Class: OneLogin::RubySaml::Response
- Inherits:
-
SamlMessage
- Object
- SamlMessage
- OneLogin::RubySaml::Response
- Includes:
- ErrorHandling
- Defined in:
- lib/onelogin/ruby-saml/response.rb
Overview
SAML2 Authentication Response. SAML Response
Constant Summary collapse
- ASSERTION =
"urn:oasis:names:tc:SAML:2.0:assertion"
- PROTOCOL =
"urn:oasis:names:tc:SAML:2.0:protocol"
- DSIG =
"http://www.w3.org/2000/09/xmldsig#"
- XENC =
"http://www.w3.org/2001/04/xmlenc#"
Constants inherited from SamlMessage
Instance Attribute Summary collapse
-
#decrypted_document ⇒ Object
readonly
Returns the value of attribute decrypted_document.
-
#document ⇒ Object
readonly
Returns the value of attribute document.
-
#options ⇒ Object
readonly
Returns the value of attribute options.
-
#response ⇒ Object
readonly
Returns the value of attribute response.
-
#settings ⇒ Object
OneLogin::RubySaml::Settings Toolkit settings.
-
#soft ⇒ Object
Returns the value of attribute soft.
Attributes included from ErrorHandling
Instance Method Summary collapse
-
#allowed_clock_drift ⇒ Integer
returns the allowed clock drift on timing validation.
-
#attributes ⇒ Attributes
Gets the Attributes from the AttributeStatement element.
-
#audiences ⇒ Array
The Audience elements from the Contitions of the SAML Response.
-
#conditions ⇒ REXML::Element
Gets the Condition Element of the SAML Response if exists.
-
#destination ⇒ String|nil
Destination attribute from the SAML Response.
-
#in_response_to ⇒ String|nil
The InResponseTo attribute from the SAML Response.
-
#initialize(response, options = {}) ⇒ Response
constructor
Constructs the SAML Response.
-
#is_valid?(collect_errors = false) ⇒ Boolean
Validates the SAML Response with the default values (soft = true).
-
#issuers ⇒ Array
Gets the Issuers (from Response and Assertion).
-
#name_id ⇒ String
(also: #nameid)
The NameID provided by the SAML response from the IdP.
-
#name_id_format ⇒ String
(also: #nameid_format)
The NameID Format provided by the SAML response from the IdP.
-
#not_before ⇒ Time
Gets the NotBefore Condition Element value.
-
#not_on_or_after ⇒ Time
Gets the NotOnOrAfter Condition Element value.
-
#session_expires_at ⇒ String
Gets the SessionNotOnOrAfter from the AuthnStatement.
-
#sessionindex ⇒ String
Gets the SessionIndex from the AuthnStatement.
-
#status_code ⇒ String
StatusCode value from a SAML Response.
-
#status_message ⇒ String
The StatusMessage value from a SAML Response.
-
#success? ⇒ Boolean
Checks if the Status has the “Success” code.
Methods included from ErrorHandling
Methods inherited from SamlMessage
#id, schema, #valid_saml?, #version
Constructor Details
#initialize(response, options = {}) ⇒ Response
Constructs the SAML Response. A Response Object that is an extension of the SamlMessage class.
40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
# File 'lib/onelogin/ruby-saml/response.rb', line 40 def initialize(response, = {}) raise ArgumentError.new("Response cannot be nil") if response.nil? @errors = [] @options = @soft = true unless [:settings].nil? @settings = [:settings] unless @settings.soft.nil? @soft = @settings.soft end end @response = decode_raw_saml(response) @document = XMLSecurity::SignedDocument.new(@response, @errors) if assertion_encrypted? @decrypted_document = generate_decrypted_document end end |
Instance Attribute Details
#decrypted_document ⇒ Object (readonly)
Returns the value of attribute decrypted_document.
27 28 29 |
# File 'lib/onelogin/ruby-saml/response.rb', line 27 def decrypted_document @decrypted_document end |
#document ⇒ Object (readonly)
Returns the value of attribute document.
26 27 28 |
# File 'lib/onelogin/ruby-saml/response.rb', line 26 def document @document end |
#options ⇒ Object (readonly)
Returns the value of attribute options.
