirect
+      @saml_slo_response = Base64.strict_encode64(saml_slo_response)
+      @sp_slo_url = generate_url(host: @sp_slo_endpoint, SAMLResponse: @saml_slo_response, RelayState: SamlIdpRails.config.relay_state_url)
+      render :slo_response
+    end
+
+    def initiate_slo
+      # TODO: move it out to "saml_idp" gem
+      slo_endpoint = current_sp_config.single_logout_services
+      binding = slo_endpoint&.keys&.first == "HTTP-Redirect" ? :get : :post
+      slo_location = slo_endpoint&.values&.first
+
+      logout_request = SamlIdp::LogoutRequestBuilder.new(
+        response_id: SecureRandom.uuid,
+        issuer_uri: SamlIdpRails.config.base_url,
+        saml_slo_url: slo_location,
+        name_id: @saml_config.name_id_value,
+        algorithm: OpenSSL::Digest::SHA256, # TODO: Update this to use the SP's digest method
+        public_cert: current_sp_config.certificate,
+        private_key: current_sp_config.private_key,
+        pv_key_password: current_sp_config.pv_key_password
+      ).signed
+
+      @slo_request_params = {
+        name: current_sp_config.name,
+        location: slo_location,
+        params: {
+          SAMLRequest: binding == :get ? Base64.encode64(logout_request) : logout_request,
+          RelayState: SamlIdpRails.config.relay_state_url
+        },
+        method: binding
+      }
+      render :slo_request
+    end
+
+    def metadata
+      render xml: @saml_config.idp_metadata
+    end
+
+    def attribute
+      # TODO: Remove this endpoint from the saml_idp gem
+      render json: @saml_config.saml_attributes
+    end
+
+    private
+
+    def saml_response
+      @saml_response = encode_authn_response(
+        current_saml_user,
+        @saml_config.append_request_config(saml_request).merge!(
+          public_cert: current_sp_config.certificate,
+          private_key: current_sp_config.private_key,
+          pv_key_password: current_sp_config.pv_key_password
+        )
+      )
+    end
+
+    def saml_request
+      # GEM will decode SP initiated request which is mean @saml_request set by gem
+      sp_initiated_request? ? @saml_request : @saml_config.saml_request
+    end
+
+    def sp_initiated_request?
+      params[:SAMLRequest].present?
+    end
+
+    def current_sp_config
+      @current_sp_config ||= begin
+        instance_exec(request, &SamlIdpRails.config.saml_config_finder)
+      end
+    end
+
+    def current_saml_user
+      @current_saml_user ||= begin
+        instance_exec(request, &SamlIdpRails.config.saml_user_finder)
+      end
+    end
+
+    def store_authn_request
+      saml_authn_request = if request.post?
+        saml_post_req = { SAMLRequest: params[:SAMLRequest], RelayState: params[:RelayState] }
+        "#{request.fullpath}?#{saml_post_req.to_query}"
+      else
+        request.fullpath
+      end
+
+      session[:sp_config_id] = current_sp_config.id
+      session[:saml_auth_request] = saml_authn_request
+
+      redirect_to SamlIdpRails.config.sign_in_url, allow_other_host: true
+    end
+
+    def user_signed_in?
+      current_saml_user.present?
+    end
+
+    def load_config
+      @saml_config = SamlIdpRails::SamlConfig.new(current_sp_config, current_saml_user)
+      @saml_config.configure_saml_idp
+    end
+
+    def validate_session
+      SamlIdpRails.config.session_validation_hook.call(session) if SamlIdpRails.config.session_validation_hook.present?
+    end
+
+    def generate_url(host:, **params)
+      "#{host}?#{params.to_query}"
+    end
+  end
+end

data/app/helpers/saml_idp_rails/application_helper.rb

@@ -0,0 +1,4 @@
+module SamlIdpRails
+  module ApplicationHelper
+  end
+end

data/app/jobs/saml_idp_rails/application_job.rb

@@ -0,0 +1,4 @@
+module SamlIdpRails
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/mailers/saml_idp_rails/application_mailer.rb

