Now that all outstanding pull request have been merged, we can release 1.7.0.

A few days ago, ruby-saml version 1.4.0 was released recently with some security updates. I think we should bump the version used in omniauth-saml to 1.4.0. #117

@md5 @bufferoverflow what do you guys think?

Hi all,

I would like to confirm that omniauth supoorts multiple IDPs. If yes, please provide a guide for that.

Thanks

With updated dependencies to fix security issues, we need to release 1.6.0

• Update version.rb
• Update Gemfile
• Update CHANGELOG
• Tag new version
• Add to releases
• Build gem
• Publish gem

According to this pull request would it make sense to allow to configure Saml::Response options in the initializer:

SAML-Toolkits/ruby-saml#79

I have trouble with the time drift and want to adjust the underlying library?

I'm using omniauth-saml as part of GitLab and trying to connect to a a ipsilon idP that is backed by FreeIPA. The ipsilon idP requires that the metadata be signed. The ruby-saml-0.8.2 that is currently used in omniauth-saml doesn't do signed metadata.

According to the ruby-saml changelog signed meta-data support was added in v0.9.2. The current version is 1.0.0. The rub-saml website says, "Version 1.0 is a recommended update for all Ruby SAML users as it includes security fixes."

FYI, here is the configuration I'm trying to use.

gitlab_rails['omniauth_providers'] = [
   {
     "name" => "saml",
     "args" => {
         assertion_consumer_service_url:  'https://code.example.com/users/auth/saml/callback',
         idp_cert_fingerprint: 'B7:4E:15:77:40:DE:EE:EB:77:53:EE:58:4E:87:2B:3F:6B:8A:64:87',
         idp_sso_target_url: 'https://idp.example.com/idp/saml2/SSO/Redirect',
         issuer: 'GLGitLab',
         name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
         certificate: '-----BEGIN CERTIFICATE-----
<snipped_for_brevity>
-----END CERTIFICATE-----',
        private_key: '-----BEGIN PRIVATE KEY-----
<snipped_for_brevity>
-----END PRIVATE KEY-----',
        "security" => {
                authn_requests_signed: true,
                metadata_signed: true,
                digest_method: 'XMLSecurity::Document::SHA1',
                signature_method: 'XMLSecurity::Document::RSA_SHA1',
                embed_sign: true
                }
        }
   }
 ]

Does omniauth-saml support encrypted assertions? ruby-saml does so maybe it's possible here and I'm just not seeing it. If anyone has insight, please share.

With updated dependencies to fix security issues, we need to release 1.5.1

• Update version.rb
• Update Gemfile
• Update CHANGELOG
• Tag new version
• Add to releases
• Build gem
• Publish gem

As mentioned within #73 we need a CONTRIBUTING.md file, this has a nice side effect: https://github.com/blog/1184-contributing-guidelines

I have a routing question.

When I go to myserver.com/auth/saml/metadata, I get a routing error (No route matches). The only relevant route I have in routes.rb is /auth/:provider/callback. What route do I need to add to be able to access the metadata URL?

Thanks a lot!

Hello,

According to Ruby SAML Doc in order to have signing validated you have to initialize the call OneLogin::RubySaml::Response using RubySaml Settings and do not this later.

here is the PR #50

Thanks for reviewing it,

Guillaume.

I checked omniauth-saml's settings/code and I don't understand the use of

 :idp_cert_fingerprint_validator     => lambda { |fingerprint| fingerprint },

At the ruby toolkit, in order to check embedded Signatures (of the HTTP-POST binding), when you add a :idp_cert_fingerprint instead the :idp_cert, doesn't matter what you use, at the end the idp_cert is turned in a idp_cert_fingerprint to validate the document.

The certificate of the SAMLResponse is fingerprinted and compared with the value of the idp_cert_fingerprint.