29 30 31 |
# File 'lib/onelogin/ruby-saml/response.rb', line 29 def @options end |
#response ⇒ Object (readonly)
Returns the value of attribute response.
28 29 30 |
# File 'lib/onelogin/ruby-saml/response.rb', line 28 def response @response end |
#settings ⇒ Object
OneLogin::RubySaml::Settings Toolkit settings
24 25 26 |
# File 'lib/onelogin/ruby-saml/response.rb', line 24 def settings @settings end |
#soft ⇒ Object
Returns the value of attribute soft.
31 32 33 |
# File 'lib/onelogin/ruby-saml/response.rb', line 31 def soft @soft end |
Instance Method Details
#allowed_clock_drift ⇒ Integer
returns the allowed clock drift on timing validation
280 281 282 |
# File 'lib/onelogin/ruby-saml/response.rb', line 280 def allowed_clock_drift return [:allowed_clock_drift] || 0 end |
#attributes ⇒ Attributes
Gets the Attributes from the AttributeStatement element.
All attributes can be iterated over attributes.each
or returned as array by attributes.all
For backwards compatibility ruby-saml returns by default only the first value for a given attribute with
attributes['name']
To get all of the attributes, use:
attributes.multi('name')
Or turn off the compatibility:
OneLogin::RubySaml::Attributes.single_value_compatibility = false
Now this will return an array:
attributes['name']
119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 |
# File 'lib/onelogin/ruby-saml/response.rb', line 119 def attributes @attr_statements ||= begin attributes = Attributes.new stmt_element = xpath_first_from_signed_assertion('/a:AttributeStatement') return attributes if stmt_element.nil? stmt_element.elements.each do |attr_element| name = attr_element.attributes["Name"] values = attr_element.elements.collect{|e| if (e.elements.nil? || e.elements.size == 0) # SAMLCore requires that nil AttributeValues MUST contain xsi:nil XML attribute set to "true" or "1" # otherwise the value is to be regarded as empty. ["true", "1"].include?(e.attributes['xsi:nil']) ? nil : e.text.to_s # explicitly support saml2:NameID with saml2:NameQualifier if supplied in attributes # this is useful for allowing eduPersonTargetedId to be passed as an opaque identifier to use to # identify the subject in an SP rather than email or other less opaque attributes # NameQualifier, if present is prefixed with a "/" to the value else REXML::XPath.match(e,'a:NameID', { "a" => ASSERTION }).collect{|n| (n.attributes['NameQualifier'] ? n.attributes['NameQualifier'] +"/" : '') + n.text.to_s } end } attributes.add(name, values.flatten) end attributes end end |
#audiences ⇒ Array
Returns The Audience elements from the Contitions of the SAML Response.
265 266 267 268 269 270 271 272 273 274 275 276 |
# File 'lib/onelogin/ruby-saml/response.rb', line 265 def audiences @audiences ||= begin audiences = [] nodes = xpath_from_signed_assertion('/a:Conditions/a:AudienceRestriction/a:Audience') nodes.each do |node| if node && node.text audiences << node.text end end audiences end end |
#conditions ⇒ REXML::Element
Gets the Condition Element of the SAML Response if exists. (returns the first node that matches the supplied xpath)
199 200 201 |
# File 'lib/onelogin/ruby-saml/response.rb', line 199 def conditions @conditions ||= xpath_first_from_signed_assertion('/a:Conditions') end |
#destination ⇒ String|nil
Returns Destination attribute from the SAML Response.
252 253 254 255 256 257 258 259 260 261 |
# File 'lib/onelogin/ruby-saml/response.rb', line 252 def destination @destination ||= begin node = REXML::XPath.first( document, "/p:Response", { "p" => PROTOCOL } ) node.nil? ? nil : node.attributes['Destination'] end end |
#in_response_to ⇒ String|nil
Returns The InResponseTo attribute from the SAML Response.
