stormpath-sdk 1.0.1 → 1.1.0

data/lib/stormpath-sdk/provider/saml/saml_mapping_rules.rb

@@ -0,0 +1,22 @@
+#
+# Copyright 2016 Stormpath, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Stormpath::Provider::SamlMappingRules < Stormpath::Provider::Provider
+  prop_reader :href, :created_at, :modified_at, :items
+
+  def set_options(options)
+    set_property :href, options[:href]
+  end
+end

data/lib/stormpath-sdk/provider/saml/saml_provider.rb

@@ -0,0 +1,20 @@
+#
+# Copyright 2016 Stormpath, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Stormpath::Provider::SamlProvider < Stormpath::Provider::Provider
+  prop_reader :provider_id, :sso_login_url, :sso_logout_url,
+    :encoded_x509_signing_cert, :request_signature_algorithm,
+    :service_provider_metadata, :attribute_statement_mapping_rules
+end

data/lib/stormpath-sdk/provider/saml/saml_provider_data.rb

@@ -0,0 +1,19 @@
+#
+# Copyright 2016 Stormpath, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Stormpath::Provider::SamlProviderData < Stormpath::Provider::ProviderData
+  prop_reader :href, :created_at, :modified_at, :provider_id, :sso_log_in_url,
+    :sso_lgout_url
+end

data/lib/stormpath-sdk/provider/saml/saml_provider_metadata.rb

@@ -0,0 +1,19 @@
+#
+# Copyright 2016 Stormpath, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Stormpath::Provider::SamlProviderMetadata < Stormpath::Provider::ProviderData
+  prop_reader :href, :created_at, :modified_at, :entity_id, :x509_signing_cert,
+    :assertion_consumer_service_post_endpoint
+end

data/lib/stormpath-sdk/resource/application.rb

@@ -21,7 +21,7 @@ class Stormpath::Resource::Application < Stormpath::Resource::Instance
 
   class LoadError < Stormpath::Error; end
 
-  prop_accessor :name, :description
+  prop_accessor :name, :description, :authorized_callback_uris
 
   belongs_to :tenant
 
@@ -91,8 +91,8 @@ class Stormpath::Resource::Application < Stormpath::Resource::Instance
     id_site_result
   end
 
-  def send_password_reset_email email
-    password_reset_token = create_password_reset_token email;
+  def send_password_reset_email(email, account_store: nil)
+    password_reset_token = create_password_reset_token(email, account_store: account_store)
     password_reset_token.account
   end
 
@@ -109,9 +109,9 @@ class Stormpath::Resource::Application < Stormpath::Resource::Instance
   end
 
   def authenticate_oauth(request)
-    Stormpath::Oauth::Authenticator.new(data_store).authenticate(href, request) 
+    Stormpath::Oauth::Authenticator.new(data_store).authenticate(href, request)
   end
-  
+
   private
 
   def jwt_token_payload(options)
@@ -135,7 +135,22 @@ class Stormpath::Resource::Application < Stormpath::Resource::Instance
     client.data_store.api_key.id
   end
 
-  def create_password_reset_token email
-    password_reset_tokens.create email: email
+  def create_password_reset_token(email, account_store: nil)
+    params = { email: email }
+    params[:account_store] = account_store_to_hash(account_store) if account_store
+    password_reset_tokens.create(params)
+  end
+
+  def account_store_to_hash(account_store)
+    case account_store
+    when Stormpath::Resource::Organization
+      { name_key: account_store.name_key }
+    when Stormpath::Resource::Group, Stormpath::Resource::Directory
+      { href: account_store.href }
+    when Hash
+      account_store
+    else
+      fail ArgumentError, 'Account store has to be passed either as an resource or a hash'
+    end
   end
 end

