Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix LogoutResponse issuer validation and implement SAML Response issuer validation. Related to Pull Request 116 #147

Merged
merged 11 commits into from
Oct 31, 2014
136 changes: 127 additions & 9 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ The Ruby SAML library is for implementing the client side of a SAML authorizatio

SAML authorization is a two step process and you are expected to implement support for both.

We created a demo project for Rails4 that uses the latest version of this library: [ruby-saml-example](https://github.com/onelogin/ruby-saml-example)

## The initialization phase

This is the first request you will get from the identity provider. It will hit your application at a specific URL (that you've announced as being your SAML initialization point). The response to this initialization, is a redirect back to the identity provider, which can look something like this (ignore the saml_settings method call for now):
Expand Down Expand Up @@ -43,7 +45,9 @@ def saml_settings

settings.assertion_consumer_service_url = "http://#{request.host}/saml/finalize"
settings.issuer = request.host
settings.idp_sso_target_url = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
settings.idp_entity_id = "https://app.onelogin.com/saml2/metadata/#{OneLoginAppId}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are you sure you want to show these URLs to the world?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not?, we want our customers uses the toolkit to connect OneLogin

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just double checking, you know better than me

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hey @pitbulk I don't think the endpoint is correct, it states /saml2/metadata/<app-id> which I don't see is being defined anywhere in our routes, in any case that would be /saml/metadata/<app-id> instead.
The ones below are correct, though

settings.idp_sso_target_url = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
settings.idp_slo_target_url = "https://app.onelogin.com/trust/saml2/http-redirect/slo/#{OneLoginAppId}"
settings.idp_cert_fingerprint = OneLoginAppCertFingerPrint
settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Optional for most SAML IdPs
Expand All @@ -67,13 +71,17 @@ class SamlController < ApplicationController
response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
response.settings = saml_settings

if response.is_valid? && user = current_account.users.find_by_email(response.name_id)
authorize_success(user)
# We validate the SAML Response and check if the user already exists in the system
if response.is_valid?
# session[:userid] = response.name_id
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are these commented out?

# session[:attributes] = response.attributes
authorize_success # Log the user
else
authorize_failure(user)
authorize_failure # This method show an error message
end
end


private

def saml_settings
Expand All @@ -90,18 +98,128 @@ class SamlController < ApplicationController
settings.attributes_index = 30

settings
end

end
```

If are using saml:AttributeStatement to transfare metadata, like the user name, you can access all the attributes through response.attributes. It
contains all the saml:AttributeStatement with its 'Name' as a indifferent key and the one saml:AttributeValue as value.
If are using saml:AttributeStatement to transfer metadata, like the user name, you can access all the attributes through response.attributes. It
contains all the saml:AttributeStatement with its 'Name' as a indifferent key and the one/more saml:AttributeValue as value.
The value returned is always an array of a single value or multiple values.

Imagine this saml:AttributeStatement

```
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should be XML formatted, currently no syntax highlighting is specified

<saml:AttributeStatement>
<saml:Attribute Name="username"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xsi:type="xs:string">jhonsmith</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="phone"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xsi:type="xs:string"></saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="memberOf"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
```

```ruby
response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
response.settings = saml_settings

response.attributes # is an OneLogin::RubySaml::Attributes object
#{"username"=>["jhonsmith"], "phone"=>[], "memberOf"=>["admin", "user"]}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

all your other comments came above the code, rather than under - lets keep this consistent, especially since this is documentation

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this case, the comments are exit of execute the above code.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

then follow the ruby convention of:

false.nil?
# => true

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I'm newbie in ruby, started to learn this week ;)


response.attributes[:username]
# "jhonsmith"

response.attributes[:memberOf]
# "admin"

response.attributes[:phone]
# nil

response.attributes.single(:memberOf)
"user"
(byebug) response.attributes.multi(:memberOf)
["user", "admin"]

```

## Single Log Out

Right now the Ruby Toolkit only supports SP-initiated Single Logout (The IdP-Initiated SLO will be supported soon).

Here is an example that we could add to our previous controller to generate and send a SAML Logout Request to the IdP

