samlsso 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +50 -0
- data/CODE_OF_CONDUCT.md +49 -0
- data/Gemfile +4 -0
- data/LICENSE +21 -0
- data/README.md +36 -0
- data/Rakefile +2 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/lib/samlsso.rb +16 -0
- data/lib/samlsso/attribute_service.rb +32 -0
- data/lib/samlsso/attributes.rb +107 -0
- data/lib/samlsso/authrequest.rb +124 -0
- data/lib/samlsso/idp_metadata_parser.rb +85 -0
- data/lib/samlsso/logging.rb +20 -0
- data/lib/samlsso/logoutrequest.rb +100 -0
- data/lib/samlsso/logoutresponse.rb +110 -0
- data/lib/samlsso/metadata.rb +94 -0
- data/lib/samlsso/response.rb +271 -0
- data/lib/samlsso/saml_message.rb +117 -0
- data/lib/samlsso/settings.rb +115 -0
- data/lib/samlsso/slo_logoutrequest.rb +64 -0
- data/lib/samlsso/slo_logoutresponse.rb +99 -0
- data/lib/samlsso/utils.rb +42 -0
- data/lib/samlsso/validation_error.rb +5 -0
- data/lib/samlsso/version.rb +3 -0
- data/lib/schemas/saml-schema-assertion-2.0.xsd +283 -0
- data/lib/schemas/saml-schema-authn-context-2.0.xsd +23 -0
- data/lib/schemas/saml-schema-authn-context-types-2.0.xsd +821 -0
- data/lib/schemas/saml-schema-metadata-2.0.xsd +339 -0
- data/lib/schemas/saml-schema-protocol-2.0.xsd +302 -0
- data/lib/schemas/sstc-metadata-attr.xsd +35 -0
- data/lib/schemas/sstc-saml-attribute-ext.xsd +25 -0
- data/lib/schemas/sstc-saml-metadata-algsupport-v1.0.xsd +41 -0
- data/lib/schemas/sstc-saml-metadata-ui-v1.0.xsd +89 -0
- data/lib/schemas/xenc-schema.xsd +136 -0
- data/lib/schemas/xml.xsd +287 -0
- data/lib/schemas/xmldsig-core-schema.xsd +309 -0
- data/lib/xml_security.rb +276 -0
- data/samlsso.gemspec +44 -0
- metadata +168 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 6eef1ff2931908247fa908b45369820de85c56e6
|
4
|
+
data.tar.gz: 5fe581ce6f74f9dbcb4ffefab1f39055bb814301
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: f8f60a37d9608b41a040cba0b178c8a2696e6f67aee0341944f39622e8bb167acef85299342325d2b0929d2935d43060d244ad26763477d2a124a585bf8cbfbf
|
7
|
+
data.tar.gz: 0ba87a05251f4b3bbfce53fefdcd5b5ebecdbc0074631c634d9b63e151918a8a5a5143e76123cfdbe8b43df0b9674d84f3188c8fbee4e1d5811710662c4c15d4