239 240 241 242 243 244 245 246 247 248 |
# File 'lib/onelogin/ruby-saml/response.rb', line 239 def in_response_to @in_response_to ||= begin node = REXML::XPath.first( document, "/p:Response", { "p" => PROTOCOL } ) node.nil? ? nil : node.attributes['InResponseTo'] end end |
#is_valid?(collect_errors = false) ⇒ Boolean
Validates the SAML Response with the default values (soft = true)
65 66 67 |
# File 'lib/onelogin/ruby-saml/response.rb', line 65 def is_valid?(collect_errors = false) validate(collect_errors) end |
#issuers ⇒ Array
Gets the Issuers (from Response and Assertion). (returns the first node that matches the supplied xpath from the Response and from the Assertion)
221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 |
# File 'lib/onelogin/ruby-saml/response.rb', line 221 def issuers @issuers ||= begin issuers = [] nodes = REXML::XPath.match( document, "/p:Response/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION } ) nodes += xpath_from_signed_assertion("/a:Issuer") nodes.each do |node| issuers << node.text if node.text end issuers.uniq end end |
#name_id ⇒ String Also known as: nameid
Returns the NameID provided by the SAML response from the IdP.
71 72 73 74 75 76 |
# File 'lib/onelogin/ruby-saml/response.rb', line 71 def name_id @name_id ||= if name_id_node name_id_node.text end end |
#name_id_format ⇒ String Also known as: nameid_format
Returns the NameID Format provided by the SAML response from the IdP.
82 83 84 85 86 87 |
# File 'lib/onelogin/ruby-saml/response.rb', line 82 def name_id_format @name_id_format ||= if name_id_node && name_id_node.attribute("Format") name_id_node.attribute("Format").value end end |
#not_before ⇒ Time
Gets the NotBefore Condition Element value.
206 207 208 |
# File 'lib/onelogin/ruby-saml/response.rb', line 206 def not_before @not_before ||= parse_time(conditions, "NotBefore") end |
#not_on_or_after ⇒ Time
Gets the NotOnOrAfter Condition Element value.
213 214 215 |
# File 'lib/onelogin/ruby-saml/response.rb', line 213 def not_on_or_after @not_on_or_after ||= parse_time(conditions, "NotOnOrAfter") end |
#session_expires_at ⇒ String
Gets the SessionNotOnOrAfter from the AuthnStatement. Could be used to set the local session expiration (expire at latest)
155 156 157 158 159 160 |
# File 'lib/onelogin/ruby-saml/response.rb', line 155 def session_expires_at @expires_at ||= begin node = xpath_first_from_signed_assertion('/a:AuthnStatement') node.nil? ? nil : parse_time(node, "SessionNotOnOrAfter") end end |
#sessionindex ⇒ String
Gets the SessionIndex from the AuthnStatement. Could be used to be stored in the local session in order to be used in a future Logout Request that the SP could send to the IdP, to set what specific session must be deleted
98 99 100 101 102 103 |
# File 'lib/onelogin/ruby-saml/response.rb', line 98 def sessionindex @sessionindex ||= begin node = xpath_first_from_signed_assertion('/a:AuthnStatement') node.nil? ? nil : node.attributes['SessionIndex'] end end |
#status_code ⇒ String
Returns StatusCode value from a SAML Response.
171 172 173 174 175 176 177 178 179 180 |
# File 'lib/onelogin/ruby-saml/response.rb', line 171 def status_code @status_code ||= begin node = REXML::XPath.first( document, "/p:Response/p:Status/p:StatusCode", { "p" => PROTOCOL } ) node.attributes["Value"] if node && node.attributes end end |
#status_message ⇒ String
Returns the StatusMessage value from a SAML Response.
184 185 186 187 188 189 190 191 192 193 |
# File 'lib/onelogin/ruby-saml/response.rb', line 184 def @status_message ||= begin node = REXML::XPath.first( document, "/p:Response/p:Status/p:StatusMessage", { "p" => PROTOCOL } ) node.text if node end end |
#success? ⇒ Boolean
Checks if the Status has the “Success” code
165 166 167 |
# File 'lib/onelogin/ruby-saml/response.rb', line 165 def success? status_code == "urn:oasis:names:tc:SAML:2.0:status:Success" end |