I think this is already done at omniauth here

P.S I always recommend to set the idp_cert and not the idp_cert_fingerprint because HTTP-Redirect binding signature validations requires it (since the IdP's public certificate is not at the SAML Message).
As you plan to add SLO soon, recommend the use of certificates vs fingerprints.
Related topic: certFingerprint versus certificate/certData - simpleSAMLphp

Getting this after a basic installation :

gem 'omniauth'
gem 'omniauth-saml'

It returns :

active_support/dependencies.rb:251:in `require': no such file to load -- omniauth/core (LoadError)

So I add that to the gemfile though the ReadMe.md doesn't suggest so :

   gem "oa-core"

Now it gets me to here :

my_project/gems/omniauth-1.1.1/lib/omniauth/builder.rb:39:in `rescue in provider': Could not find matching strategy for :saml. You may need to install an additional gem (such as omniauth-saml). (LoadError)

Not sure what to do/think ..

saml assertions are failing due to xml canonicalization. xmlcanonicalizer changes:

<ns2:Assertion ID='_af8308e366f325cccdc0b0aade6abfb8d2a6' IssueInstant='2012-04-04T17:37:22Z' Version='2.0' xmlns:ns2='urn:oasis:names:tc:SAML:2.0:assertion'>

to

<ns2:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_af8308e366f325cccdc0b0aade6abfb8d2a6" IssueInstant="2012-04-04T17:37:22Z" Version="2.0">

seems other libraries have similar issues. see brendon/canonix#2

Hi,

Is anyone working on adding the metadata exchange feature documented in:
https://github.com/onelogin/ruby-saml#metadata-based-configuration

Being able to parse the remote IdP metadata would help a lot in taking this library into use. Also the SP would be able to react to possible sudden changes in IdP metadata.

Tomi

Shall we delete these two branches?

• 0-9-1-dev
• develop

It doesn't seem like it is possible to specify https://github.com/onelogin/ruby-saml#clock-drift

I get errors when I try something like:

gitlab_rails['omniauth_providers'] = [
        {
            'name' => 'saml',
             args: {
                     assertion_consumer_service_url: '.../users/auth/saml/callback',
                     idp_cert_fingerprint: '...',
                     idp_sso_target_url: '...',
                     issuer: '...',
                     allowed_clock_drift: 300
                   }
        }
]

RubyGems.org doesn't report a license for your gem. This is because it is not specified in the gemspec of your last release.

via e.g.

  spec.license = 'MIT'
  # or
  spec.licenses = ['MIT', 'GPL-2']

Including a license in your gemspec is an easy way for rubygems.org and other tools to check how your gem is licensed. As you can imagine, scanning your repository for a LICENSE file or parsing the README, and then attempting to identify the license or licenses is much more difficult and more error prone. So, even for projects that already specify a license, including a license in your gemspec is a good practice. See, for example, how rubygems.org uses the gemspec to display the rails gem license.

There is even a License Finder gem to help companies/individuals ensure all gems they use meet their licensing needs. This tool depends on license information being available in the gemspec. This is an important enough issue that even Bundler now generates gems with a default 'MIT' license.

I hope you'll consider specifying a license in your gemspec. If not, please just close the issue with a nice message. In either case, I'll follow up. Thanks for your time!

Appendix:

If you need help choosing a license (sorry, I haven't checked your readme or looked for a license file), GitHub has created a license picker tool. Code without a license specified defaults to 'All rights reserved'-- denying others all rights to use of the code.
Here's a list of the license names I've found and their frequencies

p.s. In case you're wondering how I found you and why I made this issue, it's because I'm collecting stats on gems (I was originally looking for download data) and decided to collect license metadata,too, and make issues for gemspecs not specifying a license as a public service :). See the previous link or my blog post about this project for more information.

Hi,

I'm trying to use the SAML provider for gitlab. However, I'm not sure to understand how to manage the callback url (:assertion_consumer_service_url). Whatever the URL I used, I have a 404.

Is the callback should be implemented by me? If yes, is there a template somewhere? I must confess I surprised that omniauth-saml doesn't provide a callback service that maps SAML attributes to application attributes (where the mapping is defined like the idp_sso_Target_url

Thanks

It would be useful to support additional SAML token fields in the info hash that is returned during the callback phase. In particular, the additional information to be included in the info hash could include:

• issuer
• session_index
• session_not_on_or_after
• response.session_expires_at
• not_before
• not_on_or_after

These values are available from the ruby-saml gem Response class. I would be happy to supply a pull request with the corresponding code and test updates.

