SAML-Toolkits / ruby-saml

SAML SSO for Ruby
MIT License

Raw Parameters for SloLogoutRequest? #470

Closed jhubert closed 1 year ago

jhubert commented 6 years ago

Any guidance on how to get the raw parameters in Ruby on Rails for the raw_get_parameters hash in the new SloLogoutResponse setup?

I ended up using request.query_parameters, which seems to skip the encoding processing that params goes through. Is that what you're referring to here or is there some other approach we should be looking at?

For reference to others, since I had a hard time on this one, this is what we're using:

    raw_query_params = request.query_parameters
    options = {
      get_params: {
        "Signature" => params["Signature"]
      },
      raw_get_params: {
        "SAMLRequest" => raw_query_params["SAMLRequest"],
        "SigAlg" => raw_query_params["SigAlg"],
        "RelayState" => raw_query_params["RelayState"]
      },
      matches_request_id: request_id
    }

pitbulk commented 6 years ago

The use of raw_get_params was introduced with https://github.com/onelogin/ruby-saml/pull/418

I'm not a Rails expert, but I think you can get them with raw_post or original_url

jhubert commented 6 years ago

Thanks for the nudge @pitbulk!

This was annoying... but it looks like we got it. Here's what I'm using, for reference before we clean it up:

    # Get the rawest form of the query string params without unescaping them
    # More info: https://github.com/onelogin/ruby-saml#updating-from-150-to-160
    # Split each pair on the first '=' only so a value that itself contains '='
    # is not truncated, and fall back to an empty string when there is no query string
    raw_query_params = Hash[request.original_fullpath.split('?', 2)[1].to_s.split('&').collect { |param| param.split('=', 2) }] rescue {} # rubocop:disable Style/RescueModifier
    options = {
      get_params: {
        "Signature" => params["Signature"]
      },
      raw_get_params: {
        "SAMLResponse" => raw_query_params["SAMLResponse"],
        "SigAlg" => raw_query_params["SigAlg"],
        "RelayState" => raw_query_params["RelayState"]
      }
    }
    options[:matches_request_id] = request_id if request_id.present?
    log :info, "LogoutResponse options are: #{options.inspect}"

pitbulk commented 6 years ago

I see,

If it is working for you, we can add this to the documentation to help other devs. Are you interested in contributing a PR to the README?

jhubert commented 6 years ago

Definitely. Let me clean it up and I'll get a PR made.


pitbulk commented 6 years ago

@jhubert any progress?

lorint commented 3 years ago

I've put together PR #619 which is a fix where raw_query_params are built out first by attempting to retrieve the query string pieces from the ACS URL. This works with Azure Active Directory and other ADFS-related IdPs.

mtkachenk0 commented 2 years ago

Fixed in 1.14.0

Works fine if you update the gem to 1.14.0 and provide security: { lowercase_url_encoding: true } to the OneLogin::RubySaml::Settings instance (the very settings you provide to SloLogoutRequest)


pitbulk commented 1 year ago

As @mtkachenk0 commented, this is solved by using the lowercase_url_encoding setting properly.

At the Single Log Out section of the README you can find it documented and used:

    # Method to handle IdP initiated logouts
    def idp_logout_request
      settings = Account.get_saml_settings
      # ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
      # uppercase. Turn it True for ADFS compatibility on signature verification
      settings.security[:lowercase_url_encoding] = true

The PR is not required.
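The two points in this thread (the parameters must stay in the exact URL-encoded form the IdP sent, and a lowercase-encoding IdP such as ADFS signs different bytes than Ruby's uppercase re-encoding would produce) can be seen in one place with the following added Ruby example. It is not code from ruby-saml or from any post above; `raw_query_params`, `signed_query_string`, `reencoded_query_string`, `demo` and the sample redirect path are constructed for illustration, and a throwaway RSA key stands in for the IdP's signing key.

```ruby
require 'cgi'
require 'openssl'

# Split the query string exactly as it arrived: no percent-decoding, and each
# pair split on its first '=' only, so a value containing '=' survives intact.
def raw_query_params(fullpath)
  query = fullpath.split('?', 2)[1].to_s
  query.split('&').each_with_object({}) do |pair, acc|
    key, value = pair.split('=', 2)
    acc[key] = value.to_s
  end
end

# Rebuild the byte string the IdP signed for the HTTP-Redirect binding:
# the message, then RelayState if present, then SigAlg, all still URL-encoded.
def signed_query_string(raw, message_key)
  parts = ["#{message_key}=#{raw[message_key]}"]
  parts << "RelayState=#{raw['RelayState']}" if raw.key?('RelayState')
  parts << "SigAlg=#{raw['SigAlg']}"
  parts.join('&')
end

# What you get after Rails has decoded the params and you re-encode them:
# CGI.escape emits uppercase hex (%2F), so an IdP that encoded lowercase
# (ADFS) signed different bytes and the signature no longer verifies.
def reencoded_query_string(raw, message_key)
  decoded = raw.transform_values { |v| CGI.unescape(v) }
  signed_query_string(decoded.transform_values { |v| CGI.escape(v) }, message_key)
end

def verify_redirect_signature(public_key, signed_string, signature_b64)
  public_key.verify(OpenSSL::Digest.new('SHA256'), signature_b64.unpack1('m0'), signed_string)
end

# Constructed sample: a lowercase-encoded logout redirect, as ADFS would send it.
SAMPLE_FULLPATH = '/saml/logout?SAMLResponse=fVHLasMw%2bEtxp%3d%3d' \
                  '&RelayState=%2fapp%2fhome' \
                  '&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256'
# Sign the raw string with a throwaway key (stand-in for the IdP's key), then
# check that the raw string verifies while the re-encoded one does not.
def demo(fullpath = SAMPLE_FULLPATH)
  key = OpenSSL::PKey::RSA.new(2048)
  raw = raw_query_params(fullpath)
  sig = [key.sign(OpenSSL::Digest.new('SHA256'), signed_query_string(raw, 'SAMLResponse'))].pack('m0')
  {
    raw_ok: verify_redirect_signature(key.public_key, signed_query_string(raw, 'SAMLResponse'), sig),
    reencoded_ok: verify_redirect_signature(key.public_key, reencoded_query_string(raw, 'SAMLResponse'), sig)
  }
end
```

`demo` returns `raw_ok: true, reencoded_ok: false`, which is exactly the failure `lowercase_url_encoding: true` exists to avoid.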