Add support for ForceAuthn in AuthnRequests (#50)

18F · Nov 29, 2021 · c17301e · c17301e
1 parent 2d86fed
commit c17301e
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/lib/saml_idp/request.rb b/lib/saml_idp/request.rb
@@ -67,6 +67,12 @@ def request
  end
  end
 
+ def force_authn?
+ return nil unless authn_request?
+
+ request["ForceAuthn"] == 'true'
+ end
+
  def requested_authn_context
  return authn_context_node.content if authn_request? && authn_context_node
  end

diff --git a/lib/saml_idp/version.rb b/lib/saml_idp/version.rb
@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
- VERSION = '0.14.3-18f'.freeze
+ VERSION = '0.15.0-18f'.freeze
 end
diff --git a/spec/lib/saml_idp/request_spec.rb b/spec/lib/saml_idp/request_spec.rb
@@ -10,6 +10,10 @@ module SamlIdp
 
  let(:raw_authn_unspecified_name_id_format) { "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>localhost:3000</saml:Issuer><samlp:RequestedAuthnContext Comparison='exact'><saml:AuthnContextClassRef xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>" }
 
+ let(:raw_authn_forceauthn_present) { "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' ForceAuthn='true' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>localhost:3000</saml:Issuer><samlp:RequestedAuthnContext Comparison='exact'><saml:AuthnContextClassRef xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>" }
+
+ let(:raw_authn_forceauthn_false) { "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' ForceAuthn='false' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>localhost:3000</saml:Issuer><samlp:RequestedAuthnContext Comparison='exact'><saml:AuthnContextClassRef xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>" }
+
  describe "deflated request" do
  let(:deflated_request) { Base64.encode64(Zlib::Deflate.deflate(raw_authn_request, 9)[2..-5]) }
 
@@ -83,6 +87,22 @@ module SamlIdp
  expect(authn_request.issuer).to eq(nil)
  expect(authn_request.valid?).to eq(false)
  end
+
+ it 'defaults to force_authn = false' do
+ expect(subject.force_authn?).to be_falsey
+ end
+
+ it 'properly parses ForceAuthn="true" if passed' do
+ authn_request = described_class.new raw_authn_forceauthn_present
+
+ expect(authn_request.force_authn?).to be_truthy
+ end
+
+ it 'properly parses ForceAuthn="false" if passed' do
+ authn_request = described_class.new raw_authn_forceauthn_false
+
+ expect(authn_request.force_authn?).to be_falsey
+ end
  end
 
  describe "authn request with unspecified name id format" do