lawrencepit / ruby-saml-idp Goto Github PK

View Code? Open in Web Editor NEW

137.0 137.0 101.0 68 KB

SAML Identity Provider library in ruby

License: MIT License

Ruby 74.81% JavaScript 1.54% CSS 1.31% HTML 22.35%

ruby-saml-idp's People

Contributors

Stargazers

Watchers

Forkers

aaronchi goosetav epictetus drnic troygnichols kylehr r3n4ud jimworm mje113 proving-ground tripledub demarque magicmarkker rrodriguez-gap wbajzek annuyadav ismell veny pixeltrix ridiculous mobilitylabs q-centrix missy-may proactivehealth fjyaniez mrbriandavis influitive numerex comike011 linqiu wangyuehong-shanon pt-nguyen devjuic repairshopr wsny mmitchell mymedsandme gamesalad ahcuk superborrownet shannoncornish muthhus paracycle judngu zillou cdd loyaltynz gtaschuk qstream omx bigknow boumer x4d3 gencer dev-develop notmaxx murtali owenscorning davidfou kerrizor duttski ashishprajapati identification-io polleverywhere khaitu kevinburkeomg trusted saydiy pvijayfullstack onsitehd redouble enterprise-oss rockcena vinnyvinoth yasminemedhat treiff hotelengine junz80 petergoldstein featurist ezcater jpcamara jj4me khaismile1997 studiosity

ruby-saml-idp's Issues

uuid gem not loaded

I needed to add require "uuid" to my SamlIdpController class file; else UUID was missing.

SECURITY: Update ruby-saml gem dependency to 1.7 to patch new SAML vulnerability

OneLogin just alerted its users to a new SAML vulnerability. They have already patched their ruby-saml gem in version 1.7 and this gem should now be referencing that version (

ruby-saml-idp/ruby-saml-idp.gemspec

Line 30 in 728fd8b

s.add_development_dependency("ruby-saml", "~> 0.8")

Here's the patch in onelogin/ruby-saml: SAML-Toolkits/ruby-saml@048a544

I can open a PR for this change if you'd like but hopefully this can get patched as soon as possible!

Thank you.

Don't name controller action 'initialize'

Spent a few hours fiddling before figuring this out. On rails 2 this is pretty catastrophic and causes very weird issues. Name the action 'init' or 'start' or really anything but the class constructor method name.

Possibly Incorrect XML Signature for SAML Responses

I've picked up an issue when validating SAML responses when using SHA256 for the signing algorithm.

In the SamlIdp::Controller#encode_SAMLResponse method, the code to produce the identifier is string interpolated as <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig##{algorithm_name}"> but results in a signature failure when validating SAML response.

I'm using the libsaml gem for my SP, which in-turn uses the xmldsig gem for verifying the response XML.
While debugging I found the Xmldsig::Reference#digest_method method, which looks for http://www.w3.org/2000/09/xmldsig#sha1 and http://www.w3.org/2001/04/xmlenc#sha256 when resolving the Ruby class to use.

From what I can understand from the XML Encryption Syntax and Processing W3C specification, the identifiers for each digest algorithm change according to the algorithm used.

E.g.

SHA1 = http://www.w3.org/2000/09/xmldsig#sha1
SHA256 = http://www.w3.org/2001/04/xmlenc#sha256
SHA512 = http://www.w3.org/2001/04/xmlenc#sha512

~~Also, I couldn't find any identifiers which had "rsa-" prefix to the "shaXXX" part. I.e. http://www.w3.org/2000/09/xmldsig#rsa-shaXXX.~~ This is correct as per Algorithm Identifiers and Implementation Requirements.

I'm no expert on the subject, so maybe someone who knows can comment on this.

Error: Not match the saml-schema-protocol-2.0.xsd

I'm getting the following error. Response Invalid. Errors: ["Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"]

This is just a simple test between a simple app with the ruby-saml-idp gem installed and the ruby-saml-example application.

Can anyone point me in the right direction to troubleshoot this?

IdP Initiated SSO (single-sign-on)

Hopefully this is a pretty quick and easy answer. But how do you generate a SAML response without a request for a specific service provider?

I know I can use encode_response, is it just a matter of overriding the methods in the SAMLIdp::Controller?

Any help or pointing in the right direction is appreciated.

Adding additional attributes in saml_response

Help with generating the saml_response

Hey all -

What does the syntax look like to send additional attributes, I want to specify groups/name/etc in here:

    encode_SAMLResponse(user.email)

I tried this, it doesn't work..

    encode_SAMLResponse(user.email, name: user.full_name, groups: [user.account_id])

Support IdP SLO (IdP initiated logout)

https://github.com/calh/ruby-saml-rails3-example supports IdP initiated logout (via an unmerged patch to ruby-saml, ugh, SAML-Toolkits/ruby-saml#26).

It'd be nice for this canonical IdP written in ruby to speak the SLO sequence.

I created an example rails app https://github.com/drnic/ruby-saml-idp-rails3-example to wrap around ruby-saml-idp. I've added @lawrencepit as admin to it :)

Circular dependency detected while autoloading constant SamlIdp::IdpController

Getting this in Rails 4 on every change to my controller that inherits from SamlIdp::IdpController.

Removing unloadable statement solves this.

