Commit bc8d4b3

mo <mo.khan@gmail.com>
2017-10-22 21:53:12
add authnstatement.
1 parent 762b8fd
Changed files (2)
app/models/saml_response.rb
@@ -15,13 +15,14 @@ class SamlResponse
   end
 
   class Builder
-    attr_reader :user, :request, :id, :reference_id
+    attr_reader :user, :request, :id, :reference_id, :now
 
     def initialize(user, request)
       @user = user
       @request = request
       @id = SecureRandom.uuid
       @reference_id = SecureRandom.uuid
+      @now = Time.now.utc
     end
 
     def to_xml
@@ -44,6 +45,11 @@ class SamlResponse
               xml.Audience request.issuer
             end
           end
+          xml.AuthnStatement authn_statement_options do
+            xml.AuthnContext do
+              xml.AuthnContextClassRef Namespaces::AuthnContext::ClassRef::PASSWORD
+            end
+          end
         end
       end
       xml.target!
@@ -63,7 +69,7 @@ class SamlResponse
       {
         ID: "_#{id}",
         Version: "2.0",
-        IssueInstant: Time.now.utc.iso8601,
+        IssueInstant: now.iso8601,
         Destination: request.acs_url,
         Consent: Namespaces::Consents::UNSPECIFIED,
         InResponseTo: request.id,
@@ -74,7 +80,7 @@ class SamlResponse
     def assertion_options
       {
         ID: "_#{reference_id}",
-        IssueInstant: Time.now.utc.iso8601,
+        IssueInstant: now.iso8601,
         Version: "2.0",
       }
     end
@@ -94,6 +100,14 @@ class SamlResponse
       }
     end
 
+    def authn_statement_options
+      {
+        AuthnInstant: now.iso8601,
+        SessionIndex: assertion_options[:ID],
+        SessionNotOnOrAfter: 3.hours.from_now.utc.iso8601,
+      }
+    end
+
     def name_id_format
       "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
     end
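Review bot: `AuthnInstant` in `authn_statement_options` is set to `now`, the time the response is built, and `AuthnContextClassRef` is fixed to `PASSWORD` in `to_xml`, but neither value is derived from when or how `user` actually authenticated. SAML Core defines AuthnInstant as the time the authentication event took place and AuthnContext as the method used, so an SP enforcing a maximum authentication age, ForceAuthn, or step-up on context class would be misled whenever the IdP reuses an existing session or the user signed in by some other method; if the session model exposes that information, pass it into the Builder (or document on `authn_statement_options` that the IdP asserts a fresh password login on every response — `# Asserts a password login at response time; TODO: source AuthnInstant/context from the user's session`). Separately, `SessionNotOnOrAfter` calls `3.hours.from_now` while the same hash and the two `IssueInstant` values now use the memoised `now`, so the session expiry can drift by a second from the instants; use `SessionNotOnOrAfter: (now + 3.hours).iso8601`. The surrounding `conditions` hash that sets the assertion's own NotOnOrAfter is outside this hunk, so I could not check whether it was moved onto `now` as well.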
spec/models/saml_response_spec.rb
@@ -83,6 +83,11 @@ describe SamlResponse do
       expect(hash['Response']['Assertion']['Conditions']['NotBefore']).to eql(5.seconds.ago.utc.iso8601)
       expect(hash['Response']['Assertion']['Conditions']['NotOnOrAfter']).to eql(3.hours.from_now.utc.iso8601)
       expect(hash['Response']['Assertion']['Conditions']['AudienceRestriction']['Audience']).to eql(request.issuer)
+
+      expect(hash['Response']['Assertion']['AuthnStatement']['AuthnInstant']).to eql(Time.now.utc.iso8601)
+      expect(hash['Response']['Assertion']['AuthnStatement']['SessionNotOnOrAfter']).to eql(3.hours.from_now.utc.iso8601)
+      expect(hash['Response']['Assertion']['AuthnStatement']['SessionIndex']).to eql(hash['Response']['Assertion']['ID'])
+      expect(hash['Response']['Assertion']['AuthnStatement']['AuthnContext']['AuthnContextClassRef']).to eql('urn:oasis:names:tc:SAML:2.0:ac:classes:Password')
     end
   end
 end
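Review bot: The new expectations compare the rendered `AuthnInstant` and `SessionNotOnOrAfter` against `Time.now.utc.iso8601` and `3.hours.from_now.utc.iso8601` evaluated after the response was built, so they flake whenever the build and the assertion straddle a second boundary, and they cannot tell a memoised `now` apart from a repeated `Time.now` call, which is what the model change is about. Since the spec already relies on ActiveSupport duration helpers, freezing the clock with `travel_to` (ActiveSupport::Testing::TimeHelpers) around the example — e.g. `around { |ex| travel_to(Time.now.utc.change(usec: 0)) { ex.run } }` — makes the timestamps deterministic and lets the SessionNotOnOrAfter expectation be written as `(Time.now.utc + 3.hours).iso8601`; please confirm the helper is included in this spec's configuration. The enclosing example and `describe` block start outside this hunk.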