Class: OneLogin::KlRubySaml::Metadata
- Inherits:
Object
- Object
- OneLogin::KlRubySaml::Metadata
- Defined in:
- lib/onelogin/kl-ruby-saml/metadata.rb
Overview
SAML2 metadata: an XML metadata builder for the service provider.
Instance Method Summary
#generate(settings, pretty_print = false) ⇒ String
Return SP metadata based on the settings.
Instance Method Details
#generate(settings, pretty_print = false) ⇒ String
Return SP metadata based on the settings.
# File 'lib/onelogin/kl-ruby-saml/metadata.rb', line 20
# Build the SP (service provider) metadata document described by +settings+.
#
# The document is an md:EntityDescriptor holding one md:SPSSODescriptor with the
# SP certificate (when configured), the SLO/ACS endpoints, the NameID format and
# an optional md:AttributeConsumingService. It is signed when
# settings.security[:metadata_signed] is set and SP key material is present.
#
# @param settings [Object] SP/IdP configuration; any object responding to the
#   accessors used below (issuer, security, get_sp_cert, get_sp_key, ...)
# @param pretty_print [Boolean] indent the XML for human readers
# @return [String] the serialized EntityDescriptor XML
def generate(settings, pretty_print=false)
  meta_doc = KlXMLSecurity::Document.new
  acs = settings.attribute_consuming_service

  ns = { "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata" }
  # The saml: prefix is only needed when saml:AttributeValue elements will be emitted.
  ns["xmlns:saml"] = "urn:oasis:names:tc:SAML:2.0:assertion" if acs.configured?

  root = meta_doc.add_element "md:EntityDescriptor", ns
  sp_sso = root.add_element "md:SPSSODescriptor", {
    "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
    "AuthnRequestsSigned" => settings.security[:authn_requests_signed],
    # Ask the IdP to sign assertions whenever we hold something to verify them with
    # (an IdP certificate or its fingerprint).
    "WantAssertionsSigned" => !!(settings.idp_cert_fingerprint || settings.idp_cert)
  }

  # Publish the SP certificate, once per key use, when one is configured.
  # strict_encode64 yields the same single-line Base64 as encode64 with the
  # newlines stripped.
  cert = settings.get_sp_cert
  if cert
    cert_text = Base64.strict_encode64(cert.to_der)
    %w[signing encryption].each do |use|
      kd = sp_sso.add_element "md:KeyDescriptor", { "use" => use }
      ki = kd.add_element "ds:KeyInfo", { "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#" }
      ki.add_element("ds:X509Data").add_element("ds:X509Certificate").text = cert_text
    end
  end

  # The ID must be an XML NCName, hence the leading underscore before the UUID.
  root.attributes["ID"] = "_" + UUID.new.generate
  root.attributes["entityID"] = settings.issuer if settings.issuer

  if settings.single_logout_service_url
    sp_sso.add_element "md:SingleLogoutService", {
      "Binding" => settings.single_logout_service_binding,
      "Location" => settings.single_logout_service_url,
      "ResponseLocation" => settings.single_logout_service_url
    }
  end

  if settings.name_identifier_format
    sp_sso.add_element("md:NameIDFormat").text = settings.name_identifier_format
  end

  if settings.assertion_consumer_service_url
    sp_sso.add_element "md:AssertionConsumerService", {
      "Binding" => settings.assertion_consumer_service_binding,
      "Location" => settings.assertion_consumer_service_url,
      "isDefault" => true,
      "index" => 0
    }
  end

  if acs.configured?
    sp_acs = sp_sso.add_element "md:AttributeConsumingService", {
      "isDefault" => "true",
      "index" => acs.index
    }
    sp_acs.add_element("md:ServiceName", { "xml:lang" => "en" }).text = acs.name
    acs.attributes.each do |attribute|
      req_attr = sp_acs.add_element "md:RequestedAttribute", {
        "NameFormat" => attribute[:name_format],
        "Name" => attribute[:name],
        "FriendlyName" => attribute[:friendly_name]
      }
      next if attribute[:attribute_value].nil?
      req_attr.add_element("saml:AttributeValue").text = attribute[:attribute_value]
    end
  end

  # With OpenSSO, it might be required to also include
  # <md:RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  # <md:XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>

  meta_doc << REXML::XMLDecl.new("1.0", "UTF-8")

  # Embed an enveloped signature when requested and SP key material is configured.
  # NOTE(review): the guard tests the raw settings values while the certificate
  # passed to sign_document is the parsed +cert+ from get_sp_cert above; confirm the
  # two cannot disagree (an empty string is truthy in Ruby).
  if settings.security[:metadata_signed] && settings.private_key && settings.certificate
    meta_doc.sign_document(settings.get_sp_key, cert, settings.security[:signature_method], settings.security[:digest_method])
  end

  # Pretty print the XML so IdP administrators can easily see what the SP supports.
  # NOTE(review): indentation is applied after the signature was computed and adds
  # whitespace text nodes to the signed subtree; whether the signature survives
  # depends on the canonicalization sign_document uses — confirm, and prefer
  # pretty_print=false for signed metadata until it is.
  return meta_doc.to_s unless pretty_print

  ret = ""
  meta_doc.write(ret, 1)
  ret
end