Add settings.protocol_binding attribute with tests. Allows setting of ProtocolBinding attribute in AuthnRequest root node of xml doc.

Author: Dan Woolley

lib/onelogin/ruby-saml/authrequest.rb

@@ -36,7 +36,7 @@ def create(settings, params = {})
       def create_authentication_xml_doc(settings)
         uuid = "_" + UUID.new.generate
         time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
-        # Create AuthnRequest root element using REXML 
+        # Create AuthnRequest root element using REXML
         request_doc = REXML::Document.new
 
         root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
@@ -45,6 +45,7 @@ def create_authentication_xml_doc(settings)
         root.attributes['Version'] = "2.0"
         root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil?
         root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
+        root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
 
         # Conditionally defined elements based on settings
         if settings.assertion_consumer_service_url != nil
@@ -55,7 +56,7 @@ def create_authentication_xml_doc(settings)
           issuer.text = settings.issuer
         end
         if settings.name_identifier_format != nil
-          root.add_element "samlp:NameIDPolicy", { 
+          root.add_element "samlp:NameIDPolicy", {
               "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
               # Might want to make AllowCreate a setting?
               "AllowCreate" => "true",
@@ -64,14 +65,14 @@ def create_authentication_xml_doc(settings)
         end
 
         # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
-        # match required for authentication to succeed.  If this is not defined, 
+        # match required for authentication to succeed.  If this is not defined,
         # the IdP will choose default rules for authentication.  (Shibboleth IdP)
         if settings.authn_context != nil
-          requested_context = root.add_element "samlp:RequestedAuthnContext", { 
+          requested_context = root.add_element "samlp:RequestedAuthnContext", {
             "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
             "Comparison" => "exact",
           }
-          class_ref = requested_context.add_element "saml:AuthnContextClassRef", { 
+          class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
             "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
           }
           class_ref.text = settings.authn_context

lib/onelogin/ruby-saml/settings.rb

@@ -18,9 +18,10 @@ def initialize(overrides = {})
       attr_accessor :compress_request
       attr_accessor :double_quote_xml_attribute_values
       attr_accessor :passive
+      attr_accessor :protocol_binding
 
       private
-      
+
       DEFAULTS = {:compress_request => true, :double_quote_xml_attribute_values => false}
     end
   end

test/request_test.rb

@@ -63,6 +63,23 @@ class RequestTest < Test::Unit::TestCase
       assert_match /<samlp:AuthnRequest[^<]* IsPassive='true'/, inflated
     end
 
+    should "create the SAMLRequest URL parameter with ProtocolBinding" do
+      settings = Onelogin::Saml::Settings.new
+      settings.idp_sso_target_url = "http://example.com"
+      settings.protocol_binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
+      auth_url = Onelogin::Saml::Authrequest.new.create(settings)
+      assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
+      payload  = CGI.unescape(auth_url.split("=").last)
+      decoded  = Base64.decode64(payload)
+
+      zstream  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      inflated = zstream.inflate(decoded)
+      zstream.finish
+      zstream.close
+
+      assert_match /<samlp:AuthnRequest[^<]* ProtocolBinding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'/, inflated
+    end
+
     should "accept extra parameters" do
       settings = Onelogin::Saml::Settings.new
       settings.idp_sso_target_url = "http://example.com"
@@ -78,7 +95,7 @@ class RequestTest < Test::Unit::TestCase
       should "create the SAMLRequest parameter correctly" do
         settings = Onelogin::Saml::Settings.new
         settings.idp_sso_target_url = "http://example.com"
-  
+
         auth_url = Onelogin::Saml::Authrequest.new.create(settings)
         assert auth_url =~ /^http:\/\/example.com\?SAMLRequest/
       end
@@ -88,7 +105,7 @@ class RequestTest < Test::Unit::TestCase
       should "create the SAMLRequest parameter correctly" do
         settings = Onelogin::Saml::Settings.new
         settings.idp_sso_target_url = "http://example.com?field=value"
-  
+
         auth_url = Onelogin::Saml::Authrequest.new.create(settings)
         assert auth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
       end

test/settings_test.rb

@@ -11,8 +11,7 @@ class SettingsTest < Test::Unit::TestCase
         :assertion_consumer_service_url, :issuer, :sp_name_qualifier,
         :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format,
         :idp_slo_target_url, :name_identifier_value, :sessionindex,
-        :assertion_consumer_logout_service_url,
-        :passive
+        :assertion_consumer_logout_service_url, :passive, :protocol_binding
       ]
 
       accessors.each do |accessor|
@@ -33,6 +32,7 @@ class SettingsTest < Test::Unit::TestCase
           :idp_cert_fingerprint => "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
           :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
           :passive => true,
+          :protocol_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       }
       @settings = Onelogin::Saml::Settings.new(config)