Commit 5a3fbcc

mo <mo.khan@gmail.com>
2017-12-17 18:50:34
ensure RelayState is sent back to issuer.
1 parent 7ade187
app/controllers/sessions_controller.rb
@@ -5,10 +5,13 @@ class SessionsController < ApplicationController
     target_binding = request.post? ? :http_post : :http_redirect
     binding = idp.single_sign_on_service_for(binding: target_binding)
     @saml_request = binding.deserialize(raw_params)
-    return render_error(:forbidden, model: @saml_request) if @saml_request.invalid?
-    return post_back(@saml_request, current_user) if current_user?
-
-    session[:saml] = { params: raw_params.to_h, binding: target_binding }
+    if @saml_request.valid?
+      session[:saml] = { params: raw_params.to_h, binding: target_binding }
+      return post_back(@saml_request, current_user) if current_user?
+    else
+      logger.error(@saml_request.errors.full_messages)
+      return render_error(:forbidden, model: @saml_request)
+    end
   end
 
   def create
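Review bot: `logger.error(@saml_request.errors.full_messages)` on the added line hands the logger an Array, so the entry is the array's inspect form rather than a readable message; `logger.error(@saml_request.errors.full_messages.join(', '))` gives one line per failed request. Style-wise, the rewrite nests the happy path inside an if/else where the pre-existing code used guard clauses; the same ordering (validate, then park the request in the session, then post back for an already-authenticated user) reads more directly as a guard, shown below. The enclosing `new` method starts above the hunk. session[:saml] is now written for every well-formed but unauthenticated AuthnRequest, which with the database-backed session store in this Gemfile means one session row per inbound request; that is acceptable, but a short comment on why the request is parked there (presumably so create can finish the flow after login, with reset_session in post_back clearing it) would help the next reader.
```ruby
    @saml_request = binding.deserialize(raw_params)
    unless @saml_request.valid?
      logger.error(@saml_request.errors.full_messages.join(', '))
      return render_error(:forbidden, model: @saml_request)
    end
    # Park the validated request in the session; presumably create resumes
    # the flow after login, and post_back's reset_session clears it.
    session[:saml] = { params: raw_params.to_h, binding: target_binding }
    return post_back(@saml_request, current_user) if current_user?
```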
@@ -58,12 +61,13 @@ class SessionsController < ApplicationController
     if request.post?
       saml_params
     else
-      Hash[request.query_string.split("&").map { |x| x.split("=", 2) }]
+      Hash[request.query_string.split("&amp;").map { |x| x.split("=", 2) }].symbolize_keys
     end
   end
 
   def post_back(saml_request, user)
-    @url, @saml_params = saml_request.response_for(user, binding: :http_post, relay_state: saml_params[:RelayState]) do |builder|
+    relay_state = session[:saml][:params][:RelayState]
+    @url, @saml_params = saml_request.response_for(user, binding: :http_post, relay_state: relay_state) do |builder|
       @saml_response_builder = builder
     end
     reset_session
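Review bot: `session[:saml][:params][:RelayState]` on the added line in post_back raises NoMethodError (a 500) when no AuthnRequest was stored in the session, for example when create is reached after the session expired or without passing through new; `relay_state = session.fetch(:saml, {}).dig(:params, :RelayState)` (Hash#dig, Ruby 2.3+) degrades to a nil RelayState instead. The lookup also relies on the nested keys surviving a session round-trip as symbols, which holds for the Marshal-based activerecord-session_store this Gemfile uses but not for a JSON cookie serializer, so a one-line comment stating that assumption next to the lookup is worth adding. In raw_params, `symbolize_keys` interns whatever keys an unauthenticated client puts in the query string; on Ruby 2.2+ dynamic symbols are collectable so this is minor, but `with_indifferent_access` keeps the same `[:RelayState]` access without interning. As rendered here the added split uses `"&amp;"` while the removed line uses `"&"`; if that is literal in the file rather than page escaping, the query string is never split on its real separator, so confirm against the source. post_back's body continues past the hunk.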
Gemfile
@@ -61,7 +61,7 @@ end
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
 gem 'dotenv-rails'
-gem 'saml-kit', '0.2.7'
+gem 'saml-kit', '0.2.8'
 gem 'rails-assets-bootstrap', source: 'https://rails-assets.org'
 gem 'jwt'
 gem 'activerecord-session_store'
Gemfile.lock
@@ -175,7 +175,7 @@ GEM
     ruby_dep (1.5.0)
     rubyzip (1.2.1)
     safe_yaml (1.0.4)
-    saml-kit (0.2.7)
+    saml-kit (0.2.8)
       activemodel (>= 4.2.0)
       builder (~> 3.2)
       nokogiri (~> 1.8)
@@ -256,7 +256,7 @@ DEPENDENCIES
   rails-controller-testing
   rails_12factor
   rspec-rails (~> 3.6)
-  saml-kit (= 0.2.7)
+  saml-kit (= 0.2.8)
   sass-rails (~> 5.0)
   selenium-webdriver
   spring