class OneLogin::RubySaml::Settings

SAML2 Toolkit Settings

Constants

DEFAULTS

Attributes

assertion_consumer_logout_service_binding[R]
assertion_consumer_logout_service_url[RW]
assertion_consumer_service_binding[R]
assertion_consumer_service_url[RW]
attribute_consuming_service[R]
attributes_index[RW]
authn_context[RW]
authn_context_comparison[RW]
authn_context_decl_ref[RW]
certificate[RW]
certificate_new[RW]

Deprecated

compress_request[RW]
compress_response[RW]
double_quote_xml_attribute_values[RW]
force_authn[RW]
idp_attribute_names[RW]
idp_cert[RW]
idp_cert_fingerprint[RW]
idp_cert_fingerprint_algorithm[RW]
idp_cert_multi[RW]
idp_entity_id[RW]

IdP Data

idp_name_qualifier[RW]
idp_slo_response_service_url[RW]
idp_slo_service_url[W]
idp_slo_target_url[RW]
idp_sso_service_url[W]
idp_sso_target_url[RW]
issuer[RW]
message_max_bytesize[RW]
name_identifier_format[RW]
name_identifier_value[RW]
name_identifier_value_requested[RW]
passive[RW]
private_key[RW]
protocol_binding[R]
security[RW]

Work-flow

sessionindex[RW]
single_logout_service_url[W]
soft[RW]
sp_cert_multi[RW]
sp_entity_id[W]

SP Data

sp_name_qualifier[RW]
valid_until[RW]

Public Class Methods

new(overrides = {}, keep_security_attributes = false) click to toggle source
# File lib/onelogin/ruby-saml/settings.rb, line 13
# Builds a Settings object from DEFAULTS overlaid with +overrides+.
#
# Every key of the merged hash that has a public setter (+key=+) is
# assigned through that setter; keys with no matching setter are skipped
# silently, so a misspelled option is dropped rather than reported —
# double-check option names when a setting appears to have no effect.
#
# @param overrides [Hash] settings applied on top of DEFAULTS. The merge is
#   shallow, so a +:security+ override normally replaces the default
#   security hash wholesale (see +keep_security_attributes+).
# @param keep_security_attributes [Boolean] when true, the +:security+
#   entry is removed from the caller's +overrides+ hash and merged key by
#   key into DEFAULTS[:security] instead of replacing it.
def initialize(overrides = {}, keep_security_attributes = false)
  # NOTE: with keep_security_attributes the caller's hash is mutated
  # (its :security key is deleted).
  security_overrides = keep_security_attributes ? (overrides.delete(:security) || {}) : nil

  config = DEFAULTS.merge(overrides)
  config[:security] = DEFAULTS[:security].merge(security_overrides) if security_overrides

  config.each do |name, raw|
    setter = :"#{name}="
    # respond_to? without include_all only sees public methods, so only
    # public setters are ever reached here.
    next unless respond_to?(setter)

    # Hash values are shallow-copied — presumably so nested DEFAULTS hashes
    # are not mutated through the setters; verify against the setters.
    public_send(setter, raw.is_a?(Hash) ? raw.dup : raw)
  end
  @attribute_consuming_service = AttributeService.new
end

Public Instance Methods

assertion_consumer_logout_service_binding=(value) click to toggle source

@deprecated Setter for legacy Single Logout Service Binding parameter.

(Currently we only support “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”) @param value [String, Symbol]

# File lib/onelogin/ruby-saml/settings.rb, line 164
# @deprecated Setter for the legacy Single Logout Service Binding parameter.
#
# The value is normalised through get_binding: a short key known to
# Utils::BINDINGS is stored as its mapped entry, anything else as given.
#
# @param value [String, Symbol, nil]
def assertion_consumer_logout_service_binding=(value)
  resolved = get_binding(value)
  @assertion_consumer_logout_service_binding = resolved
end
assertion_consumer_service_binding=(value) click to toggle source

Setter for SP Assertion Consumer Service Binding @param value [String, Symbol].

# File lib/onelogin/ruby-saml/settings.rb, line 134
# Setter for the SP Assertion Consumer Service Binding.
#
# The value is normalised through get_binding: a short key known to
# Utils::BINDINGS is stored as its mapped entry, anything else as given.
#
# @param value [String, Symbol, nil]
def assertion_consumer_service_binding=(value)
  resolved = get_binding(value)
  @assertion_consumer_service_binding = resolved
end
get_binding(value) click to toggle source
# File lib/onelogin/ruby-saml/settings.rb, line 270
# Resolves a binding given either as a short name or as a full binding value.
#
# Intended for configuration values; +value.to_sym+ is applied to whatever
# is passed, so this should not be fed data taken from SAML messages.
#
# @param value [String, Symbol, nil] a key into Utils::BINDINGS
#   (e.g. :post, :redirect) or an already-complete binding string.
# @return [String, nil] the Utils::BINDINGS entry when +value+ is a known
#   key, otherwise +value+ unchanged; nil when +value+ is nil or false.
def get_binding(value)
  return unless value

  known = Utils::BINDINGS[value.to_sym]
  known || value
end
get_fingerprint() click to toggle source

Calculates the fingerprint of the IdP x509 certificate. @return [String] The fingerprint

# File lib/onelogin/ruby-saml/settings.rb, line 171
# Calculates the fingerprint of the IdP x509 certificate.
#
# An explicitly configured +idp_cert_fingerprint+ takes precedence.
# Otherwise the digest selected by +idp_cert_fingerprint_algorithm+ is
# computed over the DER encoding of the IdP certificate and rendered as
# upper-case, colon-separated hex pairs (AB:CD:...). The result is only
# as collision-resistant as that digest, so prefer a SHA-2 family
# algorithm in configuration.
#
# @return [String, nil] the fingerprint, or nil when neither a fingerprint
#   nor an IdP certificate is configured.
def get_fingerprint
  return idp_cert_fingerprint if idp_cert_fingerprint

  cert = get_idp_cert
  return unless cert

  digest = XMLSecurity::BaseDocument.new.algorithm(idp_cert_fingerprint_algorithm).new
  hex = digest.hexdigest(cert.to_der).upcase
  hex.scan(/../).join(":")
end
get_idp_cert() click to toggle source

@return [OpenSSL::X509::Certificate|nil] Build the IdP certificate from the settings (formatting it first)

# File lib/onelogin/ruby-saml/settings.rb, line 183
# Builds the IdP certificate object from the +idp_cert+ setting.
#
# Parsing (and, presumably, any reformatting of the raw PEM/DER text) is
# delegated to Utils.build_cert_object.
#
# @return [OpenSSL::X509::Certificate, nil] the certificate, or nil when
#   no +idp_cert+ is configured.
def get_idp_cert
  raw = idp_cert
  OneLogin::RubySaml::Utils.build_cert_object(raw)
end
get_idp_cert_multi() click to toggle source

@return [Hash with two arrays (:signing and :encryption) of OpenSSL::X509::Certificate] Build multiple IdP certificates from the settings.

# File lib/onelogin/ruby-saml/settings.rb, line 189
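# Builds the IdP certificate objects declared in +idp_cert_multi+.
#
# Symbol and string keys are both accepted for the +:signing+ and
# +:encryption+ nodes, mirroring +sp_cert_multi+. Each node must be an
# Array of certificate values; the check is made up front so a malformed
# node fails with an ArgumentError rather than a NoMethodError deep in
# iteration (the same rule get_sp_certs_multi applies).
#
# @return [Hash{Symbol => Array<OpenSSL::X509::Certificate>}, nil]
#   a Hash with two arrays (+:signing+ and +:encryption+), or nil when
#   +idp_cert_multi+ is unset or empty.
# @raise [ArgumentError] if +idp_cert_multi+ is not a Hash, or if a node
#   is present but is not an Array.
def get_idp_cert_multi
  return nil if idp_cert_multi.nil? || idp_cert_multi.empty?

  raise ArgumentError, "Invalid value for idp_cert_multi" unless idp_cert_multi.is_a?(Hash)

  certs = { :signing => [], :encryption => [] }

  [:signing, :encryption].each do |type|
    certs_for_type = idp_cert_multi[type] || idp_cert_multi[type.to_s]
    next unless certs_for_type

    unless certs_for_type.is_a?(Array)
      raise ArgumentError, "idp_cert_multi :#{type} node must be an Array"
    end
    next if certs_for_type.empty?

    certs[type] = certs_for_type.map do |idp_cert|
      OneLogin::RubySaml::Utils.build_cert_object(idp_cert)
    end
  end

  certs
end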
get_sp_cert() click to toggle source

@return [OpenSSL::X509::Certificate] The SP signing certificate. @deprecated Use get_sp_signing_pair or get_sp_certs instead.

# File lib/onelogin/ruby-saml/settings.rb, line 236
# @deprecated Use get_sp_signing_pair or get_sp_certs instead.
#
# @return [OpenSSL::X509::Certificate, nil] the SP signing certificate
#   (first element of the signing pair), or nil when there is no pair.
def get_sp_cert
  pair = get_sp_signing_pair
  return unless pair

  pair.first
end
get_sp_cert_new() click to toggle source

@return [OpenSSL::X509::Certificate|nil] Build the New SP certificate from the settings.

@deprecated Use get_sp_certs instead

# File lib/onelogin/ruby-saml/settings.rb, line 261
# @deprecated Use get_sp_certs instead.
#
# @return [OpenSSL::X509::Certificate, nil] the newest SP signing
#   certificate (first element of the last signing pair), or nil when
#   there are no signing pairs.
def get_sp_cert_new
  pair = get_sp_certs[:signing].last
  return unless pair

  pair.first
end
get_sp_certs() click to toggle source

@return [Hash<Symbol, Array<Array<OpenSSL::X509::Certificate, OpenSSL::PKey::RSA>>>]

Build the SP certificates and private keys from the settings. If
check_sp_cert_expiration is true, only returns certificates and private keys
that are not expired.
# File lib/onelogin/ruby-saml/settings.rb, line 212
# Builds the SP certificates and private keys from the settings.
#
# When +security[:check_sp_cert_expiration]+ is set, pairs whose
# certificate is not active (per Utils.is_cert_active) are dropped and a
# ValidationError is raised if a use is left with none; pairs without a
# certificate (key only) are never dropped. When the flag is off, expired
# certificates are returned unchanged, so enabling it is the safer
# configuration.
#
# @return [Hash{Symbol => Array<Array(OpenSSL::X509::Certificate, OpenSSL::PKey::RSA)>}]
#   +:signing+ and +:encryption+ pairs; frozen at every level when the
#   expiration check ran.
# @raise [OneLogin::RubySaml::ValidationError] if every certificate of a
#   use has expired.
def get_sp_certs
  all_certs = get_all_sp_certs
  return all_certs unless security[:check_sp_cert_expiration]

  active = { signing: [], encryption: [] }
  all_certs.each do |use, pairs|
    next if pairs.empty?

    # Keep a pair unless it carries a certificate that is no longer active.
    live = pairs.reject { |cert, _| cert && !OneLogin::RubySaml::Utils.is_cert_active(cert) }
    raise OneLogin::RubySaml::ValidationError, "The SP certificate expired." if live.empty?

    active[use] = live.freeze
  end
  active.freeze
end
get_sp_decryption_keys() click to toggle source

@return [Array<OpenSSL::PKey::RSA>] The SP decryption keys.

# File lib/onelogin/ruby-saml/settings.rb, line 251
# @return [Array<OpenSSL::PKey::RSA>] the SP decryption keys: the private
#   key of every encryption pair, with nils removed and duplicates
#   collapsed by PEM encoding (the single-certificate path shares one key
#   between both certificates). The array is frozen.
def get_sp_decryption_keys
  keys = get_sp_certs[:encryption].map { |_, key| key }
  keys.compact.uniq(&:to_pem).freeze
end
get_sp_key()

@deprecated Use get_sp_signing_key or get_sp_certs instead.

Alias for: get_sp_signing_key
get_sp_signing_key() click to toggle source

@return [OpenSSL::PKey::RSA] The SP signing key.

# File lib/onelogin/ruby-saml/settings.rb, line 242
# @return [OpenSSL::PKey::RSA, nil] the SP signing key (second element of
#   the signing pair), or nil when there is no pair.
def get_sp_signing_key
  pair = get_sp_signing_pair
  return unless pair

  pair.at(1)
end
Also aliased as: get_sp_key
get_sp_signing_pair() click to toggle source

@return [Array<OpenSSL::X509::Certificate, OpenSSL::PKey::RSA>]

The SP signing certificate and private key.
# File lib/onelogin/ruby-saml/settings.rb, line 230
# @return [Array(OpenSSL::X509::Certificate, OpenSSL::PKey::RSA), nil]
#   the first SP signing certificate/key pair, or nil when none is
#   configured.
def get_sp_signing_pair
  signing_pairs = get_sp_certs[:signing]
  signing_pairs.first
end
idp_binding_from_embed_sign() click to toggle source
# File lib/onelogin/ruby-saml/settings.rb, line 266
# Derives a default binding from the +security[:embed_sign]+ flag: the
# Utils::BINDINGS +:post+ entry when set, the +:redirect+ entry otherwise.
# Used as the fallback by idp_sso_service_binding and
# idp_slo_service_binding when no explicit binding is configured.
#
# @return [String] the binding value from Utils::BINDINGS
def idp_binding_from_embed_sign
  key = security[:embed_sign] ? :post : :redirect
  Utils::BINDINGS[key]
end
idp_slo_service_binding() click to toggle source

@return [String] IdP Single Logout Service Binding

# File lib/onelogin/ruby-saml/settings.rb, line 107
# @return [String] the IdP Single Logout Service Binding: the explicitly
#   configured value, else the default derived from +security[:embed_sign]+.
def idp_slo_service_binding
  return @idp_slo_service_binding if @idp_slo_service_binding

  idp_binding_from_embed_sign
end
idp_slo_service_binding=(value) click to toggle source

Setter for IdP Single Logout Service Binding @param value [String, Symbol].

# File lib/onelogin/ruby-saml/settings.rb, line 114
# Setter for the IdP Single Logout Service Binding.
#
# The value is normalised through get_binding: a short key known to
# Utils::BINDINGS is stored as its mapped entry, anything else as given.
#
# @param value [String, Symbol, nil]
def idp_slo_service_binding=(value)
  resolved = get_binding(value)
  @idp_slo_service_binding = resolved
end
idp_slo_service_url() click to toggle source

@return [String] IdP Single Logout Service URL

# File lib/onelogin/ruby-saml/settings.rb, line 88
# @return [String, nil] the IdP Single Logout Service URL; falls back to
#   the deprecated +idp_slo_target_url+ when the new setting is unset.
def idp_slo_service_url
  return @idp_slo_service_url if @idp_slo_service_url

  @idp_slo_target_url
end
idp_sso_service_binding() click to toggle source

@return [String] IdP Single Sign On Service Binding

# File lib/onelogin/ruby-saml/settings.rb, line 94
# @return [String] the IdP Single Sign On Service Binding: the explicitly
#   configured value, else the default derived from +security[:embed_sign]+.
def idp_sso_service_binding
  return @idp_sso_service_binding if @idp_sso_service_binding

  idp_binding_from_embed_sign
end
idp_sso_service_binding=(value) click to toggle source

Setter for IdP Single Sign On Service Binding @param value [String, Symbol].

# File lib/onelogin/ruby-saml/settings.rb, line 101
# Setter for the IdP Single Sign On Service Binding.
#
# The value is normalised through get_binding: a short key known to
# Utils::BINDINGS is stored as its mapped entry, anything else as given.
#
# @param value [String, Symbol, nil]
def idp_sso_service_binding=(value)
  resolved = get_binding(value)
  @idp_sso_service_binding = resolved
end
idp_sso_service_url() click to toggle source

@return [String] IdP Single Sign On Service URL

# File lib/onelogin/ruby-saml/settings.rb, line 82
# @return [String, nil] the IdP Single Sign On Service URL; falls back to
#   the deprecated +idp_sso_target_url+ when the new setting is unset.
def idp_sso_service_url
  return @idp_sso_service_url if @idp_sso_service_url

  @idp_sso_target_url
end
protocol_binding=(value) click to toggle source

Setter for SP Protocol Binding @param value [String, Symbol].

# File lib/onelogin/ruby-saml/settings.rb, line 127
# Setter for the SP Protocol Binding.
#
# The value is normalised through get_binding: a short key known to
# Utils::BINDINGS is stored as its mapped entry, anything else as given.
#
# @param value [String, Symbol, nil]
def protocol_binding=(value)
  resolved = get_binding(value)
  @protocol_binding = resolved
end
single_logout_service_binding() click to toggle source

@return [String] Single Logout Service Binding.

# File lib/onelogin/ruby-saml/settings.rb, line 146
# @return [String, nil] the Single Logout Service Binding; falls back to
#   the deprecated +assertion_consumer_logout_service_binding+ when the new
#   setting is unset.
def single_logout_service_binding
  return @single_logout_service_binding if @single_logout_service_binding

  @assertion_consumer_logout_service_binding
end
single_logout_service_binding=(value) click to toggle source

Setter for Single Logout Service Binding.

(Currently we only support “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”) @param value [String, Symbol]

# File lib/onelogin/ruby-saml/settings.rb, line 155
# Setter for the Single Logout Service Binding.
#
# The value is normalised through get_binding: a short key known to
# Utils::BINDINGS is stored as its mapped entry, anything else as given.
#
# @param value [String, Symbol, nil]
def single_logout_service_binding=(value)
  resolved = get_binding(value)
  @single_logout_service_binding = resolved
end
single_logout_service_url() click to toggle source

@return [String] Single Logout Service URL.

# File lib/onelogin/ruby-saml/settings.rb, line 140
# @return [String, nil] the Single Logout Service URL; falls back to the
#   deprecated +assertion_consumer_logout_service_url+ when the new
#   setting is unset.
def single_logout_service_url
  return @single_logout_service_url if @single_logout_service_url

  @assertion_consumer_logout_service_url
end
sp_entity_id() click to toggle source

@return [String] SP Entity ID

# File lib/onelogin/ruby-saml/settings.rb, line 120
# @return [String, nil] the SP Entity ID; falls back to the deprecated
#   +issuer+ setting when +sp_entity_id+ is unset.
def sp_entity_id
  return @sp_entity_id if @sp_entity_id

  @issuer
end

Private Instance Methods

get_all_sp_certs() click to toggle source

@return [Hash<Symbol, Array<Array<OpenSSL::X509::Certificate, OpenSSL::PKey::RSA>>>]

Build the SP certificates and private keys from the settings. Returns all
certificates and private keys, even if they are expired.
# File lib/onelogin/ruby-saml/settings.rb, line 308
# Builds every SP certificate/key pair from the settings, expired or not.
#
# Validates that +sp_cert_multi+ is not combined with the single-cert
# parameters, then prefers +sp_cert_multi+ and falls back to the
# certificate / certificate_new / private_key parameters.
#
# @return [Hash{Symbol => Array<Array(OpenSSL::X509::Certificate, OpenSSL::PKey::RSA)>}]
# @raise [ArgumentError] from validate_sp_certs_params! on conflicting settings
def get_all_sp_certs
  validate_sp_certs_params!

  from_multi = get_sp_certs_multi
  from_multi || get_sp_certs_single
end
get_sp_certs_multi() click to toggle source

Get certs from the sp_cert_multi parameter.

# File lib/onelogin/ruby-saml/settings.rb, line 347
# Builds SP certificate/key pairs from the +sp_cert_multi+ setting.
#
# Symbol and string keys are accepted at every level (+:signing+/"signing",
# +:certificate+/"certificate"/+:cert+/"cert",
# +:private_key+/"private_key"/+:key+/"key"). Each node must be an Array
# of Hashes and every Hash must carry both a certificate and a private
# key. The returned structure is frozen at every level.
#
# @return [Hash{Symbol => Array<Array(OpenSSL::X509::Certificate, OpenSSL::PKey::RSA)>}, nil]
#   nil when +sp_cert_multi+ is unset or empty.
# @raise [ArgumentError] when +sp_cert_multi+ is not a Hash, a node is not
#   an Array of Hashes, or an entry lacks its certificate or private key.
def get_sp_certs_multi
  return if sp_cert_multi.nil? || sp_cert_multi.empty?

  raise ArgumentError, "sp_cert_multi must be a Hash" unless sp_cert_multi.is_a?(Hash)

  # The hash itself is frozen now; its arrays are frozen once filled.
  certs = { :signing => [], :encryption => [] }.freeze

  [:signing, :encryption].each do |type|
    node = sp_cert_multi[type] || sp_cert_multi[type.to_s]
    next if !node || node.empty?

    unless node.is_a?(Array) && node.all? { |entry| entry.is_a?(Hash) }
      raise ArgumentError, "sp_cert_multi :#{type} node must be an Array of Hashes"
    end

    node.each do |entry|
      cert_value = entry[:certificate] || entry['certificate'] || entry[:cert] || entry['cert']
      key_value  = entry[:private_key] || entry['private_key'] || entry[:key] || entry['key']

      unless cert_value && key_value
        raise ArgumentError, "sp_cert_multi :#{type} node Hashes must specify keys :certificate and :private_key"
      end

      pair = [
        OneLogin::RubySaml::Utils.build_cert_object(cert_value),
        OneLogin::RubySaml::Utils.build_private_key_object(key_value)
      ]
      certs[type] << pair.freeze
    end
  end

  certs.each_value(&:freeze)
  certs
end
get_sp_certs_single() click to toggle source

Get certs from certificate, certificate_new, and private_key parameters.

# File lib/onelogin/ruby-saml/settings.rb, line 325
# Builds SP certificate/key pairs from the +certificate+, +certificate_new+
# and +private_key+ settings.
#
# The single +private_key+ is paired with both certificates, and each
# frozen pair is registered for both signing and encryption. A pair is
# produced for +certificate+ when either it or the key is present (so a
# key-only pair is possible); +certificate_new+ only yields a pair when the
# certificate itself is present.
#
# @return [Hash{Symbol => Array<Array(OpenSSL::X509::Certificate, OpenSSL::PKey::RSA)>}]
#   +:signing+ and +:encryption+ arrays (empty when nothing is configured)
def get_sp_certs_single
  certs = { :signing => [], :encryption => [] }

  sp_key = OneLogin::RubySaml::Utils.build_private_key_object(private_key)
  primary = OneLogin::RubySaml::Utils.build_cert_object(certificate)
  secondary = OneLogin::RubySaml::Utils.build_cert_object(certificate_new)

  pairs = []
  pairs << [primary, sp_key].freeze if primary || sp_key
  pairs << [secondary, sp_key].freeze if secondary

  pairs.each do |pair|
    certs[:signing] << pair
    certs[:encryption] << pair
  end

  certs
end
validate_sp_certs_params!() click to toggle source

Validate certificate, certificate_new, private_key, and sp_cert_multi params.

# File lib/onelogin/ruby-saml/settings.rb, line 314
# Validates that the two ways of configuring SP certificates are not mixed.
#
# +sp_cert_multi+ is mutually exclusive with the single-cert parameters
# (+certificate+, +certificate_new+, +private_key+); a value counts as
# given when it is truthy and not empty.
#
# @return [nil]
# @raise [ArgumentError] when +sp_cert_multi+ is given together with any
#   of the single-cert parameters
def validate_sp_certs_params!
  present = ->(setting) { setting && !setting.empty? }

  multi_given = present.call(sp_cert_multi)
  # Evaluated eagerly for all three so each setting is checked the same way.
  single_given = [certificate, certificate_new, private_key].map(&present).any?
  return unless multi_given && single_given

  raise ArgumentError, "Cannot specify both sp_cert_multi and certificate, certificate_new, private_key parameters"
end