Fix the PR #99

Author: pitbulk

README.md

@@ -104,6 +104,10 @@ response.settings = saml_settings
 response.attributes[:username]
 ```
 
+The saml:AuthnContextClassRef of the AuthNRequest can be provided by settings.authn_context , possible values are described at [SAMLAuthnCxt]. The comparison method can be set using the parameter settings.authn_context_comparison (the possible values are: 'exact', 'better', 'maximum' and 'minimum'), 'exact' is the default value.
+If we want to add a saml:AuthnContextDeclRef, define a settings.authn_context_decl_ref
+
+
 ## Service Provider Metadata
 
 To form a trusted pair relationship with the IdP, the SP (you) need to provide metadata XML

lib/onelogin/ruby-saml/authrequest.rb

@@ -66,19 +66,34 @@ def create_authentication_xml_doc(settings)
           }
         end
 
-        # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
-        # match required for authentication to succeed.  If this is not defined,
-        # the IdP will choose default rules for authentication.  (Shibboleth IdP)
-        if settings.authn_context != nil
+        if settings.authn_context || settings.authn_context_decl_ref
+
+          if settings.authn_context_comparison != nil
+            comparison = settings.authn_context_comparison
+          else
+            comparison = 'exact'
+          end
+
           requested_context = root.add_element "samlp:RequestedAuthnContext", {
             "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
-            "Comparison" => "exact",
-          }
-          class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
-            "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+            "Comparison" => comparison,
           }
-          class_ref.text = settings.authn_context
+
+          if settings.authn_context != nil
+            class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
+              "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+            }
+            class_ref.text = settings.authn_context
+          end
+          # add saml:AuthnContextDeclRef element
+          if settings.authn_context_decl_ref != nil
+            class_ref = requested_context.add_element "saml:AuthnContextDeclRef", {
+              "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+            }
+            class_ref.text = settings.authn_context_decl_ref
+          end
         end
+
         request_doc
       end
 

lib/onelogin/ruby-saml/logoutrequest.rb

@@ -62,19 +62,6 @@ def create_unauth_xml_doc(settings, params)
           sessionindex.text = settings.sessionindex
         end
 
-        # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
-        # match required for authentication to succeed.  If this is not defined,
-        # the IdP will choose default rules for authentication.  (Shibboleth IdP)
-        if settings.authn_context != nil
-          requested_context = root.add_element "samlp:RequestedAuthnContext", {
-              "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
-              "Comparison" => "exact",
-          }
-          class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
-              "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
-          }
-          class_ref.text = settings.authn_context
-        end
         request_doc
       end
     end

lib/onelogin/ruby-saml/settings.rb

@@ -10,7 +10,6 @@ def initialize(overrides = {})
       end
       attr_accessor :assertion_consumer_service_url, :issuer, :sp_name_qualifier
       attr_accessor :idp_sso_target_url, :idp_cert_fingerprint, :idp_cert, :name_identifier_format
-      attr_accessor :authn_context
       attr_accessor :idp_slo_target_url
       attr_accessor :name_identifier_value
       attr_accessor :sessionindex
@@ -21,6 +20,9 @@ def initialize(overrides = {})
       attr_accessor :protocol_binding
       attr_accessor :attributes_index
       attr_accessor :force_authn
+      attr_accessor :authn_context
+      attr_accessor :authn_context_comparison
+      attr_accessor :authn_context_decl_ref
 
       private
 

test/request_test.rb

@@ -142,5 +142,41 @@ class RequestTest < Test::Unit::TestCase
         assert auth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
       end
     end
+
+    should "create the saml:AuthnContextClassRef element correctly" do
+      settings = OneLogin::RubySaml::Settings.new
+      settings.idp_sso_target_url = "http://example.com"
+      settings.authn_context = 'secure/name/password/uri'
+      auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+      assert auth_doc.to_s =~ /<saml:AuthnContextClassRef[\S ]+>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
+    end
+
+    should "create the saml:AuthnContextClassRef with comparison exact" do
+      settings = OneLogin::RubySaml::Settings.new
+      settings.idp_sso_target_url = "http://example.com"
+      settings.authn_context = 'secure/name/password/uri'
+      auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+      assert auth_doc.to_s =~ /<samlp:RequestedAuthnContext Comparison='exact'/
+      assert auth_doc.to_s =~ /<saml:AuthnContextClassRef[\S ]+>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
+    end
+
+    should "create the saml:AuthnContextClassRef with comparison minimun" do
+      settings = OneLogin::RubySaml::Settings.new
+      settings.idp_sso_target_url = "http://example.com"
+      settings.authn_context = 'secure/name/password/uri'
+      settings.authn_context_comparison = 'minimun'
+      auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+      assert auth_doc.to_s =~ /<samlp:RequestedAuthnContext Comparison='minimun'/
+      assert auth_doc.to_s =~ /<saml:AuthnContextClassRef[\S ]+>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
+    end
+
+    should "create the saml:AuthnContextDeclRef element correctly" do
+      settings = OneLogin::RubySaml::Settings.new
+      settings.idp_sso_target_url = "http://example.com"
+      settings.authn_context_decl_ref = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
+      auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+      assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef[\S ]+>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextDeclRef>/
+    end
+
   end
 end