Class: SAML2::AuthnRequest

Inherits:

Request

• Object
• Base
• Message
• Request
• SAML2::AuthnRequest

Defined in:

lib/saml2/authn_request.rb

Instance Attribute Summary

• #assertion_consumer_service ⇒ AssertionConsumerService^? readonly

  Must call #resolve before accessing.

• #assertion_consumer_service_index ⇒ Integer^?
• #assertion_consumer_service_url ⇒ String^?
• #attribute_consuming_service ⇒ AttributeConsumingService^? readonly

  Must call #resolve before accessing.

• #attribute_consuming_service_index ⇒ Integer^?
• #force_authn ⇒ Boolean^? writeonly
• #name_id_policy ⇒ NameID::Policy^?
• #passive ⇒ Boolean^? writeonly
• #protocol_binding ⇒ String^?
• #requested_authn_context ⇒ Object

Attributes inherited from Message

#destination, #errors, #issuer

Attributes inherited from Base

#xml

Class Method Summary

• .initiate(issuer, identity_provider = nil, assertion_consumer_service: nil, service_provider: nil) ⇒ AuthnRequest

  Initiate a SAML SSO flow, from a service provider to an identity provider.

Instance Method Summary

• #build(builder) ⇒ void

  Serialize this object to XML, as part of a larger document.

• #force_authn? ⇒ true, ...
• #passive? ⇒ true, ...
• #resolve(service_provider) ⇒ Boolean

  Populate #assertion_consumer_service and #attribute_consuming_service attributes.

• #subject ⇒ Subject^?
• #valid_interoperable_profile? ⇒ Boolean
• #valid_web_browser_sso_profile? ⇒ Boolean

Methods inherited from Message

from_xml, #from_xml, #id, #initialize, #issue_instant, parse, #sign, #valid_schema?, #validate

Methods included from Signable

#sign, #signature, #signed?, #signing_key, #valid_signature?, #validate_signature

Methods inherited from Base

#decrypt, from_xml, #from_xml, #initialize, #inspect, load_object_array, load_string_array, lookup_qname, #to_s, #to_xml

Constructor Details

This class inherits a constructor from SAML2::Message

Instance Attribute Details

#assertion_consumer_service ⇒ AssertionConsumerService^? (readonly)

Must call #resolve before accessing.

Returns:

• (AssertionConsumerService, nil)

# File 'lib/saml2/authn_request.rb', line 110

def assertion_consumer_service
  @assertion_consumer_service
end

#assertion_consumer_service_index ⇒ Integer^?

Returns:

• (Integer, nil)

# File 'lib/saml2/authn_request.rb', line 116

def assertion_consumer_service_index
  if xml && !instance_variable_defined?(:@assertion_consumer_service_index)
    @assertion_consumer_service_index = xml["AssertionConsumerServiceIndex"]&.to_i
  end
  @assertion_consumer_service_index
end

#assertion_consumer_service_url ⇒ String^?

Returns:

• (String, nil)

# File 'lib/saml2/authn_request.rb', line 124

def assertion_consumer_service_url
  if xml && !instance_variable_defined?(:@assertion_consumer_service_url)
    @assertion_consumer_service_url = xml["AssertionConsumerServiceURL"]
  end
  @assertion_consumer_service_url
end

#attribute_consuming_service ⇒ AttributeConsumingService^? (readonly)

Must call #resolve before accessing.

Returns:

• (AttributeConsumingService, nil)

# File 'lib/saml2/authn_request.rb', line 113

def attribute_consuming_service
  @attribute_consuming_service
end

#attribute_consuming_service_index ⇒ Integer^?

Returns:

• (Integer, nil)

# File 'lib/saml2/authn_request.rb', line 132

def attribute_consuming_service_index
  if xml && !instance_variable_defined?(:@attribute_consuming_service_index)
    @attribute_consuming_service_index = xml["AttributeConsumingServiceIndex"]&.to_i
  end
  @attribute_consuming_service_index
end

#force_authn=(value) ⇒ Boolean^? (writeonly)

Returns:

• (Boolean, nil)

# File 'lib/saml2/authn_request.rb', line 24

def force_authn=(value)
  @force_authn = value
end

#name_id_policy ⇒ NameID::Policy^?

Returns:

• (NameID::Policy, nil)

# File 'lib/saml2/authn_request.rb', line 101

def name_id_policy
  if xml && !instance_variable_defined?(:@name_id_policy)
    @name_id_policy = NameID::Policy.from_xml(xml.at_xpath("samlp:NameIDPolicy", Namespaces::ALL))
  end
  @name_id_policy
end

#passive=(value) ⇒ Boolean^? (writeonly)

Returns:

• (Boolean, nil)

# File 'lib/saml2/authn_request.rb', line 24

def passive=(value)
  @passive = value
end

#protocol_binding ⇒ String^?

Returns:

• (String, nil)

# File 'lib/saml2/authn_request.rb', line 152

def protocol_binding
  @protocol_binding = xml["ProtocolBinding"] if xml && !instance_variable_defined?(:@protocol_binding)
  @protocol_binding
end

#requested_authn_context ⇒ Object

# File 'lib/saml2/authn_request.rb', line 165

def requested_authn_context
  if xml && !instance_variable_defined?(:@requested_authn_context)
    @requested_authn_context = RequestedAuthnContext.from_xml(xml.at_xpath("samlp:RequestedAuthnContext",
                                                                           Namespaces::ALL))
  end
  @requested_authn_context
end

Class Method Details

.initiate(issuer, identity_provider = nil, assertion_consumer_service: nil, service_provider: nil) ⇒ AuthnRequest

TODO:

go over these params, and use kwargs. Maybe pass Entity instead of ServiceProvider.