data/lib/stormpath-sdk/resource/directory.rb

@@ -40,4 +40,20 @@ class Stormpath::Resource::Directory < Stormpath::Resource::Instance
     provider = data_store.get_resource provider_href, clazz_proc
     instance_variable_set "@_provider", provider
   end
+
+  def provider_metadata
+    metadata_href = provider.service_provider_metadata["href"]
+    data_store.get_resource metadata_href, Stormpath::Provider::SamlProviderMetadata
+  end
+
+  def statement_mapping_rules
+    metadata_href = provider.attribute_statement_mapping_rules["href"]
+    data_store.get_resource metadata_href, Stormpath::Provider::SamlMappingRules
+  end
+
+  def create_attribute_mappings(mappings)
+    mappings.set_options(href: provider.attribute_statement_mapping_rules["href"])
+    data_store.create mappings.href, mappings, Stormpath::Provider::SamlMappingRules
+  end
 end
+

data/lib/stormpath-sdk/version.rb

@@ -14,6 +14,6 @@
 # limitations under the License.
 #
 module Stormpath
-  VERSION = '1.0.1'
-  VERSION_DATE = '2016-02-16'
+  VERSION = '1.1.0'
+  VERSION_DATE = '2016-05-11'
 end

data/spec/client_spec.rb

@@ -12,17 +12,20 @@ describe Stormpath::Client, :vcr do
       end
     end
 
+    let(:api_key_and_secret_properties) do
+      <<-properties
+        apiKey.id=#{test_api_key_id}
+        apiKey.secret=#{test_api_key_secret}
+      properties
+    end
+
     context 'given a hash' do
       context 'with an api key file location', 'that points to a remote file' do
         let(:api_key_file_location) { 'http://fake.server.com/apiKey.properties' }
         let(:client) { Stormpath::Client.new(api_key_file_location: api_key_file_location) }
 
         before do
-          stub_request(:any, api_key_file_location).to_return(body:<<properties
-apiKey.id=#{test_api_key_id}
-apiKey.secret=#{test_api_key_secret}
-properties
-                                                              )
+          stub_request(:any, api_key_file_location).to_return(body: api_key_and_secret_properties)
         end
 
         it_behaves_like 'a valid client'
@@ -224,11 +227,7 @@ properties
         end
 
         before do
-          stub_request(:any, api_key_file_location).to_return(body:<<properties
-apiKey.id=#{test_api_key_id}
-apiKey.secret=#{test_api_key_secret}
-properties
-)
+          stub_request(:any, api_key_file_location).to_return(body: api_key_and_secret_properties)
           data_store = client.instance_variable_get '@data_store'
           cache_manager = data_store.cache_manager
           @directories_cache = cache_manager.get_cache 'directories'
@@ -397,13 +396,11 @@ properties
           expect(groups_cache_summary).to eq [2, 1, 0, 0, 2]
         end
       end
-
     end
 
     context 'search' do
-
       let(:first_application_name) { random_application_name(1) }
-      let(:second_application_name ) { random_application_name(2) }
+      let(:second_application_name) { random_application_name(2) }
 
       let!(:applications) do
         [
@@ -628,6 +625,104 @@ properties
     end
   end
 
