ForceUnspecified: Rack app redirects to a SAML IdP URL with changing NameIDPolicy Format in SAMLRequest to unspecified

• Before: <samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'/>
• After: <samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'/>

Some IdP, e.g. Azure Active Directory, forces user's true identifier even if an admin set customized User Identifier to the IdP, when a SAML request comes with NameIDPolicy Format=emailAddress. This is a simple Rack app that replaces all policies to unspecified before passing to IdP.

Installation

# Gemfile
gem 'force_unspecified'

# config.ru
require 'force_unspecified'
run ForceUnspecified

Usage

1. Set your RP to use https://force_unspecified/ORIGINAL_URL as a IdP SAML URL.
   • (where force_unspecified is your deployment URL of this app, and ORIGINAL_URL is your original IdP SAML URL)
   • e.g. https://force_unspecified/https://login.example.org/SAML
2. When RP sends a user to this app, this app changes nameid-format to unspecified, then redirects to the IdP.
3. Happiness

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/sorah/force_unspecified.

License

The gem is available as open source under the terms of the MIT License.