If I put any value other than {} for :request_attributes I get the following error:

no implicit conversion of Symbol into Integer

Which looks like it's coming from ruby-saml, but I'm not sure.

Like zombor/Validator@b485289

A lot of changes have been merged that increase the functionality of this gem. I wonder if we are ready for 1.5.

@md5 @bufferoverflow @ilikepi what do you guys think?

The README states that :assertion_consumer_service_url is a required option. However when I do a search I can only see a reference to this value inside a spec and no actual code.

Can I say this is actually not required but optional? If this is the case I'd be happy to make the documentation change and do a pull request.

I configured Gitlab with omniauth-saml, roughly the same way as one would configure CAS. I ran into a strange problem:

On first successful SAML login, a new Gitlab user is created. However, I am redirected back to the login page with the message You need to sign in before continuing. Subsequent logins give a 422 error. After some research, I managed to fix the 422 error myself 0265fcb, turns out that the name_id is not necessarily the same for each SAML assertion.

However, I am still unable to login. Each click on the Saml button on the login form, will just redirect me back to the login form with the You need to sign in before continuing. message. I do not have a lot of experience with Ruby, so I don't really know where to start looking.

Relevant, anonymised log lines:

Started GET "/users/auth/saml" for 0.0.0.0 at 2014-02-15 09:15:26 +0100
Started POST "/users/auth/saml/callback" for 0.0.0.0 at 2014-02-15 09:15:27 +0100
Processing by OmniauthCallbacksController#saml as HTML
  Parameters: {"SAMLResponse"=>"[removed base64 encoded SAML assertion]"}
Can't verify CSRF token authenticity
Redirected to https://gitlab.example.com/
Completed 302 Found in 21ms (ActiveRecord: 3.7ms)
Started GET "/" for 0.0.0.0 at 2014-02-15 09:15:28 +0100
Processing by DashboardController#show as HTML
Completed 401 Unauthorized in 2ms
Started GET "/users/sign_in" for 0.0.0.0 at 2014-02-15 09:15:28 +0100

add support for an idp_sso_target_url such as http://www.example.com/sso?provider=foobar

https://github.com/PracticallyGreen/omniauth-saml/blob/master/lib/omniauth/strategies/saml.rb#L93

It appears that saml.rb expects the email attribute to have a name of "email" or "mail". The SAML IDP we are authenticating against returns "emailAddress". I don't know if that is non-standard but we can't do anything about it.

I monkey patched the class to get this working in our environment.

Would you be open to adding optional configuration parameters to map the attributes to the values expected in the info block?

option :email_attribute_name, :email
option :first_name_attribute_name, :first_name
option :last_name_attribute_name, :last_name
option :name_attribute_name, :name
...
info do
        {
          :name  => @attributes[options[:name_attribute_name]],
          :email => @attributes[options[:email_attribute_name]],
          :first_name => @attributes[options[:first_name_attribute_name]],
          :last_name => @attributes[options[:last_name_attribute_name]]
        }
end

The sample above may break some existing installs because currently the SAML runs through a few potential names for a few of these attributes. So to replicate that behavior we could do the following:

option :email_attribute_name, :email
option :first_name_attribute_name, :first_name
option :last_name_attribute_name, :last_name
option :name_attribute_name, :name
...
info do
        {
          :name  => @attributes[options[:name_attribute_name]],
          :email => @attributes[options[:email_attribute_name]] || @attributes[:mail],
          :first_name => @attributes[options[:first_name_attribute_name]]  || @attributes[:firstname] || @attributes[:firstName],
          :last_name => @attributes[options[:last_name_attribute_name]] || @attributes[:lastname] || @attributes[:lastName]
        }
end

I will work on the PR if you are receptive to this approach.

