Commit
Merge pull request #152 from onelogin/contextauth
Fix the PR #99
pitbulk committed Oct 31, 2014
2 parents 05e22f0 + 5050ac8 commit 5143b44
Showing 5 changed files with 67 additions and 24 deletions.
5 changes: 4 additions & 1 deletion README.md
@@ -154,7 +154,7 @@ The following attributes are set:
* idp_slo_target_url
* id_cert_fingerpint

If are using saml:AttributeStatement to transfer metadata, like the user name, you can access all the attributes through response.attributes. It contains all the saml:AttributeStatement with its 'Name' as a indifferent key and the one saml:AttributeValue as value.
If are using saml:AttributeStatement to transfer metadata, like the user name, you can access all the attributes through `response.attributes`. It contains all the saml:AttributeStatement with its 'Name' as a indifferent key and the one saml:AttributeValue as value.

```ruby
response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
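Review bot: since this README line is being touched anyway (the backticks around `response.attributes` are the right call for a code identifier), fix the two grammar slips that survive in it: "If are using" should read "If you are using", and "a indifferent key" should be "an indifferent key".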
@@ -263,6 +263,9 @@ pp(response.attributes.multi(:not_exists))
# => nil
```

The saml:AuthnContextClassRef of the AuthNRequest can be provided by `settings.authn_context` , possible values are described at [SAMLAuthnCxt]. The comparison method can be set using the parameter `settings.authn_context_comparison` (the possible values are: 'exact', 'better', 'maximum' and 'minimum'), 'exact' is the default value.
+If we want to add a saml:AuthnContextDeclRef, define a `settings.authn_context_decl_ref`.

## Service Provider Metadata

To form a trusted pair relationship with the IdP, the SP (you) need to provide metadata XML
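Review bot: the new saml:AuthnContextDeclRef sentence should say how the setting interacts with `settings.authn_context` and `settings.authn_context_comparison`; per the authrequest.rb change in this same PR, a samlp:RequestedAuthnContext element is emitted when either `settings.authn_context` or `settings.authn_context_decl_ref` is set, and the comparison value applies to both. Reword "define a `settings.authn_context_decl_ref`" to "set `settings.authn_context_decl_ref`", and add that the comparison values listed in the previous sentence are the only ones accepted by the SAML 2.0 schema and that the library does not validate them, so a typo ends up verbatim in the AuthnRequest.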
33 changes: 24 additions & 9 deletions lib/onelogin/ruby-saml/authrequest.rb
@@ -68,19 +68,34 @@ def create_authentication_xml_doc(settings)
}
end

# BUG fix here -- if an authn_context is defined, add the tags with an "exact"
# match required for authentication to succeed. If this is not defined,
# the IdP will choose default rules for authentication. (Shibboleth IdP)
if settings.authn_context != nil
if settings.authn_context || settings.authn_context_decl_ref

if settings.authn_context_comparison != nil
comparison = settings.authn_context_comparison
else
comparison = 'exact'
end

requested_context = root.add_element "samlp:RequestedAuthnContext", {
"xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
"Comparison" => "exact",
}
class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
"xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
"Comparison" => comparison,
}
class_ref.text = settings.authn_context

if settings.authn_context != nil
class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
"xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
}
class_ref.text = settings.authn_context
end
# add saml:AuthnContextDeclRef element
if settings.authn_context_decl_ref != nil
class_ref = requested_context.add_element "saml:AuthnContextDeclRef", {
"xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
}
class_ref.text = settings.authn_context_decl_ref
end
end

request_doc
end

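Review bot: `comparison = settings.authn_context_comparison` passes any string straight into the Comparison attribute of samlp:RequestedAuthnContext without checking it against the four values the README documents ('exact', 'minimum', 'maximum', 'better'), which are the only ones the SAML 2.0 protocol schema allows; the test added in this PR even sends 'minimun'. Validate before building the element, e.g. `raise ArgumentError, "invalid authn_context_comparison" unless %w[exact minimum maximum better].include?(comparison)`, so a misconfigured SP fails locally instead of producing a schema-invalid AuthnRequest that the IdP rejects. Two smaller points: the "BUG fix here ... with an "exact" match required" comment above is now stale because the comparison is configurable, and the second `class_ref` variable holds a saml:AuthnContextDeclRef element, so `decl_ref` would be the clearer name.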
13 changes: 0 additions & 13 deletions lib/onelogin/ruby-saml/logoutrequest.rb
@@ -62,19 +62,6 @@ def create_unauth_xml_doc(settings, params)
sessionindex.text = settings.sessionindex
end

# BUG fix here -- if an authn_context is defined, add the tags with an "exact"
# match required for authentication to succeed. If this is not defined,
# the IdP will choose default rules for authentication. (Shibboleth IdP)
if settings.authn_context != nil
requested_context = root.add_element "samlp:RequestedAuthnContext", {
"xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
"Comparison" => "exact",
}
class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
"xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
}
class_ref.text = settings.authn_context
end
request_doc
end
end
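Review bot: removing this block is a correctness fix, not just cleanup: samlp:RequestedAuthnContext is defined as a child of samlp:AuthnRequest only, so a samlp:LogoutRequest carrying it was schema-invalid. Because `settings.authn_context` no longer influences logout at all, the commit message or changelog should say so, and the LogoutRequest test should assert that the element is absent even when `settings.authn_context` is set, so it does not creep back in.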
4 changes: 3 additions & 1 deletion lib/onelogin/ruby-saml/settings.rb
@@ -10,7 +10,6 @@ def initialize(overrides = {})
end
attr_accessor :assertion_consumer_service_url, :issuer, :sp_name_qualifier
attr_accessor :idp_sso_target_url, :idp_cert_fingerprint, :idp_cert, :name_identifier_format
attr_accessor :authn_context
attr_accessor :idp_slo_target_url
attr_accessor :name_identifier_value
attr_accessor :sessionindex
@@ -21,6 +20,9 @@ def initialize(overrides = {})
attr_accessor :protocol_binding
attr_accessor :attributes_index
attr_accessor :force_authn
attr_accessor :authn_context
attr_accessor :authn_context_comparison
attr_accessor :authn_context_decl_ref

private

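Review bot: `attr_accessor :authn_context_comparison` has no default here; the 'exact' fallback lives in authrequest.rb, so `settings.authn_context_comparison` reads back nil even though the request will be built with 'exact'. Consider initialising it to 'exact' in `initialize` (or documenting the nil-means-exact behaviour next to the accessor) so the Settings object reflects what is actually sent. Moving `attr_accessor :authn_context` next to the two new accessors is fine.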
36 changes: 36 additions & 0 deletions test/request_test.rb
@@ -142,5 +142,41 @@ class RequestTest < Test::Unit::TestCase
assert auth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
end
end

should "create the saml:AuthnContextClassRef element correctly" do
settings = OneLogin::RubySaml::Settings.new
settings.idp_sso_target_url = "http://example.com"
settings.authn_context = 'secure/name/password/uri'
auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
assert auth_doc.to_s =~ /<saml:AuthnContextClassRef[\S ]+>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
end

should "create the saml:AuthnContextClassRef with comparison exact" do
settings = OneLogin::RubySaml::Settings.new
settings.idp_sso_target_url = "http://example.com"
settings.authn_context = 'secure/name/password/uri'
auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
assert auth_doc.to_s =~ /<samlp:RequestedAuthnContext[\S ]+Comparison='exact'/
assert auth_doc.to_s =~ /<saml:AuthnContextClassRef[\S ]+>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
end

should "create the saml:AuthnContextClassRef with comparison minimun" do
settings = OneLogin::RubySaml::Settings.new
settings.idp_sso_target_url = "http://example.com"
settings.authn_context = 'secure/name/password/uri'
settings.authn_context_comparison = 'minimun'
auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
assert auth_doc.to_s =~ /<samlp:RequestedAuthnContext[\S ]+Comparison='minimun'/
assert auth_doc.to_s =~ /<saml:AuthnContextClassRef[\S ]+>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
end

should "create the saml:AuthnContextDeclRef element correctly" do
settings = OneLogin::RubySaml::Settings.new
settings.idp_sso_target_url = "http://example.com"
settings.authn_context_decl_ref = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef[\S ]+>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextDeclRef>/
end

end
end
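Review bot: the test "create the saml:AuthnContextClassRef with comparison minimun" sets `settings.authn_context_comparison = 'minimun'` and asserts the same misspelling in the output; 'minimun' is not a valid Comparison value (the README and the SAML 2.0 schema say 'minimum'), so the test passes only because authrequest.rb does no validation. Change both occurrences to 'minimum', and if validation is added, add a test that an invalid value raises. Two gaps remain: nothing covers the new `||` condition, i.e. that samlp:RequestedAuthnContext with Comparison='exact' is emitted, without a saml:AuthnContextClassRef child, when only `settings.authn_context_decl_ref` is set; and nothing asserts the element is absent when neither setting is set. Also, the DeclRef test uses `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`, which is an AuthnContext class URI rather than a declaration reference; it works as an opaque string, but a value that does not look like a class ref would read less confusingly.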