|
data/.gitignore
ADDED
@@ -0,0 +1,50 @@
|
|
1
|
+
*.rbc
|
2
|
+
capybara-*.html
|
3
|
+
.rspec
|
4
|
+
/log
|
5
|
+
/tmp
|
6
|
+
/db/*.sqlite3
|
7
|
+
/db/*.sqlite3-journal
|
8
|
+
/public/system
|
9
|
+
/coverage/
|
10
|
+
/spec/tmp
|
11
|
+
/pkg/
|
12
|
+
/.yardoc
|
13
|
+
/_yardoc/
|
14
|
+
/doc/
|
15
|
+
/spec/reports/
|
16
|
+
**.orig
|
17
|
+
rerun.txt
|
18
|
+
pickle-email-*.html
|
19
|
+
|
20
|
+
|
21
|
+
# TODO Comment out these rules if you are OK with secrets being uploaded to the repo
|
22
|
+
config/initializers/secret_token.rb
|
23
|
+
config/secrets.yml
|
24
|
+
|
25
|
+
# dotenv
|
26
|
+
# TODO Comment out this rule if environment variables can be committed
|
27
|
+
.env
|
28
|
+
|
29
|
+
## Environment normalization:
|
30
|
+
/.bundle
|
31
|
+
/vendor/bundle
|
32
|
+
|
33
|
+
# these should all be checked in to normalize the environment:
|
34
|
+
Gemfile.lock
|
35
|
+
.ruby-version
|
36
|
+
.ruby-gemset
|
37
|
+
|
38
|
+
# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
|
39
|
+
.rvmrc
|
40
|
+
|
41
|
+
# if using bower-rails ignore default bower_components path bower.json files
|
42
|
+
/vendor/assets/bower_components
|
43
|
+
*.bowerrc
|
44
|
+
bower.json
|
45
|
+
|
46
|
+
# Ignore pow environment settings
|
47
|
+
.powenv
|
48
|
+
|
49
|
+
# Ignore Byebug command history file.
|
50
|
+
.byebug_history
|
data/CODE_OF_CONDUCT.md
ADDED
@@ -0,0 +1,49 @@
|
|
1
|
+
# Contributor Code of Conduct
|
2
|
+
|
3
|
+
As contributors and maintainers of this project, and in the interest of
|
4
|
+
fostering an open and welcoming community, we pledge to respect all people who
|
5
|
+
contribute through reporting issues, posting feature requests, updating
|
6
|
+
documentation, submitting pull requests or patches, and other activities.
|
7
|
+
|
8
|
+
We are committed to making participation in this project a harassment-free
|
9
|
+
experience for everyone, regardless of level of experience, gender, gender
|
10
|
+
identity and expression, sexual orientation, disability, personal appearance,
|
11
|
+
body size, race, ethnicity, age, religion, or nationality.
|
12
|
+
|
13
|
+
Examples of unacceptable behavior by participants include:
|
14
|
+
|
15
|
+
* The use of sexualized language or imagery
|
16
|
+
* Personal attacks
|
17
|
+
* Trolling or insulting/derogatory comments
|
18
|
+
* Public or private harassment
|
19
|
+
* Publishing other's private information, such as physical or electronic
|
20
|
+
addresses, without explicit permission
|
21
|
+
* Other unethical or unprofessional conduct
|
22
|
+
|
23
|
+
Project maintainers have the right and responsibility to remove, edit, or
|
24
|
+
reject comments, commits, code, wiki edits, issues, and other contributions
|
25
|
+
that are not aligned to this Code of Conduct, or to ban temporarily or
|
26
|
+
permanently any contributor for other behaviors that they deem inappropriate,
|
27
|
+
threatening, offensive, or harmful.
|
28
|
+
|
29
|
+
By adopting this Code of Conduct, project maintainers commit themselves to
|
30
|
+
fairly and consistently applying these principles to every aspect of managing
|
31
|
+
this project. Project maintainers who do not follow or enforce the Code of
|
32
|
+
Conduct may be permanently removed from the project team.
|
33
|
+
|
34
|
+
This code of conduct applies both within project spaces and in public spaces
|
35
|
+
when an individual is representing the project or its community.
|
36
|
+
|
37
|
+
Instances of abusive, harassing, or otherwise unacceptable behavior may be
|
38
|
+
reported by contacting a project maintainer at mukherjee.siddhartha@gmail.com. All
|
39
|
+
complaints will be reviewed and investigated and will result in a response that
|
40
|
+
is deemed necessary and appropriate to the circumstances. Maintainers are
|
41
|
+
obligated to maintain confidentiality with regard to the reporter of an
|
42
|
+
incident.
|
43
|
+
|
44
|
+
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
|
45
|
+
version 1.3.0, available at
|
46
|
+
[http://contributor-covenant.org/version/1/3/0/][version]
|
47
|
+
|
48
|
+
[homepage]: http://contributor-covenant.org
|
49
|
+
[version]: http://contributor-covenant.org/version/1/3/0/
|
data/Gemfile
ADDED
data/LICENSE
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
The MIT License (MIT)
|
2
|
+
|
3
|
+
Copyright (c) 2016 Siddhartha Mukherjee
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
7
|
+
in the Software without restriction, including without limitation the rights
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
10
|
+
furnished to do so, subject to the following conditions:
|
11
|
+
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
13
|
+
copies or substantial portions of the Software.
