Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Difficulty setting WantAssertionsSigned in metadata.xml endpoint #306

Closed
vincentwoo opened this issue Mar 4, 2016 · 3 comments
Closed

Difficulty setting WantAssertionsSigned in metadata.xml endpoint #306

vincentwoo opened this issue Mar 4, 2016 · 3 comments

Comments

@vincentwoo
Copy link
Contributor

ruby-saml tries to decide whether it should set WantsAssertionsSigned on [https://github.com/onelogin/ruby-saml/blob/37368619bf04cfccad9634e79c98e5b9b38d980d/lib/onelogin/ruby-saml/metadata.rb#L33](this line of code). However, the rub here is that it requires idp_cert to be set. If you are writing a SP that integrates with multiple IDPs, it doesn't really make sense for your metadata endpoint (which usually looks something like):

 def metadata
    settings = saml_settings
    meta = OneLogin::RubySaml::Metadata.new
   ...

to know anything about any IDPs at this point in the code flow. Can you let saml-ruby users just say whether they want incoming assertions signed?
@pitbulk
Copy link
Collaborator

pitbulk commented Mar 4, 2016

A settings.security[:want_assertions_signed] could be added.
Can you provide a PR that includes:

  • this new setting value (if not set, maintain old behavior)
  • A new validator at the response.RB that invalidates any SAMLResponse with no Assertion signed when want_assertion_signed setting active.
  • Unit test

@vincentwoo
Copy link
Contributor Author

No, but can you?

@pitbulk
Copy link
Collaborator

pitbulk commented Mar 4, 2016

I will add this to the pending tasks queue, but can't give you an ETA.

alex-wood added a commit to alex-wood/ruby-saml that referenced this issue Apr 26, 2016
@alex-wood
Merge remote-tracking branch 'onelogin/master'
9847ff6 
* onelogin/master:
  Explictly state Ruby 2.0.x support
  Related to PR SAML-Toolkits#269
  Fix SAML-Toolkits#299
  Fix SAML-Toolkits#306. Support WantAssertionsSigned
  Use settings.idp_cert_fingerprint_algorithm in idp_metadata_parser for fingerprint instead of SHA1
  Implement binding parsing in idp_metadata_parser
kerlin added a commit to kerlin/rack-saml that referenced this issue Jun 21, 2022
@kerlin
Additional settings in onelogin_setting.rb
e13b9fb 
Adding setting to agree with changes in ruby-saml 1.3.1 and later. See SAML-Toolkits/ruby-saml#306 and SAML-Toolkits/ruby-saml@6c54131
Previously, settings.security[:want_assertions_signed] was set to true by ruby-saml/metadata.rb when the metadata.yml contained an idp certificate. Now set in rack-saml.yml with want_assertions_signed: true
Also passing the setting :authn_requests_signed
@kerlin kerlin mentioned this issue Jun 21, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pitbulk @vincentwoo