apokalipto / devise_saml_authenticatable

Devise SAML 2.0 authentication strategy
MIT License

How to pass OneLogin::RubySaml::Response configuration options? #197

Open kwent opened 3 years ago

kwent commented 3 years ago

In the doc: https://github.com/onelogin/ruby-saml

response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_authnstatement: true}) # skips AuthnStatement
response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_conditions: true}) # skips conditions
response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_subject_confirmation: true}) # skips subject confirmation
response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_recipient_check: true}) # doesn't skip subject confirmation, but skips the recipient check, which is a sub-check of the subject_confirmation check
response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_audience: true}) # skips audience check

I'm not sure how to, for example, set skip_subject_confirmation through devise_saml_authenticatable; any guidance is welcome.

Regards

adamstegman commented 3 years ago

We pass in a OneLogin::RubySaml::Settings instance that you can update, but unfortunately it looks like these are not on that class.

Here's where the response is constructed: https://github.com/apokalipto/devise_saml_authenticatable/blob/04659f2293b8a08e102afae7bf54d12e155a8036/lib/devise_saml_authenticatable/strategy.rb#L58. We could probably provide some configuration to add more options to that.

arcreative commented 1 year ago

I ended up having to monkeypatch for skip_audience; it would be great to have it handled by some sort of configuration hash or lambda.

adamstegman commented 1 year ago

Yeah, if you want to create a PR that would make sense to me!

dominikduda commented 1 year ago

@arcreative Can you elaborate on how you implemented the patch?

Where do you store it? What way of patching did you use? What has to be done for the patch to work, other than creating a file for it?

I will probably need to patch devise_saml_authenticatable/lib/devise_saml_authenticatable/strategy.rb#response_options as @adamstegman mentioned, but I can't make it work.

jaredmoody commented 1 year ago

I don't know if this is the best, but it's working for me:

# lib/devise/extensions/saml_response_options.rb
require 'devise_saml_authenticatable/strategy'

module Devise
  module Extensions
    module SamlResponseOptions
      # Extend the strategy's options hash rather than replacing it, so the
      # settings the gem already passes to OneLogin::RubySaml::Response are kept.
      def response_options
        super.merge(skip_audience: true, skip_recipient_check: true)
      end
    end
  end
end

# config/initializers/devise.rb
# Monkey patch Devise::Strategies::SamlAuthenticatable to skip audience validation in test env
if Rails.env.test?
  require 'devise/extensions/saml_response_options'
  # prepend (not include) puts the module ahead of the class in the ancestor
  # chain, so its response_options runs first and super reaches the original.
  Devise::Strategies::SamlAuthenticatable.prepend Devise::Extensions::SamlResponseOptions
end

UPDATE: This actually wasn't working until I switched .include to .prepend. Also updated to extend/use super instead of overwriting the whole method, which is more clear as to what modification is being made.
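To show why the switch from include to prepend in the UPDATE matters, here is an added Ruby example that is not from the gem or from anyone in this thread; it uses a constructed stand-in class in place of Devise::Strategies::SamlAuthenticatable, and its method and option names are assumptions. An included module's response_options is shadowed by the class's own method, a prepended one runs first and super.merge keeps the original options, and the environment gating mirrors the initializer above so that production keeps audience and recipient validation.

```ruby
# Constructed stand-in for the strategy class: only the response_options
# method is modelled (assumption; the real gem passes more options).
def build_strategy
  Class.new do
    def response_options
      { allowed_clock_drift: 5 }
    end
  end
end

# Extension module in the same shape as SamlResponseOptions above.
module SkipAudienceOptions
  def response_options
    super.merge(skip_audience: true)
  end
end

# Ancestor chain: [klass, SkipAudienceOptions, Object, ...], so the class's own
# response_options is found first and the module's override never runs.
def options_with_include
  klass = build_strategy
  klass.include(SkipAudienceOptions)
  klass.new.response_options
end

# Ancestor chain: [SkipAudienceOptions, klass, Object, ...], so the module's
# response_options runs first and super reaches the class's original hash.
def options_with_prepend
  klass = build_strategy
  klass.prepend(SkipAudienceOptions)
  klass.new.response_options
end

# Mirror of the initializer's `if Rails.env.test?` gate: the skip flag is only
# merged in the test environment; everywhere else the checks stay enabled.
def options_for_env(test_env)
  klass = build_strategy
  klass.prepend(SkipAudienceOptions) if test_env
  klass.new.response_options
end

# True when the module precedes the class in the ancestor chain, i.e. the
# override is actually in effect; a quick check for a patch like this one.
def override_active?(klass, mod)
  klass.ancestors.index(mod) < klass.ancestors.index(klass)
end
```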

fastfedora commented 9 months ago

@jaredmoody Thanks! I was having the same problem and your solution worked perfectly for me.