class OneLogin::RubySaml::Authrequest

SAML2 Authentication. AuthNRequest (SSO SP initiated, Builder)

Attributes

uuid[R]

AuthNRequest ID

Public Class Methods

new()

Initializes the AuthNRequest. An Authrequest object is an extension of the SamlMessage class. Assigns an ID: a random UUID that later becomes the AuthnRequest's ID attribute.

# File lib/onelogin/ruby-saml/authrequest.rb, line 22
# Initializes the AuthNRequest and assigns it a fresh random ID.
#
# The ID comes from OneLogin::RubySaml::Utils.uuid and is exposed through the
# +uuid+ reader; create_xml_document writes it into the AuthnRequest's ID
# attribute. Presumably callers persist it to match the Response's
# InResponseTo later — confirm against the response handling code, which is
# not part of this listing.
def initialize
  @uuid = OneLogin::RubySaml::Utils.uuid
end

Public Instance Methods

create(settings, params = {})

Creates the SSO login URL for the HTTP-Redirect binding: the IdP SSO target URL with the SAMLRequest (and any extra parameters, plus SigAlg/Signature when a detached signature is configured) appended as a query string.
@param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
@param params [Hash] Extra parameters to be added to the GET, for example the RelayState
@return [String] The login URL that includes the SAMLRequest

# File lib/onelogin/ruby-saml/authrequest.rb, line 31
# Builds the SP-initiated SSO URL for the HTTP-Redirect binding.
#
# The query string is assembled from the hash returned by create_params:
# +SAMLRequest+ always comes first, followed by every other entry (e.g.
# RelayState, and SigAlg/Signature when a detached signature was produced).
# Values are percent-encoded with CGI.escape; keys are appended as given, so
# callers must only pass well-formed parameter names.
#
# NOTE(review): for a signed redirect, RelayState and SigAlg are already
# covered by the signature computed in create_params, so nothing here may
# alter those values — they are emitted exactly as returned.
#
# @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
# @param params [Hash] Extra GET parameters, for example the RelayState
# @return [String] Full login URL (idp_sso_target_url plus query string);
#   also stored in @login_url
def create(settings, params = {})
  query = create_params(settings, params)
  encoded_request = CGI.escape(query.delete("SAMLRequest"))

  # Join with '&' when the IdP endpoint already carries a query string.
  separator = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
  extras = query.map { |name, value| "&#{name}=#{CGI.escape(value.to_s)}" }.join

  @login_url = settings.idp_sso_target_url + "#{separator}SAMLRequest=#{encoded_request}#{extras}"
end
create_authentication_xml_doc(settings)

Creates the AuthnRequest document and signs it in place when an embedded signature is configured (see sign_document).
@param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
@return [XMLSecurity::Document] The (possibly signed) AuthnRequest document; create_params serializes it into the SAMLRequest string.

# File lib/onelogin/ruby-saml/authrequest.rb, line 89
# Builds the AuthnRequest document and applies the embedded signature when
# the settings ask for it.
#
# Note that the result is not a String: it is the XMLSecurity::Document made
# by create_xml_document, passed through sign_document (a no-op unless
# authn_requests_signed and embed_sign are both set and a key and certificate
# are configured). create_params is what serializes it.
#
# @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
# @return [XMLSecurity::Document] the (possibly signed) AuthnRequest document
def create_authentication_xml_doc(settings)
  sign_document(create_xml_document(settings), settings)
end
create_params(settings, params={})

Creates the GET parameters for the request: the base64 (optionally deflated) SAMLRequest plus the caller's extra parameters, and SigAlg/Signature when a detached (HTTP-Redirect) signature is configured.
@param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
@param params [Hash] Extra parameters to be added to the GET, for example the RelayState
@return [Hash] Parameters

# File lib/onelogin/ruby-saml/authrequest.rb, line 47
# Builds the GET parameter hash for the AuthnRequest.
#
# Steps: serialize the (possibly embedded-signed) document from
# create_authentication_xml_doc, optionally deflate it, base64-encode it as
# +SAMLRequest+, then — for a detached HTTP-Redirect signature — add +SigAlg+
# and +Signature+. Finally every caller-supplied entry is copied in with its
# value stringified.
#
# Detached signing happens only when authn_requests_signed is set, embed_sign
# is NOT set and a private key is configured. The signed string is produced
# by Utils.build_query from SAMLRequest, RelayState and SigAlg, so the
# RelayState that ends up on the wire must be the one signed here.
#
# Caveats:
# * RelayState is read from params[:RelayState] first and params['RelayState']
#   second; both keys are still copied to the output, so passing both with
#   different values would emit two RelayState parameters of which only one
#   is signed. Pass exactly one.
# * The caller's +params+ hash is mutated: SigAlg and Signature are written
#   into it when a detached signature is produced.
#
# @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
# @param params [Hash] Extra GET parameters, for example the RelayState
# @return [Hash] "SAMLRequest" plus every entry of +params+ (values as Strings)
def create_params(settings, params={})
  # Rails' HashWithIndifferentAccess means either key spelling may show up.
  relay_state = params[:RelayState] || params['RelayState']

