diff --git a/UPGRADING.md b/UPGRADING.md
index 0623bcbc..8d3a9d02 100644
--- a/UPGRADING.md
+++ b/UPGRADING.md
@@ -10,6 +10,13 @@ RubySaml version `2.0.0` changes the root namespace from `OneLogin::RubySaml::`
to search your codebase for the string `OneLogin::` and remove it as appropriate. Aside from this namespace change,
the class names themselves have intentionally been kept the same.
+The `settings.compress_request` and `settings.compress_response` attributes have been removed.
+Please remove them everywhere within your project code. These behaviors are now set automatically
+according to the `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding` parameters
+respectively: `HTTP-Redirect` will always use compression, while `HTTP-POST` will not. For clarity,
+here "compression" is used to make redirect URLs which contain SAML messages be shorter. For POST
+messages, compression may be achieved by enabling `Content-Encoding: gzip` on your webserver.
+
## Updating from 1.12.x to 1.13.0
Version `1.13.0` adds `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding`, and
diff --git a/lib/ruby_saml/authrequest.rb b/lib/ruby_saml/authrequest.rb
index 539b8add..fbafb48b 100644
--- a/lib/ruby_saml/authrequest.rb
+++ b/lib/ruby_saml/authrequest.rb
@@ -56,6 +56,7 @@ def create_params(settings, params={})
# The method expects :RelayState but sometimes we get 'RelayState' instead.
# Based on the HashWithIndifferentAccess value in Rails we could experience
# conflicts so this line will solve them.
+ binding_redirect = settings.idp_sso_service_binding == Utils::BINDINGS[:redirect]
relay_state = params[:RelayState] || params['RelayState']
if relay_state.nil?
@@ -71,12 +72,12 @@ def create_params(settings, params={})
Logging.debug "Created AuthnRequest: #{request}"
- request = deflate(request) if settings.compress_request
+ request = deflate(request) if binding_redirect
base64_request = encode(request)
request_params = {"SAMLRequest" => base64_request}
sp_signing_key = settings.get_sp_signing_key
- if settings.idp_sso_service_binding == Utils::BINDINGS[:redirect] && settings.security[:authn_requests_signed] && sp_signing_key
+ if binding_redirect && settings.security[:authn_requests_signed] && sp_signing_key
params['SigAlg'] = settings.security[:signature_method]
url_string = RubySaml::Utils.build_query(
type: 'SAMLRequest',
diff --git a/lib/ruby_saml/logoutrequest.rb b/lib/ruby_saml/logoutrequest.rb
index d808c054..c53c7341 100644
--- a/lib/ruby_saml/logoutrequest.rb
+++ b/lib/ruby_saml/logoutrequest.rb
@@ -53,6 +53,7 @@ def create_params(settings, params={})
# The method expects :RelayState but sometimes we get 'RelayState' instead.
# Based on the HashWithIndifferentAccess value in Rails we could experience
# conflicts so this line will solve them.
+ binding_redirect = settings.idp_slo_service_binding == Utils::BINDINGS[:redirect]
relay_state = params[:RelayState] || params['RelayState']
if relay_state.nil?
@@ -68,12 +69,12 @@ def create_params(settings, params={})
Logging.debug "Created SLO Logout Request: #{request}"
- request = deflate(request) if settings.compress_request
+ request = deflate(request) if binding_redirect
base64_request = encode(request)
request_params = {"SAMLRequest" => base64_request}
sp_signing_key = settings.get_sp_signing_key
- if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_requests_signed] && sp_signing_key
+ if binding_redirect && settings.security[:logout_requests_signed] && sp_signing_key
params['SigAlg'] = settings.security[:signature_method]
url_string = RubySaml::Utils.build_query(
type: 'SAMLRequest',
diff --git a/lib/ruby_saml/saml_message.rb b/lib/ruby_saml/saml_message.rb
index dd8b2571..e8ecb476 100644
--- a/lib/ruby_saml/saml_message.rb
+++ b/lib/ruby_saml/saml_message.rb
@@ -104,11 +104,11 @@ def decode_raw_saml(saml, settings = nil)
# Deflate, base64 encode and url-encode a SAML Message (To be used in the HTTP-redirect binding)
# @param saml [String] The plain SAML Message
- # @param settings [RubySaml::Settings|nil] Toolkit settings
+ # @param compress [true|false] Whether or not the SAML should be deflated.
