From fcb331b1dff5faf7d56f5977c05726b9ed8052eb Mon Sep 17 00:00:00 2001
From: zogoo
Date: Fri, 25 Oct 2024 14:16:19 +0200
Subject: [PATCH] [fix] Allow IdP set reference ID for SAML response (#21)
* Pass ref id as Session Index
* Official Rails 8 is not released yet to RubyGem until that let's stick official older version
---------
Co-authored-by: zogoo
---
 gemfiles/rails_dev.gemfile | 2 +-
 lib/saml_idp/saml_response.rb | 4 ++--
 spec/lib/saml_idp/saml_response_spec.rb | 19 +++++++++++++++++++
 3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/gemfiles/rails_dev.gemfile b/gemfiles/rails_dev.gemfile
index 645a4e5d..dd5a03a3 100644
--- a/gemfiles/rails_dev.gemfile
+++ b/gemfiles/rails_dev.gemfile
@@ -2,7 +2,7 @@ source "https://rubygems.org"
-gem "rails", github: "rails/rails", branch: "main"
+gem "rails", "~> 7.2.1"
 gem "activeresource", github: "rails/activeresource", branch: "main"
 gemspec path: "../"
diff --git a/lib/saml_idp/saml_response.rb b/lib/saml_idp/saml_response.rb
index fdc327a5..85cf48b1 100644
--- a/lib/saml_idp/saml_response.rb
+++ b/lib/saml_idp/saml_response.rb
@@ -98,7 +98,7 @@ def response_builder
 def assertion_builder
 @assertion_builder ||=
- AssertionBuilder.new SecureRandom.uuid,
+ AssertionBuilder.new(reference_id || SecureRandom.uuid,
 issuer_uri,
 principal,
 audience_uri,
@@ -110,7 +110,7 @@ def assertion_builder
 encryption_opts,
 session_expiry,
 name_id_formats_opts,
- asserted_attributes_opts
+ asserted_attributes_opts)
 end
 private :assertion_builder
 end
diff --git a/spec/lib/saml_idp/saml_response_spec.rb b/spec/lib/saml_idp/saml_response_spec.rb
index a9e82151..b79f8a2b 100644
--- a/spec/lib/saml_idp/saml_response_spec.rb
+++ b/spec/lib/saml_idp/saml_response_spec.rb
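Review bot: The caller-supplied `reference_id` is handed to `AssertionBuilder.new` as the assertion ID with no validation at all, and that ID presumably also becomes the target of the signature's Reference URI and, per the new spec, the `SessionIndex`; a value that repeats across logins or carries little entropy undermines the SP-side replay detection that is keyed on assertion ID, and a value with characters outside an NCName (space, colon, quote) yields schema-invalid XML or a dangling signature reference. SAML Core asks for identifiers whose collision probability is at most 2^-128, which `SecureRandom.uuid` guaranteed unconditionally before this change and which an arbitrary override does not. I would gate the override: `ref = reference_id || SecureRandom.uuid` followed by `raise ArgumentError, "reference_id must be NCName-safe" unless ref.match?(/\A[\w.-]+\z/)`, pass `ref` to `AssertionBuilder.new`, and add a comment on `assertion_builder` saying that a caller who supplies `reference_id` owns its uniqueness and unpredictability. Where `reference_id` is defined is not visible in this diff, so the check could equally live where it is assigned. The argument list of `assertion_builder` continues in the following hunk.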
@@ -192,6 +192,25 @@ module SamlIdp expect(saml_resp.is_valid?).to eq(true) end + it "will pass reference_id as SessionIndex" do + expect { subject.build }.not_to raise_error + signed_encoded_xml = subject.build + resp_settings = saml_settings(saml_acs_url) + resp_settings.private_key = Default::SECRET_KEY + resp_settings.issuer = audience_uri + saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings) + + expect( + Nokogiri::XML(saml_resp.response).at_xpath( + "//saml:AuthnStatement/@SessionIndex", + { + "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", + "saml" => "urn:oasis:names:tc:SAML:2.0:assertion" + } + ).value + ).to eq("_#{reference_id}") + end + it "sets session expiration" do saml_resp = OneLogin::RubySaml::Response.new(subject.build) expect(saml_resp.session_expires_at).to eq Time.local(1990, "jan", 2).iso8601
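Review bot: The new example reads `SessionIndex` off `saml_resp.response` without ever asserting that a response built with a caller-supplied `reference_id` still validates, even though `resp_settings` appears to be set up for exactly that; since the assertion ID is presumably the target of the signature's Reference URI, a malformed override would pass this test and only fail at the SP. Add `expect(saml_resp.is_valid?).to eq(true)` before the XPath expectation, as the preceding example does. The first two lines also build the response twice; `signed_encoded_xml = subject.build` already fails the example on an exception, so the `expect { subject.build }.not_to raise_error` line can go. Where `reference_id` is defined for this spec lies outside the hunk.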