|
14
|
+
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
21
|
+
SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,36 @@
|
|
1
|
+
# Samlsso
|
2
|
+
|
3
|
+
SAML SSO for Ruby
|
4
|
+
|
5
|
+
(Fork of a old version of https://github.com/onelogin/ruby-saml, but then customized/enhanced to support encrypted SAML and some more)
|
6
|
+
|
7
|
+
## Installation
|
8
|
+
|
9
|
+
Add this line to your application's Gemfile:
|
10
|
+
|
11
|
+
```ruby
|
12
|
+
gem 'samlsso'
|
13
|
+
```
|
14
|
+
|
15
|
+
And then execute:
|
16
|
+
|
17
|
+
$ bundle
|
18
|
+
|
19
|
+
Or install it yourself as:
|
20
|
+
|
21
|
+
$ gem install samlsso
|
22
|
+
|
23
|
+
## Development
|
24
|
+
|
25
|
+
After checking out the repo, run `bin/setup` to install dependencies. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
|
26
|
+
|
27
|
+
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
28
|
+
|
29
|
+
## Contributing
|
30
|
+
|
31
|
+
Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/samlsso. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
|
32
|
+
|
33
|
+
|
34
|
+
## License
|
35
|
+
|
36
|
+
The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
|
data/Rakefile
ADDED
data/bin/console
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
require "bundler/setup"
|
4
|
+
require "samlsso"
|
5
|
+
|
6
|
+
# You can add fixtures and/or initialization code here to make experimenting
|
7
|
+
# with your gem easier. You can also use a different console, if you like.
|
8
|
+
|
9
|
+
# (If you use this, don't forget to add pry to your Gemfile!)
|
10
|
+
# require "pry"
|
11
|
+
# Pry.start
|
12
|
+
|
13
|
+
require "irb"
|
14
|
+
IRB.start
|
data/bin/setup
ADDED
data/lib/samlsso.rb
ADDED
@@ -0,0 +1,16 @@
|
|
1
|
+
require 'samlsso/logging'
|
2
|
+
require 'samlsso/saml_message'
|
3
|
+
require 'samlsso/authrequest'
|
4
|
+
require 'samlsso/logoutrequest'
|
5
|
+
require 'samlsso/logoutresponse'
|
6
|
+
require 'samlsso/attributes'
|
7
|
+
require 'samlsso/slo_logoutrequest'
|
8
|
+
require 'samlsso/slo_logoutresponse'
|
9
|
+
require 'samlsso/response'
|
10
|
+
require 'samlsso/settings'
|
11
|
+
require 'samlsso/attribute_service'
|
12
|
+
require 'samlsso/validation_error'
|
13
|
+
require 'samlsso/metadata'
|
14
|
+
require 'samlsso/idp_metadata_parser'
|
15
|
+
require 'samlsso/utils'
|
16
|
+
require 'samlsso/version'
|
@@ -0,0 +1,32 @@
|
|
1
|
+
module Samlsso
|
2
|
+
class AttributeService
|
3
|
+
attr_reader :attributes
|
4
|
+
attr_reader :name
|
5
|
+
attr_reader :index
|
6
|
+
|
7
|
+
def initialize
|
8
|
+
@index = "1"
|
9
|
+
@attributes = []
|
10
|
+
end
|
11
|
+
|
12
|
+
def configure(&block)
|
13
|
+
instance_eval &block
|
14
|
+
end
|
15
|
+
|
16
|
+
def configured?
|
17
|
+
@attributes.length > 0 && !@name.nil?
|
18
|
+
end
|
19
|
+
|
20
|
+
def service_name(name)
|
21
|
+
@name = name
|
22
|
+
end
|
23
|
+
|
24
|
+
def service_index(index)
|
25
|
+
@index = index
|
26
|
+
end
|
27
|
+
|
28
|
+
def add_attribute(options={})
|
29
|
+
attributes << options
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
@@ -0,0 +1,107 @@
|
|
1
|
+
module Samlsso
|
2
|
+
# Wraps all attributes and provides means to query them for single or multiple values.
|
3
|
+
#
|
4
|
+
# For backwards compatibility Attributes#[] returns *first* value for the attribute.
|
5
|
+
# Turn off compatibility to make it return all values as an array:
|
6
|
+
# Attributes.single_value_compatibility = false
|
7
|
+
class Attributes
|
8
|
+
include Enumerable
|
9
|
+
|
10
|
+
# By default Attributes#[] is backwards compatible and
|
11
|
+
# returns only the first value for the attribute
|
12
|
+
# Setting this to `false` returns all values for an attribute
|
13
|
+
@@single_value_compatibility = true
|
14
|
+
|
15
|
+
# Get current status of backwards compatibility mode.
|
16
|
+
def self.single_value_compatibility
|
17
|
+
@@single_value_compatibility
|
18
|
+
end
|
19
|
+
|
20
|
+
# Sets the backwards compatibility mode on/off.
|
21
|
+
def self.single_value_compatibility=(value)
