Add SingleLogoutService back to metadata builder (#51)

Release v0.17.0-18f **Why:** Certain SAML clients use the SingleLogoutService elements in the metadata to configure their logout behavior. This was originally removed in #30 but it is unclear why.
18F · May 5, 2022 · 6e2be1f · 6e2be1f
1 parent 6dba2bf
commit 6e2be1f
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 3 deletions.
diff --git a/lib/saml_idp/configurator.rb b/lib/saml_idp/configurator.rb
@@ -14,6 +14,7 @@ class Configurator
  attr_accessor :attribute_service_location
  attr_accessor :single_service_post_location
  attr_accessor :single_logout_service_post_location
+ attr_accessor :remote_logout_service_post_location
  attr_accessor :attributes
  attr_accessor :service_provider
  attr_accessor :pkcs11

diff --git a/lib/saml_idp/metadata_builder.rb b/lib/saml_idp/metadata_builder.rb
@@ -37,6 +37,14 @@ def fresh
  Location: single_service_post_location
  descriptor.SingleSignOnService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
  Location: single_service_post_location
+ descriptor.SingleLogoutService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+ Location: single_logout_service_post_location
+ descriptor.SingleLogoutService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+ Location: single_logout_service_post_location
+ if remote_logout_service_post_location.present?
+ descriptor.SingleLogoutService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+ Location: remote_logout_service_post_location
+ end
  build_attribute descriptor
  end
 
@@ -149,6 +157,7 @@ def raw_algorithm
  attribute_service_location
  single_service_post_location
  single_logout_service_post_location
+ remote_logout_service_post_location
  technical_contact
  ].each do |delegatable|
  define_method(delegatable) do

diff --git a/lib/saml_idp/version.rb b/lib/saml_idp/version.rb
@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
- VERSION = '0.16.0-18f'.freeze
+ VERSION = '0.17.0-18f'.freeze
 end
diff --git a/spec/lib/saml_idp/configurator_spec.rb b/spec/lib/saml_idp/configurator_spec.rb
@@ -11,6 +11,7 @@ module SamlIdp
  it { is_expected.to respond_to :attribute_service_location }
  it { is_expected.to respond_to :single_service_post_location }
  it { is_expected.to respond_to :single_logout_service_post_location }
+ it { is_expected.to respond_to :remote_logout_service_post_location }
  it { is_expected.to respond_to :name_id }
  it { is_expected.to respond_to :attributes }
  it { is_expected.to respond_to :service_provider }

diff --git a/spec/lib/saml_idp/metadata_builder_spec.rb b/spec/lib/saml_idp/metadata_builder_spec.rb
@@ -31,9 +31,23 @@ module SamlIdp
  expect(Saml::XML::Document.parse(subject.signed).valid_signature?(cloudhsm_idp_x509_cert_fingerprint)).to be_truthy
  end
 
- it "includes logout element" do
+ it "includes logout elements" do
  subject.configurator.single_logout_service_post_location = 'https://example.com/saml/logout'
- expect(subject.fresh).not_to include('SingleLogoutService')
+ subject.configurator.remote_logout_service_post_location = 'https://example.com/saml/remote_logout'
+ expect(subject.fresh.scan(/SingleLogoutService/).count).to eq(3)
+ expect(subject.fresh).to match(slo_regex('HTTP-POST', 'https://example.com/saml/logout'))
+ expect(subject.fresh).to match(slo_regex('HTTP-Redirect', 'https://example.com/saml/logout'))
+ expect(subject.fresh).to match(slo_regex('HTTP-POST', 'https://example.com/saml/remote_logout'))
+ end
+
+ it "skips remote logout if not present" do
+ subject.configurator.single_logout_service_post_location = 'https://example.com/saml/logout'
+ subject.configurator.remote_logout_service_post_location = nil
+ expect(subject.fresh.scan(/SingleLogoutService/).count).to eq(2)
+ end
+
+ def slo_regex(binding, location)
+ %r{<SingleLogoutService Binding=.+#{binding}.+ Location=.+#{location}.+/>}
  end
  end
 end