Project

force_unspecified

0.0
No commit activity in last 3 years
No release in over 3 years
force_unspecifiedsorah/force_unspecifiedHomepageDocumentationSource CodeBug TrackerWiki
Rack app redirects to a SAML IdP URL with changing NameIdPolicy in SAMLRequest to unspecified
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
2,380
Stars
0
Forks
0
Watchers
2
 Releases
Current version
0.1.0
Total releases
1
First release
2017-12-19
Latest release
2017-12-19
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
2
Merged Pull Requests
0
Pull Request Acceptance Rate
0%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2020-04-16
Reverse Dependencies
0

 Dependencies

Development

bundler
>= 0
rake
>= 0

Runtime

rack
>= 0
 Project Readme

ForceUnspecified: Rack app redirects to a SAML IdP URL with maniplating SAMLRequest

Supported manipulation

RequestedAuthnContext

Remove samlp:RequestedAuthnContext from request to allow authenticating users using authentication methods other than passwords (e.g. X.509, Azure AD passwordless)

NameIDPolicy

  • Before: <samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'/>
  • After: <samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'/>

Some IdP, e.g. Azure Active Directory, forces user's true identifier even if an admin set customized User Identifier to the IdP, when a SAML request comes with NameIDPolicy Format=emailAddress. This is a simple Rack app that replaces all policies to unspecified before passing to IdP.

This may be unneeded as of Apr 2021 (Azure AD now allows to configure NameID details)

Installation

# Gemfile
gem 'force_unspecified'
# config.ru
require 'force_unspecified'
run ForceUnspecified

Usage

  1. Set your RP to use https://force_unspecified/manipulate/OPTIONS/ORIGINAL_URL as a IdP SAML URL.
    • (where force_unspecified is your deployment URL of this app, and ORIGINAL_URL is your original IdP SAML URL)
    • e.g. https://force_unspecified/manipulate/RequestedAuthnContext,NameIDPolicy/login.example.org/SAML
  2. When RP sends a user to this app, this app changes nameid-format to unspecified, then redirects to the IdP.
  3. Happiness

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/sorah/force_unspecified.

License

The gem is available as open source under the terms of the MIT License.