Class: Rack::Shibboleth::Request

Inherits:
Object
Defined in:
lib/rack/shibboleth/request.rb

Overview

Represents an authentication request (a SAML 2.0 AuthnRequest) to be made to a Shibboleth IdP. The request is serialized as XML, deflated and Base64-encoded, then sent to the IdP in a URL parameter to begin authentication.

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(opts = {}) ⇒ Request

Creates a new request

Parameters:

  • opts (Hash) (defaults to: {})

a hash; if the keys :issuer, :idp_url or :assertion_url are present, the corresponding attributes are set on the created request


# File 'lib/rack/shibboleth/request.rb', line 46

def initialize opts = {}
  @issuer        = opts[:issuer]
  @assertion_url = opts[:assertion_url]
  @idp_url       = opts[:idp_url]
end

Instance Attribute Details

#assertion_url ⇒ String

Where the IdP redirects the user, carrying the SAML response, once the user has authenticated with it. This is the assertion consumer service URL listed in the SP metadata given to the IdP, and the value sent here must match what is listed there; a Shibboleth IdP checks it against the SP's metadata.

Returns:

  • (String)

    The URL the IdP should redirect back to


# File 'lib/rack/shibboleth/request.rb', line 32

def assertion_url
  @assertion_url
end

#idp_url ⇒ String

The full URL of the IdP's SAML 2.0 single sign-on endpoint. The request is delivered with the HTTP-Redirect binding (deflated and Base64-encoded into a URL parameter) and asks the IdP to return the response with the HTTP-POST binding, which is currently the only response binding supported. The URL should therefore look like:

https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO

The host and path prefix differ between IdPs, but the path should end in SAML2/Redirect/SSO.

Returns:

  • (String)

    The URL the IdP is located at


# File 'lib/rack/shibboleth/request.rb', line 25

def idp_url
  @idp_url
end

#issuer ⇒ String

The name (the SAML entityID) of the application issuing the authentication request, i.e. the SP. This name is registered with your IdP in the metadata file provided to them.

Returns:

  • (String)

    The issuer of the request


# File 'lib/rack/shibboleth/request.rb', line 39

def issuer
  @issuer
end

Instance Method Details

#encode ⇒ String

Encodes this request so it's ready to be sent to the IdP

Returns:

  • (String)

this request's SAML XML, deflated and Base64-encoded so that it can be sent as a URL parameter (the HTTP-Redirect binding)


# File 'lib/rack/shibboleth/request.rb', line 56

def encode
  # Zlib::Deflate.deflate wraps the DEFLATE stream in a 2-byte zlib header
  # and a 4-byte Adler-32 trailer. The SAML HTTP-Redirect binding requires
  # the raw DEFLATE stream, so both are stripped here (constructing the
  # deflater with window bits of -Zlib::MAX_WBITS gives the same bytes).
  deflated_request = Zlib::Deflate.deflate(saml, 9)[2..-5]
  # strict_encode64 emits no line breaks, so the result can be
  # percent-encoded into a single URL parameter unchanged.
  Base64.strict_encode64(deflated_request)
end
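The following is an added example, not rack-shibboleth's own code, showing the full HTTP-Redirect encoding described above end to end: raw DEFLATE (both via negative window bits and via the header/trailer slice used by #encode), line-break-free Base64, percent-encoding into a SAMLRequest URL parameter with an optional RelayState, and the decoding an IdP performs to get the XML back. The AuthnRequest string and the IdP URL are constructed sample values.

```ruby
require 'zlib'
require 'base64'
require 'uri'

# Constructed sample AuthnRequest (not captured from a real SP).
SAMPLE_AUTHN_REQUEST = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' \
  'ID="_0123456789abcdef0123456789abcdef" Version="2.0">' \
  '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.org/shibboleth</saml:Issuer>' \
  '</samlp:AuthnRequest>'

# Raw DEFLATE stream (no zlib header, no Adler-32 trailer), as the SAML
# HTTP-Redirect binding requires. Negative window bits select the raw format.
def raw_deflate(str, level = Zlib::BEST_COMPRESSION)
  z = Zlib::Deflate.new(level, -Zlib::MAX_WBITS)
  out = z.deflate(str, Zlib::FINISH)
  z.close
  out
end

# The slice-based variant used by Request#encode: zlib-wrapped output minus
# the 2-byte header and the 4-byte Adler-32 trailer.
def raw_deflate_by_slice(str, level = Zlib::BEST_COMPRESSION)
  Zlib::Deflate.deflate(str, level)[2..-5]
end

# Inverse of raw_deflate; SAML XML is UTF-8, so tag the result accordingly.
def raw_inflate(bytes)
  z = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = z.inflate(bytes)
  z.close
  out.force_encoding(Encoding::UTF_8)
end

# strict_encode64 produces no line breaks; Base64.encode64 would insert one
# every 60 characters plus a trailing newline, which does not belong in a
# URL parameter.
def encode_saml_request(xml)
  Base64.strict_encode64(raw_deflate(xml))
end

def decode_saml_request(param)
  raw_inflate(Base64.strict_decode64(param))
end

# Build the redirect the SP sends the browser to. encode_www_form percent-
# encodes the "+", "/" and "=" characters that Base64 output contains.
def redirect_url(idp_sso_url, xml, relay_state = nil)
  params = { 'SAMLRequest' => encode_saml_request(xml) }
  params['RelayState'] = relay_state if relay_state
  "#{idp_sso_url}?#{URI.encode_www_form(params)}"
end

# What the IdP side does with that URL: recover the AuthnRequest XML.
def decode_redirect_url(url)
  params = URI.decode_www_form(URI.parse(url).query).to_h
  decode_saml_request(params.fetch('SAMLRequest'))
end

if __FILE__ == $PROGRAM_NAME
  url = redirect_url('https://idp.example.org/idp/profile/SAML2/Redirect/SSO',
                     SAMPLE_AUTHN_REQUEST, 'return-to-app')
  puts url
  puts decode_redirect_url(url)
end
```

The round trip is the check worth keeping in a test suite: an IdP that cannot inflate the parameter will typically report a generic decoding error, and the first things to suspect are the zlib wrapper bytes and stray newlines from Base64.encode64.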

#id ⇒ String

The unique ID for this request. This ID is present in the request to the IdP (prefixed with an underscore, since an xs:ID may not start with a digit) and is what the IdP echoes back in the response's InResponseTo attribute.

Returns:

  • (String)

    a 32 character ID for this request


# File 'lib/rack/shibboleth/request.rb', line 83

def id
  @id ||= SecureRandom.hex(16)
end

#saml ⇒ String

Generates the actual SAML request as XML. This is unencoded, so it should go through #encode before being sent to the IdP.

Returns:

  • (String)

    the saml request to send to the IdP


# File 'lib/rack/shibboleth/request.rb', line 67

def saml
  validate_specified_attributes!

  # IssueInstant must be UTC in xs:dateTime form (Time#iso8601 needs 'time').
  issued = Time.now.utc.iso8601

  # This request template was captured in a request to an IdP from a
  # known working Shibboleth SP. Note that issuer, assertion_url and idp_url
  # are interpolated verbatim, without XML escaping: they are operator
  # configuration, not user input, and must not contain &, <, > or ".
  # The ID is prefixed with "_" because an xs:ID may not start with a digit.
  %Q{<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="#{assertion_url}" Destination="#{idp_url}" ID="_#{id}" IssueInstant="#{issued}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">#{issuer}</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/>
  </samlp:AuthnRequest>}
end
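As an added example (not part of rack-shibboleth), the builder below produces the same AuthnRequest shape as #saml but XML-escapes every interpolated value, refuses empty attributes the way validate_specified_attributes! is meant to, and checks that the ID is a valid xs:ID. The issuer and URL values in the usage are constructed sample values; xml_escape, valid_xml_id?, new_request_id and build_authn_request are names chosen for this example.

```ruby
require 'securerandom'
require 'time'

XML_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&apos;'
}.freeze

# Escape the five XML-special characters so a value is safe both as
# attribute content (assertion_url, idp_url) and as element text (issuer).
def xml_escape(value)
  value.to_s.gsub(/[&<>"']/, XML_ESCAPES)
end

# xs:ID is an NCName: first character a letter or underscore, never a digit.
# This is why a hex ID needs the leading "_" that Request#saml prepends.
def valid_xml_id?(id)
  id.match?(/\A[A-Za-z_][A-Za-z0-9_.\-]*\z/)
end

def new_request_id
  "_#{SecureRandom.hex(16)}"
end

def build_authn_request(issuer:, idp_url:, assertion_url:,
                        id: new_request_id, issued: Time.now.utc.iso8601)
  { issuer: issuer, idp_url: idp_url, assertion_url: assertion_url }.each do |name, v|
    raise ArgumentError, "#{name} must be set" if v.nil? || v.to_s.empty?
  end
  raise ArgumentError, "invalid xs:ID: #{id.inspect}" unless valid_xml_id?(id)

  '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' \
    "AssertionConsumerServiceURL=\"#{xml_escape(assertion_url)}\" " \
    "Destination=\"#{xml_escape(idp_url)}\" " \
    "ID=\"#{xml_escape(id)}\" IssueInstant=\"#{xml_escape(issued)}\" " \
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">' \
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">' \
    "#{xml_escape(issuer)}</saml:Issuer>" \
    '<samlp:NameIDPolicy AllowCreate="1"/>' \
    '</samlp:AuthnRequest>'
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample SP/IdP values; the "&" in the ACS URL shows the escaping.
  puts build_authn_request(
    issuer: 'https://sp.example.org/shibboleth',
    idp_url: 'https://idp.example.org/idp/profile/SAML2/Redirect/SSO',
    assertion_url: 'https://sp.example.org/Shibboleth.sso/SAML2/POST?a=1&b=2'
  )
end
```

Keep the generated ID (and its IssueInstant) server-side: the response's InResponseTo must match an ID you actually issued, which is what stops a forged or replayed response from being accepted as an answer to a request this SP never made.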