Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[NEEDS DISCUSSION] v2.0: Param renames #702

Open
wants to merge 1 commit into
base: v2.x
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 19 additions & 19 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -191,7 +191,7 @@ If you don't know what expect, always use the former (set the settings on initia
def saml_settings
settings = RubySaml::Settings.new
settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
settings.sp_assertion_consumer_service_url = "http://#{request.host}/saml/consume"
settings.sp_entity_id = "http://#{request.host}/saml/metadata"
settings.idp_entity_id = "https://app.onelogin.com/saml/metadata/#{OneLoginAppId}"
settings.idp_sso_service_url = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
Expand All @@ -211,8 +211,8 @@ def saml_settings
]
# Optional bindings (defaults to Redirect for logout POST for ACS)
settings.single_logout_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" # or :post, :redirect
settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" # or :post, :redirect
settings.sp_slo_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" # or :post, :redirect
settings.sp_assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" # or :post, :redirect
settings
end
Expand Down Expand Up @@ -263,11 +263,11 @@ class SamlController < ApplicationController
def saml_settings
settings = RubySaml::Settings.new
settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
settings.sp_entity_id = "http://#{request.host}/saml/metadata"
settings.idp_sso_service_url = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
settings.idp_cert_fingerprint = OneLoginAppCertFingerPrint
settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
settings.sp_assertion_consumer_service_url = "http://#{request.host}/saml/consume"
settings.sp_entity_id = "http://#{request.host}/saml/metadata"
settings.idp_sso_service_url = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
settings.idp_cert_fingerprint = OneLoginAppCertFingerPrint
settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Optional for most SAML IdPs
settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
Expand Down Expand Up @@ -338,9 +338,9 @@ def saml_settings
# Returns RubySaml::Settings pre-populated with IdP metadata
settings = idp_metadata_parser.parse_remote("https://example.com/auth/saml2/idp/metadata")
settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
settings.sp_entity_id = "http://#{request.host}/saml/metadata"
settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
settings.sp_assertion_consumer_service_url = "http://#{request.host}/saml/consume"
settings.sp_entity_id = "http://#{request.host}/saml/metadata"
settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Optional for most SAML IdPs
settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
Expand Down Expand Up @@ -622,8 +622,8 @@ Ruby SAML supports the following functionality:
In order to use functions 1-3 above, you must first define your SP public certificate and private key:
```ruby
settings.certificate = "CERTIFICATE TEXT WITH BEGIN/END HEADER AND FOOTER"
settings.private_key = "PRIVATE KEY TEXT WITH BEGIN/END HEADER AND FOOTER"
settings.sp_cert = "CERTIFICATE TEXT WITH BEGIN/END HEADER AND FOOTER"
settings.sp_private_key = "PRIVATE KEY TEXT WITH BEGIN/END HEADER AND FOOTER"
```
Note that the same certificate (and its associated private key) are used to perform
Expand All @@ -642,8 +642,8 @@ You may also globally set the SP signature and digest method, to be used in SP s
You may add a `<ds:Signature>` digital signature element to your SP Metadata XML using the following setting:
```ruby
settings.certificate = "CERTIFICATE TEXT WITH BEGIN/END HEADER AND FOOTER"
settings.private_key = "PRIVATE KEY TEXT WITH BEGIN/END HEADER AND FOOTER"
settings.sp_cert = "CERTIFICATE TEXT WITH BEGIN/END HEADER AND FOOTER"
settings.sp_private_key = "PRIVATE KEY TEXT WITH BEGIN/END HEADER AND FOOTER"
settings.security[:metadata_signed] = true # Enable signature on Metadata
```
Expand All @@ -658,8 +658,8 @@ To enable, please first set your certificate and private key. This will add `<md
to your SP Metadata XML, to be read by the IdP.
```ruby
settings.certificate = "CERTIFICATE TEXT WITH BEGIN/END HEADER AND FOOTER"
settings.private_key = "PRIVATE KEY TEXT WITH BEGIN/END HEADER AND FOOTER"
settings.sp_cert = "CERTIFICATE TEXT WITH BEGIN/END HEADER AND FOOTER"
settings.sp_private_key = "PRIVATE KEY TEXT WITH BEGIN/END HEADER AND FOOTER"
```
Next, you may specify the specific SP SAML messages you would like to sign:
Expand All @@ -684,8 +684,8 @@ You may enable EncryptedAssertion as follows. This will add `<md:KeyDescriptor u
SP Metadata XML, to be read by the IdP.