+  describe '#organization' do
+    context 'search' do
+      let(:organization_name) { random_organization_name }
+
+      let!(:organization) do
+        test_api_client.organizations.create(
+          name: organization_name,
+          name_key: "testorganization"
+        )
+      end
+
+      context 'by any attribute' do
+        let(:search_results) do
+          test_api_client.organizations.search(organization_name)
+        end
+
+        it 'returns the application' do
+          expect(search_results.count).to eq 1
+        end
+      end
+
+      context 'by an explicit attribute' do
+        let(:search_results) do
+          test_api_client.organizations.search(name: random_organization_name)
+        end
+
+        it 'returns the application' do
+          expect(search_results.count).to eq 1
+        end
+      end
+
+      after { organization.delete }
+    end
+
+    context 'given a collection' do
+      let(:organization) do
+        test_api_client.organizations.create(
+            name: random_organization_name,
+            name_key: random_name_key,
+            description: 'A test description'
+        )
+      end
+
+      it 'returns the collection' do
+        expect(test_api_client.organizations).to be_kind_of(Stormpath::Resource::Collection)
+        expect(test_api_client.organizations.count).to be >= 1
+      end
+
+      after { organization.delete }
+    end
+
+    context 'given a collection with a limit' do
+      let!(:organization_1) do
+        test_api_client.organizations.create name: random_organization_name(1), name_key: random_name_key(1)
+      end
+
+      let!(:organization_2) do
+        test_api_client.organizations.create name: random_organization_name(2), name_key: random_name_key(2)
+      end
+
+      after do
+        organization_1.delete
+        organization_2.delete
+      end
+
+      it 'should retrieve the number of organizations described with the limit' do
+        expect(test_api_client.organizations.count).to be >= 2
+      end
+    end
+
+    describe '.create' do
+      let(:organization_name) { random_organization_name }
+
+      let(:organization_attributes) do
+        {
+          name: organization_name,
+          name_key: random_name_key,
+          description: 'A test description'
+        }
+      end
+
+      let(:organization) do
+        test_api_client.organizations.create organization_attributes
+      end
+
+      it 'creates an organization' do
+        expect(organization).to be
+        expect(organization.name).to eq(organization_attributes[:name])
+        expect(organization.name_key).to eq(organization_attributes[:name_key])
+        expect(organization.description).to eq(organization_attributes[:description])
+      end
+
+      after do
+        organization.delete
+      end
+    end
+  end
+
   describe "#organization_account_store_mappings" do
     let(:organization) do
       test_api_client.organizations.create name: 'test_organization',

data/spec/fixtures/response/create_saml_directory.json

@@ -0,0 +1,26 @@
+{
+  "href":"https://api.stormpath.com/v1/directories/2uH3tJWHS4ZE5R7gcOzmGn",
+  "name":"test_directory_",
+  "description":"description_for_some_test_directory",
+  "status":"ENABLED",
+  "createdAt":"2016-02-05T11:48:28.970Z",
+  "modifiedAt":"2016-02-05T11:48:28.970Z",
+  "tenant":{"href":"https://api.stormpath.com/v1/tenants/3BoGKJZ6kwMlIqWCIYf8hr"},
+  "provider":{
+    "href":"https://api.stormpath.com/v1/directories/2uH3tJWHS4ZE5R7gcOzmGn/provider",
+    "provider_id": "saml",
+    "sso_login_url": "https://yourIdp.com/saml2/sso/login",
+    "sso_logout_url": "https://yourIdp.com/saml2/sso/logout",
+    "encoded_x509_signing_cert": "-----BEGIN CERTIFICATE-----\n...Certificate goes here...\n-----END CERTIFICATE-----",
+    "request_signature_algorithm": "RSA-SHA256"
+  },
+  "customData":{"href":"https://api.stormpath.com/v1/directories/2uH3tJWHS4ZE5R7gcOzmGn/customData"},
+  "passwordPolicy":{"href":"https://api.stormpath.com/v1/passwordPolicies/2uH3tJWHS4ZE5R7gcOzmGn"},
+  "accountCreationPolicy":{"href":"https://api.stormpath.com/v1/accountCreationPolicies/2uH3tJWHS4ZE5R7gcOzmGn"},
+  "accounts":{"href":"https://api.stormpath.com/v1/directories/2uH3tJWHS4ZE5R7gcOzmGn/accounts"},
+  "applicationMappings":{"href":"https://api.stormpath.com/v1/directories/2uH3tJWHS4ZE5R7gcOzmGn/applicationMappings"},
+  "applications":{"href":"https://api.stormpath.com/v1/directories/2uH3tJWHS4ZE5R7gcOzmGn/applications"},
+  "groups":{"href":"https://api.stormpath.com/v1/directories/2uH3tJWHS4ZE5R7gcOzmGn/groups"},
+  "organizations":{"href":"https://api.stormpath.com/v1/directories/2uH3tJWHS4ZE5R7gcOzmGn/organizations"},
+  "organizationMappings":{"href":"https://api.stormpath.com/v1/directories/2uH3tJWHS4ZE5R7gcOzmGn/organizationMappings"}
+}