Hi,

I'm trying to debug why the redirect does not work and the saml flow does not begin. I'm not able to find what is missing in my code. Can you help me? This is what I have. What am I getting wrong?

require 'sinatra'
require 'omniauth-saml'

use Rack::Session::Cookie
use OmniAuth::Strategies::SAML,
:assertion_consumer_service_url => "http://idp.local.com:3000/auth/saml/callback",
:issuer => "https://idp.local.com/shibboleth-sp",
:idp_sso_target_url => "https://openidp.org/idp/profile/SAML2/Redirect/SSO",
:idp_cert_fingerprint => "63:49:58:C9:59:57:A5:09:13:DA:62:FE:14:2C:1B:93:A8:3C:6D:B7",
:name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

class SAMLLoginApplication < Sinatra::Base

get '/' do
"Hello World #{SecureRandom.uuid}"
end

Support both GET and POST for callbacks

%w(get post).each do |method|
send(method, "/auth/:provider/callback") do
env['omniauth.auth'] # => OmniAuth::AuthHash
end
end

configure :development do
$logger = Logger.new(STDOUT)
OmniAuth.config.logger = $logger
end

end

According to section 2.4.1.1 of Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0 spec, multiple signing certs may be provided for a given IdP. This provider does not currently support this functionality. One reason this matters is because AzureAD via SAML 2.0 happens to use multiple signing certs which makes this gem incompatible with AzureAD.

This change would require a change to the ruby-saml gem so this cannot be immediately implemented using the ruby-saml gem. However, the discussion in the relevant pull request indicates that those changes will be made relatively soon (perhaps end of September 2016).

https://github.com/onelogin/ruby-saml

"Version 0.8.x changes the namespace of the gem from OneLogin::Saml to OneLogin::RubySaml. Please update your implementations of the gem accordingly."

If you could make a release to include the updated ruby-saml dependency, I would much appreciate it.

the other (metadata) phase added in #8 is calling the setup phase on every request, even non-omniauth requests. this is inefficient and breaks apps which have custom setup phases which check for saml requests.

I recent setup SAML authenticate with an IDP, they don't return a name_id field in their response. So I ended up forting the gem and removed the name_id validation. I am wondering why we need to validate that if it is not required in the SAML protocol.

if @name_id.nil? || @name_id.empty?
    raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing 'name_id'")
end

Ran into this issue when receiving an attribute with multiple values. The 0.8 line of ruby-saml does not allow multiple values for any attributes and will instead take the first value in these cases. By bumping the dependency to '~> 0.9.1', we get the new Attributes objects that allow us to get an array of values without changing the default behavior when using hash access.

I implemented it on our fork, specifically on this commit to bump the version (and bump its gem version) and this commit to do a quick, dirty hack to fix the specs (and update the Gemfile.lock).

Hi, I have hit some problems trying to set up the gem, and I guess that I am missing something, but I am not sure what exactly. Please advise.

I have configured the gem with these parameters that I received from the idp:

    issuer: 'my app name'
    assertion_consumer_service_url: my_callback_url
    idp_sso_target_url: https://idpprovider/SLO.saml2
    idp_cert: "-----BEGIN CERTIFICATE-----\nMIIEET ... Yfte7A==\n-----END CERTIFICATE-----"
    name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

When I send a request to the idp, it looks like this:

<samlp:AuthnRequest AssertionConsumerServiceURL="http://my_callback_url"
                    Destination="https://idpprovider/SLO.saml2"
                    ID="_c564cad0-774f-0133-8254-02199c956c29"
                    IssueInstant="2015-11-27T16:13:51Z"
                    Version="2.0"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    >
    <saml:Issuer>My app name</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true"
                        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                        />
</samlp:AuthnRequest>

and the response is: 500 Server Error.
Am I doing something wrong?
Is the certificate supposed to be a part of the request (because it is missing from the request)?
Should the certificate be specified the way I do it?

Do I need to serve a metadata file from my app?

I try to use omniauth-saml in Gitlab. The url https://gitlab.example.com/users/auth/saml/metadata gives me a 404. I am not very familiar with ruby, but spec/omniauth/strategies/saml_spec.rb doesn't seem to contain any reference to a metadata feature either. How can I get the metadata URL for my Gitlab installation?