|
22
|
+
@@single_value_compatibility = value
|
23
|
+
end
|
24
|
+
|
25
|
+
# Initialize Attributes collection, optionally taking a Hash of attribute names and values.
|
26
|
+
#
|
27
|
+
# The +attrs+ must be a Hash with attribute names as keys and **arrays** as values:
|
28
|
+
# Attributes.new({
|
29
|
+
# 'name' => ['value1', 'value2'],
|
30
|
+
# 'mail' => ['value1'],
|
31
|
+
# })
|
32
|
+
def initialize(attrs = {})
|
33
|
+
@attributes = attrs
|
34
|
+
end
|
35
|
+
|
36
|
+
|
37
|
+
# Iterate over all attributes
|
38
|
+
def each
|
39
|
+
attributes.each{|name, values| yield name, values}
|
40
|
+
end
|
41
|
+
|
42
|
+
# Test attribute presence by name
|
43
|
+
def include?(name)
|
44
|
+
attributes.has_key?(canonize_name(name))
|
45
|
+
end
|
46
|
+
|
47
|
+
# Return first value for an attribute
|
48
|
+
def single(name)
|
49
|
+
attributes[canonize_name(name)].first if include?(name)
|
50
|
+
end
|
51
|
+
|
52
|
+
# Return all values for an attribute
|
53
|
+
def multi(name)
|
54
|
+
attributes[canonize_name(name)]
|
55
|
+
end
|
56
|
+
|
57
|
+
# By default returns first value for an attribute.
|
58
|
+
#
|
59
|
+
# Depending on the single value compatibility status this returns first value
|
60
|
+
# Attributes.single_value_compatibility = true # Default
|
61
|
+
# response.attributes['mail'] # => 'user@example.com'
|
62
|
+
#
|
63
|
+
# Or all values:
|
64
|
+
# Attributes.single_value_compatibility = false
|
65
|
+
# response.attributes['mail'] # => ['user@example.com','user@example.net']
|
66
|
+
def [](name)
|
67
|
+
self.class.single_value_compatibility ? single(canonize_name(name)) : multi(canonize_name(name))
|
68
|
+
end
|
69
|
+
|
70
|
+
# Return all attributes as an array
|
71
|
+
def all
|
72
|
+
attributes
|
73
|
+
end
|
74
|
+
|
75
|
+
# Set values for an attribute, overwriting all existing values
|
76
|
+
def set(name, values)
|
77
|
+
attributes[canonize_name(name)] = values
|
78
|
+
end
|
79
|
+
alias_method :[]=, :set
|
80
|
+
|
81
|
+
# Add new attribute or new value(s) to an existing attribute
|
82
|
+
def add(name, values = [])
|
83
|
+
attributes[canonize_name(name)] ||= []
|
84
|
+
attributes[canonize_name(name)] += Array(values)
|
85
|
+
end
|
86
|
+
|
87
|
+
# Make comparable to another Attributes collection based on attributes
|
88
|
+
def ==(other)
|
89
|
+
if other.is_a?(Attributes)
|
90
|
+
all == other.all
|
91
|
+
else
|
92
|
+
super
|
93
|
+
end
|
94
|
+
end
|
95
|
+
|
96
|
+
protected
|
97
|
+
|
98
|
+
# stringifies all names so both 'email' and :email return the same result
|
99
|
+
def canonize_name(name)
|
100
|
+
name.to_s
|
101
|
+
end
|
102
|
+
|
103
|
+
def attributes
|
104
|
+
@attributes
|
105
|
+
end
|
106
|
+
end
|
107
|
+
end
|
@@ -0,0 +1,124 @@
|
|
1
|
+
require "uuid"
|
2
|
+
|
3
|
+
require "samlsso/logging"
|
4
|
+
|
5
|
+
module Samlsso
|
6
|
+
include REXML
|
7
|
+
class Authrequest < SamlMessage
|
8
|
+
|
9
|
+
attr_reader :uuid # Can be obtained if neccessary
|
10
|
+
|
11
|
+
def initialize
|
12
|
+
@uuid = "_" + UUID.new.generate
|
13
|
+
end
|
14
|
+
|
15
|
+
def create(settings, params = {})
|
16
|
+
params = create_params(settings, params)
|
17
|
+
params_prefix = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
|
18
|
+
saml_request = CGI.escape(params.delete("SAMLRequest"))
|
19
|
+
request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
|
20
|
+
params.each_pair do |key, value|
|
21
|
+
request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
|
22
|
+
end
|
23
|
+
@login_url = settings.idp_sso_target_url + request_params
|
24
|
+
end
|
25
|
+
|
26
|
+
def create_params(settings, params={})
|
27
|
+
params = {} if params.nil?