data/spec/fixtures/response/create_saml_directory_mapping_rules.json

@@ -0,0 +1,12 @@
+{
+  "href": "https://api.stormpath.com/v1/attributeStatementMappingRules/5Gd35dLZfFI1DB29xA6ZMe",
+  "createdAt": "2016-01-27T09:52:28.564Z",
+  "modifiedAt": "2016-02-29T12:58:50.496Z",
+  "items": [
+    {
+      "name": "uid4", 
+      "name_format": "nil",
+      "account_attributes": ["username"]
+    }
+  ]
+}

data/spec/fixtures/response/get_saml_directory_provider.json

@@ -0,0 +1,16 @@
+{
+  "href": "https://api.stormpath.com/v1/directories/5GbnGg4HIqoFdlRjHndYQC/provider",
+  "createdAt": "2016-01-27T09:52:32.850Z",
+  "modifiedAt": "2016-01-27T09:52:32.850Z",
+  "providerId": "saml",
+  "ssoLoginUrl": "https://yourIdp.com/saml2/sso/login",
+  "ssoLogoutUrl": "https://yourIdp.com/saml2/sso/logout",
+  "encoded_x509_signing_cert": "-----BEGIN CERTIFICATE-----\n...Certificate goes here...\n-----END CERTIFICATE-----",
+  "requestSignatureAlgorithm": "RSA-SHA256",
+  "attributeStatementMappingRules": { 
+    "href": "https://api.stormpath.com/v1/attributeStatementMappingRules/5Gd35dLZfFI1DB29xA6ZMe" 
+  },
+  "serviceProviderMetadata": { 
+    "href": "https://api.stormpath.com/v1/samlServiceProviderMetadatas/5LRVP0EMfrpHYijuqgCUAq" 
+  }
+}

data/spec/fixtures/response/get_saml_directory_provider_metadata.json

@@ -0,0 +1,12 @@
+{
+  "href": "https://api.stormpath.com/v1/samlServiceProviderMetadatas/5LRVP0EMfrpHYijuqgCUAq",
+  "createdAt": "2016-01-27T09:52:32.844Z",
+  "modifiedAt": "2016-01-27T09:52:32.844Z",
+  "entityId": "urn:stormpath:directory:5GbnGg4HIqoFdlRjHndYQC:provider:sp",
+  "assertionConsumerServicePostEndpoint": { 
+    "href": "https://api.stormpath.com/v1/directories/5GbnGg4HIqoFdlRjHndYQC/saml/sso/post" 
+  },
+  "x509SigningCert": { 
+    "href": "https://api.stormpath.com/v1/x509certificates/5LR5SeoE66qXOAfB1lRqYK" 
+  }
+}

data/spec/resource/application_spec.rb

@@ -99,6 +99,18 @@ describe Stormpath::Resource::Application, :vcr do
 
   end
 
+  describe 'edit authorized_callback_uris' do
+    let(:authorized_callback_uris) { ["https://myapplication.com/whatever/callback", "https://myapplication.com/whatever/callback2"] }
+
+    it 'changes authorized callback uris on application' do
+      application.authorized_callback_uris = authorized_callback_uris
+      response = application.save
+
+      expect(response).to eq application 
+      #expect(application.authorized_callback_uris).to eq(authorized_callback_uris)
+    end
+  end
+
 
   describe '#create_account' do
     let(:account) do
@@ -122,7 +134,7 @@ describe Stormpath::Resource::Application, :vcr do
 
     context 'without registration workflow' do
       it 'creates an account with workflow disabled' do
-        response = application.create_account account 
+        response = application.create_account account
 
