class OmniAuth::Strategies::MSAD

Public Class Methods

new(app, *args, &block)
Calls superclass method
# File lib/omniauth/strategies/msad.rb, line 47
# Build the strategy, then fold the settings derived from the IdP metadata
# into the configured options.
#
# Order matters: the caller's options are merged *over* the values produced
# by msad_options, so every option the caller left as nil is removed first,
# otherwise that nil would clobber the metadata-derived value.
#
# @param app   the downstream Rack application (handed straight to super)
# @param args  strategy options, handled by the superclass
# @param block optional configuration block, handled by the superclass
def initialize(app, *args, &block)
  super

  # Default the SP name qualifier to the SP entity ID when not configured.
  if options[:sp_name_qualifier].nil?
    options[:sp_name_qualifier] = options[:sp_entity_id]
  end

  # Drop the nil-valued keys that msad_options is expected to supply.
  unset_keys = %i[idp_name_qualifier name_identifier_format security]
    .select { |key| options[key].nil? }
  unset_keys.each { |key| options.delete(key) }

  # Caller-supplied options take precedence over everything msad_options
  # produced, whether fetched from metadata or defaulted locally.
  merged = msad_options.merge(options)
  @options = OmniAuth::Strategy::Options.new(merged)
end

Public Instance Methods

response_object()

This method can be used externally to fetch information about the response, e.g. in case of failures. Note that it only parses the SAMLResponse: nothing here validates the signature or the assertion conditions, so treat the returned object as unverified unless the caller validates it.

# File lib/omniauth/strategies/msad.rb, line 74
# Parse the SAMLResponse carried by the current request into a
# OneLogin::RubySaml::Response. Exposed so callers (e.g. failure handling)
# can inspect the response.
#
# Only parsing happens here: this method never calls is_valid? on the result
# (and Response.new is not expected to validate on construction — confirm),
# so signature and condition checks are the caller's responsibility before
# anything in the response is trusted.
#
# The IdP certificate fingerprint from the settings is stashed in the
# response's attributes under "fingerprint" for the caller's convenience.
#
# @return [OneLogin::RubySaml::Response, nil] nil when the request carries
#   no SAMLResponse parameter
def response_object
  saml_response = request.params["SAMLResponse"]
  return nil unless saml_response

  with_settings do |settings|
    response_options = options_for_response_object.merge(settings: settings)
    response = OneLogin::RubySaml::Response.new(saml_response, response_options)
    response.attributes["fingerprint"] = settings.idp_cert_fingerprint
    response
  end
end

Private Instance Methods

msad_options()
# File lib/omniauth/strategies/msad.rb, line 89
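# Settings derived from the IdP metadata plus the local security policy.
# The result is a plain Hash (symbol keys, as produced by
# IdpMetadataParser#parse_remote_to_hash) that initialize merges under the
# caller's options.
#
# Fail-closed notes:
# - parse_remote_to_hash is called with validate_cert = true, so the metadata
#   fetch verifies the IdP's TLS certificate. Do not relax this: the IdP
#   signing certificate used to verify assertions comes from that document.
# - Only URI::InvalidURIError is rescued (an unset or unparseable
#   idp_metadata_url), so the strategy can still serve SP metadata without an
#   IdP. Network and HTTP failures propagate and abort startup rather than
#   silently producing settings with no IdP certificate.
#
# @return [Hash] ruby-saml settings as a symbol-keyed hash
def msad_options
  idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new

  settings = begin
    idp_metadata_parser.parse_remote_to_hash(options.idp_metadata_url, true)
  rescue ::URI::InvalidURIError
    # Allow the strategy to be configured without an IdP so that the metadata
    # endpoint keeps working.
    {}
  end

  # Security policy, layered over ruby-saml's defaults: outgoing AuthnRequests
  # are signed only when an SP certificate is configured; assertions from the
  # IdP must always be signed; our own digest and signature algorithms are
  # pinned to SHA-256 rather than relying on the library default.
  security_defaults = OneLogin::RubySaml::Settings::DEFAULTS[:security]
  settings[:security] = security_defaults.merge(
    authn_requests_signed: options.certificate.present?,
    want_assertions_signed: true,
    digest_method: XMLSecurity::Document::SHA256,
    signature_method: XMLSecurity::Document::RSA_SHA256
  )

  # Needed for correctly formatted logout requests.
  settings[:idp_name_qualifier] = settings[:idp_entity_id]

  if options.name_identifier_format.present?
    # An explicitly configured format wins over whatever the IdP metadata
    # lists (otherwise the first format in the metadata would be used).
    settings[:name_identifier_format] = options.name_identifier_format
  elsif settings[:name_identifier_format].blank?
    # Neither configured nor present in the metadata: advertise the persistent
    # format in the SP metadata.
    settings[:name_identifier_format] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
  end

  settings
end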
other_phase_for_metadata()

Customize the metadata class in order to add custom nodes to the metadata.

# File lib/omniauth/strategies/msad.rb, line 142
# Serve the SP metadata document, using the custom Metadata class so that
# extra nodes can be added. When request attributes are configured they are
# written into the settings first so that they appear in the document.
#
# @return [Array] a finished Rack response triple with an XML body
def other_phase_for_metadata
  with_settings do |settings|
    add_request_attributes_to(settings) if options.request_attributes.length.positive?

    body = OmniAuth::MSAD::Metadata.new.generate(settings)
    Rack::Response.new(body, 200, "Content-Type" => "application/xml").finish
  end
end
other_phase_for_spslo()

End the local user session BEFORE sending the logout request to the identity provider.

Calls superclass method
# File lib/omniauth/strategies/msad.rb, line 158
# SP-initiated single logout. The local session is destroyed BEFORE the user
# is redirected to the IdP, but only after the logout request has been
# generated, because generating it needs values that live in the session.
#
# Without an idp_slo_target_url the superclass behaviour is used unchanged.
#
# @return the redirect response to the IdP's logout endpoint
def other_phase_for_spslo
  return super unless options.idp_slo_target_url

  with_settings do |settings|
    # Generate first: the request depends on session state destroyed below.
    logout_request = generate_logout_request(settings)
    options[:idp_slo_session_destroy].call @env, session
    redirect(logout_request)
  end
end
slo_relay_state()

Overridden to restrict the relay state to a site-relative path. The default implementation accepts a relay state passed as a request parameter, which would allow redirecting the user off-site after logout.

Calls superclass method
# File lib/omniauth/strategies/msad.rb, line 173
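# Relay state used after the single-logout round trip.
#
# The value comes from the parent strategy (which may take it from a request
# parameter), so it must be treated as attacker-controlled; it is only ever
# used as a redirect target on this site. Anything that is not a plain,
# single-line, site-relative path is replaced by "/":
#   - it must start with exactly one "/" ("//host" is protocol-relative);
#   - the second character may not be "\" either, since browsers normalise
#     "/\host" to "//host";
#   - no CR/LF anywhere, as the value ends up in a Location header;
#   - anchored with \A and \z, because ^ and $ match per line in Ruby and a
#     multi-line value could otherwise satisfy the check on a later line.
#
# @return [String] a site-relative path, or "/" when the state is unusable
def slo_relay_state
  state = super

  return "/" unless state.is_a?(String) && state.match?(%r{\A/[^/\\][^\r\n]*\z})

  state
end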
with_settings() { |settings| ... }
# File lib/omniauth/strategies/msad.rb, line 135
# Yield an OmniAuth::MSAD::Settings built from the current options.
#
# The assertion consumer service URL defaults to this strategy's callback
# URL; `||=` keeps an explicitly configured value, and the first computed
# value is written back into options and reused from then on.
# NOTE(review): callback_url is request-derived, so if options is shared
# across requests the first request's host fixes the ACS URL advertised in
# metadata and AuthnRequests — make sure the Host header is validated
# upstream or configure assertion_consumer_service_url explicitly. Confirm
# against OmniAuth::Strategy.
#
# @yield [settings] the settings object built from options
# @return whatever the block returns
def with_settings
  options[:assertion_consumer_service_url] ||= callback_url
  settings = OmniAuth::MSAD::Settings.new(options)
  yield settings
end