fix: default assertion_consumer_service_url not set during callback

justinhoward · justinhoward · commit 4a2a5efacd2a · 2017-06-08T10:11:40.000-07:00
Fix a bug where ruby-saml would fail SubjectConfirmation Recipient validation when using the default assertion_consumer_service_url. The url was not being set during the callback phase. This closes #139
diff --git a/lib/omniauth/strategies/saml.rb b/lib/omniauth/strategies/saml.rb
@@ -32,8 +32,6 @@ def self.inherited(subclass)
       option :idp_slo_session_destroy, proc { |_env, session| session.clear }
 
       def request_phase
-        options[:assertion_consumer_service_url] ||= callback_url
-
         authn_request = OneLogin::RubySaml::Authrequest.new
 
         with_settings do |settings|
@@ -212,6 +210,7 @@ def generate_logout_request(settings)
       end
 
       def with_settings
+        options[:assertion_consumer_service_url] ||= callback_url
         yield OneLogin::RubySaml::Settings.new(options)
       end
 
diff --git a/spec/omniauth/strategies/saml_spec.rb b/spec/omniauth/strategies/saml_spec.rb
@@ -157,6 +157,16 @@ def post_xml(xml=:example_response, opts = {})
       end
     end
 
+    context "when the assertion_consumer_service_url is the default" do
+      before :each do
+        saml_options.delete(:assertion_consumer_service_url)
+        OmniAuth.config.full_host = 'http://localhost:9080'
+        post_xml
+      end
+
+      it { is_expected.not_to fail_with(:invalid_ticket) }
+    end
+
     context "when there is no SAMLResponse parameter" do
       before :each do
         post '/auth/saml/callback'
