class Maestrano::Saml::Metadata

Public Instance Methods

generate(settings) click to toggle source
# File lib/maestrano/saml/metadata.rb, line 13
def generate(settings)
  meta_doc = REXML::Document.new
  root = meta_doc.add_element "md:EntityDescriptor", {
      "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata"
  }
  sp_sso = root.add_element "md:SPSSODescriptor", {
      "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
      # Metadata request need not be signed (as we don't publish our cert)
      "AuthnRequestsSigned" => false,
      # However we would like assertions signed if idp_cert_fingerprint or idp_cert is set
      "WantAssertionsSigned" => (!settings.idp_cert_fingerprint.nil? || !settings.idp_cert.nil?)
  }
  if settings.issuer != nil
    root.attributes["entityID"] = settings.issuer
  end
  if settings.assertion_consumer_logout_service_url != nil
    sp_sso.add_element "md:SingleLogoutService", {
        # Add this as a setting to create different bindings?
        "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
        "Location" => settings.assertion_consumer_logout_service_url,
        "ResponseLocation" => settings.assertion_consumer_logout_service_url,
        "isDefault" => true,
        "index" => 0
    }
  end
  if settings.name_identifier_format != nil
    name_id = sp_sso.add_element "md:NameIDFormat"
    name_id.text = settings.name_identifier_format
  end
  if settings.assertion_consumer_service_url != nil
    sp_sso.add_element "md:AssertionConsumerService", {
        # Add this as a setting to create different bindings?
        "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "Location" => settings.assertion_consumer_service_url,
        "isDefault" => true,
        "index" => 0
    }
  end
  # With OpenSSO, it might be required to also include
  #  <md:RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  #  <md:XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>

  meta_doc << REXML::XMLDecl.new
  ret = ""
  # pretty print the XML so IdP administrators can easily see what the SP supports
  meta_doc.write(ret, 1)

  ret
end