         expect(response).to be_kind_of Stormpath::Resource::Account
         expect(response.email).to eq(account.email)
@@ -243,14 +255,12 @@ describe Stormpath::Resource::Application, :vcr do
 
   describe '#send_password_reset_email' do
     context 'given an email' do
-      context 'of an exisiting account on the application' do
+      context 'of an existing account on the application' do
         let(:account) { directory.accounts.create build_account  }
 
         let(:sent_to_account) { application.send_password_reset_email account.email }
 
-        after do
-          account.delete if account
-        end
+        after { account.delete if account }
 
         it 'sends a password reset request of the account' do
           expect(sent_to_account).to be
@@ -259,6 +269,27 @@ describe Stormpath::Resource::Application, :vcr do
         end
       end
 
+      context 'of an existing account not mapped to the application' do
+        let(:account) { other_directory.accounts.create build_account  }
+
+        let(:other_directory) do
+          test_api_client.directories.create(
+            name: random_directory_name('password_reset_account_store_href')
+          )
+        end
+
+        after do
+          account.delete
+          other_directory.delete
+        end
+
+        it 'sends a password reset request of the account' do
+          expect do
+            application.send_password_reset_email account.email
+          end.to raise_error Stormpath::Error
+        end
+      end
+
       context 'of a non exisitng account' do
         it 'raises an exception' do
           expect do
@@ -266,6 +297,224 @@ describe Stormpath::Resource::Application, :vcr do
           end.to raise_error Stormpath::Error
         end
       end
+
+      context 'of an existing account on the application with an account store href' do
+        let(:account) { directory.accounts.create build_account  }
+
+        let(:sent_to_account) do
+          application.send_password_reset_email(account.email, account_store: { href: directory.href })
+        end
+
+        after { account.delete if account }
+
+        it 'sends a password reset request of the account' do
+          expect(sent_to_account).to be
+          expect(sent_to_account).to be_kind_of Stormpath::Resource::Account
+          expect(sent_to_account.email).to eq(account.email)
+        end
+      end
+
+      context 'of an existing account on the application with an account store resource object' do
+        let(:account) { directory.accounts.create build_account  }
+
+        let(:sent_to_account) do
+          application.send_password_reset_email(account.email, account_store: directory)
+        end
+
+        after { account.delete if account }
+
+        it 'sends a password reset request of the account' do
+          expect(sent_to_account).to be
+          expect(sent_to_account).to be_kind_of Stormpath::Resource::Account
+          expect(sent_to_account.email).to eq(account.email)
+        end
+      end
+
+      context 'of an existing account not mapped to the application with an account store href' do
+        let(:account) { directory.accounts.create build_account  }
+
+        let(:other_directory) do
+          test_api_client.directories.create(
+            name: random_directory_name('password_reset_account_store_href'),
+            description: 'abc'
+          )
+        end
+
+        after do
+          account.delete
+          other_directory.delete
+        end
+
+        it 'sends a password reset request of the account' do
+          expect do
+            application.send_password_reset_email(account.email, account_store: { href: other_directory.href })
+          end.to raise_error Stormpath::Error
+        end
+      end
+
+      context 'of an existing account on the application with a non existant account store organization namekey' do
+        let(:account) { directory.accounts.create build_account  }
+
+        after do
+          account.delete
+        end
+
+        it 'sends a password reset request of the account' do
+          expect do
+            application.send_password_reset_email(account.email, account_store: { name_key: "NoKey" })
+          end.to raise_error Stormpath::Error
+        end
+      end
+
+      context 'of an existing account on the application with a right account store organization namekey' do
+        let(:account) { account_directory.accounts.create build_account  }
+
+        let(:account_directory) do
+          test_api_client.directories.create(
+            name: random_directory_name('password_reset_account_store_href')
+          )
+        end
+
+        let(:reloaded_account_directory) do
+          test_api_client.directories.get(account_directory.href)
+        end
+