# @return [String] The deflated and encoded SAML Message (encoded if the compression is requested)
#
- def encode_raw_saml(saml, settings)
- saml = deflate(saml) if settings.compress_request
+ def encode_raw_saml(saml, compress = false)
+ saml = deflate(saml) if compress
CGI.escape(encode(saml))
end
diff --git a/lib/ruby_saml/settings.rb b/lib/ruby_saml/settings.rb
index 9eb6debd..37103951 100644
--- a/lib/ruby_saml/settings.rb
+++ b/lib/ruby_saml/settings.rb
@@ -52,8 +52,6 @@ def initialize(overrides = {}, keep_security_attributes = false)
attr_accessor :name_identifier_value
attr_accessor :name_identifier_value_requested
attr_accessor :sessionindex
- attr_accessor :compress_request
- attr_accessor :compress_response
attr_accessor :double_quote_xml_attribute_values
attr_accessor :message_max_bytesize
attr_accessor :passive
@@ -278,8 +276,6 @@ def get_binding(value)
assertion_consumer_service_binding: Utils::BINDINGS[:post],
single_logout_service_binding: Utils::BINDINGS[:redirect],
idp_cert_fingerprint_algorithm: XMLSecurity::Document::SHA1,
- compress_request: true,
- compress_response: true,
message_max_bytesize: 250_000,
soft: true,
double_quote_xml_attribute_values: false,
diff --git a/lib/ruby_saml/slo_logoutresponse.rb b/lib/ruby_saml/slo_logoutresponse.rb
index d2337816..3664a4a3 100644
--- a/lib/ruby_saml/slo_logoutresponse.rb
+++ b/lib/ruby_saml/slo_logoutresponse.rb
@@ -62,6 +62,7 @@ def create_params(settings, request_id = nil, logout_message = nil, params = {},
# The method expects :RelayState but sometimes we get 'RelayState' instead.
# Based on the HashWithIndifferentAccess value in Rails we could experience
# conflicts so this line will solve them.
+ binding_redirect = settings.idp_slo_service_binding == Utils::BINDINGS[:redirect]
relay_state = params[:RelayState] || params['RelayState']
if relay_state.nil?
@@ -77,12 +78,12 @@ def create_params(settings, request_id = nil, logout_message = nil, params = {},
Logging.debug "Created SLO Logout Response: #{response}"
- response = deflate(response) if settings.compress_response
+ response = deflate(response) if binding_redirect
base64_response = encode(response)
response_params = {"SAMLResponse" => base64_response}
sp_signing_key = settings.get_sp_signing_key
- if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_responses_signed] && sp_signing_key
+ if binding_redirect && settings.security[:logout_responses_signed] && sp_signing_key
params['SigAlg'] = settings.security[:signature_method]
url_string = RubySaml::Utils.build_query(
type: 'SAMLResponse',
diff --git a/test/logoutrequest_test.rb b/test/logoutrequest_test.rb
index 30a5f5b9..22543add 100644
--- a/test/logoutrequest_test.rb
+++ b/test/logoutrequest_test.rb
@@ -152,21 +152,7 @@ class RequestTest < Minitest::Test
assert_match %r[], inflated
end
- it "create a signed logout request" do
- settings.compress_request = true
-
- unauth_req = RubySaml::Logoutrequest.new
- unauth_url = unauth_req.create(settings)
-
- inflated = decode_saml_request_payload(unauth_url)
- assert_match %r[([a-zA-Z0-9/+=]+)], inflated
- assert_match %r[], inflated
- assert_match %r[], inflated
- end
-
it "create an uncompressed signed logout request" do
- settings.compress_request = false
-
params = RubySaml::Logoutrequest.new.create_params(settings)
request_xml = Base64.decode64(params["SAMLRequest"])
@@ -176,7 +162,6 @@ class RequestTest < Minitest::Test
end
it "create a signed logout request with 256 digest and signature method" do
- settings.compress_request = false
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
settings.security[:digest_method] = XMLSecurity::Document::SHA256
@@ -188,7 +173,6 @@ class RequestTest < Minitest::Test
end
it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
