[fix] Allow IdP set reference ID for SAML response (#21)

* Pass ref id as Session Index * Official Rails 8 is not released yet to RubyGem until that let's stick official older version --------- Co-authored-by: zogoo <[email protected]>
Zogoo · Oct 25, 2024 · fcb331b · fcb331b
1 parent d95a9d6
commit fcb331b
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 3 deletions.
diff --git a/gemfiles/rails_dev.gemfile b/gemfiles/rails_dev.gemfile
@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "rails", github: "rails/rails", branch: "main"
+gem "rails", "~> 7.2.1"
 gem "activeresource", github: "rails/activeresource", branch: "main"
 
 gemspec path: "../"
diff --git a/lib/saml_idp/saml_response.rb b/lib/saml_idp/saml_response.rb
@@ -98,7 +98,7 @@ def response_builder
 
     def assertion_builder
       @assertion_builder ||=
-        AssertionBuilder.new SecureRandom.uuid,
+        AssertionBuilder.new(reference_id || SecureRandom.uuid,
                              issuer_uri,
                              principal,
                              audience_uri,
@@ -110,7 +110,7 @@ def assertion_builder
                              encryption_opts,
                              session_expiry,
                              name_id_formats_opts,
-                             asserted_attributes_opts
+                             asserted_attributes_opts)
     end
     private :assertion_builder
   end

diff --git a/spec/lib/saml_idp/saml_response_spec.rb b/spec/lib/saml_idp/saml_response_spec.rb
@@ -192,6 +192,25 @@ module SamlIdp
       expect(saml_resp.is_valid?).to eq(true)
     end
 
+    it "will pass reference_id as SessionIndex" do
+      expect { subject.build }.not_to raise_error
+      signed_encoded_xml = subject.build
+      resp_settings = saml_settings(saml_acs_url)
+      resp_settings.private_key = Default::SECRET_KEY
+      resp_settings.issuer = audience_uri
+      saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+
+      expect(
+        Nokogiri::XML(saml_resp.response).at_xpath(
+          "//saml:AuthnStatement/@SessionIndex",
+          {
+            "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "saml" => "urn:oasis:names:tc:SAML:2.0:assertion"
+          }
+        ).value
+      ).to eq("_#{reference_id}")
+    end
+
     it "sets session expiration" do
       saml_resp = OneLogin::RubySaml::Response.new(subject.build)
       expect(saml_resp.session_expires_at).to eq Time.local(1990, "jan", 2).iso8601