What about using conventional changelog and generated CHANGELOG.md file from git commit messages? There is a gem to generate this: https://rubygems.org/gems/conventional-changelog

Some words about Conventional Changelog and why I believe it is a good thing:

• directly see if a commit is a feature, fix, style change, etc.
  

• become able to generate a useful CHANGELOG.md out from the git repo (issue trackers might change, but git history and commit messages stay)
  

• many projects are using it, especially in the web, node.js area, e.g.
  

  • Mozilla Accounts(fxa-xy)
    

  • angular.js
    

  • We use it internally on a platform and made very good experiences
    

Of course it requires a lot of discipline by the contributors, but from my experience on several OSS and internal projects, I can say it is really worth to use.

In #68, we were able to establish that Ruby 1.8.7 should probably work. When I run the specs locally, the Ruby 1.8 builds pass, but they are failing on Travis for some unknown reason.

Given that Ruby 1.8.7 was EOL'd in July 2014, it may not be worth maintaining compatibility. However, both omniauth and ruby-saml are making an effort to stay compatible with Ruby 1.8.7 and it doesn't seem to involve much of an effort (assuming the tests would pass), so it could be helpful to some users to keep things working for 1.8.7.

Hello,

Thank you for making this gem available, you rock!

I noticed that there are some changes in the repo that have not been released, but I would like to use in my project and would rather use a released gem than point my Gemfile directly to the github repo. Namely, the metadata endpoint.

v1.1.0...master

Would it be possible to release a new version of the gem? (1.1.1 maybe?). It seems that it would be 100% backward compatible.

Thanks,

I'm trying to integrate against the Schoology Learning Management System

They are an iDP and I hit the link inside Schoology which is meant to send a SAML request to my Rails app and launch.

When I hit the link a new page opens and it goes to:
http://schoology.xxx.com/apps/login/saml/initial?spentityid=822834723aa0dc7f209468fda2538a840561d576d&RelayState=http%3A%2F%2F127.0.0.1%3A3000%3Frealm%3Duser%26realm_id%3D28000593%26app_id%3D398907259%26is_ssl%3D0

And then a second later it redirects to:
http://schoology.xxx.com/oauth/authorize?SAMLRequest=fZHJasMwFEV%2FxTutZA12BkQcCM0mkG6Stotuiqy81iaW5OrJnb6%2BsktLsikSgofuPRykFWrb9WozxMYd4HUAjNkGEUJsvbvxDgcL4QjhrTVwf9hXpImxV4wJuch5WkIVnHMWQZsGAjKdQGxkMqO7rtbmTLJtgrZOj8S%2FPprG%2B86%2FfOYO3qN3%2BVnI3Op8QOYnxnj40H4ByXbbijwBFHVdl5zOyhNQLoqCiuJ5SfmSc7moT7KQ8xRFHGDnMGoXKyK5mFHBqSjvJFfjnj%2BS7CF5Tioy5yT7sJ1DNRpXZAhOeY0tKqctoIpGHTe3e5WCSv8%2BymWl%2F7%2FTBx%2B98R1Zr8a0muzC2upzUqBg%2BzbAil1e%2FUzX%2F7H%2BBg%3D%3D

And the error is given by this page as:
"Failed OAuth Request: Unknown request token"

Meanwhile on my server i have:
Started POST "/teachers/auth/saml" for 127.0.0.1 at 2015-10-14 16:23:24 -0400 I, [2015-10-14T16:23:24.095349 #23024] INFO -- omniauth: (saml) Request phase initiated. ActiveRecord::SessionStore::Session Load (0.6ms) SELECT "sessions".* FROM "sessions" WHERE "sessions"."session_id" = '18c44423b06704b2994acb3cabfb3ad9' ORDER BY "sessions"."id" ASC LIMIT 1

