Commit
feat: Add `uid_attribute` option to control the attribute used for the user id.

Some SAML 2.0 IdPs use the transient name identifier format. In that case the name identifier changes for each login, which makes the name identifier unsuitable as a user identifier. This patch introduces the `uid_attribute` option, that allows us to use a SAML 2.0 attribute as the user identifier instead of the name identifier. Fixes issue #120.
Parent: c946c0a. Commit: eacc536. Showing 3 changed files with 39 additions and 1 deletion.
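To make the problem the commit message describes concrete, here is an added example (not omniauth-saml's own code, and not one of its fixtures): two constructed SAML 2.0 responses for the same user, each carrying a fresh transient-format NameID, plus an email attribute under the same claim name used in the spec. The resolver takes the uid from NameID by default or from a configured attribute, and fails closed when that attribute is absent or blank. The module, method and error names, the NameID values and the address `alice@example.com` are this example's own assumptions; signature verification is deliberately out of scope and would have to run before any of this.

```ruby
require "rexml/document"
require "rexml/xpath"

# Added example, not omniauth-saml's own code: resolve the user id from a SAML 2.0
# assertion either from <saml:NameID> (the default) or, when `uid_attribute` is
# given, from the <saml:Attribute> with that Name, failing closed when the
# attribute is absent or blank. Names in this module are this example's own.
module UidResolver
  NS = { "saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }.freeze
  TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

  class ValidationError < StandardError; end

  # True when a NameID in this format can be expected to identify the same user
  # across logins; a transient NameID is minted fresh for every session.
  def self.stable_name_id?(format)
    format != TRANSIENT
  end

  # Returns { uid:, name_id:, name_id_format:, attributes: } for an assertion.
  # Signature verification is out of scope here; in practice it must happen first.
  def self.resolve(xml, uid_attribute: nil)
    doc = REXML::Document.new(xml)
    name_id_el = REXML::XPath.first(doc, "//saml:Assertion/saml:Subject/saml:NameID", NS)
    raise ValidationError, "SAML response missing NameID" if name_id_el.nil?
    name_id = name_id_el.text.to_s.strip
    format = name_id_el.attributes["Format"]

    # Collect every attribute as Name => [values], stripping surrounding whitespace.
    attributes = {}
    REXML::XPath.each(doc, "//saml:Assertion/saml:AttributeStatement/saml:Attribute", NS) do |attr|
      values = REXML::XPath.match(attr, "saml:AttributeValue", NS).map { |v| v.text.to_s.strip }
      attributes[attr.attributes["Name"]] = values
    end

    uid =
      if uid_attribute.nil?
        name_id
      else
        values = attributes.fetch(uid_attribute) do
          raise ValidationError, "SAML response missing '#{uid_attribute}' attribute"
        end
        value = values.find { |v| !v.empty? }
        raise ValidationError, "SAML response has empty '#{uid_attribute}' attribute" if value.nil?
        value
      end

    { uid: uid, name_id: name_id, name_id_format: format, attributes: attributes }
  end
end

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample response (not a project fixture): a transient-format NameID
# plus an email attribute for the assumed user alice@example.com.
def sample_response(name_id, email = "alice@example.com")
  <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Assertion>
        <saml:Subject>
          <saml:NameID Format="#{UidResolver::TRANSIENT}">#{name_id}</saml:NameID>
        </saml:Subject>
        <saml:AttributeStatement>
          <saml:Attribute Name="#{EMAIL_CLAIM}">
            <saml:AttributeValue>#{email}</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>
  XML
end

# The same user logging in twice: the IdP mints a new opaque NameID each time.
LOGIN_1 = sample_response("_a1b2c3")
LOGIN_2 = sample_response("_d4e5f6")

if __FILE__ == $0
  by_name_id = [LOGIN_1, LOGIN_2].map { |r| UidResolver.resolve(r)[:uid] }
  by_email   = [LOGIN_1, LOGIN_2].map { |r| UidResolver.resolve(r, uid_attribute: EMAIL_CLAIM)[:uid] }
  puts "uid from NameID across two logins: #{by_name_id.inspect}"
  puts "uid from email attribute:          #{by_email.inspect}"
  begin
    UidResolver.resolve(LOGIN_1, uid_attribute: "missing_attribute")
  rescue UidResolver::ValidationError => e
    puts "missing attribute rejected: #{e.message}"
  end
end
```

Run it with `ruby` and the two NameID-derived uids differ while the attribute-derived uids agree, which is exactly why a transient NameID cannot key a user record. Note that the resolver treats a present-but-empty attribute the same as a missing one; an empty uid would otherwise silently collide every such user onto one account.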
|
@@ -207,6 +207,31 @@ def post_xml(xml=:example_response, opts = {}) | |
end | ||
end | ||
|
||
context "when using custom user id attribute" do | ||
before :each do | ||
saml_options[:idp_cert_fingerprint] = "3B:82:F1:F5:54:FC:A8:FF:12:B8:4B:B8:16:61:1D:E4:8E:9B:E2:3C" | ||
saml_options[:uid_attribute] = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" | ||
post_xml :custom_attributes | ||
end | ||
|
||
it "should return user id attribute" do | ||
expect(auth_hash[:uid]).to eq("[email protected]") | ||
end | ||
end | ||
|
||
context "when using custom user id attribute, but it is missing" do | ||
before :each do | ||
saml_options[:uid_attribute] = "missing_attribute" | ||
post_xml | ||
end | ||
|
||
it "should fail to authenticate" do | ||
should fail_with(:invalid_ticket) | ||
expect(last_request.env['omniauth.error']).to be_instance_of(OmniAuth::Strategies::SAML::ValidationError) | ||
expect(last_request.env['omniauth.error'].message).to eq("SAML response missing 'missing_attribute' attribute") | ||
end | ||
end | ||
|
||
context "when response is a logout response" do | ||
before :each do | ||
saml_options[:issuer] = "https://idp.sso.example.com/metadata/29490" | ||
|
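Review bot: The "when using custom user id attribute, but it is missing" context only covers an attribute that is absent from the response; nothing in this hunk exercises an attribute that is present but carries an empty or whitespace-only AttributeValue, and if that case were accepted the strategy would hand back an empty uid. Suggest a third context beside it, e.g. `context "when using custom user id attribute, but it is empty"`, driven by a fixture with an empty value and expecting the same `should fail_with(:invalid_ticket)` path and a `ValidationError`. Minor: the first context overrides `saml_options[:idp_cert_fingerprint]` for the `:custom_attributes` fixture while the second relies on the default fingerprint for `post_xml`; a one-line comment saying the custom fixture is signed with a different certificate would save the next reader a trip to the fixture directory.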