@@ -0,0 +1,6 @@
+module SamlIdpRails
+  class ApplicationMailer < ActionMailer::Base
+    default from: "from@example.com"
+    layout "mailer"
+  end
+end

data/app/models/saml_idp_rails/application_record.rb

@@ -0,0 +1,5 @@
+module SamlIdpRails
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/models/saml_idp_rails/saml_sp_config.rb

@@ -0,0 +1,50 @@
+require "saml_idp"
+
+module SamlIdpRails
+  class SamlSpConfig < ApplicationRecord
+    before_create :generate_uuid
+
+    if connection.adapter_name.downcase.starts_with?("sqlite")
+      serialize :name_id_formats, coder: JSON
+      serialize :assertion_consumer_services, coder: JSON
+      serialize :single_logout_services, type: Hash, coder: JSON
+      serialize :contact_person, type: Hash, coder: JSON
+      serialize :saml_attributes, coder: JSON
+    end
+
+    def parsed_metadata
+      metadata_attr = ::SamlIdp::IncomingMetadata.new(raw_metadata).to_h
+      # TODO: Move this logic to GEM
+      metadata_attr[:name_id_formats] = metadata_attr[:name_id_formats].to_a
+      if raw_metadata.present?
+        assign_attributes(metadata_attr.except(:unspecified_certificate))
+        # When SP metadata contains a <KeyDescriptor> that is not specified as signing or encryption,
+        # this method assigns the certificate to signing only.
+        self.signing_certificate = metadata_attr[:unspecified_certificate] if metadata_attr[:unspecified_certificate].present?
+        encoded_certificates
+      end
+      self
+    end
+
+    # SP metadata removes header and footer of the certificate
+    # This method adds them back
+    def encoded_certificates
+      self.signing_certificate = format_with_pem(signing_certificate) if signing_certificate.present? && !pem_formatted?(signing_certificate)
+      self.encryption_certificate = format_with_pem(encryption_certificate) if encryption_certificate.present? && !pem_formatted?(encryption_certificate)
+    end
+
+    private
+
+    def generate_uuid
+      self.uuid = SecureRandom.uuid
+    end
+
+    def pem_formatted?(cert)
+      cert.scan(/(-----BEGIN CERTIFICATE-----)(.+?)(-----END CERTIFICATE-----)/m).any?
+    end
+
+    def format_with_pem(cert)
+      "-----BEGIN CERTIFICATE-----\n#{cert.strip}\n-----END CERTIFICATE-----"
+    end
+  end
+end

data/app/views/layouts/saml_idp_rails/application.html.erb

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>SamlIdpRails</title>
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+
+  <%= yield :head %>
+
+  <%= stylesheet_link_tag    "saml_idp_rails/application", media: "all" %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/app/views/saml_idp_rails/saml_idp/slo_request.html.erb

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Logging out from <%= @slo_request_params[:name] %></title>
+</head>
+<body>
+  <p>Logging out from <%= @slo_request_params[:name] %>...</p>
+  <form id="slo_form" action="<%= @slo_request_params[:location] %>" method="<%= @slo_request_params[:method] %>">
+    <% @slo_request_params[:params].each do |key, value| %>
+      <input type="hidden" name="<%= key %>" value="<%= value %>">
+    <% end %>
+  </form>
+  <script type="text/javascript">
+    // Automatically submit the form
+    document.getElementById('slo_form').submit();
+  </script>
+</body>
+</html>