Created AuthnRequest: <samlp:AuthnRequest AssertionConsumerServiceURL='http://127.0.0.1:3000/teachers/auth/saml/callback' Destination='http://schoology.newton.k12.ma.us/oauth/authorize' ID= '_57e06f00-54df-0133-13fc-080027bd2326' IssueInstant='2015-10-14T20:23:24Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protoco l'><saml:Issuer>makers-empire</saml:Issuer></samlp:AuthnRequest)

And then it seems to be putting a huge bunch of data into my session:
(0.1ms) BEGIN SQL (1.8ms) UPDATE "sessions" SET "data" = $1, "updated_at" = $2 WHERE "sessions"."id" = 1 [["data", "BAh7B0kiFG9tbmlhdXRoLnBhcmFtcwY6BkVUewdJIhFTQU1MUmVzcG9uc2UG\nOwBUSSIC4CtQSE5oYld4d09sSmxjM0J2Ym5ObElIaHRiRzV6T25OaGJXeHdQ\nU0oxY200NmIyRnphWE02Ym1GdFpYTTZkR002VTBGTlREb3lMakE2Y0hKdmRH\nOWpiMndpS.... etc"

Is there something going wrong the base64 encoding here? (I use a db store for sessions)

Any help would be most appreciated.

I do not have a fingerprint or certificate in my config - would this cause this?

Right now there is no check on the StatusCode, which can returns multiple failures. Instead the first error that is triggered is "SAML response missing 'name_id'' while there is actually might be more going on underneath, making it hard to debug.

ruby-saml does check it in its validation, but since the check for name_id happens earlier, you will never see it. I'm not really sure what the right solution would be, I think moving up the valid? call could do the trick but not sure of the consequences of that.

I'm happy to explore the possibilities but checking here first.

However, as a longer term solution I'd like to figure out what org or user account this gem should belong to. If you'd like to take active ownership speak up.

The current maintainer is @danwiding, but in a comment on #66 he stated a desire to discuss a possible transfer of that responsibility. I figured it makes sense to hold that discussion in its own issue, so here we are.

Here was my initial response, in full:

If no one organization wants to take over maintainership, it might make sense to follow the model adopted for Ryan Bates' CanCan gem. In that case, the community basically created its own organization to hold their fork. They also renamed the gem, presumably since they did not have access to the original on rubygems.org, but perhaps that step would not be necessary in this case.

I'm hoping to get single signout working with Omniauth-saml. My understanding is that ruby-saml supports this now, but as far as I can tell, this project does not. Is this something that could be added? (Or documented?)

Could you provide a quick tutorial, or even links, on how to integrate omniauth-saml with the widely used https://github.com/plataformatec/devise?

https://github.com/apokalipto/devise_saml_authenticatable has limitations that are deal breakers for us, and the usual sources (Stackoverflow, Google in general) hasn't helped.

Devise's Omniauth integration, for example, requires an app ID and secret that Onelogin's SAML connector doesn't provide.

Thanks in advance.

Hiya,

I'm experiencing this exact problem: http://stackoverflow.com/questions/4133650/how-to-distinguish-class-classa-from-moduleclassa

I've added this gem as a devise strategy, and have a model named Document, after signing in any calls to an action from the document controller uses the REXML::Document to evaluate against instead of my apps Document class.

What would be the best way to work around this issue?

Thanks!
Joe

ruby-saml has been updated to 1.2.0. Should we update our dependency?

I just spent a bunch of time debugging an issue using omniauth-saml with Devise. We are using the "fallback" functionality introduced in #15 to dynamically set our :assertion_consumer_service_url to the Omniauth callback_url.

The issue we ran into was that the :assertion_consumer_service_url was being calculated and cached based on the callback_url of the first request to be handled. This was then being used for subsequent requests, even if the hostname for the request was not the same, resulting in the user being sent to the wrong hostname after logging in with the IdP.

I wasn't able to determine whether this is a bug in rails, devise, omniauth, or omniauth-saml, but I was able to work around it by monkey-patching this strategy like so:

class OmniAuth::Strategies::SAML
  alias_method :original_request_phase, :request_phase
  def request_phase
    options[:assertion_consumer_service_url] = nil
    original_request_phase
  end
end

During my debugging, I was able to determine that a different instance of OmniAuth::Strategies::SAML was being used for each call to request_phase, but that those instances all shared the same instance of OmniAuth::Strategy::Options. However, when I added an initialize method to my monkey-patched version of OmniAuth::Strategies::SAML, I did not see it getting called more than once.

