Rebase

Author: pitbulk

Gemfile

@@ -6,8 +6,10 @@ group :test do
   if RUBY_VERSION < "1.9"
     gem "nokogiri",   "~> 1.5.0"
     gem "ruby-debug", "~> 0.10.4"
+  elsif RUBY_VERSION < "2.0"
+    gem "debugger", "~> 1.1"
   else
-    gem "debugger",   "~> 1.1"
+    gem "byebug",   "~> 2.1.1"
   end
   gem "shoulda",    "~> 2.11"
   gem "rake",       "~> 10"

README.md

@@ -73,7 +73,7 @@ def saml_settings
 
   settings.assertion_consumer_service_url = "http://#{request.host}/saml/finalize"
   settings.issuer                         = request.host
-  settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
+  settings.idp_sso_target_url             = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
   settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
   settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 
@@ -126,9 +126,35 @@ class SamlController < ApplicationController
   end
 end
 ```
+## Metadata Based Configuration
 
+The method above requires a little extra work to manually specify attributes about the IdP.  (And your SP application)  There's an easier method -- use a metadata exchange.  Metadata is just an XML file that defines the capabilities of both the IdP and the SP application.  It also contains the X.509 public
+key certificates which add to the trusted relationship.  The IdP administrator can also configure custom settings for an SP based on the metadata.
 
-If are using saml:AttributeStatement to transfare metadata, like the user name, you can access all the attributes through `response.attributes`. It contains all the saml:AttributeStatement with its 'Name' as a indifferent key and the one saml:AttributeValue as value.
+Using ```idp_metadata_parser.parse_remote``` IdP metadata will be added to the settings withouth further ado.
+
+```ruby
+def saml_settings
+
+  idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+  # Returns OneLogin::RubySaml::Settings prepopulated with idp metadata
+  settings = idp_metadata_parser.parse_remote("https://example.com/auth/saml2/idp/metadata")
+
+  settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
+  settings.issuer                         = request.host
+  settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+  # Optional for most SAML IdPs
+  settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+
+  settings
+end
+```
+The following attributes are set:
+  * id_sso_target_url
+  * idp_slo_target_url
+  * id_cert_fingerpint
+
+If are using saml:AttributeStatement to transfer metadata, like the user name, you can access all the attributes through `response.attributes`. It contains all the saml:AttributeStatement with its 'Name' as a indifferent key and the one saml:AttributeValue as value.
 