data/app/views/saml_idp_rails/saml_idp/slo_response.html.erb

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+    <% if @sp_slo_binding == :redirect %>
+      <meta http-equiv="refresh" content="0;url=<%=@sp_slo_url%>">
+      <title>Redirecting...</title>
+    <% end %>
+  </head>
+  <% if @sp_slo_binding == :redirect %>
+    <p>This page has moved. If you are not redirected automatically, <a href="<%=@sp_slo_url%>">click here</a>.</p>
+  <% else %>
+    <body onload="document.forms[0].submit();" style="visibility:hidden;">
+      <%= form_tag(@sp_slo_endpoint) do %>
+        <%= hidden_field_tag("SAMLResponse", @saml_slo_response) %>
+        <%= hidden_field_tag("RelayState", SamlIdpRails.config.relay_state_url) %>
+        <%= submit_tag "Submit" %>
+      <% end %>
+    </body>
+  <% end %>
+</html>

data/app/views/saml_idp_rails/saml_idp/sso_response.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+  </head>
+  <body onload="document.forms[0].submit();" style="visibility:hidden;">
+    <%= form_tag(saml_acs_url) do %>
+      <%= hidden_field_tag("SAMLResponse", @saml_response) %>
+      <%= hidden_field_tag("RelayState", params[:RelayState]) %>
+      <%= submit_tag "Submit" %>
+    <% end %>
+  </body>
+</html>

data/config/routes.rb

@@ -0,0 +1,9 @@
+SamlIdpRails::Engine.routes.draw do
+  get ":uuid/metadata", to: "saml_idp#metadata", as: "metadata"
+  post ":uuid/sso", to: "saml_idp#sso_request", as: "sso_post"
+  get ":uuid/sso", to: "saml_idp#sso_request", as: "sso_redirect"
+  post ":uuid/logout", to: "saml_idp#slo_request", as: "slo_post"
+  get ":uuid/logout", to: "saml_idp#slo_request", as: "slo_redirect"
+  post ":uuid/slo_request", to: "saml_idp#initiate_slo", as: "initiate_slo"
+  get ":uuid/attribute", to: "saml_idp#attribute", as: "attribute"
+end

data/db/migrate/20250120165545_create_saml_idp_rails_saml_sp_configs.rb

@@ -0,0 +1,62 @@
+class CreateSamlIdpRailsSamlSpConfigs < ActiveRecord::Migration[8.0]
+  def change
+    create_table :saml_idp_rails_saml_sp_configs do |t|
+      # For identification
+      t.string :name
+      t.string :display_name
+      # SP attributes
+      t.string :entity_id
+      t.string :signing_certificate
+      t.string :encryption_certificate
+      t.boolean :sign_assertions
+      t.boolean :sign_authn_request
+      # IdP attributes
+      t.string :certificate
+      t.string :private_key
+      t.string :pv_key_password
+      t.string :relay_state
+      t.string :name_id_attribute
+      t.text :raw_metadata
+
+      if connection.adapter_name.downcase.starts_with?('postgresql')
+        # SP attributes
+        t.text :name_id_formats, array: true, default: []
+        t.jsonb :assertion_consumer_services, default: []
+        t.jsonb :single_logout_services, default: {}
+        # IdP attributes
+        t.jsonb :contact_person, default: {}
+        t.jsonb :saml_attributes, default: {}
+      elsif connection.adapter_name.downcase.starts_with?('mysql')
+        # SP attributes
+        t.text :name_id_formats, array: true, default: []
+        t.json :assertion_consumer_services, default: []
+        t.json :single_logout_services, default: {}
+        # IdP attributes
+        t.json :contact_person, default: {}
+        t.json :saml_attributes, default: {}
+      else
+        # SP attributes
+        t.text :name_id_formats, default: '[]'
+        t.text :assertion_consumer_services, default: '[]'
+        t.text :single_logout_services, default: '{}'
+        # IdP attributes
+        t.text :contact_person, default: '{}'
+        t.text :saml_attributes, default: '{}'
+      end
+
+      # Public UUID for SP
+      if connection.adapter_name.downcase.starts_with?('mysql')
+        t.string :uuid, null: false, default: -> { "UUID()" }
+      elsif connection.adapter_name.downcase.starts_with?('postgresql')
+        t.uuid :uuid, null: false, default: -> { "gen_random_uuid()" }
+      else
+        t.string :uuid, null: false
+      end
+
+      t.timestamps
+    end
+
+    add_index :saml_idp_rails_saml_sp_configs, :name, unique: true
+    add_index :saml_idp_rails_saml_sp_configs, :entity_id, unique: true
+  end
+end