I'm still going to try to reproduce this in a minimal test case, but I wanted to open this issue in case anyone else has observed this problem.

A simple fix in the case of omniauth-saml might be to avoid any code that mutates options, replacing it with code that makes a copy of options first before making any changes it needs (e.g. the defaulting of options[:assertion_consumer_service_url].

Hello,

I'm trying to use this gem with devise to log with google apps for business with their SAML protocol. Here is my conf

  config.omniauth :saml,
      issuer: "my_app_id",
      idp_sso_target_url: "https://accounts.google.com/o/saml2/idp?idpid=#{GOOGLE_APP_ID}",
      idp_cert: '-----BEGIN CERTIFICATE-----
cuting for privacy
-----END CERTIFICATE-----',
      name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

I'm trying (if I understand correctly) to do a SP initiated connexion so I start with the url of my domain with /auth/saml that redirects me to the idp_sso_target_url and that's when I have the error

Error: app_not_configured_for_user

Service is not configured for this user.

I can see that there is an AuthnRequest that's created in my logs

[2016-09-22T08:39:45.412930 #26607] DEBUG -- : Created AuthnRequest: 
<samlp:AuthnRequest 
  AssertionConsumerServiceURL='https://mydomain.com/auth/saml/callback' 
  Destination='https://accounts.google.com/o/saml2?idpid=****' 
  ID='_********-****-****-****-************' 
  IssueInstant='2016-09-22T08:39:45Z' 
  Version='2.0' 
  xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' 
  xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>
<saml:Issuer>my_app_id</saml:Issuer>
<samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'/>
</samlp:AuthnRequest>

Is there something I am missing, maybe you can point me in the right direction ?

After some mysterious Login Failures in our GitLab using omniauth saml i could identify the problem being the SAML response not being decoded properly.

Doing some more digging, i found this:
http://blog.zachallett.com/base64-decode64-does-bad-things-if-you-are-expecting-utf-8-encoded-strings/

Lacking any Ruby skills at all, i blindly appended .force_encoding('UTF-8').encode at this line in omniauth-saml-1.4.1/lib/omniauth/strategies/saml.rb :
response = (response =~ /^</) ? response : Base64.decode64(response)
Which fixed the problem for me.

I am trying to integrate our ADFS login with our application which uses ActiveAdmin in combination with Devise. I succesfully added omniauth-saml for that purpose. The application now redirects to ADFS, the login succeeds but than fails on the callback. I get the error Invalid ticket.

When I try to look into the response on the server in the omniauth-saml lib I can see it says: @document=<UNDEFINED> ... </> and @decrypted_document=<UNDEFINED> ... </>

The initializers/devise.rb reads:

config.omniauth :saml,
                assertion_consumer_service_url: 'https://my_server/admin/auth/saml/callback',
                issuer: 'https://my_server/',
                authn_context: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
                idp_sso_target_url: 'https://my_adfs_server/adfs/ls/',
                assertion_consumer_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                assertion_consumer_logout_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                idp_sso_target_url_runtime_params: {original_request_param: :mapped_idp_param},
                name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
                idp_cert: idp_certificate,
                request_attributes: {},
                attribute_statements: {email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
                                       name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
                                       first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'],
                                       last_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname']},
                private_key: sp_key,
                certificate: sp_certificate,
                security: {authn_requests_signed: true,
                           logout_requests_signed: true,
                           logout_responses_signed: true,
                           metadata_signed: true,
                           digest_method: XMLSecurity::Document::SHA1,
                           signature_method: XMLSecurity::Document::RSA_SHA1,
                           embed_sign: false}

How can I solve this?

Addition:
It appears that REXML::Document is unable to decrypt the Cypher inside of the SAML response. It fails to do so without errorring. When I try to do it myself by using https://www.samltool.com/decrypt.php I see no problems with it though.