Initiate a SAML SSO flow, from a service provider to an identity provider.

Parameters:

• issuer (NameID)
• identity_provider (IdentityProvider) (defaults to: nil)
• assertion_consumer_service (Endpoint::Indexed) (defaults to: nil)
• service_provider (ServiceProvider) (defaults to: nil)

Returns:

• (AuthnRequest)

# File 'lib/saml2/authn_request.rb', line 37

def self.initiate(issuer, identity_provider = nil,
                  assertion_consumer_service: nil,
                  service_provider: nil)
  authn_request = new
  authn_request.issuer = issuer
  authn_request.destination = identity_provider.single_sign_on_services.first.location if identity_provider
  authn_request.name_id_policy = NameID::Policy.new(true, NameID::Format::UNSPECIFIED)
  assertion_consumer_service ||= service_provider.assertion_consumer_services.default if service_provider
  if assertion_consumer_service
    authn_request.protocol_binding = assertion_consumer_service.binding
    authn_request.assertion_consumer_service_url = assertion_consumer_service.location
  end
  authn_request
end

Instance Method Details

#build(builder) ⇒ void

This method returns an undefined value.

Serialize this object to XML, as part of a larger document

Parameters:

• builder (Nokogiri::XML::Builder) —

  The builder helper object to serialize to.

# File 'lib/saml2/authn_request.rb', line 174

def build(builder)
  builder["samlp"].AuthnRequest(
    "xmlns:samlp" => Namespaces::SAMLP,
    "xmlns:saml" => Namespaces::SAML
  ) do |authn_request|
    super(authn_request)

    if assertion_consumer_service_index
      authn_request.parent["AssertionConsumerServiceIndex"] =
        assertion_consumer_service_index
    end
    if assertion_consumer_service_url
      authn_request.parent["AssertionConsumerServiceURL"] =
        assertion_consumer_service_url
    end
    if attribute_consuming_service_index
      authn_request.parent["AttributeConsumingServiceIndex"] =
        attribute_consuming_service_index
    end
    authn_request.parent["ForceAuthn"] = force_authn? unless force_authn?.nil?
    authn_request.parent["IsPassive"] = passive? unless passive?.nil?
    authn_request.parent["ProtocolBinding"] = protocol_binding if protocol_binding

    subject&.build(authn_request)
    name_id_policy&.build(authn_request)
    requested_authn_context&.build(authn_request)
  end
end

#force_authn? ⇒ true, ...

Returns:

• (true, false, nil)

# File 'lib/saml2/authn_request.rb', line 140

def force_authn?
  @force_authn = xml["ForceAuthn"]&.== "true" if xml && !instance_variable_defined?(:@force_authn)
  @force_authn
end

#passive? ⇒ true, ...

Returns:

• (true, false, nil)

# File 'lib/saml2/authn_request.rb', line 146

def passive?
  @passive = xml["IsPassive"]&.== "true" if xml && !instance_variable_defined?(:@passive)
  @passive
end

#resolve(service_provider) ⇒ Boolean

Populate #assertion_consumer_service and #attribute_consuming_service attributes.

Given ServiceProvider metadata, resolve the index/urls in this object to actual objects.

Parameters:

• service_provider (ServiceProvider)

Returns:

• (Boolean)

# File 'lib/saml2/authn_request.rb', line 80

def resolve(service_provider)
  # TODO: check signature if present

  @assertion_consumer_service =
    if assertion_consumer_service_url
      service_provider.assertion_consumer_services.find do |acs|
        acs.location == assertion_consumer_service_url
      end
    else
      service_provider.assertion_consumer_services.resolve(assertion_consumer_service_index)
    end
  @attribute_consuming_service =
    service_provider.attribute_consuming_services.resolve(attribute_consuming_service_index)

  return false unless @assertion_consumer_service
  return false if attribute_consuming_service_index && !@attribute_consuming_service

  true
end

#subject ⇒ Subject^?

Returns:

• (Subject, nil)

# File 'lib/saml2/authn_request.rb', line 158

def subject
  if xml && !instance_variable_defined?(:@subject)
    @subject = Subject.from_xml(xml.at_xpath("saml:Subject", Namespaces::ALL))
  end
  @subject
end

#valid_interoperable_profile? ⇒ Boolean

Returns:

• (Boolean)

See Also:

• https://saml2int.org/profile/current/#section82

# File 'lib/saml2/authn_request.rb', line 61

def valid_interoperable_profile?
  # It's a subset of Web Browser SSO profile
  return false unless valid_web_browser_sso_profile?

  return false unless assertion_consumer_service_url
  return false if protocol_binding && protocol_binding != Bindings::HTTP_POST::URN
  return false if subject

  true
end

#valid_web_browser_sso_profile? ⇒ Boolean

Returns:

• (Boolean)

See Also:

• section 4.1

# File 'lib/saml2/authn_request.rb', line 53

def valid_web_browser_sso_profile?
  return false unless issuer
  return false if issuer.format && issuer.format != NameID::Format::ENTITY

  true
end