Question - Specify Attribute value type in the assertion produced

Where to specify type for an attribute value.For eg:
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"

1</saml2:AttributeValue>
Where do we specify "xsi:string" in ruby-saml-idp

present? couples to activesupport

The calls to present? in the controller mean that we're coupled to ActiveSupport, since that's the library that puts that function on the String class. It would be good to either add an explicit require, update the docs or change the function to use default methods on the String object.

I get the error: Zlib::DataError at /saml/auth invalid code lengths set

For some reason I'm getting this error:

Zlib::DataError at /saml/auth
invalid code lengths set

I generated my own certificates and I'm testing it locally, when send the request it fails here:
@saml_request = zstream.inflate(Base64.decode64(saml_request)) exactly on the inflate method, the decode64 works good and I can read perfectly the xml:

<samlp:AuthnRequest AssertionConsumerServiceURL='https://localhost:9001/v/callback' 
Destination='http://localhost:3000/saml/auth' ID='_79a0007-7a33-4660-aa5c-06352b3b0008' 
IssueInstant='2017-08-03T20:28:11Z' ProtocolBinding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' 
Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' 
xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer>http://localhost:9001/</saml:Issuer>
<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'><ds:SignedInfo><ds:CanonicalizationMethod 
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/><ds:SignatureMethod Algorithm='http://www.w3.org
/2000/09/xmldsig#rsa-sha1'/><ds:Reference URI='#_79a06347-7a33-4880-aa5c-06352b3b6638'>
<ds:Transforms><ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'
/><ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'><ec:InclusiveNamespaces 
PrefixList='#default samlp saml ds xs xsi md' xmlns:ec='http://www.w3.org/2001/10/xml-exc-c14n#'
/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'
/><ds:DigestValue>Da5OtETbfjtPr1gR570a6/rhqjQ=</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>0gLy8U3EAHJg
/drpr0Vq49ZzsomJ8z+QtrXPkBKCmFLCKyIjlVOYA8Ugq8+7UBH3kWzWz
/TnLGJbU7TNwZTkJQI3bk9Lyppc+6JPBMFP7oknxi8S2YFXd6WWkxVU0EEBhNLBnHIUrVnYGex3C6FYe
TrgFyscUmrz+099kgpWqso=</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>MIICATCCAWoCCQDC8zSdppoKyjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQ
GEwJBVTETMBEGA1UECAKJADKAJSHDAJL0ZTEhXXXXXXCgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgT
HRkMB4X0IFdpZGdpdHMgUHR5IEx0ZDCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3SuvHf2+80PK9ePk9D3LAKJSDHALSKJDAHLSKJDH7B5VQjtP
/rwsTsnKv0Lk322mvNq89NQtXXXXXXNdkod9MF6A21
/myhxscLiUmcuaY1rtj0J59uIKysuFBWFqIn0Tx0XhvALKSJDHALKJSDHLAKJDHAJADHLKC7YpJvzkCAwEA
ATANBgkqhkiG9w0BAQsFAAOLAKJSDHWUOIQWmmBK375Q6qTY7pWTHbZijndHyv
/MwQpqAwX/Ng0249D8nWLg3V+ui/hAdHBUaXgMaW4YNyM0mZbjT4qfpSjSj/hmsesHU
/zm0FLw1McpchzZI8Rx04CIQJsXPoeaOEALKNCASA1twTR6q9GkYEAB9NEkfg==
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:NameIDPolicy 
AllowCreate='true' Format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'/></samlp:AuthnRequest>

Canonicalization is not performed

The canonicalization doesn't seem to be performed. The XML Signature for the current assertion message validates properly, however - when attribute orders change the validation fails.

Passes Validation:

<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_71be78a0-98a7-0130-e799-4dcd5b4422b3"
           IssueInstant="2013-05-06T18:19:41Z" Version="2.0">
  <Issuer>example.com/Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">SOMENAME</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="samlr-838de9f0-b679-11e2-b86c-0024811fab45" NotOnOrAfter="2013-05-06T18:22:41Z" Recipient="http://example.com/sso/consume"></SubjectConfirmationData>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2013-05-06T18:19:36Z" NotOnOrAfter="2013-05-06T19:19:41Z">
    <AudienceRestriction>
      <Audience>http://example.com/sso/consume</Audience>
    </AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="CustomName"
               NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
               FriendlyName="CustomName">
      <AttributeValue>SOMENAME</AttributeValue>
    </Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2013-05-06T18:19:41Z" SessionIndex="_71be78a0-98a7-0130-e799-4dcd5b4422b3">
    <AuthnContext>
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>

Fails Validation (changed attribute order for Attribute):

...
<Attribute FriendlyName="CustomName" Name="CustomName"
               NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
               >
...

Only for testing?

This is a question more than an issue. I get the impression that this intended primarily for testing and development of SAML consumers, rather than for production-ready Ruby-powered IDPs?

Why POST the SAMLResponse to the SP and not redirect?

The provided HTML form auto-POSTs the SAMLResponse on page load (triggered by Javascript). I wonder why this was preferred over a redirect?

References:

https://github.com/lawrencepit/ruby-saml-idp/blob/master/app/controllers/saml_idp/idp_controller.rb#L26
https://github.com/lawrencepit/ruby-saml-idp/blob/master/app/views/saml_idp/idp/saml_post.html.erb