+        let(:organization_name_key) { "#{random_string}-org-name-key" }
+
+        let(:organization) do
+          test_api_client.organizations.create(
+            name: "#{random_string}_organization_name",
+            name_key: organization_name_key
+          )
+        end
+
+        let(:sent_to_account) do
+          application.send_password_reset_email(account.email, account_store: { name_key: organization.name_key })
+        end
+
+        after do
+          account.delete
+          organization.delete
+          reloaded_account_directory.delete
+        end
+
+        before do
+          test_api_client.organization_account_store_mappings.create(
+            account_store: { href: account_directory.href },
+            organization: { href: organization.href }
+          )
+
+          test_api_client.account_store_mappings.create(application: application, account_store: organization)
+        end
+
+        it 'sends a password reset request of the account' do
+          expect(sent_to_account).to be
+          expect(sent_to_account).to be_kind_of Stormpath::Resource::Account
+          expect(sent_to_account.email).to eq(account.email)
+        end
+      end
+
+      context 'of an existing account on the application with a right account store organization resource object' do
+        let(:account) { account_directory.accounts.create build_account  }
+
+        let(:account_directory) do
+          test_api_client.directories.create(
+            name: random_directory_name('password_reset_account_store_href')
+          )
+        end
+
+        let(:reloaded_account_directory) do
+          test_api_client.directories.get(account_directory.href)
+        end
+
+        let(:organization_name_key) { "#{random_string}-org-name-key" }
+
+        let(:organization) do
+          test_api_client.organizations.create(
+            name: "#{random_string}_organization_name",
+            name_key: organization_name_key
+          )
+        end
+
+        let(:sent_to_account) do
+          application.send_password_reset_email(account.email, account_store: organization)
+        end
+
+        after do
+          account.delete
+          organization.delete
+          reloaded_account_directory.delete
+        end
+
+        before do
+          test_api_client.organization_account_store_mappings.create(
+            account_store: { href: account_directory.href },
+            organization: { href: organization.href }
+          )
+
+          test_api_client.account_store_mappings.create(application: application, account_store: organization)
+        end
+
+        it 'sends a password reset request of the account' do
+          expect(sent_to_account).to be
+          expect(sent_to_account).to be_kind_of Stormpath::Resource::Account
+          expect(sent_to_account.email).to eq(account.email)
+        end
+      end
+
+      context 'of an existing account on the application with a wrong account store organization namekey' do
+        let(:account) { account_directory.accounts.create build_account  }
+
+        let(:account_directory) do
+          test_api_client.directories.create(
+            name: random_directory_name('password_reset_account_store_href')
+          )
+        end
+
+        let(:reloaded_account_directory) do
+          test_api_client.directories.get(account_directory.href)
+        end
+
+        let(:organization_name_key) { "#{random_string}-org-name-key" }
+
+        let(:other_organization_name_key) { "#{random_string}-other-org-name-key" }
+
+        let(:organization) do
+          test_api_client.organizations.create(
+            name: "#{random_string}_organization_name",
+            name_key: organization_name_key
+          )
+        end
+
+        let(:other_organization) do
+          test_api_client.organizations.create(
+            name: "#{random_string}_other_organization_name",
+            name_key: other_organization_name_key
+          )
+        end
+
+        after do
+          account.delete
+          organization.delete
+          other_organization.delete
+          reloaded_account_directory.delete
+        end
+
+        before do
+          test_api_client.organization_account_store_mappings.create(
+            account_store: { href: account_directory.href },
+            organization: { href: organization.href }
+          )
+
+          test_api_client.account_store_mappings.create(application: application, account_store: organization)
+        end
+
+        it 'sends a password reset request of the account' do
+          expect do
+            application.send_password_reset_email(account.email, account_store: { name_key: other_organization.name_key })
+          end.to raise_error Stormpath::Error
+        end
+      end
     end
   end
 
