# Saml::Kit Saml::Kit is a library with the purpose of creating and consuming SAML documents. It supports the HTTP Post and HTTP Redirect bindings. It can create Service Provider Metadata, Identity Provider Metadata, AuthnRequest, Response, LogoutRequest, LogoutResponse documents. It also supports generating signed and encrypted assertions. ## Installation Add this line to your application's Gemfile: ```ruby gem 'saml-kit' ``` And then execute: $ bundle Or install it yourself as: $ gem install saml-kit ## Usage To specify a global configuration: (useful for a rails application) ```ruby Saml::Kit.configure do |configuration| configuration.issuer = ENV['ISSUER'] configuration.generate_key_pair_for(use: :signing) configuration.generate_key_pair_for(use: :signing) end ``` ### Metadata To generate metadata for an Identity Provider. ```ruby Saml::Kit::Metadata.build_xml do |builder| builder.contact_email = 'hi@example.com' builder.organization_name = "Acme, Inc" builder.organization_url = 'https://www.example.com' builder.build_identity_provider do |x| x.add_single_sign_on_service('https://www.example.com/login', binding: :http_post) x.add_single_sign_on_service('https://www.example.com/login', binding: :http_redirect) x.add_single_logout_service('https://www.example.com/logout', binding: :http_post) x.name_id_formats = [ Saml::Kit::Namespaces::EMAIL_ADDRESS ] x.attributes << :id x.attributes << :email end end ``` Will produce something like: ```xml urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress Acme, Inc Acme, Inc https://www.example.com mailto:hi@example.com ``` To generate service provider metadata: ```xml metadata = Saml::Kit::Metadata.build do |builder| builder.contact_email = 'hi@example.com' builder.organization_name = "Acme, Inc" builder.organization_url = 'https://www.example.com' builder.build_service_provider do |x| x.add_assertion_consumer_service('https://www.example.com/consume', binding: :http_post) x.add_single_logout_service('https://www.example.com/logout', binding: :http_post) end end puts metadata.to_xml(pretty: true) ``` Will produce something like: ```xml urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Acme, Inc Acme, Inc https://www.example.com mailto:hi@example.com ``` To produce Metadata with an IDPSSODescriptor and SPSSODescriptor. ```ruby metadata = Saml::Kit::Metadata.build do |builder| builder.contact_email = 'hi@example.com' builder.organization_name = "Acme, Inc" builder.organization_url = 'https://www.example.com' builder.build_identity_provider do |x| x.add_single_sign_on_service('https://www.example.com/login', binding: :http_post) x.add_single_sign_on_service('https://www.example.com/login', binding: :http_redirect) x.add_single_logout_service('https://www.example.com/logout', binding: :http_post) x.name_id_formats = [ Saml::Kit::Namespaces::EMAIL_ADDRESS ] x.attributes << :id x.attributes << :email end builder.build_service_provider do |x| x.add_assertion_consumer_service('https://www.example.com/consume', binding: :http_post) x.add_single_logout_service('https://www.example.com/logout', binding: :http_post) end end puts metadata.to_xml(pretty: true) ``` ```xml urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Acme, Inc Acme, Inc https://www.example.com mailto:hi@example.com ``` ### AuthnRequest To generate an Authentication Request choose the desired binding from the metadata and use it to serialize a request. ```ruby idp = Saml::Kit::IdentityProviderMetadata.new(raw_xml) url, saml_params = idp.login_request_for(binding: :http_post) puts [url, saml_params].inspect # ["https://www.example.com/login", {"SAMLRequest"=>"PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbHA6QXV0aG5SZXF1ZXN0IHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfN2Y0YjkxZGMtNTMyNi00NjgzLTgyOWItYWViNzlkNjM0ZWYzIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNy0xMi0xOVQwNDo0ODoxMloiIERlc3RpbmF0aW9uPSJodHRwczovL3d3dy5leGFtcGxlLmNvbS9sb2dpbiI+PHNhbWw6SXNzdWVyLz48c2FtbHA6TmFtZUlEUG9saWN5IEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCIvPjwvc2FtbHA6QXV0aG5SZXF1ZXN0Pg=="}] ``` ### Response To generate a Response you will need a request