 ```ruby
 response          = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
@@ -137,9 +163,108 @@ response.settings = saml_settings
 response.attributes[:username]
 ```
 
-The saml:AuthnContextClassRef of the AuthNRequest can be provided by `settings.authn_context` , possible values are described at [SAMLAuthnCxt]. The comparison method can be set using the parameter `settings.authn_context_comparison` (the possible values are: 'exact', 'better', 'maximum' and 'minimum'), 'exact' is the default value.
-If we want to add a saml:AuthnContextDeclRef, define a `settings.authn_context_decl_ref`.
+Imagine this saml:AttributeStatement
+
+```xml
+  <saml:AttributeStatement>
+    <saml:Attribute Name="uid">
+      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">demo</saml:AttributeValue>
+    </saml:Attribute>
+    <saml:Attribute Name="another_value">
+      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">value1</saml:AttributeValue>
+      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">value2</saml:AttributeValue>
+    </saml:Attribute>
+    <saml:Attribute Name="role">
+      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role1</saml:AttributeValue>
+    </saml:Attribute>
+    <saml:Attribute Name="role">
+      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role2</saml:AttributeValue>
+      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role3</saml:AttributeValue>
+    </saml:Attribute>
+    <saml:Attribute Name="attribute_with_nil_value">
+      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
+    </saml:Attribute>
+    <saml:Attribute Name="attribute_with_nils_and_empty_strings">
+      <saml:AttributeValue/>
+      <saml:AttributeValue>valuePresent</saml:AttributeValue>
+      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
+      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="1"/>
+    </saml:Attribute>
+  </saml:AttributeStatement>
+```
+
+```ruby
+pp(response.attributes)   # is an OneLogin::RubySaml::Attributes object
+# => @attributes=
+  {"uid"=>["demo"],
+   "another_value"=>["value1", "value2"],
+   "role"=>["role1", "role2", "role3"],
+   "attribute_with_nil_value"=>[nil],
+   "attribute_with_nils_and_empty_strings"=>["", "valuePresent", nil, nil]}>
+
+# Active single_value_compatibility
+OneLogin::RubySaml::Attributes.single_value_compatibility = true
+
+pp(response.attributes[:uid])
+# => "demo"
 
+pp(response.attributes[:role])
+# => "role1"
+
+pp(response.attributes.single(:role))
+# => "role1"
+
+pp(response.attributes.multi(:role))
+# => ["role1", "role2", "role3"]
+
+pp(response.attributes[:attribute_with_nil_value])
+# => nil
+
+pp(response.attributes[:attribute_with_nils_and_empty_strings])
+# => ""
+
+pp(response.attributes[:not_exists])
+# => nil
+
+pp(response.attributes.single(:not_exists))
+# => nil
+
+pp(response.attributes.multi(:not_exists))
+# => nil
+
+# Deactive single_value_compatibility
+OneLogin::RubySaml::Attributes.single_value_compatibility = false
+
+pp(response.attributes[:uid])
+# => ["demo"]
+
+pp(response.attributes[:role])
+# => ["role1", "role2", "role3"]
+
+pp(response.attributes.single(:role))
+# => "role1"
+
+pp(response.attributes.multi(:role))
+# => ["role1", "role2", "role3"]
+
+pp(response.attributes[:attribute_with_nil_value])
+# => [nil]
+
+pp(response.attributes[:attribute_with_nils_and_empty_strings])
+# => ["", "valuePresent", nil, nil]
+
+pp(response.attributes[:not_exists])
+# => nil
+
+pp(response.attributes.single(:not_exists))
+# => nil
+
+pp(response.attributes.multi(:not_exists))
+# => nil
+```
+
+The saml:AuthnContextClassRef of the AuthNRequest can be provided by `settings.authn_context` , possible values are described at [SAMLAuthnCxt]. The comparison method can be set using the parameter `settings.authn_context_comparison` (the possible values are: 'exact', 'better', 'maximum' and 'minimum'), 'exact' is the default value.
++If we want to add a saml:AuthnContextDeclRef, define a `settings.authn_context_decl_ref`.
 
 ## Service Provider Metadata
 

lib/onelogin/ruby-saml/attributes.rb

@@ -47,7 +47,7 @@ def include?(name)
 
       # Return first value for an attribute
       def single(name)
-        attributes[canonize_name(name)].first
+        attributes[canonize_name(name)].first if include?(name)
       end
 
       # Return all values for an attribute
@@ -106,4 +106,4 @@ def attributes
       end
     end
   end
-end
+end

lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -16,6 +16,11 @@ class IdpMetadataParser
 
       attr_reader :document
 
+      def parse_remote(url, validate_cert = true)
+        idp_metadata = get_idp_metadata(url, validate_cert)
+        parse(idp_metadata)
+      end
+
       def parse(idp_metadata)
         @document = REXML::Document.new(idp_metadata)
 
@@ -29,6 +34,29 @@ def parse(idp_metadata)
 
       private
 
+      # Retrieve the remote IdP metadata from the URL or a cached copy
+      # # returns a REXML document of the metadata
+      def get_idp_metadata(url, validate_cert)
+        uri = URI.parse(url)
+        if uri.scheme == "http"
+          response = Net::HTTP.get_response(uri)
+          meta_text = response.body
+        elsif uri.scheme == "https"
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = true
+          # Most IdPs will probably use self signed certs
+          if validate_cert
+            http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          else
+            http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          end
+          get = Net::HTTP::Get.new(uri.request_uri)
+          response = http.request(get)
+          meta_text = response.body
+        end
+        meta_text
+      end
+
       def single_signon_service_url
         node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService/@Location", { "md" => METADATA })
         node.value if node

test/idp_metadata_parser_test.rb

@@ -1,7 +1,13 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+require 'net/http'
+require 'net/https'
 
 class IdpMetadataParserTest < Test::Unit::TestCase
 
+  class MockResponse
+    attr_accessor :body
+  end
+
   context "parsing an IdP descriptor file" do
     should "extract settings details from xml" do
       idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
@@ -14,4 +20,35 @@ class IdpMetadataParserTest < Test::Unit::TestCase
     end
   end
 
+  context "download and parse IdP descriptor file" do
+    setup do
+      mock_response = MockResponse.new
+      mock_response.body = idp_metadata
+      @url = "https://example.com"
+      uri = URI(@url)