@@ -326,7 +575,7 @@ describe Stormpath::Resource::Application, :vcr do
       end
 
       it 'containes account data' do
-        expect(auth_request.account.href).to eq(account.href) 
+        expect(auth_request.account.href).to eq(account.href)
       end
     end
 
@@ -338,35 +587,131 @@ describe Stormpath::Resource::Application, :vcr do
         })
       end
 
-      let(:organization) do 
-        test_api_client.organizations.create name: 'test_organization',
-           name_key: "testorganization"
+      def create_application_account_store_mapping(application, account_store)
+        test_api_client.account_store_mappings.create(
+          application: application,
+          account_store: account_store
+        )
       end
 
-      let(:username_password_request) do
-        Stormpath::Authentication::UsernamePasswordRequest.new(
-          account.email,
-          "P@$$w0rd",
-          account_store: organization.name_key
-        )
+      let(:organization) do
+        test_api_client.organizations.create name: 'test_organization',
+           name_key: "testorganization"
       end
 
       let(:auth_request) { application.authenticate_account(username_password_request) }
 
       before do
         create_organization_account_store_mapping(organization, directory)
+        create_application_account_store_mapping(application, organization)
       end
 
       after do
         organization.delete if organization
       end
 
-      it 'returns login attempt response' do
-        expect(auth_request).to be_kind_of Stormpath::Authentication::AuthenticationResult
+      describe 'when sending the proper organization' do
+        describe 'using an organization name_key' do
+          let(:username_password_request) do
+            Stormpath::Authentication::UsernamePasswordRequest.new(
+              account.email, "P@$$w0rd",
+              account_store: { name_key: organization.name_key }
+            )
+          end
+
+          it 'returns login attempt response' do
+            expect(auth_request).to be_kind_of Stormpath::Authentication::AuthenticationResult
+          end
+
+          it 'containes account data' do
+            expect(auth_request.account.href).to eq(account.href)
+          end
+        end
+
+        describe 'using an organization href' do
+          let(:username_password_request) do
+            Stormpath::Authentication::UsernamePasswordRequest.new(
+              account.email, "P@$$w0rd",
+              account_store: { href: organization.href }
+            )
+          end
+
+          it 'returns login attempt response' do
+            expect(auth_request).to be_kind_of Stormpath::Authentication::AuthenticationResult
+          end
+
+          it 'containes account data' do
+            expect(auth_request.account.href).to eq(account.href)
+          end
+        end
+
+        describe 'using an organization object' do
+          let(:username_password_request) do
+            Stormpath::Authentication::UsernamePasswordRequest.new(
+              account.email, "P@$$w0rd",
+              account_store: organization
+            )
+          end
+
+          it 'returns login attempt response' do
+            expect(auth_request).to be_kind_of Stormpath::Authentication::AuthenticationResult
+          end
+
+          it 'containes account data' do
+            expect(auth_request.account.href).to eq(account.href)
+          end
+        end
       end
 
-      it 'containes account data' do
-        expect(auth_request.account.href).to eq(account.href)
+      describe 'when sending the wrong organization' do
+        describe 'using an organization name_key' do
+          let(:username_password_request) do
+            Stormpath::Authentication::UsernamePasswordRequest.new(
+              account.email, "P@$$w0rd",
+              account_store: { name_key: 'wrong-name-key' }
+            )
+          end
+
+          it 'raises an error' do
+            expect { auth_request }.to raise_error(Stormpath::Error)
+          end
+        end
+
+        describe 'using an organization href' do
+          let(:username_password_request) do
+            Stormpath::Authentication::UsernamePasswordRequest.new(
+              account.email, "P@$$w0rd",
+              account_store: { href: other_organization.href }
+            )
+          end
+
+          let(:other_organization) do
+            test_api_client.organizations.create name: 'other_organization',
+               name_key: "other-organization"
+          end
+
+          it 'raises an error' do
+            expect { auth_request }.to raise_error(Stormpath::Error)
+          end
+        end
+
+        describe 'using an organization object' do
+          let(:username_password_request) do
+            Stormpath::Authentication::UsernamePasswordRequest.new(
+              account.email, "P@$$w0rd",
+              account_store: other_organization
+            )
+          end
+
+          let(:other_organization) do
+            test_api_client.organizations.create name: 'other_organization',
+               name_key: "other-organization"
+          end
+
+          it 'raises an error' do
+            expect { auth_request }.to raise_error(Stormpath::Error)
+          end
+        end
       end
     end
 