object and the desired binding to serialize a response. You will also need to specify a user object to create a response for. ```ruby binding = idp.single_sign_on_service_for(binding: :http_post) raw_params = Hash[uri.query.split("&").map { |x| x.split("=", 2) }].symbolize_keys saml_request = binding.deserialize(raw_params) url, saml_params = saml_request.response_for(user, binding: :http_post) puts [url, saml_params].inspect # ["https://www.example.com/consume", {"SAMLResponse"=>"PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48UmVzcG9uc2UgSUQ9Il9hZjFiNTg5Ni0wN2MzLTQ2Y2QtYTA5ZC0xOTRmZGNkNWZiZmYiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE3LTEyLTE5VDA1OjI5OjU0WiIgRGVzdGluYXRpb249Imh0dHBzOi8vd3d3LmV4YW1wbGUuY29tL2NvbnN1bWUiIENvbnNlbnQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjb25zZW50OnVuc3BlY2lmaWVkIiBJblJlc3BvbnNlVG89Il9mYzg5MjllOC0zY2ZkLTQ5YmQtOTgzNi0xNTRhZGYzOTEzZjYiIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxJc3N1ZXIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iLz48U3RhdHVzPjxTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L1N0YXR1cz48QXNzZXJ0aW9uIElEPSJfYjg4OWNmNzEtYTFmNS00ZWUxLWEzZTctMGM4ZTU5ZDY3ZTJkIiBJc3N1ZUluc3RhbnQ9IjIwMTctMTItMTlUMDU6Mjk6NTRaIiBWZXJzaW9uPSIyLjAiIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48SXNzdWVyLz48U3ViamVjdD48TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCI+Yjk2ODE1MDA ``` ### LogoutRequest To create a logout request you will need to choose the desired binding from the metadata then generate a request for a specific user. ```ruby class User attr_reader :id, :email def initialize(id:, email:) @id = id @email = email end def name_id_for(name_id_format) Saml::Kit::Namespaces::PERSISTENT == name_id_format ? id : email end def assertion_attributes_for(request) request.trusted? ? { access_token: SecureRandom.uuid } : {} end end user = User.new(id: SecureRandom.uuid, email: "hello@example.com") sp = Saml::Kit::IdentityProviderMetadata.new(xml) url, saml_params = sp.logout_request_for(user, binding: :http_post) puts [url, saml_params].inspect # ["https://www.example.com/logout", {"SAMLRequest"=>"PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48TG9nb3V0UmVxdWVzdCBJRD0iXzg3NjZiNTYyLTc2MzQtNDU4Zi04MzJmLTE4ODkwMjRlZDQ0MyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTctMTItMTlUMDQ6NTg6MThaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly93d3cuZXhhbXBsZS5jb20vbG9nb3V0IiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48SXNzdWVyIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIi8+PE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNpc3RlbnQiIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5kODc3YWEzZS01YTUyLTRhODAtYTA3ZC1lM2U5YzBjNTA1Nzk8L05hbWVJRD48L0xvZ291dFJlcXVlc3Q+"}] ``` ### LogoutResponse To generate a logout response, deserialize the logout request then generate a response from the request. ```ruby idp = Saml::Kit::IdentityProviderMetadata.new(xml) raw_params = Hash[uri.query.split("&").map { |x| x.split("=", 2) }].symbolize_keys binding = idp.single_logout_service_for(binding: :http_post) saml_request = binding.deserialize(raw_params) url, saml_params = saml_request.response_for(binding: :http_post) puts [url, saml_params].inspect # ["https://www.example.com/logout", {"SAMLResponse"=>"PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48TG9nb3V0UmVzcG9uc2UgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9Il9kZDA2YmY5MC04ODI2LTQ5ZTMtYmYxNS1jYzAxMWJkNzU3NGEiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE3LTEyLTE5VDA1OjQyOjQyWiIgRGVzdGluYXRpb249Imh0dHBzOi8vd3d3LmV4YW1wbGUuY29tL2xvZ291dCIgSW5SZXNwb25zZVRvPSJfYmVhZjJiN2ItMDlmNC00ZmFkLWJkYmYtOWQ0ZDc1N2I5ZDU0Ij48SXNzdWVyIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIi8+PFN0YXR1cz48U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9TdGF0dXM+PC9Mb2dvdXRSZXNwb25zZT4="}] ``` ## Development After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment. To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org). ## Contributing Bug reports and pull requests are welcome on GitLab at https://gitlab.com/xlgmokha/saml-kit. ## License The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).