data/lib/saml_idp_rails/config.rb

@@ -0,0 +1,27 @@
+require "saml_idp"
+
+module SamlIdpRails
+  class Config
+    ATTRIBUTES = %i[
+      base_url
+      sign_in_url
+      relay_state_url
+      session_validation_hook
+      saml_config_finder
+      saml_user_finder
+    ].freeze
+
+    attr_accessor *ATTRIBUTES
+
+    def configure(&block)
+      yield self if block_given?
+      self
+    end
+
+    def validate!
+      ATTRIBUTES.each do |attribute|
+        raise("SamlIdpRails: #{attribute} is not set") if self.public_send(attribute).nil?
+      end
+    end
+  end
+end

data/lib/saml_idp_rails/engine.rb

@@ -0,0 +1,5 @@
+module SamlIdpRails
+  class Engine < ::Rails::Engine
+    isolate_namespace SamlIdpRails
+  end
+end

data/lib/saml_idp_rails/railtie.rb

@@ -0,0 +1,4 @@
+module SamlIdpRails
+  class Railtie < ::Rails::Railtie
+  end
+end

data/lib/saml_idp_rails/saml_config.rb

@@ -0,0 +1,240 @@
+require "saml_idp"
+
+module SamlIdpRails
+  class SamlConfig
+    include SamlIdpRails::Engine.routes.url_helpers
+
+    attr_accessor :config
+
+    def initialize(sp_config, saml_user)
+      @config = {}
+      @config[:base_url] = SamlIdpRails.config.base_url
+      @config[:saml_config] = sp_config
+      @config[:saml_user] = saml_user
+    end
+
+    def configure_saml_idp
+      ::SamlIdp.configure do |config|
+        config.x509_certificate = saml_config.certificate
+        config.secret_key = saml_config.private_key
+        config.password = saml_config.pv_key_password
+        config.algorithm = :sha256
+        config.organization_name = base_url
+        config.organization_url = base_url
+        # URL configuration
+        config.base_saml_location = base_url # TODO: Read from gem configuration
+        config.single_logout_service_post_location = slo_post_endpoint
+        config.single_logout_service_redirect_location = slo_redirect_endpoint
+        config.attribute_service_location = attribute_endpoint
+        config.single_service_post_location = sso_post_endpoint
+        config.single_service_redirect_location = sso_redirect_endpoint
+        # Name ID format
+        config.name_id.formats = name_id_format
+        config.attributes = saml_attributes_as_hash
+        config.service_provider.metadata_persister = metadata_persister
+        config.service_provider.persisted_metadata_getter = persisted_matadata
+        config.service_provider.finder = service_providers
+        config.logger = Rails.logger
+      end
+    end
+
+    def append_request_config(saml_request)
+      config = {}
+      if saml_config.encryption_certificate.present?
+        config = {
+          encryption: {
+            cert: saml_config.encryption_certificate,
+            block_encryption: "aes256-cbc",
+            key_transport: "rsa-oaep-mgf1p"
+          }
+        }
+      end
+
+      config[:signed_assertion] = saml_config.sign_assertions
+      config[:signed_message] = true
+
+      # SP initiated SAML
+      if saml_request.present? && !saml_request.try(:idp_initiated?)
+        config[:acs_url] = saml_request.request["AssertionConsumerServiceURL"] if saml_request.authn_request?
+        return config
+      end
+
+      config.merge!(audience_uri: saml_config.entity_id)
+    end
+
+    def idp_metadata
+      SamlIdp.metadata.signed
+    end
+
+    def saml_request
+      @saml_request ||= Struct.new(
+        :request_id,
+        :issue_url,
+        :acs_url
+      ) do
+        def authn_request?
+          true
+        end
+
+        def idp_initiated?
+          true
+        end
+
+        def issuer
+          url = URI(issue_url)
+          url.query = nil
+          url.to_s
+        end
+      end.new(nil, base_url, default_acs_config[:location])
+    end
+
+    def name_id_value(attribute_name = nil)
+      attr = attribute_name.presence || saml_user.name_id_attribute
+      val =  saml_user.public_send(attr) if saml_user.respond_to?(attr)
+      raise("SamlIdpRails: Name ID attribute #{attr} is not set") if val.blank?
+      val
+    end
+
+    private
+
+    def service_providers
+      lambda { |_issuer_or_entity_id|
+        {
+          response_hosts: saml_config.assertion_consumer_services.map do |acs|
