### omniauth-saml-1.5.0/.gitignore

```gitignore
coverage/
spec/support/example_private_key.pem
/gemfiles/*.lock
.idea/
```

### omniauth-saml-1.5.0/.rspec

```
--color
```

### omniauth-saml-1.5.0/.travis.yml

```yaml
env:
  global:
    - JRUBY_OPTS="$JRUBY_OPTS --debug"
language: ruby
script: bundle exec rspec
matrix:
  include:
    - rvm: 1.8.7
      gemfile: gemfiles/ruby-1.8.7.gemfile
    - rvm: 1.9.3
      gemfile: Gemfile
    - rvm: 2.0.0
      gemfile: Gemfile
    - rvm: 2.1
      gemfile: Gemfile
    - rvm: 2.2
      gemfile: Gemfile
    - rvm: 2.3.0
      gemfile: Gemfile
    - rvm: jruby-18mode
      gemfile: gemfiles/ruby-1.8.7.gemfile
    - rvm: jruby-19mode
      gemfile: Gemfile
    - rvm: jruby-head
      gemfile: Gemfile
    - rvm: rbx-2
      gemfile: Gemfile
    - rvm: ruby-head
      gemfile: Gemfile
  allow_failures:
    - rvm: 1.8.7
    - rvm: jruby-18mode
    - rvm: jruby-head
    - rvm: rbx-2
    - rvm: ruby-head
  fast_finish: true
sudo: false
```

### omniauth-saml-1.5.0/CHANGELOG.md

# OmniAuth SAML Version History

A generic SAML strategy for OmniAuth.
https://github.com/omniauth/omniauth-saml

## 1.5.0 (2016-02-25)

* Initialize OneLogin::RubySaml::Response instance with settings
* Adding "settings" to Response Class at initialization to handle signing verification
* Support custom attributes
* change URL from PracticallyGreen to omniauth
* Add specs for ACS fallback URL behavior
* Call validation earlier to get real error instead of 'response missing name_id'
* Avoid mutation of the options hash during requests and callbacks

## 1.4.2 (2016-02-09)

* update ruby-saml to 1.1

## 1.4.1 (2015-08-09)

* Configurable attribute_consuming_service

## 1.4.0 (2015-07-23)

* update ruby-saml to 1.0.0

## 1.3.1 (2015-02-26)

* Added missing fingerprint key check
* Expose fingerprint on the auth_hash

## 1.3.0 (2015-01-23)

* add `idp_cert_fingerprint_validator` option

## 1.2.0 (2014-03-19)

* provide SP metadata at `/auth/saml/metadata`

## 1.1.0 (2013-11-07)

* no longer set a default `name_identifier_format`
* pass strategy options to the underlying ruby-saml library
* fallback to omniauth callback url if `assertion_consumer_service_url` is not set
* add `idp_sso_target_url_runtime_params` option

## 1.0.0 (2012-11-12)

* remove SAML code and port to ruby-saml gem
* fix incompatibility with OmniAuth 1.1

## 0.9.2 (2012-03-30)

* validate the SAML response
* 100% test coverage
* now requires ruby 1.9.2+

## 0.9.1 (2012-02-23)

* return first and last name in the info hash
* no longer use LDAP OIDs for name and email selection
* return SAML attributes as the omniauth raw_info hash

## 0.9.0 (2012-02-14)

* initial release
* extracts commits from omniauth 0-3-stable branch
* port to omniauth 1.0 strategy format
* update README with more documentation and license
* package as the `omniauth-saml` gem

### omniauth-saml-1.5.0/CONTRIBUTING.md

# Contributing

## Workflow

We are using the [Feature Branch Workflow (also known as GitHub Flow)](https://guides.github.com/introduction/flow/), and prefer delivery as pull requests.

Our first line of defense is the [Travis CI](https://travis-ci.org/omniauth/omniauth-saml) build defined within [.travis.yml](.travis.yml) and triggered for every pull request.

Create a feature branch:

```sh
git checkout -B feat/contributing
```

## Git Commit

The cardinal rule for creating good commits is to ensure there is only one "logical change" per commit. Why is this an important rule?

* The smaller the amount of code being changed, the quicker and easier it is to review and identify potential flaws.
* If a change is found to be flawed later, it may be necessary to revert the broken commit. This is much easier to do if there are no other unrelated code changes entangled with the original commit.
* When troubleshooting problems using Git's bisect capability, small, well-defined changes will aid in isolating exactly where the code problem was introduced.
* When browsing history using Git annotate/blame, small, well-defined changes also aid in isolating exactly where and why a piece of code came from.

Things to avoid when creating commits:

* Mixing whitespace changes with functional code changes.
* Mixing two unrelated functional changes.
* Sending large new features in a single giant commit.
## Git Commit Conventions

We use git commit as per [Conventional Changelog](https://github.com/ajoslin/conventional-changelog):

```none
<type>(<scope>): <subject>
```

Allowed types:

* **feat**: A new feature
* **fix**: A bug fix
* **docs**: Documentation only changes
* **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, newline, line endings, etc)
* **refactor**: A code change that neither fixes a bug nor adds a feature
* **perf**: A code change that improves performance
* **test**: Adding missing tests
* **chore**: Changes to the build process or auxiliary tools and libraries such as documentation generation

You can add additional details after a new line to describe the change in detail or automatically close an issue on GitHub.

```none
feat: create initial CONTRIBUTING.md

This closes #73
```

> **NOTE:** [CHANGELOG.md](CHANGELOG.md) is generated based on the commits.

### omniauth-saml-1.5.0/Gemfile

```ruby
source 'https://rubygems.org'

group :test do
  gem 'coveralls', require: false
  gem 'mime-types', '< 3'
end

gemspec
```

### omniauth-saml-1.5.0/Gemfile.lock

```
PATH
  remote: .
  specs:
    omniauth-saml (1.5.0)
      omniauth (~> 1.3)
      ruby-saml (~> 1.1, >= 1.1.1)

GEM
  remote: https://rubygems.org/
  specs:
    coveralls (0.7.2)
      multi_json (~> 1.3)
      rest-client (= 1.6.7)
      simplecov (>= 0.7)
      term-ansicolor (= 1.2.2)
      thor (= 0.18.1)
    diff-lcs (1.2.4)
    hashie (3.4.3)
    macaddr (1.7.1)
      systemu (~> 2.6.2)
    mime-types (2.99)
    mini_portile2 (2.0.0)
    multi_json (1.3.7)
    nokogiri (1.6.7.2)
      mini_portile2 (~> 2.0.0.rc2)
    omniauth (1.3.1)
      hashie (>= 1.2, < 4)
      rack (>= 1.0, < 3)
    rack (1.5.2)
    rack-test (0.6.2)
      rack (>= 1.0)
    rest-client (1.6.7)
      mime-types (>= 1.16)
    rspec (2.14.1)
      rspec-core (~> 2.14.0)
      rspec-expectations (~> 2.14.0)
      rspec-mocks (~> 2.14.0)
    rspec-core (2.14.7)
    rspec-expectations (2.14.4)
      diff-lcs (>= 1.1.3, < 2.0)
    rspec-mocks (2.14.4)
    ruby-saml (1.1.2)
      nokogiri (>= 1.5.10)
      uuid (~> 2.3)
    simplecov (0.7.1)
      multi_json (~> 1.0)
      simplecov-html (~> 0.7.1)
    simplecov-html (0.7.1)
    systemu (2.6.5)
    term-ansicolor (1.2.2)
      tins (~> 0.8)
    thor (0.18.1)
    tins (0.13.2)
    uuid (2.3.8)
      macaddr (~> 1.0)

PLATFORMS
  ruby

DEPENDENCIES
  coveralls
  mime-types (< 3)
  omniauth-saml!
  rack-test (~> 0.6)
  rspec (~> 2.8)
  simplecov (~> 0.6)

BUNDLED WITH
   1.11.2
```

### omniauth-saml-1.5.0/LICENSE.md

# License

Copyright © 2016 Omniauth-SAML maintainers
Copyright © 2011-2014 [Practically Green, Inc.](http://www.practicallygreen.com/). All rights reserved.

Released under the MIT license.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

### omniauth-saml-1.5.0/README.md

# OmniAuth SAML

[![Gem Version](http://img.shields.io/gem/v/omniauth-saml.svg)][gem]
[![Build Status](http://img.shields.io/travis/omniauth/omniauth-saml.svg)][travis]
[![Dependency Status](http://img.shields.io/gemnasium/omniauth/omniauth-saml.svg)][gemnasium]
[![Code Climate](http://img.shields.io/codeclimate/github/omniauth/omniauth-saml.svg)][codeclimate]
[![Coverage Status](http://img.shields.io/coveralls/omniauth/omniauth-saml.svg)][coveralls]

[gem]: https://rubygems.org/gems/omniauth-saml
[travis]: http://travis-ci.org/omniauth/omniauth-saml
[gemnasium]: https://gemnasium.com/omniauth/omniauth-saml
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml
[coveralls]: https://coveralls.io/r/omniauth/omniauth-saml

A generic SAML strategy for OmniAuth available under the [MIT License](LICENSE.md)

https://github.com/omniauth/omniauth-saml

## Requirements

* [OmniAuth](http://www.omniauth.org/) 1.3+
* Ruby 1.9.x or Ruby 2.1.x+

## Usage

Use the SAML strategy as a middleware in your application:

```ruby
require 'omniauth'
use OmniAuth::Strategies::SAML,
  :assertion_consumer_service_url     => "consumer_service_url",
  :issuer                             => "issuer",
  :idp_sso_target_url                 => "idp_sso_target_url",
  :idp_sso_target_url_runtime_params  => {:original_request_param => :mapped_idp_param},
  :idp_cert                           => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
  :idp_cert_fingerprint               => "E7:91:B2:E1:...",
  :idp_cert_fingerprint_validator     => lambda { |fingerprint| fingerprint },
  :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
```

or in your Rails application:

in `Gemfile`:

```ruby
gem 'omniauth-saml'
```

and in `config/initializers/omniauth.rb`:

```ruby
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :saml,
    :assertion_consumer_service_url     => "consumer_service_url",
    :issuer                             => "rails-application",
    :idp_sso_target_url                 => "idp_sso_target_url",
    :idp_sso_target_url_runtime_params  => {:original_request_param => :mapped_idp_param},
    :idp_cert                           => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
    :idp_cert_fingerprint               => "E7:91:B2:E1:...",
    :idp_cert_fingerprint_validator     => lambda { |fingerprint| fingerprint },
    :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
end
```

For IdP-initiated SSO, users should directly access the IdP SSO target URL. Set the `href` of your application's login link to the value of `idp_sso_target_url`. For SP-initiated SSO, link to `/auth/saml`.

## Metadata

The service provider metadata used to ease configuration of the SAML SP in the IdP can be retrieved from `http://example.com/auth/saml/metadata`. Send this URL to the administrator of the IdP.

## Options

* `:assertion_consumer_service_url` - The URL at which the SAML assertion should be received. If not provided, defaults to the OmniAuth callback URL (typically `http://example.com/auth/saml/callback`). Optional.

* `:issuer` - The name of your application. Some identity providers might need this to establish the identity of the service provider requesting the login. **Required**.

* `:idp_sso_target_url` - The URL to which the authentication request should be sent. This would be on the identity provider. **Required**.

* `:idp_sso_target_url_runtime_params` - A dynamic mapping of request params that exist during the request phase of OmniAuth and that should be sent to the IdP after a specific mapping. So for example, a param `original_request_param` with value `original_param_value` could be sent to the IdP on the login request as `mapped_idp_param` with value `original_param_value`. Optional.

* `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence over the fingerprint option below. This option or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must be present.

* `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g. "90:CC:16:F0:8D:...". This is provided by the identity provider when setting up the relationship. This option or `:idp_cert` or `:idp_cert_fingerprint_validator` MUST be present.

* `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter (the fingerprint), verify that it is valid and return it if successful. This option or `:idp_cert` or `:idp_cert_fingerprint` MUST be present.

* `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of the username required by this application. If you need the email address, use "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress". See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 8.3 for other options. Note that the identity provider might not support all options. If not specified, the IdP is free to choose the name identifier format used in the response. Optional.

* `:request_attributes` - Used to build the metadata file to inform the IdP to send certain attributes along with the SAMLResponse messages. Defaults to requesting `name`, `first_name`, `last_name` and `email` attributes. See the `OneLogin::RubySaml::AttributeService` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for the available options for each attribute. Set to `{}` to disable this from metadata.

* `:attribute_service_name` - Name for the attribute service. Defaults to `Required attributes`.

* `:attribute_statements` - Used to map Attribute Names in a SAMLResponse to entries in the OmniAuth [info hash](https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema#schema-10-and-later). For example, if your SAMLResponse contains an Attribute called 'EmailAddress', specify `{:email => ['EmailAddress']}` to map the Attribute to the corresponding key in the info hash. URI-named Attributes are also supported, e.g. `{:email => ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']}`. *Note*: All attributes can also be found in an array under `auth_hash[:extra][:raw_info]`, so this setting should only be used to map attributes that are part of the OmniAuth info hash schema.

* See the `OneLogin::RubySaml::Settings` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for additional supported options.

## Devise Integration

Straightforward integration with [Devise](https://github.com/plataformatec/devise), the widely-used authentication solution for Rails.

In `config/initializers/devise.rb`:

```ruby
Devise.setup do |config|
  config.omniauth :saml,
    idp_cert_fingerprint: 'fingerprint',
    idp_sso_target_url: 'target_url'
end
```

Then follow Devise's general [OmniAuth tutorial](https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview), replacing references to `facebook` with `saml`.

## Authors

Authored by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/), Raecoo Cao, Todd W Saxton, Ryan Wilcox, Steven Anderson, Nikos Dimitrakopoulos, Rudolf Vriend and [Bruno Pedro](http://brunopedro.com/).
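The following is an added example, not code from the gem or its README, showing what the `:idp_cert_fingerprint_validator` lambda receives and what it should do with it. The strategy's `response_fingerprint` reads the certificate out of the not-yet-verified SAMLResponse and hands its fingerprint to the lambda, so a lambda that just returns its argument (the README's placeholder) makes whatever certificate the response carries the trusted one; the allowlist validator below returns the fingerprint only when it matches a pinned value. The certificate is generated at run time as a stand-in for the IdP's, and `build_test_cert`, `saml_fingerprint`, `fingerprint_from_base64`, `fixed_time_eq?` and `allowlist_validator` are names chosen for this example.

```ruby
require 'openssl'
require 'digest'
require 'base64'

# Throwaway self-signed certificate standing in for the IdP signing certificate
# (constructed here so the example runs offline; not a real IdP key).
def build_test_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Fingerprint in the format omniauth-saml derives from the response and
# expects in :idp_cert_fingerprint: SHA1 over the DER encoding, upper-case
# hex, colon-separated byte pairs.
def saml_fingerprint(cert)
  Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Same computation starting from the base64 text of a <ds:X509Certificate>
# element, which is the form the certificate takes inside a SAMLResponse.
def fingerprint_from_base64(b64)
  saml_fingerprint(OpenSSL::X509::Certificate.new(Base64.decode64(b64)))
end

# Constant-time comparison so the allowlist check does not leak through timing.
def fixed_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Builds a lambda satisfying the :idp_cert_fingerprint_validator contract:
# called with the fingerprint of the certificate embedded in the response,
# it returns that fingerprint when trusted and nil otherwise (nil makes the
# strategy fail the callback with "Non-existent fingerprint").
def allowlist_validator(trusted)
  normalized = trusted.map { |f| f.delete(':').upcase }
  lambda do |fingerprint|
    candidate = fingerprint.to_s.delete(':').upcase
    normalized.any? { |t| fixed_time_eq?(t, candidate) } ? fingerprint : nil
  end
end

# The README's illustrative lambda, kept for contrast: it returns whatever it
# is handed, so this step accepts any certificate the response happens to carry.
ACCEPT_ANY = lambda { |fingerprint| fingerprint }
```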
### omniauth-saml-1.5.0/gemfiles/ruby-1.8.7.gemfile

```ruby
source 'https://rubygems.org'

gem 'nokogiri', '~> 1.5.10'
gem 'hashie', '~> 2.0.5'

gemspec :path => '../'
```

### omniauth-saml-1.5.0/lib/omniauth-saml.rb

```ruby
require 'omniauth/strategies/saml'
require 'omniauth/strategies/saml/validation_error'
```

### omniauth-saml-1.5.0/lib/omniauth-saml/version.rb

```ruby
module OmniAuth
  module SAML
    VERSION = '1.5.0'
  end
end
```

### omniauth-saml-1.5.0/lib/omniauth/strategies/saml.rb

```ruby
require 'omniauth'
require 'ruby-saml'

module OmniAuth
  module Strategies
    class SAML
      include OmniAuth::Strategy

      # ruby-saml Response options that are passed through from the strategy options
      OTHER_REQUEST_OPTIONS = [:skip_conditions, :allowed_clock_drift, :matches_request_id, :skip_subject_confirmation].freeze

      option :name_identifier_format, nil
      option :idp_sso_target_url_runtime_params, {}
      option :request_attributes, [
        { :name => 'email', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Email address' },
        { :name => 'name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Full name' },
        { :name => 'first_name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Given name' },
        { :name => 'last_name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Family name' }
      ]
      option :attribute_service_name, 'Required attributes'
      option :attribute_statements, {
        name: ["name"],
        email: ["email", "mail"],
        first_name: ["first_name", "firstname", "firstName"],
        last_name: ["last_name", "lastname", "lastName"]
      }

      def request_phase
        options[:assertion_consumer_service_url] ||= callback_url
        runtime_request_parameters = options.delete(:idp_sso_target_url_runtime_params)

        # copy selected request params onto the AuthnRequest under their mapped names
        additional_params = {}
        runtime_request_parameters.each_pair do |request_param_key, mapped_param_key|
          additional_params[mapped_param_key] = request.params[request_param_key.to_s] if request.params.has_key?(request_param_key.to_s)
        end if runtime_request_parameters

        authn_request = OneLogin::RubySaml::Authrequest.new
        settings = OneLogin::RubySaml::Settings.new(options)

        redirect(authn_request.create(settings, additional_params))
      end

      def callback_phase
        unless request.params['SAMLResponse']
          raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing")
        end

        # Call a fingerprint validation method if there's one
        if options.idp_cert_fingerprint_validator
          fingerprint_exists = options.idp_cert_fingerprint_validator[response_fingerprint]
          unless fingerprint_exists
            raise OmniAuth::Strategies::SAML::ValidationError.new("Non-existent fingerprint")
          end
          # id_cert_fingerprint becomes the given fingerprint if it exists
          options.idp_cert_fingerprint = fingerprint_exists
        end

        settings = OneLogin::RubySaml::Settings.new(options)

        # filter options to select only extra parameters
        opts = options.select {|k,_| OTHER_REQUEST_OPTIONS.include?(k.to_sym)}
        # symbolize keys without activeSupport/symbolize_keys (ruby-saml use symbols)
        opts = opts.inject({}) do |new_hash, (key, value)|
          new_hash[key.to_sym] = value
          new_hash
        end
        response = OneLogin::RubySaml::Response.new(request.params['SAMLResponse'], opts.merge(settings: settings))
        response.attributes['fingerprint'] = options.idp_cert_fingerprint

        # will raise an error since we are not in soft mode
        response.soft = false
        response.is_valid?

        @name_id = response.name_id
        @attributes = response.attributes

        if @name_id.nil? || @name_id.empty?
          raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing 'name_id'")
        end

        super
      rescue OmniAuth::Strategies::SAML::ValidationError
        fail!(:invalid_ticket, $!)
      rescue OneLogin::RubySaml::ValidationError
        fail!(:invalid_ticket, $!)
      end

      # Obtain an idp certificate fingerprint from the response.
      # The certificate is read from the not-yet-verified SAMLResponse itself, so the
      # fingerprint returned here is only as trustworthy as the check that
      # :idp_cert_fingerprint_validator performs on it.
      def response_fingerprint
        response = request.params['SAMLResponse']
        # accept both raw XML and the base64-encoded form used on the wire
        response = (response =~ /^</) ? response : Base64.decode64(response)
        document = XMLSecurity::SignedDocument::new(response)
        cert_element = REXML::XPath.first(document, "//ds:X509Certificate", { "ds" => 'http://www.w3.org/2000/09/xmldsig#' })
        base64_cert = cert_element.text
        cert_text = Base64.decode64(base64_cert)
        cert = OpenSSL::X509::Certificate.new(cert_text)
        Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(':')
      end

      def other_phase
        if on_path?("#{request_path}/metadata")
          # omniauth does not set the strategy on the other_phase
          @env['omniauth.strategy'] ||= self
          setup_phase

          response = OneLogin::RubySaml::Metadata.new
          settings = OneLogin::RubySaml::Settings.new(options)
          if options.request_attributes.length > 0
            settings.attribute_consuming_service.service_name options.attribute_service_name
            options.request_attributes.each do |attribute|
              settings.attribute_consuming_service.add_attribute attribute
            end
          end
          Rack::Response.new(response.generate(settings), 200, { "Content-Type" => "application/xml" }).finish
        else
          call_app!
        end
      end

      uid { @name_id }

      info do
        found_attributes = options.attribute_statements.map do |key, values|
          attribute = find_attribute_by(values)
          [key, attribute]
        end

        Hash[found_attributes]
      end

      extra { { :raw_info => @attributes } }

      # first attribute value found under any of the candidate names, or nil
      def find_attribute_by(keys)
        keys.each do |key|
          return @attributes[key] if @attributes[key]
        end
        nil
      end
    end
  end
end

OmniAuth.config.add_camelization 'saml', 'SAML'
```

### omniauth-saml-1.5.0/lib/omniauth/strategies/saml/validation_error.rb

```ruby
module OmniAuth
  module Strategies
    class SAML
      class ValidationError < Exception
      end
    end
  end
end
```

### omniauth-saml-1.5.0/omniauth-saml.gemspec

```ruby
require File.expand_path('../lib/omniauth-saml/version', __FILE__)

Gem::Specification.new do |gem|
  gem.name        = 'omniauth-saml'
  gem.version     = OmniAuth::SAML::VERSION
  gem.summary     = 'A generic SAML strategy for OmniAuth.'
  gem.description = 'A generic SAML strategy for OmniAuth.'
  gem.license     = 'MIT'
  gem.authors     = ['Raecoo Cao', 'Ryan Wilcox', 'Rajiv Aaron Manglani', 'Steven Anderson', 'Nikos Dimitrakopoulos', 'Rudolf Vriend', 'Bruno Pedro']
  gem.email       = 'rajiv@alum.mit.edu'
  gem.homepage    = 'https://github.com/omniauth/omniauth-saml'

  gem.add_runtime_dependency 'omniauth', '~> 1.3'
  gem.add_runtime_dependency 'ruby-saml', '~> 1.1', '>= 1.1.1'
  gem.add_development_dependency 'rspec', '~> 2.8'
  gem.add_development_dependency 'simplecov', '~> 0.6'
  gem.add_development_dependency 'rack-test', '~> 0.6'

  gem.files = ['README.md', 'CHANGELOG.md', 'LICENSE.md'] + Dir['lib/**/*.rb']
  gem.test_files = Dir['spec/**/*.rb']
  gem.require_paths = ["lib"]
end
```

### omniauth-saml-1.5.0/spec/omniauth/strategies/saml_spec.rb

```ruby
require 'spec_helper'

RSpec::Matchers.define :fail_with do |message|
  match do |actual|
    actual.redirect? && /\?.*message=#{message}/ === actual.location
  end
end

def post_xml(xml=:example_response)
  post "/auth/saml/callback", {'SAMLResponse' => load_xml(xml)}
end

describe OmniAuth::Strategies::SAML, :type => :strategy do
  include OmniAuth::Test::StrategyTestCase

  let(:auth_hash){ last_request.env['omniauth.auth'] }
  let(:saml_options) do
    {
      :assertion_consumer_service_url => "http://localhost:9080/auth/saml/callback",
      :idp_sso_target_url => "https://idp.sso.example.com/signon/29490",
      :idp_cert_fingerprint => "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB",
      :idp_sso_target_url_runtime_params => {:original_param_key => :mapped_param_key},
      :name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      :request_attributes => [
        { :name => 'email', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Email address' },
        { :name => 'name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Full name' },
        { :name => 'first_name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Given name' },
        { :name => 'last_name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Family name' }
      ],
      :attribute_service_name => 'Required attributes'
    }
  end
  let(:strategy) { [OmniAuth::Strategies::SAML, saml_options] }

  describe 'GET /auth/saml' do
    context 'without idp runtime params present' do
      before do
        get '/auth/saml'
      end

      it 'should get authentication page' do
        last_response.should be_redirect
        last_response.location.should match /https:\/\/idp.sso.example.com\/signon\/29490/
        last_response.location.should match /\?SAMLRequest=/
        last_response.location.should_not match /mapped_param_key/
        last_response.location.should_not match /original_param_key/
      end
    end

    context 'with idp runtime params' do
      before do
        get '/auth/saml', 'original_param_key' => 'original_param_value', 'mapped_param_key' => 'mapped_param_value'
      end

      it 'should get authentication page' do
        last_response.should be_redirect
        last_response.location.should match /https:\/\/idp.sso.example.com\/signon\/29490/
        last_response.location.should match /\?SAMLRequest=/
        last_response.location.should match /\&mapped_param_key=original_param_value/
        last_response.location.should_not match /original_param_key/
      end
    end

    context "when the assertion_consumer_service_url is the default" do
      before :each do
        saml_options[:compress_request] = false
        saml_options.delete(:assertion_consumer_service_url)
      end

      it 'should send the current callback_url as the assertion_consumer_service_url' do
        %w(foo.example.com bar.example.com).each do |host|
          get "https://#{host}/auth/saml"
          last_response.should be_redirect
          location = URI.parse(last_response.location)
          query = Rack::Utils.parse_query location.query
          query.should have_key('SAMLRequest')
          request = REXML::Document.new(Base64.decode64(query['SAMLRequest']))
          request.root.should_not be_nil
          acs = request.root.attributes.get_attribute('AssertionConsumerServiceURL')
          acs.to_s.should == "https://#{host}/auth/saml/callback"
        end
      end
    end
  end

  describe 'POST /auth/saml/callback' do
    subject { last_response }

    let(:xml) { :example_response }

    before :each do
      Time.stub(:now).and_return(Time.utc(2012, 11, 8, 20, 40, 00))
    end

    context "when the response is valid" do
      before :each do
        post_xml
      end

      it "should set the uid to the nameID in the SAML response" do
        auth_hash['uid'].should == '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
      end

      it "should set the raw info to all attributes" do
        auth_hash['extra']['raw_info'].all.to_hash.should == {
          'first_name' => ['Rajiv'],
          'last_name' => ['Manglani'],
          'email' => ['user@example.com'],
          'company_name' => ['Example Company'],
          'fingerprint' => saml_options[:idp_cert_fingerprint]
        }
      end
    end

    context "when fingerprint is empty and there's a fingerprint validator" do
      before :each do
        saml_options.delete(:idp_cert_fingerprint)
        saml_options[:idp_cert_fingerprint_validator] = lambda { |fingerprint| "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB" }
        post_xml
      end

      it "should set the uid to the nameID in the SAML response" do
        auth_hash['uid'].should == '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
      end

      it "should set the raw info to all attributes" do
        auth_hash['extra']['raw_info'].all.to_hash.should == {
          'first_name' => ['Rajiv'],
          'last_name' => ['Manglani'],
          'email' => ['user@example.com'],
          'company_name' => ['Example Company'],
          'fingerprint' => 'C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB'
        }
      end
    end

    context "when there is no SAMLResponse parameter" do
      before :each do
        post '/auth/saml/callback'
      end

      it { should fail_with(:invalid_ticket) }
    end

    context "when there is no name id in the XML" do
      before :each do
        post_xml :no_name_id
      end

      it { should fail_with(:invalid_ticket) }
    end

    context "when the fingerprint is invalid" do
      before :each do
        saml_options[:idp_cert_fingerprint] = "00:00:00:00:00:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB"
        post_xml
      end

      it { should fail_with(:invalid_ticket) }
    end

    context "when the digest is invalid" do
      before :each do
        post_xml :digest_mismatch
      end

      it { should fail_with(:invalid_ticket) }
    end

    context "when the signature is invalid" do
      before :each do
        post_xml :invalid_signature
      end

      it { should fail_with(:invalid_ticket) }
    end

    context "when response has custom attributes" do
      before :each do
        saml_options[:idp_cert_fingerprint] = "3B:82:F1:F5:54:FC:A8:FF:12:B8:4B:B8:16:61:1D:E4:8E:9B:E2:3C"
        saml_options[:attribute_statements] = {
          email: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"],
          first_name: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"],
          last_name: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"]
        }
        post_xml :custom_attributes
      end

      it "should obey attribute statements mapping" do
        auth_hash[:info].should == {
          'first_name' => 'Rajiv',
          'last_name' => 'Manglani',
          'email' => 'user@example.com',
          'name' => nil
        }
      end
    end
  end

  describe 'GET /auth/saml/metadata' do
    before do
      get '/auth/saml/metadata'
    end

    it 'should get SP metadata page' do
      last_response.status.should == 200
      last_response.header["Content-Type"].should == "application/xml"
    end

    it 'should configure attributes consuming service' do
      last_response.body.should match /AttributeConsumingService/
      last_response.body.should match /first_name/
      last_response.body.should match /last_name/
      last_response.body.should match /Required attributes/
    end
  end
end
```

### omniauth-saml-1.5.0/spec/spec_helper.rb

```ruby
if RUBY_VERSION >= '1.9'
  require 'simplecov'
  if ENV['TRAVIS']
    require 'coveralls'
    Coveralls.wear!
  end
  SimpleCov.start
end

require 'omniauth-saml'
require 'rack/test'
require 'rexml/document'
require 'rexml/xpath'
require 'base64'

RSpec.configure do |config|
  config.include Rack::Test::Methods
end

# Reads a fixture from spec/support and base64-encodes it the way a browser
# would POST a SAMLResponse.
def load_xml(filename=:example_response)
  filename = File.expand_path(File.join('..', 'support', "#{filename.to_s}.xml"), __FILE__)
  Base64.encode64(IO.read(filename))
end
```

### omniauth-saml-1.5.0/spec/support/

Fixture files shipped with the specs: `custom_attributes.xml`, `digest_mismatch.xml`, `example_cert.pem` and `example_key.pem` (signed SAMLResponse documents and the test certificate and key).
olfyLW9THERVbulitRMlTTFtnvmXcBe1+cdefFREXR6IP6znWcoG2dKRFwIDAQAB AoGBAItafWbARkUXQvNlgl/jj5qetz7njFVcEk7KUGTAedZUpP8m1BNTp9sqcjNP MeqBdGOamJowAOZsWiZMqlWO2v71qc2rQI+VmPR0xpmBvbBjL16Gc4BbTdXZ1o1T tPHQO90GG2JIIt8on4Tt5uVZ+h2cKAqn8k3phRWrfyaGndmhAkEA9BZnGP3Dh1gG dK8ZWi8KyJUW3BizNudkbfMW3e/cdaQ7DRidiJ8C2W9hVjwDMee3LM/la4lYzG8c iWVoovBBhwJBANki3CZQh5UTTHCHn2O5p6m+nHjQ8Io8jjDhBpQ9eJzlOyTMiYAB XMhqFMgtlkIlYGSaNysHlhCS9cW3Tw2gV/ECQAOhnbEKfXEzBw2PWVI1JvTq+ucV Wv0zHhRgrHNq0R3S7qn4NsfEjddMR+dvhyCj8N6yzRf3eCG6eXM11gOujVsCQQCF P+lN8fliOJeeLvxXXKVRe9HWKpKSopq30EATVK3hyqLC8GopDaz8qGzcc21UZk+D LUhRtbQXs7fzf4yZ1h5hAkBZoR45A2DNHLcAjR6XIg7B6/bZOj3wZLxyaoSYRgK3 nLDigtGmCiMg+DXsaBihyjiQVRskiuPbDktmigbAyyOS -----END RSA PRIVATE KEY----- omniauth-saml-1.5.0/spec/support/example_response.xml000066400000000000000000000150111266366464000230470ustar00rootroot00000000000000http://localhost:9000/saml2/idp/metadata.php WSulGKooo1K7yYnKfXy88BRqgXM=N8G4Meh60EnU5U113JH3fHEr3nA+87kemKZDkqfEZnGHrfwfO2KhSbKEsU6M1ELq8ZCNDxYCFhbfwJOWij5+qkMD1gMYqvH2Hz169l5smEAfkmtovJwq+2lVO7AtVLez065rx2g+n2DmZx82H3ynrMV0vTDEQ2AohJPZjsRoNgY= 
MIIDHDCCAoWgAwIBAgIJAJq7aJgm4De9MA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRgwFgYDVQQKEw9FeGFtcGxlIENvbXBhbnkxKjAoBgNVBAMTIU9tbmlBdXRoIFNBTUwgVGVzdGluZyBDZXJ0aWZpY2F0ZTAeFw0xMjExMDgyMDI5NTFaFw0xMjEyMDgyMDI5NTFaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRgwFgYDVQQKEw9FeGFtcGxlIENvbXBhbnkxKjAoBgNVBAMTIU9tbmlBdXRoIFNBTUwgVGVzdGluZyBDZXJ0aWZpY2F0ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzwg6Rakhf6boh5E2zve9Lp6dSjMTdrJhFQ1WRZwMOfRO7GPD9c7RetnxuPbg6PyBfSdFoGCJvMswDJMa7DZAlbgsf1WyOw9gaHzgf4j79XlFpis3XKJX8i1vUxxEVW7pYrUTJU0xbZ75l3AXtfnHXnxURF0eiD+s51nKBtnSkRcCAwEAAaOBzTCByjAdBgNVHQ4EFgQULih6jYTJ3XNDs53KSVwt4F9G2agwgZoGA1UdIwSBkjCBj4AULih6jYTJ3XNDs53KSVwt4F9G2aihbKRqMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRgwFgYDVQQKEw9FeGFtcGxlIENvbXBhbnkxKjAoBgNVBAMTIU9tbmlBdXRoIFNBTUwgVGVzdGluZyBDZXJ0aWZpY2F0ZYIJAJq7aJgm4De9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAg+rrwZooo8DE47jmaBX+vUJBIVgSKdB45bDkL7FgTca2h1tsmgUL9nFyvp9FDEQ7IYw5599ywhrQf9GfsIZ374G7ie9C8JqURbdiP4/MMvOjV1RzyypXByfaY20tDwgz6JlLs7snh7O3s93FKpWhCjHE434CJwa1q5nHqNTgkZw=http://localhost:9000/saml2/idp/metadata.php 20g3ohE5p7icP5ZQ3CSRkSpGaME=m9+Hq+RDNJyKWGsqCpqmkXt/6dz/NQUkdzeF5YHSezVuLFJajB+QC2aSeyic5H5Z0LBkQscjZ1sgme7Hyeo+ZvBgDrBejP6bZfMyaNrET6JTKXxXnrSI0txEL7oXGgnWLJX+oTUWLJgO+PHAUGeS9AgbKcBTQjaW7aW8uh4WtJg= 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_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23sample-saml-strategyurn:oasis:names:tc:SAML:2.0:ac:classes:PasswordRajivManglaniuser@example.comExample Company omniauth-saml-1.5.0/spec/support/invalid_signature.xml000066400000000000000000000150111266366464000232050ustar00rootroot00000000000000http://localhost:9000/saml2/idp/metadata.php WSulGKooo1K7yYnKfXy88BRqgXM=AAAAAeh60EnU5U113JH3fHEr3nA+87kemKZDkqfEZnGHrfwfO2KhSbKEsU6M1ELq8ZCNDxYCFhbfwJOWij5+qkMD1gMYqvH2Hz169l5smEAfkmtovJwq+2lVO7AtVLez065rx2g+n2DmZx82H3ynrMV0vTDEQ2AohJPZjsRoNgY= 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http://localhost:9000/saml2/idp/metadata.php 
20g3ohE5p7icP5ZQ3CSRkSpGaME=m9+Hq+RDNJyKWGsqCpqmkXt/6dz/NQUkdzeF5YHSezVuLFJajB+QC2aSeyic5H5Z0LBkQscjZ1sgme7Hyeo+ZvBgDrBejP6bZfMyaNrET6JTKXxXnrSI0txEL7oXGgnWLJX+oTUWLJgO+PHAUGeS9AgbKcBTQjaW7aW8uh4WtJg= 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_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23sample-saml-strategyurn:oasis:names:tc:SAML:2.0:ac:classes:PasswordRajivManglaniuser@example.comExample Company omniauth-saml-1.5.0/spec/support/no_name_id.xml000066400000000000000000000145721266366464000216010ustar00rootroot00000000000000http://localhost:9000/saml2/idp/metadata.php kzbCl9Y1eWJhqW5Z1a0N1hlrVuI=bdRjpQ1SVr0P/2CRQYK66yIoZ025TRqNN0Gb3rfTu3TiEs5cjsbT+ZAt0qbEekKFmI59TwR890L+81bPb80yQx+pPbSuPB1ull9RYE/UxSR/9mRKRuxFJpCbKxSu3t64TKEfPZp+VMkNxBmJ1GDMaZu1zkB3jVTmeIcmPKYppyo= 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http://localhost:9000/saml2/idp/metadata.php 4m3lMEXWyVKoEfMSk8RdwvR1pdQ=THArdS1Zpjj5nC5VgvTkGiqmlYewIgYFBGrxmMPiBo7z3vaDpa7indkSyJZiJXV9BbzFKclHk8l75lLEYuw7G5zDsE+eJ7OmA1P7vOQ25hMk3z7nyUwf6VITLWuvbfE2Tfi39jzyr1LWolKwPL3QQMEUhPJG+UKX2Mtr/FHT+iU= 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sample-saml-strategyurn:oasis:names:tc:SAML:2.0:ac:classes:PasswordRajivManglaniuser@example.comExample Company