- settings.compress_request = false
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
settings.security[:digest_method] = XMLSecurity::Document::SHA512
@@ -201,7 +185,6 @@ class RequestTest < Minitest::Test
end
it "create a signed logout request using the first certificate and key" do
- settings.compress_request = false
settings.certificate = nil
settings.private_key = nil
settings.sp_cert_multi = {
@@ -220,7 +203,6 @@ class RequestTest < Minitest::Test
end
it "create a signed logout request using the first valid certificate and key when :check_sp_cert_expiration is true" do
- settings.compress_request = false
settings.certificate = nil
settings.private_key = nil
settings.security[:check_sp_cert_expiration] = true
@@ -328,7 +310,6 @@ class RequestTest < Minitest::Test
it "create a signature parameter using the first certificate and key" do
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
- settings.compress_request = false
settings.certificate = nil
settings.private_key = nil
settings.sp_cert_multi = {
@@ -366,6 +347,7 @@ class RequestTest < Minitest::Test
before do
# sign the logout request
+ settings.idp_slo_service_binding = RubySaml::Utils::BINDINGS[:post]
settings.security[:logout_requests_signed] = true
settings.security[:embed_sign] = true
settings.certificate = ruby_saml_cert_text
@@ -373,15 +355,12 @@ class RequestTest < Minitest::Test
end
it "created a signed logout request" do
- settings.compress_request = true
-
unauth_req = RubySaml::Logoutrequest.new
- unauth_url = unauth_req.create(settings)
+ inflated = unauth_req.create_logout_request_xml_doc(settings).to_s
- inflated = decode_saml_request_payload(unauth_url)
assert_match %r[([a-zA-Z0-9/+=]+)], inflated
- assert_match %r[], inflated
- assert_match %r[], inflated
+ assert_match %r[], inflated
+ assert_match %r[], inflated
end
end
diff --git a/test/request_test.rb b/test/request_test.rb
index 00c190a6..0c404716 100644
--- a/test/request_test.rb
+++ b/test/request_test.rb
@@ -42,7 +42,7 @@ class RequestTest < Minitest::Test
end
it "create the SAMLRequest URL parameter without deflating" do
- settings.compress_request = false
+ settings.idp_sso_service_binding = RubySaml::Utils::BINDINGS[:post]
auth_url = RubySaml::Authrequest.new.create(settings)
assert_match(/^http:\/\/example\.com\?SAMLRequest=/, auth_url)
payload = CGI.unescape(auth_url.split("=").last)
@@ -242,7 +242,6 @@ class RequestTest < Minitest::Test
describe "#create_params signing with HTTP-POST binding" do
before do
- settings.compress_request = false
settings.idp_sso_service_url = "http://example.com?field=value"
settings.idp_sso_service_binding = :post
settings.security[:authn_requests_signed] = true
@@ -317,7 +316,6 @@ class RequestTest < Minitest::Test
let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
before do
- settings.compress_request = false
settings.idp_sso_service_url = "http://example.com?field=value"
settings.idp_sso_service_binding = :redirect
settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
@@ -362,7 +360,6 @@ class RequestTest < Minitest::Test
it "create a signature parameter using the first certificate and key" do
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
- settings.compress_request = false
settings.certificate = nil
settings.private_key = nil
settings.sp_cert_multi = {
@@ -432,7 +429,6 @@ class RequestTest < Minitest::Test
describe "DEPRECATED: #create_params signing with HTTP-POST binding via :embed_sign" do
before do
- settings.compress_request = false
settings.idp_sso_service_url = "http://example.com?field=value"
settings.security[:authn_requests_signed] = true
settings.security[:embed_sign] = true
@@ -452,7 +448,6 @@ class RequestTest < Minitest::Test
let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