+            url = acs["location"] || acs[:location]
+            URI(url).host
+          end,
+          acs_url: default_acs_config[:location],
+          cert: (saml_config.signing_certificate.present? ? saml_config.signing_certificate : nil),
+          fingerprint: (saml_config.signing_certificate.present? ? SamlIdp::Fingerprint.certificate_digest(saml_config.signing_certificate, :sha256) : nil),
+          assertion_consumer_logout_service_url: saml_config.single_logout_services.values.first,
+          sign_authn_request: saml_config.sign_authn_request
+        }
+      }
+    end
+
+    def persisted_matadata
+      lambda { |_identifier, _|
+        # TODO: eliminate raw metadata usage
+        SamlIdp::IncomingMetadata.new(saml_config.raw_metadata)
+      }
+    end
+
+    # We don't need support it because, scary XML can be there
+    # TODO: Remove this method from GEM
+    def metadata_persister
+      lambda { |_identifier, _service_provider|
+      }
+    end
+
+    def default_name_idp_format
+      {
+        "1.1" => {
+          email_address: lambda { |_principal|
+            name_id_value
+          }
+        }
+      }
+    end
+
+    def name_id_format
+      first_name_format = saml_config.name_id_formats.first.to_s
+      first_name_format = "unspecified" if first_name_format.blank?
+      {
+        name_id_format_version(first_name_format).to_s => {
+          # TODO: Remove lambdas from GEM
+          first_name_format => lambda { |_principal|
+            name_id_value
+          }
+        }
+      }
+    end
+
+    def name_id_format_version(parsed_format)
+      return "1.1" if %w[email_address unspecified].include?(parsed_format.underscore)
+
+      "2.0"
+    end
+
+    def default_acs_config
+      (saml_config.assertion_consumer_services.first || {}).with_indifferent_access
+    end
+
+    def saml_attributes_as_hash
+      config_attribute = {}
+      saml_config.saml_attributes.each do |attribute|
+        # TODO: Resolve this issue on GEM side
+        attribute["name_format"] = attribute["nameFormat"] if attribute["nameFormat"].present?
+
+        config_attribute[attribute["friendlyName"]] = attribute.except("friendlyName")
+        # TODO: Remove lambdas from GEM
+        config_attribute[attribute["friendlyName"]]["getter"] = lambda { |_principal|
+          saml_attribute_getters(attribute["getter"])
+        }
+      end
+      config_attribute
+    end
+
+    def saml_attribute_getters(config_value)
+      attribute_value = user_attribute(config_value)
+      attribute_type = attribute_value.class.to_s
+      # Fixed string value
+      return config_value.to_s if attribute_value.blank?
+
+      case attribute_type
+      when "Array"
+        attribute_value.map(&:to_s)
+      when "Hash"
+        attribute_value.to_json
+      when "Integer"
+        attribute_value.to_s
+      when "String"
+        attribute_value
+      else
+        ""
+      end
+    end
+
+    def user_attribute(key)
+      saml_user.respond_to?(key) ? saml_user.public_send(key) : saml_user[key]
+    end
+
+    def metadata_endpoint
+      @config[:metadata_url] || metadata_url(uuid: saml_config.uuid, host: base_url)
+    end
+
+    def slo_post_endpoint
+      @config[:slo_post_url] || slo_post_url(uuid: saml_config.uuid, host: base_url)
+    end
+
+    # Form converts REDIRECT to POST
+    def slo_redirect_endpoint
+      @config[:metadata_url] || slo_redirect_url(uuid: saml_config.uuid, host: base_url)
+    end
+
+    def attribute_endpoint
+      @config[:attribute_url] || attribute_url(uuid: saml_config.uuid, host: base_url)
+    end
+
+    def sso_post_endpoint
+      @config[:sso_post_url] || sso_post_url(uuid: saml_config.uuid, host: base_url)
+    end
+
+    # Form converts REDIRECT to POST
+    def sso_redirect_endpoint
+      @config[:sso_redirect_url] || sso_redirect_url(uuid: saml_config.uuid, host: base_url)
+    end
+
+    def saml_user
+      @config[:saml_user] || raise("SamlIdpRails: saml_user is not set")
+    end
+
+    def saml_config
+      @config[:saml_config] || raise("SamlIdpRails: saml_config is not set")
+    end
+
+    def base_url
+      @config[:base_url] || raise("SamlIdpRails: base_url is not set")
+    end
+  end
+end

