lawrencepit / ruby-saml-idp
SAML Identity Provider library in ruby
License: MIT License
I needed to add require "uuid" to my SamlIdpController class file; else UUID was missing.
OneLogin just alerted its users to a new SAML vulnerability. They have already patched their ruby-saml gem in version 1.7 and this gem should now be referencing that version (ruby-saml-idp/ruby-saml-idp.gemspec, line 30 in 728fd8b).
Here's the patch in onelogin/ruby-saml: SAML-Toolkits/ruby-saml@048a544
I can open a PR for this change if you'd like but hopefully this can get patched as soon as possible!
Thank you.
Spent a few hours fiddling before figuring this out. On rails 2 this is pretty catastrophic and causes very weird issues. Name the action 'init' or 'start' or really anything but the class constructor method name.
I've picked up an issue when validating SAML responses when using SHA256 for the signing algorithm.
In the SamlIdp::Controller#encode_SAMLResponse method, the code to produce the identifier is string interpolated as <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig##{algorithm_name}">, but this results in a signature failure when validating the SAML response.
I'm using the libsaml gem for my SP, which in turn uses the xmldsig gem for verifying the response XML.
While debugging I found the Xmldsig::Reference#digest_method method, which looks for http://www.w3.org/2000/09/xmldsig#sha1 and http://www.w3.org/2001/04/xmlenc#sha256 when resolving the Ruby class to use.
From what I can understand from the XML Encryption Syntax and Processing W3C specification, the identifiers for each digest algorithm change according to the algorithm used.
E.g.
Also, I couldn't find any identifiers which had an "rsa-" prefix to the "shaXXX" part, i.e. http://www.w3.org/2000/09/xmldsig#rsa-shaXXX. This is correct as per Algorithm Identifiers and Implementation Requirements.
I'm no expert on the subject, so maybe someone who knows can comment on this.
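As an added example, not code from ruby-saml-idp or the xmldsig gem, the Ruby below maps an IdP's short algorithm name to the DigestMethod and SignatureMethod identifiers a verifier actually resolves, and recomputes a DigestValue the way a verifier does. It goes beyond the issue by covering SHA-384 and SHA-512 as well; the function names and the naive_digest_method comparison are my own.

```ruby
require "openssl"
require "base64"

# Added example (not ruby-saml-idp code). The digest and signature identifiers
# live in different W3C namespaces depending on the algorithm, so a single
# interpolated prefix "http://www.w3.org/2000/09/xmldsig#" + name is only
# right for SHA-1; for SHA-256 a verifier looks for the xmlenc namespace.
DIGEST_METHODS = {
  "sha1"   => "http://www.w3.org/2000/09/xmldsig#sha1",
  "sha256" => "http://www.w3.org/2001/04/xmlenc#sha256",
  "sha384" => "http://www.w3.org/2001/04/xmldsig-more#sha384",
  "sha512" => "http://www.w3.org/2001/04/xmlenc#sha512",
}.freeze

SIGNATURE_METHODS = {
  "sha1"   => "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
  "sha256" => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
  "sha384" => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
  "sha512" => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}.freeze

# The interpolation from the issue, kept only to show where it diverges.
def naive_digest_method(name)
  "http://www.w3.org/2000/09/xmldsig##{name}"
end

def digest_method(name)
  DIGEST_METHODS.fetch(name) { raise ArgumentError, "unsupported digest #{name}" }
end

def signature_method(name)
  SIGNATURE_METHODS.fetch(name) { raise ArgumentError, "unsupported signature algorithm #{name}" }
end

# Base64 DigestValue over already-canonicalized bytes, as a verifier recomputes it.
def digest_value(name, canonical_bytes)
  Base64.strict_encode64(OpenSSL::Digest.new(name).digest(canonical_bytes))
end

# A verifier first resolves the Ruby digest class from the identifier, so an
# identifier it does not know fails before a single byte is hashed.
def digest_matches?(method_uri, canonical_bytes, expected_b64)
  name = DIGEST_METHODS.key(method_uri)
  return false unless name
  digest_value(name, canonical_bytes) == expected_b64
end
```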
I'm getting the following error. Response Invalid. Errors: ["Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"]
This is just a simple test between a simple app with the ruby-saml-idp gem installed and the ruby-saml-example application.
Can anyone point me in the right direction to troubleshoot this?
Help with generating the saml_response
Hopefully this is a pretty quick and easy answer. But how do you generate a SAML response without a request for a specific service provider?
I know I can use encode_response, is it just a matter of overriding the methods in the SAMLIdp::Controller?
Any help or pointing in the right direction is appreciated.
Hey all -
What does the syntax look like to send additional attributes, I want to specify groups/name/etc in here:
encode_SAMLResponse(user.email)
I tried this, it doesn't work..
encode_SAMLResponse(user.email, name: user.full_name, groups: [user.account_id])
https://github.com/calh/ruby-saml-rails3-example supports IdP initiated logout (via an unmerged patch to ruby-saml, ugh, SAML-Toolkits/ruby-saml#26).
It'd be nice for this canonical IdP written in ruby to speak the SLO sequence.
I created an example rails app https://github.com/drnic/ruby-saml-idp-rails3-example to wrap around ruby-saml-idp. I've added @lawrencepit as admin to it :)
Getting this in Rails 4 on every change to my controller that inherits from SamlIdp::IdpController. Removing the unloadable statement solves this.
Where to specify the type for an attribute value. For example:
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1</saml2:AttributeValue>
Where do we specify "xsi:string" in ruby-saml-idp?
The calls to present? in the controller mean that we're coupled to ActiveSupport, since that's the library that puts that function on the String class. It would be good to either add an explicit require, update the docs or change the function to use default methods on the String object.
For some reason I'm getting this error:
Zlib::DataError at /saml/auth
invalid code lengths set
I generated my own certificates and I'm testing it locally; when I send the request it fails here:
@saml_request = zstream.inflate(Base64.decode64(saml_request))
exactly on the inflate method. The decode64 works fine and I can read the XML perfectly:
<samlp:AuthnRequest AssertionConsumerServiceURL='https://localhost:9001/v/callback' Destination='http://localhost:3000/saml/auth' ID='_79a0007-7a33-4660-aa5c-06352b3b0008' IssueInstant='2017-08-03T20:28:11Z' ProtocolBinding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>
  <saml:Issuer>http://localhost:9001/</saml:Issuer>
  <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
      <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
      <ds:Reference URI='#_79a06347-7a33-4880-aa5c-06352b3b6638'>
        <ds:Transforms>
          <ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
          <ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'>
            <ec:InclusiveNamespaces PrefixList='#default samlp saml ds xs xsi md' xmlns:ec='http://www.w3.org/2001/10/xml-exc-c14n#'/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
        <ds:DigestValue>Da5OtETbfjtPr1gR570a6/rhqjQ=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>0gLy8U3EAHJg/drpr0Vq49ZzsomJ8z+QtrXPkBKCmFLCKyIjlVOYA8Ugq8+7UBH3kWzWz/TnLGJbU7TNwZTkJQI3bk9Lyppc+6JPBMFP7oknxi8S2YFXd6WWkxVU0EEBhNLBnHIUrVnYGex3C6FYeTrgFyscUmrz+099kgpWqso=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICATCCAWoCCQDC8zSdppoKyjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJBVTETMBEGA1UECAKJADKAJSHDAJL0ZTEhXXXXXXCgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMB4X0IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3SuvHf2+80PK9ePk9D3LAKJSDHALSKJDAHLSKJDH7B5VQjtP/rwsTsnKv0Lk322mvNq89NQtXXXXXXNdkod9MF6A21/myhxscLiUmcuaY1rtj0J59uIKysuFBWFqIn0Tx0XhvALKSJDHALKJSDHLAKJDHAJADHLKC7YpJvzkCAwEAATANBgkqhkiG9w0BAQsFAAOLAKJSDHWUOIQWmmBK375Q6qTY7pWTHbZijndHyv/MwQpqAwX/Ng0249D8nWLg3V+ui/hAdHBUaXgMaW4YNyM0mZbjT4qfpSjSj/hmsesHU/zm0FLw1McpchzZI8Rx04CIQJsXPoeaOEALKNCASA1twTR6q9GkYEAB9NEkfg==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'/>
</samlp:AuthnRequest>
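As an added example, not code from ruby-saml-idp, the Ruby below decodes a SAMLRequest by telling the two front-channel bindings apart: the HTTP-Redirect binding carries raw-DEFLATE data, while the HTTP-POST binding (the ProtocolBinding in the request above) carries uncompressed XML, and running inflate over the latter, or over a zlib-wrapped stream, is what raises Zlib::DataError even though the base64 decodes to readable XML. decode_saml_request, encode_redirect_request and the sample XML are my own.

```ruby
require "zlib"
require "base64"

# Added example (not ruby-saml-idp code). A SAMLRequest reaches the IdP in one
# of two shapes, and only one of them is compressed:
#   HTTP-Redirect binding: XML -> raw DEFLATE (RFC 1951, no zlib header) -> base64
#   HTTP-POST binding:     XML -> base64 (no compression at all)
# Inflating uncompressed XML, or a zlib-wrapped stream, with a raw inflater
# raises Zlib::DataError (for example "invalid code lengths set") even though
# Base64.decode64 already returned perfectly readable XML.
def decode_saml_request(encoded)
  raw = Base64.decode64(encoded)
  # POST binding: the decoded bytes are already the XML document.
  return [:post, raw] if raw.lstrip.start_with?("<")
  begin
    # Negative window bits make zlib expect a raw DEFLATE stream without a header.
    [:redirect, Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(raw)]
  rescue Zlib::DataError
    # Not raw DEFLATE. Some SPs send a zlib-wrapped stream (first byte 0x78)
    # instead; accept it but flag it so the non-conformant SP can be fixed.
    [:zlib_wrapped, Zlib::Inflate.inflate(raw)]
  end
rescue Zlib::DataError => e
  raise ArgumentError, "SAMLRequest is neither plain XML nor DEFLATE data: #{e.message}"
end

# What a conformant SP does for the redirect binding: raw DEFLATE, then base64.
def encode_redirect_request(xml)
  deflated = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS).deflate(xml, Zlib::FINISH)
  Base64.strict_encode64(deflated)
end

# Constructed sample AuthnRequest, reduced to the attributes the decoder needs.
SAMPLE_XML = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' \
             'ID="_constructed-example" Version="2.0"/>'
```

Logging which of the three shapes arrived is worth doing at the IdP, since a POST-binding payload that reaches the redirect endpoint points at a misconfigured SP rather than at the inflate call.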
The canonicalization doesn't seem to be performed. The XML Signature for the current assertion message validates properly, however - when attribute orders change the validation fails.
Passes Validation:
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_71be78a0-98a7-0130-e799-4dcd5b4422b3" IssueInstant="2013-05-06T18:19:41Z" Version="2.0">
  <Issuer>example.com</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">SOMENAME</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="samlr-838de9f0-b679-11e2-b86c-0024811fab45" NotOnOrAfter="2013-05-06T18:22:41Z" Recipient="http://example.com/sso/consume"></SubjectConfirmationData>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2013-05-06T18:19:36Z" NotOnOrAfter="2013-05-06T19:19:41Z">
    <AudienceRestriction>
      <Audience>http://example.com/sso/consume</Audience>
    </AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="CustomName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" FriendlyName="CustomName">
      <AttributeValue>SOMENAME</AttributeValue>
    </Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2013-05-06T18:19:41Z" SessionIndex="_71be78a0-98a7-0130-e799-4dcd5b4422b3">
    <AuthnContext>
      <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>
Fails Validation (changed attribute order for Attribute):
...
<Attribute FriendlyName="CustomName" Name="CustomName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
...
This is a question more than an issue. I get the impression that this is intended primarily for testing and development of SAML consumers, rather than for production-ready Ruby-powered IdPs?
The provided HTML form auto-POSTs the SAMLResponse on page load (triggered by Javascript). I wonder why this was preferred over a redirect?
References:
https://github.com/lawrencepit/ruby-saml-idp/blob/master/app/controllers/saml_idp/idp_controller.rb#L26
https://github.com/lawrencepit/ruby-saml-idp/blob/master/app/views/saml_idp/idp/saml_post.html.erb