```ruby
settings.certificate = "CERTIFICATE TEXT WITH BEGIN/END HEADER AND FOOTER"
settings.private_key = "PRIVATE KEY TEXT WITH BEGIN/END HEADER AND FOOTER"
settings.sp_cert = "CERTIFICATE TEXT WITH BEGIN/END HEADER AND FOOTER"
settings.sp_private_key = "PRIVATE KEY TEXT WITH BEGIN/END HEADER AND FOOTER"
settings.security[:want_assertions_encrypted] = true # Invalidate SAML messages without an EncryptedAssertion
```
Expand Down
56 changes: 43 additions & 13 deletions UPGRADING.md
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ settings.security[:digest_method] = RubySaml::XML::Document::SHA1
settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
```

### Removal of embed_sign Setting
### Removal of security[:embed_sign] setting

The deprecated `settings.security[:embed_sign]` parameter has been removed. If you were using it, please instead switch
to using both the `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding` parameters as show below.
Expand All @@ -68,10 +68,10 @@ settings.idp_slo_service_binding = :redirect

For clarity, the default value of both parameters is `:redirect` if they are not set.

### Deprecation of Compression Settings
### Deprecation of compression settings

The `settings.compress_request` and `settings.compress_response` parameters have been deprecated
and are no longer functional. They will be removed in RubySaml 2.1.0. Please remove `compress_request`
and are no longer functional. **They will be removed in RubySaml 2.1.0.** Please remove `compress_request`
and `compress_response` everywhere within your project code.

The SAML SP request/response message compression behavior is now controlled automatically by the
Expand All @@ -80,17 +80,47 @@ The SAML SP request/response message compression behavior is now controlled auto
"compression" is used to make redirect URLs which contain SAML messages be shorter. For POST messages,
compression may be achieved by enabling `Content-Encoding: gzip` on your webserver.

## Settings deprecations
### Deprecation of certificate_new setting

The following parameters in `RubySaml::Settings` are deprecated and will be removed in RubySaml 2.1.0:
The `settings.certificate_new` parameter has been deprecated in favor of `settings.sp_cert_multi`,
and **will be removed in RubySaml 2.1.0.** If you are using `certificate_new` you
will need to replace **all** of the `certificate`, `certificate_new`, and `private_key` params
with `sp_cert_multi` as shown below:

- `#issuer` is deprecated and replaced 1:1 by `#sp_entity_id`
- `#idp_sso_target_url` is deprecated and replaced 1:1 by `#idp_sso_service_url`
- `#idp_slo_target_url` is deprecated and replaced 1:1 by `#idp_slo_service_url`
- `#assertion_consumer_logout_service_url` is deprecated and replaced 1:1 by `#single_logout_service_url`
- `#assertion_consumer_logout_service_binding` is deprecated and replaced 1:1 by `#single_logout_service_binding`
- `#certificate_new` is deprecated and replaced by `#sp_cert_multi`. Refer to documentation as `#sp_cert_multi`
has a different value type than `#certificate_new`.
```ruby
settings.sp_cert_multi = {
signing: [
{ certificate: (certificate), private_key: (private_key) },
{ certificate: (certificate_new), private_key: (private_key) }
],
encryption: [
{ certificate: (certificate), private_key: (private_key) },
{ certificate: (certificate_new), private_key: (private_key) }
],
}
```

## Settings parameter deprecations

The following parameters in `RubySaml::Settings` are deprecated and replaced 1-for-1 with new parameters.
The new names clarify which parameters belong to the SP and which to the IdP.
Until RubySaml 3.0.0, using the old method will raise a deprecation warning but otherwise function as an alias
to the new parameter. Beginning in **RubySaml 3.0.0**, using the old method will raise a `NotImplemented` error.
Aside from the name change, there are no changes to the usage or functionality of these parameters.

| Old Parameter | New Parameter |
|---------------------------------------------|-----------------------------------------|
| `issuer` | `sp_entity_id` |
| `certificate` | `sp_cert` |
| `private_key` | `sp_private_key` |
| `assertion_consumer_service_url` | `sp_assertion_consumer_service_url` |
| `assertion_consumer_service_binding` | `sp_assertion_consumer_service_binding` |
| `assertion_consumer_logout_service_url` | `sp_slo_service_url` |
| `single_logout_service_url` | `sp_slo_service_url` |
| `assertion_consumer_logout_service_binding` | `sp_slo_service_binding` |
| `single_logout_service_binding` | `sp_slo_service_binding` |
| `idp_sso_target_url` | `idp_sso_service_url` |
| `idp_slo_target_url` | `idp_slo_service_url` |

## Updating from 1.12.x to 1.13.0

Expand Down Expand Up @@ -189,7 +219,7 @@ other SAML implementations.