before do
- settings.compress_request = false
settings.idp_sso_service_url = "http://example.com?field=value"
settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
settings.security[:authn_requests_signed] = true
diff --git a/test/saml_message_test.rb b/test/saml_message_test.rb
index 56dc8f6a..406ab120 100644
--- a/test/saml_message_test.rb
+++ b/test/saml_message_test.rb
@@ -15,13 +15,11 @@ class RubySamlTest < Minitest::Test
end
it "return encoded raw saml" do
- settings.compress_request = true
- encoded_raw = saml_message.send(:encode_raw_saml, logout_request_document, settings)
+ encoded_raw = saml_message.send(:encode_raw_saml, logout_request_document, true)
assert logout_request_deflated_base64, encoded_raw
- settings.compress_request = false
deflated = saml_message.send(:deflate, logout_request_deflated_base64)
- encoded_raw = saml_message.send(:encode_raw_saml, deflated, settings)
+ encoded_raw = saml_message.send(:encode_raw_saml, deflated, false)
assert logout_request_deflated_base64, encoded_raw
end
diff --git a/test/settings_test.rb b/test/settings_test.rb
index b31fb59a..bf391dcc 100644
--- a/test/settings_test.rb
+++ b/test/settings_test.rb
@@ -17,7 +17,7 @@ class SettingsTest < Minitest::Test
:idp_attribute_names, :issuer, :assertion_consumer_service_url, :single_logout_service_url,
:sp_name_qualifier, :name_identifier_format, :name_identifier_value, :name_identifier_value_requested,
:sessionindex, :attributes_index, :passive, :force_authn,
- :compress_request, :double_quote_xml_attribute_values, :message_max_bytesize,
+ :double_quote_xml_attribute_values, :message_max_bytesize,
:security, :certificate, :private_key, :certificate_new, :sp_cert_multi,
:authn_context, :authn_context_comparison, :authn_context_decl_ref,
:assertion_consumer_logout_service_url
diff --git a/test/slo_logoutresponse_test.rb b/test/slo_logoutresponse_test.rb
index 6680a262..a602af56 100644
--- a/test/slo_logoutresponse_test.rb
+++ b/test/slo_logoutresponse_test.rb
@@ -12,7 +12,6 @@ class SloLogoutresponseTest < Minitest::Test
settings.idp_entity_id = 'https://app.onelogin.com/saml/metadata/SOMEACCOUNT'
settings.idp_slo_service_url = "http://unauth.com/logout"
settings.name_identifier_value = "f00f00"
- settings.compress_request = true
settings.certificate = ruby_saml_cert_text
settings.private_key = ruby_saml_key_text
logout_request.settings = settings
@@ -102,7 +101,6 @@ class SloLogoutresponseTest < Minitest::Test
before do
settings.idp_sso_service_binding = :redirect
settings.idp_slo_service_binding = :post
- settings.compress_response = false
settings.security[:logout_responses_signed] = true
end
@@ -232,7 +230,6 @@ class SloLogoutresponseTest < Minitest::Test
before do
settings.idp_sso_service_binding = :post
settings.idp_slo_service_binding = :redirect
- settings.compress_response = false
settings.security[:logout_responses_signed] = true
end
@@ -313,7 +310,6 @@ class SloLogoutresponseTest < Minitest::Test
it "create a signature parameter using the first certificate and key" do
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
- settings.compress_request = false
settings.certificate = nil
settings.private_key = nil
settings.sp_cert_multi = {
@@ -349,7 +345,6 @@ class SloLogoutresponseTest < Minitest::Test
describe "DEPRECATED: signing with HTTP-POST binding via :embed_sign" do
before do
- settings.compress_response = false
settings.security[:logout_responses_signed] = true
settings.security[:embed_sign] = true
end
@@ -384,7 +379,6 @@ class SloLogoutresponseTest < Minitest::Test
let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
before do
- settings.compress_response = false
settings.security[:logout_responses_signed] = true
settings.security[:embed_sign] = false
end