|
28
|
+
|
29
|
+
request_doc = create_authentication_xml_doc(settings)
|
30
|
+
request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
|
31
|
+
|
32
|
+
request = ""
|
33
|
+
request_doc.write(request)
|
34
|
+
|
35
|
+
Logging.debug "Created AuthnRequest: #{request}"
|
36
|
+
|
37
|
+
request = deflate(request) if settings.compress_request
|
38
|
+
base64_request = encode(request)
|
39
|
+
request_params = {"SAMLRequest" => base64_request}
|
40
|
+
|
41
|
+
if settings.security[:authn_requests_signed] && !settings.security[:embed_sign] && settings.private_key
|
42
|
+
params['SigAlg'] = XMLSecurity::Document::SHA1
|
43
|
+
url_string = "SAMLRequest=#{CGI.escape(base64_request)}"
|
44
|
+
url_string += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
|
45
|
+
url_string += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
|
46
|
+
private_key = settings.get_sp_key()
|
47
|
+
signature = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
|
48
|
+
params['Signature'] = encode(signature)
|
49
|
+
end
|
50
|
+
|
51
|
+
params.each_pair do |key, value|
|
52
|
+
request_params[key] = value.to_s
|
53
|
+
end
|
54
|
+
|
55
|
+
request_params
|
56
|
+
end
|
57
|
+
|
58
|
+
def create_authentication_xml_doc(settings)
|
59
|
+
time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
|
60
|
+
|
61
|
+
request_doc = XMLSecurity::Document.new
|
62
|
+
request_doc.uuid = uuid
|
63
|
+
|
64
|
+
root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
|
65
|
+
root.attributes['ID'] = uuid
|
66
|
+
root.attributes['IssueInstant'] = time
|
67
|
+
root.attributes['Version'] = "2.0"
|
68
|
+
root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil?
|
69
|
+
root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
|
70
|
+
root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
|
71
|
+
root.attributes["AttributeConsumingServiceIndex"] = settings.attributes_index unless settings.attributes_index.nil?
|
72
|
+
root.attributes['ForceAuthn'] = settings.force_authn unless settings.force_authn.nil?
|
73
|
+
|
74
|
+
# Conditionally defined elements based on settings
|
75
|
+
if settings.assertion_consumer_service_url != nil
|
76
|
+
root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
|
77
|
+
end
|
78
|
+
if settings.issuer != nil
|
79
|
+
issuer = root.add_element "saml:Issuer"
|
80
|
+
issuer.text = settings.issuer
|
81
|
+
end
|
82
|
+
if settings.name_identifier_format != nil
|
83
|
+
root.add_element "samlp:NameIDPolicy", {
|
84
|
+
# Might want to make AllowCreate a setting?
|
85
|
+
"AllowCreate" => "true",
|
86
|
+
"Format" => settings.name_identifier_format
|
87
|
+
}
|
88
|
+
end
|
89
|
+
|
90
|
+
if settings.authn_context || settings.authn_context_decl_ref
|
91
|
+
|
92
|
+
if settings.authn_context_comparison != nil
|
93
|
+
comparison = settings.authn_context_comparison
|
94
|
+
else
|
95
|
+
comparison = 'exact'
|
96
|
+
end
|
97
|
+
|
98
|
+
requested_context = root.add_element "samlp:RequestedAuthnContext", {
|
99
|
+
"Comparison" => comparison,
|
100
|
+
}
|
101
|
+
|
102
|
+
if settings.authn_context != nil
|
103
|
+
class_ref = requested_context.add_element "saml:AuthnContextClassRef"
|
104
|
+
class_ref.text = settings.authn_context
|
105
|
+
end
|
106
|
+
# add saml:AuthnContextDeclRef element
|
107
|
+
if settings.authn_context_decl_ref != nil
|
108
|
+
class_ref = requested_context.add_element "saml:AuthnContextDeclRef"
|
109
|
+
class_ref.text = settings.authn_context_decl_ref
|
110
|
+
end
|
111
|
+
end
|
112
|
+
|
113
|
+
# embebed sign
|
114
|
+
if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
|
115
|
+
private_key = settings.get_sp_key()
|
116
|
+
cert = settings.get_sp_cert()
|
117
|
+
request_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
|
118
|
+
end
|
119
|
+
|
120
|
+
request_doc
|
121
|
+
end
|
122
|
+
|
123
|
+
end
|
124
|
+
end
|