@@ -381,10 +726,10 @@ describe Stormpath::Resource::Application, :vcr do
       let(:auth_request) { application.authenticate_account(username_password_request) }
 
       it 'returns stormpath error' do
-        expect { 
-          auth_request 
+        expect {
+          auth_request
         }.to raise_error(Stormpath::Error)
-      end 
+      end
     end
   end
 
@@ -506,7 +851,7 @@ describe Stormpath::Resource::Application, :vcr do
           expect(error.message).to eq("The specified callback URI (cb_uri) is not valid")
           expect(error.developer_message).to eq("The specified callback URI (cb_uri) is not valid. Make sure the "\
             "callback URI specified in your ID Site configuration matches the value specified.")
-        end 
+        end
       end
     end
   end
@@ -632,7 +977,7 @@ describe Stormpath::Resource::Application, :vcr do
         }, test_api_key_secret, 'HS256')
       }
 
-      it 'should error with the stormpath error' do  
+      it 'should error with the stormpath error' do
         expect {
           application.handle_id_site_callback(callback_uri_base + jwt_token)
         }.to raise_error(Stormpath::Error)
@@ -676,7 +1021,7 @@ describe Stormpath::Resource::Application, :vcr do
       before do
         @site_result = application.handle_id_site_callback(callback_uri_base + jwt_token)
       end
-      
+
       it 'should return IdSiteResult object' do
         expect(@site_result).to be_kind_of(Stormpath::IdSite::IdSiteResult)
       end
@@ -691,7 +1036,7 @@ describe Stormpath::Resource::Application, :vcr do
     before do
       application.accounts.create account_data
     end
-  
+
     context 'generate access token' do
       let(:password_grant_request) { Stormpath::Oauth::PasswordGrantRequest.new account_data[:email], account_data[:password] }
       let(:authenticate_oauth) { application.authenticate_oauth(password_grant_request) }
@@ -741,7 +1086,7 @@ describe Stormpath::Resource::Application, :vcr do
           .and_return(Stormpath::Oauth::IdSiteGrant.new({}, application.client))
 
         grant_request = Stormpath::Oauth::IdSiteGrantRequest.new jwt_token
-        response = application.authenticate_oauth(grant_request) 
+        response = application.authenticate_oauth(grant_request)
 
         expect(response).to be(Stormpath::Resource::AccessToken)
       end
@@ -777,12 +1122,12 @@ describe Stormpath::Resource::Application, :vcr do
       end
 
       it 'returens success on valid token' do
-        expect(authenticate_oauth.href).not_to be_empty 
-        expect(authenticate_oauth.account).not_to be_empty 
-        expect(authenticate_oauth.application).not_to be_empty 
-        expect(authenticate_oauth.jwt).not_to be_empty 
-        expect(authenticate_oauth.tenant).not_to be_empty 
-        expect(authenticate_oauth.expanded_jwt).not_to be_empty 
+        expect(authenticate_oauth.href).not_to be_empty
+        expect(authenticate_oauth.account).not_to be_empty
+        expect(authenticate_oauth.application).not_to be_empty
+        expect(authenticate_oauth.jwt).not_to be_empty
+        expect(authenticate_oauth.tenant).not_to be_empty
+        expect(authenticate_oauth.expanded_jwt).not_to be_empty
       end
     end