Properly test a Rails app with shibboleth auth

A Rails app with Shibboleth is not as easy to test as an app with say LDAP authentication. 

Functional tests work, but at a cost: the ENV name changes. In production (mod_passenger) the surname might be 'sn'. In test it is 'HTTP_SN'.

Sometime people write some env-driven if blocks to stub a user's login in development. Each time you need to change user's data you need to fix the controller.

The solution is:

• outfactor the data fetching from ENV is a custom class;
• use system test to mock the class above.

Some source code on github shows you the details.

Check the system test:

test/system/login_users_test.rb

The translation class is in:

app/lib

Rails6 shibboleth single logout through notify

This is a proof of concept of a Ruby on Rails application with Shibboleth authentication, pure rails session and a working single sign off.

This application follows: SLOWebappAdaptation .

Short things first: it is not worth. There are easier ways to have Ruby on Rails and SAML2 auth to go hand in hand, with single logout included.

The hard part is not the Shibboleth one: you just need to add a Notify

The matter is this setup is completely against a few Rails' conventions:

• SOAP support has been dropped from Rails since version 1.2;
• you are not expect to tweak with arbitrary session objects which in turn means:
• you can't use the trusted cookie session store but you have to switch to the harder database-backed session store, which by the way you need to customize a bit to hold the Shib-Session-ID data;
• you need to fight against encrypted sessions, the default.

If nevertheless interested, have a look at source code on github.

Shibboleth-Idp4 impersonation: fetch the impersonating user as an attribute.

In the Shibboleth IdP it's possible to enable the impersonation intercept to enable help desk to impersonate users.

The impersonation is an amazing feature very well designed.

You can enable it in three steps:

• enable the module;
• add a p:postAuthenticationFlows="#{ {'impersonate'} }" attr to the SAML2 property to the relying party list involved (relying-party.xml);
• configure it on conf/access-control.xml (legacy configuration file in conf/intercept is useless).

The documentation proposes a workflow where a help desk operator has to be authorized to impersonate johndoe user by adding the johndoe value to a certain operator's attribute.

If your requirements allow any help desk operator to impersonate any user, the configuration can be simply:

	<?xml version="1.0" encoding="UTF-8"?>
	<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:context="http://www.springframework.org/schema/context"
	xmlns:util="http://www.springframework.org/schema/util"
	xmlns:p="http://www.springframework.org/schema/p"
	xmlns:c="http://www.springframework.org/schema/c"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
	http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
	http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
	default-init-method="initialize"
	default-destroy-method="destroy">
	<!-- Limits who can impersonate based on group membership. -->
	<entry key="GeneralImpersonationPolicy">
	<bean parent="shibboleth.PredicateAccessControl">
	<constructor-arg>
	<bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
	<property name="attributeValueMap">
	<map>
	<entry key="isMemberOf">
	<list>
	<value>example:impersonate</value>
	</list>
	</entry>
	</map>
	</property>
	</bean>
	</constructor-arg>
	</bean>
	</entry>
	<!-- Controls the impersonation scenarios to allow. -->
	<!-- Impersonate any user on the https://sp.example.org/shibboleth SP -->
	<entry key="SpecificImpersonationPolicy">
	<bean parent="shibboleth.PredicateAccessControl">
	<constructor-arg>
	<bean parent="shibboleth.Conditions.AND">
	<constructor-arg>
	<bean parent="shibboleth.Conditions.TRUE" />
	</constructor-arg>
	<constructor-arg>
	<bean parent="shibboleth.Conditions.RelyingPartyId"
	c:candidates="#{{'https://sp.example.org/shibboleth'}}" />
	</constructor-arg>
	</bean>
	</constructor-arg>
	</bean>
	</entry>
	<!--
	your other beans here
	-->
	</util:map>
	</beans>

view raw access-control.xml hosted with ❤ by GitHub

The impersonation event is logged on the IdP. But if you want to let the SP to know about it, you can leverage the "populate the impersonated principal name into the attached SubjectContext" phase of the module. What you need is a acript that picks the added Subject and turns it to an attribute:

	import org.slf4j.*
	import net.shibboleth.idp.attribute.*
	import net.shibboleth.idp.authn.context.SubjectContext
	logger = LoggerFactory.getLogger("org.example.idp.scripted.groovy.impersonatingPrincipalName")
	subjectContext = profileContext.getSubcontext(SubjectContext.class)
	impersonating_principal_name = subjectContext.impersonatingPrincipalName
	logger.debug("impersonating_principal_name: {}", impersonating_principal_name)
	impersonatingPrincipalName.addValue(impersonating_principal_name)

view raw impersonatingPrincipalName.groovy hosted with ❤ by GitHub

Add it to attribute-resolver.xml:

	<AttributeDefinition id="impersonatingPrincipalName" xsi:type="ScriptedAttribute" language="groovy">
	<ScriptFile>%{idp.home}/script/impersonatingPrincipalName.groovy</ScriptFile>
	</AttributeDefinition>

view raw AttributeDefinition.xml hosted with ❤ by GitHub

Of course the attribute format can be embedded in the declaration or be pulled in from a property file in conf/attributes/custom:

	# impersonatingPrincipalName
	id=impersonatingPrincipalName
	transcoder=SAML2StringTranscoder
	displayName.en=impersonatingPrincipalName
	# displayName.bacedifo=if you want bacedifo speakers understand it
	description.en=original impersonating user name
	# description.bacedifo=same as above
	saml2.name=urn:mace:example.org:attribute-def:impersonatingPrincipalName
	saml1.encodeType=false

view raw impersonatingPrincipalName.properties hosted with ❤ by GitHub