From 6b5a9f115ebdd8802410991a7b803c9ef5edf61c Mon Sep 17 00:00:00 2001
From: Peter Karman
Date: Tue, 7 Mar 2017 11:00:35 -0600
Subject: [PATCH] SAML Authn defaults to LOA1 if not specified
**Why**: There is no LOA0 and some SPs are using off-the-shelf integrations that do not allow for customization.
---
 .../concerns/saml_idp_auth_concern.rb | 6 +++++-
 spec/controllers/saml_idp_controller_spec.rb | 16 +++-------------
 2 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/app/controllers/concerns/saml_idp_auth_concern.rb b/app/controllers/concerns/saml_idp_auth_concern.rb
index 8b3b599611c..5bd62de97a9 100644
--- a/app/controllers/concerns/saml_idp_auth_concern.rb
+++ b/app/controllers/concerns/saml_idp_auth_concern.rb
@@ -30,7 +30,11 @@ def add_sp_metadata_to_session
   end
   def requested_authn_context
-    @requested_authn_context ||= saml_request.requested_authn_context
+    @requested_authn_context ||= saml_request.requested_authn_context || default_authn_context
+  end
+
+  def default_authn_context
+    Saml::Idp::Constants::LOA1_AUTHN_CONTEXT_CLASSREF
   end
   def link_identity_from_session_data
diff --git a/spec/controllers/saml_idp_controller_spec.rb b/spec/controllers/saml_idp_controller_spec.rb
index dc5155e2e44..31f6726d215 100644
--- a/spec/controllers/saml_idp_controller_spec.rb
+++ b/spec/controllers/saml_idp_controller_spec.rb
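Review bot: The fallback added to `requested_authn_context` is applied silently — the 401 path it replaces emitted an analytics event, and the spec now asserts that `track_event` is not called at all — so nothing records which SPs are relying on the implicit LOA1 default. Consider tracking or logging the case where `saml_request.requested_authn_context` is nil before substituting `default_authn_context`, so the default can later be narrowed to the SPs that need it. The `||` only covers a nil (or false) return; if the SAML parser can yield an empty string for an empty AuthnContextClassRef element, that value would bypass the default — worth confirming against the parser. `default_authn_context` also deserves the rationale from the commit message as a comment, e.g. `# Fall back to LOA1 when the SP sends no AuthnContext: there is no LOA0, and some off-the-shelf SP integrations cannot set one.` The enclosing module and `saml_request` are defined outside the hunk.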
@@ -210,24 +210,14 @@ end
       context 'authn_context is missing' do
-        it 'renders nothing with a 401 error' do
+        it 'defaults to LOA1' do
           stub_analytics
           allow(@analytics).to receive(:track_event)
           saml_get_auth(missing_authn_context_saml_settings)
-          expect(response.status).to eq(401)
-          expect(response.body).to be_empty
-
-          analytics_hash = {
-            authn_context: nil,
-            errors: ['Unauthorized authentication context'],
-            service_provider: 'http://localhost:3000',
-            valid: false,
-          }
-
-          expect(@analytics).to have_received(:track_event).
-            with(Analytics::SAML_AUTH, analytics_hash)
+          expect(response.status).to eq(302)
+          expect(@analytics).to_not have_received(:track_event)
         end
       end
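Review bot: The rewritten example asserts only a 302 and the absence of an analytics event; it never checks that the resolved context is actually LOA1, so a regression that left `requested_authn_context` nil while still redirecting would pass. Adding `expect(controller.send(:requested_authn_context)).to eq(Saml::Idp::Constants::LOA1_AUTHN_CONTEXT_CLASSREF)` after the `saml_get_auth` call pins the behaviour the example is named for. The enclosing `describe` block starts outside the hunk.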