```ruby

# Create an SP initiated SLO
def sp_logout_request
# LogoutRequest accepts plain browser requests w/o paramters
settings = saml_settings

if settings.idp_slo_target_url.nil?
logger.info "SLO IdP Endpoint not found in settings, executing then a normal logout'"
delete_session
else

# Since we created a new SAML request, save the transaction_id
# to compare it with the response we get back
logout_request = OneLogin::RubySaml::Logoutrequest.new()
session[:transaction_id] = logout_request.uuid
logger.info "New SP SLO for userid '#{session[:userid]}' transactionid '#{session[:transaction_id]}'"

if settings.name_identifier_value.nil?
settings.name_identifier_value = session[:userid]
end

relayState = url_for controller: 'saml', action: 'index'
redirect_to(logout_request.create(settings, :RelayState => relayState))
end
end

```

and this method process the SAML Logout Response sent by the IdP as reply of the SAML Logout Request

```ruby

# After sending an SP initiated LogoutRequest to the IdP, we need to accept
# the LogoutResponse, verify it, then actually delete our session.
def logout_response
settings = Account.get_saml_settings

if session.has_key? :transation_id
logout_response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings, :matches_request_id => session[:transation_id])
else
logout_response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings)
end

logger.info "LogoutResponse is: #{logout_response.to_s}"

# Validate the SAML Logout Response
if not logout_response.validate
logger.error "The SAML Logout Response is invalid"
else
# Actually log out this session
if logout_response.success?
logger.info "Delete session for '#{session[:userid]}'"
delete_session
end
end
end

# Delete a user's session.
def delete_session
session[:userid] = nil
session[:attributes] = nil
end

```

## Service Provider Metadata
Expand Down
6 changes: 4 additions & 2 deletions lib/onelogin/ruby-saml/logoutresponse.rb
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ def initialize(response, settings = nil, options = {})

@options = options
@response = decode_raw_response(response)
@document = XMLSecurity::SignedDocument.new(response)
@document = XMLSecurity::SignedDocument.new(@response)
end

def validate!
Expand Down Expand Up @@ -139,7 +139,9 @@ def valid_in_response_to?(soft = true)
end

def valid_issuer?(soft = true)
unless URI.parse(issuer) == URI.parse(self.settings.issuer)
return true if self.settings.idp_entity_id.nil?

unless URI.parse(issuer) == URI.parse(self.settings.idp_entity_id)
return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.issuer}>, but was: <#{issuer}>")
end
true
Expand Down
10 changes: 10 additions & 0 deletions lib/onelogin/ruby-saml/response.rb
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,7 @@ def validate(soft = true)
validate_structure(soft) &&
validate_response_state(soft) &&
validate_conditions(soft) &&
validate_issuer(soft) &&
document.validate_document(get_fingerprint, soft) &&
success?
end
Expand Down Expand Up @@ -192,6 +193,15 @@ def validate_conditions(soft = true)
true
end

def validate_issuer(soft = true)
return true if settings.idp_entity_id.nil?

unless URI.parse(issuer) == URI.parse(settings.idp_entity_id)
return soft ? false : validation_error("Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>")
end
true
end

def parse_time(node, attribute)
if node && node.attributes[attribute]
Time.parse(node.attributes[attribute])
Expand Down
2 changes: 1 addition & 1 deletion lib/onelogin/ruby-saml/settings.rb
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ def initialize(overrides = {})
end
end
attr_accessor :assertion_consumer_service_url, :issuer, :sp_name_qualifier
attr_accessor :idp_sso_target_url, :idp_cert_fingerprint, :idp_cert, :name_identifier_format
attr_accessor :idp_entity_id, :idp_sso_target_url, :idp_cert_fingerprint, :idp_cert, :name_identifier_format
attr_accessor :authn_context
attr_accessor :idp_slo_target_url
attr_accessor :name_identifier_value
Expand Down