feat: Support RelayState binding by default during SSO #215

Open. Wants to merge 1 commit into base: master.
Conversation

@smudge smudge commented Jul 25, 2023

Per [OASIS SAML 2.0 standard](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf):

> Some bindings define a "RelayState" mechanism for preserving and conveying state information. When
> such a mechanism is used in conveying a request message as the initial step of a SAML protocol, it
> places requirements on the selection and use of the binding subsequently used to convey the response.
> Namely, if a SAML request message is accompanied by RelayState data, then the SAML responder
> MUST return its SAML protocol response using a binding that also supports a RelayState mechanism, and
> it MUST place the exact RelayState data it received with the request into the corresponding RelayState
> parameter in the response.

In order to make standards-compliant usage of `RelayState` easier for implementing developers, this PR makes two changes:

1. It adds a default `RelayState` param mapping to the gem's `:idp_sso_service_url_runtime_params` config.
2. It enables the use of `RelayState` when `OmniAuth.config.test_mode` is enabled.
    - It does this by extending `OmniAuth::Strategy#mock_request_call` to add any POST `RelayState` params to the query string that will be used in the callback URL.

Tests have been added for both of these new behaviors.
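The two behaviours the PR describes, and the SP-side check the quoted standard implies, can be seen end to end in the following added example. It is not code from the PR or from the omniauth-saml gem: `DEFAULT_RUNTIME_PARAMS`, `idp_redirect_url`, `mock_callback_url` and `relay_state_intact?` are hypothetical names, the default mapping `{ "RelayState" => "RelayState" }` is an assumption about the PR's default, and the URLs and `RelayState` values are constructed. It models the runtime-param mapping that copies an incoming `RelayState` onto the IdP SSO URL, the test-mode step that carries a POSTed `RelayState` into the callback URL query string, and finally the check that the value which comes back is exactly the value that was sent.

```ruby
require "uri"

# Hypothetical stand-in for the gem's :idp_sso_service_url_runtime_params
# option. Assumption: the PR's default maps the incoming RelayState request
# param to the IdP's RelayState query parameter under the same name.
DEFAULT_RUNTIME_PARAMS = { "RelayState" => "RelayState" }.freeze

# Parse a URI's query string into a plain Hash (empty Hash when absent).
def parse_query(uri)
  uri.query ? URI.decode_www_form(uri.query).to_h : {}
end

# Return url with the given params merged into its query string, preserving
# any query parameters the URL already carried.
def with_query(url, extra)
  uri = URI.parse(url)
  query = parse_query(uri).merge(extra)
  uri.query = query.empty? ? nil : URI.encode_www_form(query)
  uri.to_s
end

# SP-initiated SSO: the SP redirects the browser to the IdP SSO URL. Every
# mapped runtime param present on the incoming request is copied onto the
# IdP URL, so a RelayState handed to the SP travels with the request.
def idp_redirect_url(idp_sso_url, request_params, runtime_params = DEFAULT_RUNTIME_PARAMS)
  extra = runtime_params.each_with_object({}) do |(req_key, idp_key), acc|
    value = request_params[req_key]
    acc[idp_key] = value unless value.nil? || value.empty?
  end
  with_query(idp_sso_url, extra)
end

# test_mode counterpart: the mocked IdP response arrives as a POST, and any
# RelayState in the POST body is carried into the callback URL query string.
def mock_callback_url(callback_url, post_params)
  relay = post_params["RelayState"]
  return callback_url if relay.nil? || relay.empty?
  with_query(callback_url, "RelayState" => relay)
end

# SP-side check of the standard's "exact RelayState data" rule: the value in
# the response must equal the value sent with the request. A response without
# RelayState is acceptable only when none was sent.
def relay_state_intact?(sent, response_params)
  received = response_params["RelayState"]
  return received.nil? || received.empty? if sent.nil? || sent.empty?
  sent == received
end

# Constructed sample flow (not real traffic).
if __FILE__ == $PROGRAM_NAME
  sent = "/dashboard?tab=reports"
  puts idp_redirect_url("https://idp.example.test/sso?foo=1", "RelayState" => sent)
  cb = mock_callback_url("https://sp.example.test/auth/saml/callback", "RelayState" => sent)
  puts cb
  puts relay_state_intact?(sent, parse_query(URI.parse(cb)))
end
```

Because `with_query` re-encodes through `URI.encode_www_form`, a `RelayState` containing slashes or spaces survives the round trip unchanged once decoded on the callback side, which is what the equality check relies on.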