+
+      @http = Net::HTTP.new(uri.host, uri.port)
+      Net::HTTP.expects(:new).returns(@http)
+      @http.expects(:request).returns(mock_response)
+    end
+
+
+    should "extract settings from remote xml" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      settings = idp_metadata_parser.parse_remote(@url)
+
+      assert_equal "https://example.hello.com/access/saml/login", settings.idp_sso_target_url
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
+      assert_equal "https://example.hello.com/access/saml/logout", settings.idp_slo_target_url
+      assert_equal OpenSSL::SSL::VERIFY_PEER, @http.verify_mode
+    end
+
+    should "accept self signed certificate if insturcted" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      settings = idp_metadata_parser.parse_remote(@url, false)
+
+      assert_equal OpenSSL::SSL::VERIFY_NONE, @http.verify_mode
+    end
+  end
+
 end

test/response_test.rb

@@ -243,43 +243,99 @@ class RubySamlTest < Test::Unit::TestCase
           assert_equal "demo", response.attributes[:uid]
         end
 
+        should "extract single value as string in compatibility mode off" do
+          response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
+          OneLogin::RubySaml::Attributes.single_value_compatibility = false
+          assert_equal ["demo"], response.attributes[:uid]
+          # classes are not reloaded between tests so restore default
+          OneLogin::RubySaml::Attributes.single_value_compatibility = true
+        end
+
         should "extract first of multiple values as string for b/w compatibility" do
           response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
           assert_equal 'value1', response.attributes[:another_value]
         end
 
+        should "extract first of multiple values as string for b/w compatibility in compatibility mode off" do
+          response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
+          OneLogin::RubySaml::Attributes.single_value_compatibility = false
+          assert_equal ['value1', 'value2'], response.attributes[:another_value]
+          OneLogin::RubySaml::Attributes.single_value_compatibility = true
+        end
+
         should "return array with all attributes when asked in XML order" do
           response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
           assert_equal ['value1', 'value2'], response.attributes.multi(:another_value)
         end
 
+        should "return array with all attributes when asked in XML order in compatibility mode off" do
+          response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
+          OneLogin::RubySaml::Attributes.single_value_compatibility = false
+          assert_equal ['value1', 'value2'], response.attributes.multi(:another_value)
+          OneLogin::RubySaml::Attributes.single_value_compatibility = true
+        end
+
         should "return first of multiple values when multiple Attribute tags in XML" do
           response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
           assert_equal 'role1', response.attributes[:role]
         end
 
+        should "return first of multiple values when multiple Attribute tags in XML in compatibility mode off" do
+          response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
+          OneLogin::RubySaml::Attributes.single_value_compatibility = false
+          assert_equal ['role1', 'role2', 'role3'], response.attributes[:role]
+          OneLogin::RubySaml::Attributes.single_value_compatibility = true
+        end
+
         should "return all of multiple values in reverse order when multiple Attribute tags in XML" do
           response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
           assert_equal ['role1', 'role2', 'role3'], response.attributes.multi(:role)
         end
 
+        should "return all of multiple values in reverse order when multiple Attribute tags in XML in compatibility mode off" do
+          response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
+          OneLogin::RubySaml::Attributes.single_value_compatibility = false
+          assert_equal ['role1', 'role2', 'role3'], response.attributes.multi(:role)
+          OneLogin::RubySaml::Attributes.single_value_compatibility = true
+        end
+
         should "return nil value correctly" do
           response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
           assert_nil response.attributes[:attribute_with_nil_value]
         end
 
+        should "return nil value correctly when not in compatibility mode off" do
+          response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
+          OneLogin::RubySaml::Attributes.single_value_compatibility = false
+          assert_equal [nil], response.attributes[:attribute_with_nil_value]
+          OneLogin::RubySaml::Attributes.single_value_compatibility = true
+        end
+
         should "return multiple values including nil and empty string" do
           response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
           assert_equal ["", "valuePresent", nil, nil], response.attributes.multi(:attribute_with_nils_and_empty_strings)
         end
 
-        should "return multiple values from [] when not in compatibility mode" do
+        should "return multiple values from [] when not in compatibility mode off" do
           response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
           OneLogin::RubySaml::Attributes.single_value_compatibility = false
           assert_equal ["", "valuePresent", nil, nil], response.attributes[:attribute_with_nils_and_empty_strings]
-          # classes are not reloaded between tests so restore default
           OneLogin::RubySaml::Attributes.single_value_compatibility = true
         end
+
+        should "check what happens when trying retrieve attribute that does not exists" do
+          response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
+          assert_equal nil, response.attributes[:attribute_not_exists]
+          assert_equal nil, response.attributes.single(:attribute_not_exists)
+          assert_equal nil, response.attributes.multi(:attribute_not_exists)
+
+          OneLogin::RubySaml::Attributes.single_value_compatibility = false
+          assert_equal nil, response.attributes[:attribute_not_exists]
+          assert_equal nil, response.attributes.single(:attribute_not_exists)
+          assert_equal nil, response.attributes.multi(:attribute_not_exists)          
+          OneLogin::RubySaml::Attributes.single_value_compatibility = true
+        end
+
       end
     end