  document = create_authentication_xml_doc(settings)
  document.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values

  xml = ""
  document.write(xml)
  Logging.debug "Created AuthnRequest: #{xml}"

  payload = settings.compress_request ? deflate(xml) : xml
  base64_request = encode(payload)
  result = {"SAMLRequest" => base64_request}

  detached_signature = settings.security[:authn_requests_signed] &&
                       !settings.security[:embed_sign] &&
                       settings.private_key
  if detached_signature
    params['SigAlg'] = settings.security[:signature_method]
    # The string under signature is the canonical SAMLRequest/RelayState/SigAlg query.
    signed_string = OneLogin::RubySaml::Utils.build_query(
      :type => 'SAMLRequest',
      :data => base64_request,
      :relay_state => relay_state,
      :sig_alg => params['SigAlg']
    )
    digest_class = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
    raw_signature = settings.get_sp_key.sign(digest_class.new, signed_string)
    params['Signature'] = encode(raw_signature)
  end

  params.each { |name, value| result[name] = value.to_s }

  result
end
create_xml_document(settings)
# File lib/onelogin/ruby-saml/authrequest.rb, line 94
# Builds the unsigned samlp:AuthnRequest document from the settings.
#
# Always present: ID (this object's uuid), IssueInstant (current UTC time,
# second precision) and Version "2.0". Every other attribute and child
# element is emitted only when the corresponding setting is non-nil:
# Destination, IsPassive, ProtocolBinding, AttributeConsumingServiceIndex,
# ForceAuthn, AssertionConsumerServiceURL, saml:Issuer, samlp:NameIDPolicy
# (with AllowCreate hard-coded to "true") and samlp:RequestedAuthnContext
# (Comparison defaults to "exact").
#
# Security notes: Destination ties the request to the configured IdP
# endpoint, and the ID is also handed to the document via +uuid=+,
# presumably so the signature reference can point at it — confirm in
# XMLSecurity::Document, which is not part of this listing.
#
# @param settings [OneLogin::RubySaml::Settings] Toolkit settings
# @return [XMLSecurity::Document] the unsigned AuthnRequest document
def create_xml_document(settings)
  issue_instant = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")

  document = XMLSecurity::Document.new
  document.uuid = uuid

  root = document.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
  root.attributes['ID'] = uuid
  root.attributes['IssueInstant'] = issue_instant
  root.attributes['Version'] = "2.0"

  # Optional attributes, in wire order; skipped when the setting is nil.
  optional_attributes = {
    'Destination'                    => settings.idp_sso_target_url,
    'IsPassive'                      => settings.passive,
    'ProtocolBinding'                => settings.protocol_binding,
    'AttributeConsumingServiceIndex' => settings.attributes_index,
    'ForceAuthn'                     => settings.force_authn,
    'AssertionConsumerServiceURL'    => settings.assertion_consumer_service_url
  }
  optional_attributes.each do |name, value|
    root.attributes[name] = value unless value.nil?
  end

  unless settings.issuer.nil?
    root.add_element("saml:Issuer").text = settings.issuer
  end

  unless settings.name_identifier_format.nil?
    # AllowCreate is not configurable here (see the original TODO).
    root.add_element "samlp:NameIDPolicy", {
      "AllowCreate" => "true",
      "Format" => settings.name_identifier_format
    }
  end

  if settings.authn_context || settings.authn_context_decl_ref
    comparison = settings.authn_context_comparison.nil? ? 'exact' : settings.authn_context_comparison
    requested = root.add_element "samlp:RequestedAuthnContext", { "Comparison" => comparison }

    unless settings.authn_context.nil?
      requested.add_element("saml:AuthnContextClassRef").text = settings.authn_context
    end
    unless settings.authn_context_decl_ref.nil?
      requested.add_element("saml:AuthnContextDeclRef").text = settings.authn_context_decl_ref
    end
  end

  document
end
sign_document(document, settings)
# File lib/onelogin/ruby-saml/authrequest.rb, line 152
# Embeds an XML signature in the AuthnRequest document when configured.
#
# Signing happens only if authn_requests_signed AND embed_sign are set and
# both a private key and a certificate are configured; the document's own
# sign_document is then called with the SP key, SP certificate and the
# configured signature and digest methods. In every other case the document
# is returned untouched.
#
# NOTE(review): a misconfiguration (authn_requests_signed set but no key or
# certificate) silently yields an UNSIGNED request rather than an error;
# callers who require signing should verify their settings up front.
#
# @param document [XMLSecurity::Document] the AuthnRequest to sign in place
# @param settings [OneLogin::RubySaml::Settings] Toolkit settings
# @return [XMLSecurity::Document] the same document, signed or not
def sign_document(document, settings)
  security = settings.security
  embedded_signature_wanted = security[:authn_requests_signed] && security[:embed_sign]
  credentials_present = settings.private_key && settings.certificate

  if embedded_signature_wanted && credentials_present
    document.sign_document(
      settings.get_sp_key,
      settings.get_sp_cert,
      security[:signature_method],
      security[:digest_method]
    )
  end

  document
end