## Upgrading from 1.4.2 to 1.4.3

Version `1.4.3` introduces Recipient validation of SubjectConfirmation elements.
The 'Recipient' value is compared with the settings.assertion_consumer_service_url
The 'Recipient' value is compared with the settings.sp_assertion_consumer_service_url
value.

If you want to skip that validation, add the :skip_recipient_check option to the
Expand Down
4 changes: 2 additions & 2 deletions lib/ruby_saml/authrequest.rb
Original file line number Diff line number Diff line change
Expand Up @@ -123,8 +123,8 @@ def create_xml_document(settings)
root.attributes['ForceAuthn'] = settings.force_authn unless settings.force_authn.nil?

# Conditionally defined elements based on settings
unless settings.assertion_consumer_service_url.nil?
root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
unless settings.sp_assertion_consumer_service_url.nil?
root.attributes["AssertionConsumerServiceURL"] = settings.sp_assertion_consumer_service_url
end

unless settings.sp_entity_id.nil?
Expand Down
2 changes: 1 addition & 1 deletion lib/ruby_saml/logging.rb
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ def logger
end

def deprecate(message)
warn("[DEPRECATION] RubySaml: #{message}")
warn("[RubySaml] DEPRECATION: #{message}")
end

def enabled?
Expand Down
14 changes: 7 additions & 7 deletions lib/ruby_saml/metadata.rb
Original file line number Diff line number Diff line change
Expand Up @@ -77,11 +77,11 @@ def add_sp_certificates(sp_sso, settings)
end

def add_sp_service_elements(sp_sso, settings)
if settings.single_logout_service_url
if settings.sp_slo_service_url
sp_sso.add_element "md:SingleLogoutService", {
"Binding" => settings.single_logout_service_binding,
"Location" => settings.single_logout_service_url,
"ResponseLocation" => settings.single_logout_service_url
"Binding" => settings.sp_slo_service_binding,
"Location" => settings.sp_slo_service_url,
"ResponseLocation" => settings.sp_slo_service_url
}
end

Expand All @@ -90,10 +90,10 @@ def add_sp_service_elements(sp_sso, settings)
nameid.text = settings.name_identifier_format
end

if settings.assertion_consumer_service_url
if settings.sp_assertion_consumer_service_url
sp_sso.add_element "md:AssertionConsumerService", {
"Binding" => settings.assertion_consumer_service_binding,
"Location" => settings.assertion_consumer_service_url,
"Binding" => settings.sp_assertion_consumer_service_binding,
"Location" => settings.sp_assertion_consumer_service_url,
"isDefault" => true,
"index" => 0
}
Expand Down
8 changes: 4 additions & 4 deletions lib/ruby_saml/response.rb
Original file line number Diff line number Diff line change
Expand Up @@ -636,10 +636,10 @@ def validate_destination
return append_error(error_msg)
end

return true if settings.assertion_consumer_service_url.nil? || settings.assertion_consumer_service_url.empty?
return true if settings.sp_assertion_consumer_service_url.nil? || settings.sp_assertion_consumer_service_url.empty?

unless RubySaml::Utils.uri_match?(destination, settings.assertion_consumer_service_url)
error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
unless RubySaml::Utils.uri_match?(destination, settings.sp_assertion_consumer_service_url)
error_msg = "The response was received at #{destination} instead of #{settings.sp_assertion_consumer_service_url}"
return append_error(error_msg)
end

Expand Down Expand Up @@ -778,7 +778,7 @@ def validate_subject_confirmation
next if (attrs.include? "InResponseTo" and attrs['InResponseTo'] != in_response_to) ||
(attrs.include? "NotBefore" and now < (parse_time(confirmation_data_node, "NotBefore") - allowed_clock_drift)) ||
(attrs.include? "NotOnOrAfter" and now >= (parse_time(confirmation_data_node, "NotOnOrAfter") + allowed_clock_drift)) ||
(attrs.include? "Recipient" and !options[:skip_recipient_check] and settings and attrs['Recipient'] != settings.assertion_consumer_service_url)
(attrs.include? "Recipient" and !options[:skip_recipient_check] and settings and attrs['Recipient'] != settings.sp_assertion_consumer_service_url)

valid_subject_confirmation = true
break
Expand Down
Loading
Loading