data/lib/saml_idp_rails/version.rb

@@ -0,0 +1,3 @@
+module SamlIdpRails
+  VERSION = "0.0.1"
+end

data/lib/saml_idp_rails.rb

@@ -0,0 +1,16 @@
+require "saml_idp_rails/version"
+require "saml_idp_rails/engine"
+require "saml_idp_rails/config"
+
+module SamlIdpRails
+  class << self
+    def configure(&block)
+      @config = Config.new.configure(&block)
+      @config.validate!
+    end
+
+    def config
+      @config
+    end
+  end
+end

data/lib/tasks/saml_idp_rails_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :saml_idp_rails do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,137 @@
+--- !ruby/object:Gem::Specification
+name: saml_idp_rails
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- zogoo
+bindir: bin
+cert_chain: []
+date: 2025-03-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 8.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 8.0.1
+- !ruby/object:Gem::Dependency
+  name: saml_idp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: debug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ruby-saml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: SamlIdpRails is open source Idp controller for Rails.
+email:
+- ch.zogoo@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- app/assets/stylesheets/saml_idp_rails/application.css
+- app/controllers/saml_idp_rails/application_controller.rb
+- app/controllers/saml_idp_rails/saml_idp_controller.rb
+- app/helpers/saml_idp_rails/application_helper.rb
+- app/jobs/saml_idp_rails/application_job.rb
+- app/mailers/saml_idp_rails/application_mailer.rb
+- app/models/saml_idp_rails/application_record.rb
+- app/models/saml_idp_rails/saml_sp_config.rb
+- app/views/layouts/saml_idp_rails/application.html.erb
+- app/views/saml_idp_rails/saml_idp/slo_request.html.erb
+- app/views/saml_idp_rails/saml_idp/slo_response.html.erb
+- app/views/saml_idp_rails/saml_idp/sso_response.html.erb
+- config/routes.rb
+- db/migrate/20250120165545_create_saml_idp_rails_saml_sp_configs.rb
+- lib/saml_idp_rails.rb
+- lib/saml_idp_rails/config.rb
+- lib/saml_idp_rails/engine.rb
+- lib/saml_idp_rails/railtie.rb
+- lib/saml_idp_rails/saml_config.rb
+- lib/saml_idp_rails/version.rb
+- lib/tasks/saml_idp_rails_tasks.rake
+homepage: https://github.com/zogoo/saml_idp_rails
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/zogoo/saml_idp_rails
+  source_code_uri: https://github.com/zogoo/saml_idp_rails
+  changelog_uri: https://github.com/Zogoo/saml_idp_rails/blob/master/CHANGELOG.md
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.4.1
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.3
+specification_version: 4
+summary: Idp controller for Rails
+test_files: []