Add support for Subjects on AuthNRequests by the new name_identifier_value_requested setting

pitbulk · pitbulk · commit 041d1980f250 · 2019-03-21T12:11:11.000+01:00
diff --git a/README.md b/README.md
@@ -189,6 +189,17 @@ def init
 end
 ```
 
+If the SP knows who should be authenticated in the IdP, then can provide that info as follows:
+
+```ruby
+def init
+  request = OneLogin::RubySaml::Authrequest.new
+  saml_settings.name_identifier_value_requested = "testuser@example.com"
+  saml_settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+  redirect_to(request.create(saml_settings))
+end
+```
+
 Once you've redirected back to the identity provider, it will ensure that the user has been authorized and redirect back to your application for final consumption. This can look something like this (the `authorize_success` and `authorize_failure` methods are specific to your application):
 
 ```ruby
@@ -503,6 +514,9 @@ pp(response.attributes.multi(:not_exists))
 The `saml:AuthnContextClassRef` of the AuthNRequest can be provided by `settings.authn_context`; possible values are described at [SAMLAuthnCxt]. The comparison method can be set using `settings.authn_context_comparison` parameter. Possible values include: 'exact', 'better', 'maximum' and 'minimum' (default value is 'exact').
 To add a `saml:AuthnContextDeclRef`, define `settings.authn_context_decl_ref`.
 
+In a SP-initiaited flow, the SP can indicate to the IdP the subject that should be authenticated. This is done by defining the `settings.name_identifier_value_requested` before
+building the authrequest object.
+
 
 ## Signing
 
diff --git a/lib/onelogin/ruby-saml/authrequest.rb b/lib/onelogin/ruby-saml/authrequest.rb
@@ -121,6 +121,18 @@ def create_xml_document(settings)
           issuer = root.add_element "saml:Issuer"
           issuer.text = settings.issuer
         end
+
+        if settings.name_identifier_value_requested != nil
+          subject = root.add_element "saml:Subject"
+
+          nameid = subject.add_element "saml:NameID"
+          nameid.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
+          nameid.text = settings.name_identifier_value_requested
+
+          subject_confirmation = subject.add_element "saml:SubjectConfirmation"
+          subject_confirmation.attributes['Method'] = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+        end
+
         if settings.name_identifier_format != nil
           root.add_element "samlp:NameIDPolicy", {
               # Might want to make AllowCreate a setting?
diff --git a/lib/onelogin/ruby-saml/settings.rb b/lib/onelogin/ruby-saml/settings.rb
@@ -45,6 +45,7 @@ def initialize(overrides = {}, keep_security_attributes = false)
       attr_accessor :sp_name_qualifier
       attr_accessor :name_identifier_format
       attr_accessor :name_identifier_value
+      attr_accessor :name_identifier_value_requested
       attr_accessor :sessionindex
       attr_accessor :compress_request
       attr_accessor :compress_response
diff --git a/test/request_test.rb b/test/request_test.rb
@@ -121,6 +121,23 @@ class RequestTest < Minitest::Test
       assert_match /<samlp:NameIDPolicy[^<]* Format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'/, inflated
     end
 
+    it "create the SAMLRequest URL parameter with Subject" do
+      settings.name_identifier_value_requested = "testuser@example.com"
+      settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+      auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
+      assert_match /^http:\/\/example\.com\?SAMLRequest=/, auth_url
+      payload = CGI.unescape(auth_url.split("=").last)
+      decoded = Base64.decode64(payload)
+      zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      inflated = zstream.inflate(decoded)
+      zstream.finish
+      zstream.close
+
+      assert inflated.include?('<saml:Subject>')
+      assert inflated.include?("<saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>testuser@example.com</saml:NameID>")
+      assert inflated.include?("<saml:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'/>")
+    end
+
     it "accept extra parameters" do
       auth_url = OneLogin::RubySaml::Authrequest.new.create(settings, { :hello => "there" })
       assert_match /&hello=there$/, auth_url
diff --git a/test/settings_test.rb b/test/settings_test.rb
@@ -15,7 +15,7 @@ class SettingsTest < Minitest::Test
         :idp_cert, :idp_cert_fingerprint, :idp_cert_fingerprint_algorithm, :idp_cert_multi,
         :idp_attribute_names, :issuer, :assertion_consumer_service_url, :assertion_consumer_service_binding,
         :single_logout_service_url, :single_logout_service_binding,
-        :sp_name_qualifier, :name_identifier_format, :name_identifier_value,
+        :sp_name_qualifier, :name_identifier_format, :name_identifier_value, :name_identifier_value_requested,
         :sessionindex, :attributes_index, :passive, :force_authn,
         :compress_request, :double_quote_xml_attribute_values, :protocol_binding,
         :security, :certificate, :private_key,
