idp cert changes

Gemfile

@@ -135,7 +135,7 @@ gem 'stripe'
 ## to populate db with sample data
 gem 'faker'
 
-gem 'ruby-saml', '~> 1.11.0'
+gem 'ruby-saml', '~> 1.14'
 
 group :production, :staging do
   # we dont want request timing out in development while using byebug

Gemfile.lock

@@ -427,14 +427,14 @@ GEM
     netrc (0.11.0)
     newrelic_rpm (8.9.0)
     nio4r (2.5.8)
-    nokogiri (1.13.7)
+    nokogiri (1.13.8)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    nokogiri (1.13.7-arm64-darwin)
+    nokogiri (1.13.8-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.13.7-x86_64-darwin)
+    nokogiri (1.13.8-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.13.7-x86_64-linux)
+    nokogiri (1.13.8-x86_64-linux)
       racc (~> 1.4)
     oauth (0.5.10)
     orm_adapter (0.5.0)
@@ -558,8 +558,9 @@ GEM
     rubocop-rspec (2.12.1)
       rubocop (~> 1.31)
     ruby-progressbar (1.11.0)
-    ruby-saml (1.11.0)
-      nokogiri (>= 1.5.10)
+    ruby-saml (1.14.0)
+      nokogiri (>= 1.10.5)
+      rexml
     ruby-vips (2.1.4)
       ffi (~> 1.12)
     ruby2_keywords (0.0.5)
@@ -775,7 +776,7 @@ DEPENDENCIES
   rubocop-performance
   rubocop-rails
   rubocop-rspec
-  ruby-saml (~> 1.11.0)
+  ruby-saml (~> 1.14)
   scout_apm
   seed_dump
   sentry-rails (~> 5.3)

app/controllers/saml_controller.rb

@@ -9,7 +9,7 @@ class SamlController < ApplicationController
   end
 
   def consume
-    response          = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
+    response          = OneLogin::RubySaml::Response.new(params['SAMLResponse'])
     response.settings = saml_settings
 
     # We validate the SAML Response and check if the user already exists in the system
@@ -18,35 +18,60 @@ class SamlController < ApplicationController
       session[:userid] = response.nameid
       session[:attributes] = response.attributes
     else
-      ChatwootExceptionTracker.new(response.errors, account: Account.first).capture_exception # This method shows an error message
-
-      # List of errors is available in response.errors array
+      Rails.logger.error response.errors
     end
   end
 
+  def metadata
+    settings = saml_settings
+    meta = OneLogin::RubySaml::Metadata.new
+    render xml: meta.generate(settings, true)
+  end
+
+  def logout
+    # If we're given a logout request, handle it in the IdP logout initiated method
+    idp_logout_request
+  end
+
+  # Method to handle IdP initiated logouts
+  def idp_logout_request
+    settings = saml_settings
+    logout_request = OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest], settings: settings)
+    unless logout_request.is_valid?
+      error_msg = "IdP initiated LogoutRequest was not valid!. Errors: #{logout_request.errors}"
+      Rails.logger.error error_msg
+      render inline: error_msg
+    end
+    Rails.logger.info "IdP initiated Logout for #{logout_request.nameid}"
+
+    # Actually log out this session
+    reset_session
+
+    logout_response = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request.id, nil, RelayState: params[:RelayState])
+    redirect_to logout_response
+  end
+
   private
 
   def saml_settings
     settings = OneLogin::RubySaml::Settings.new
 
-    settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-    settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
-    settings.idp_entity_id                  = 'https://app.onelogin.com/saml/metadata/1835014'
-    settings.idp_sso_target_url            = 'https://app.onelogin.com/trust/saml2/http-post/sso/1835014'
-    settings.idp_slo_target_url            = 'https://app.onelogin.com/trust/saml2/http-redirect/slo/1835014'
-    settings.name_identifier_format = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+    settings.soft = true
 
-    # Optional for most SAML IdPs
-    settings.authn_context = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
-    # or as an array
-    settings.authn_context = [
-      'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
-      'urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
-    ]
+    settings.assertion_consumer_service_url = 'https://staging.chatwoot.com/saml/consume'
+    settings.sp_entity_id                   = 'https://staging.chatwoot.com/saml/metadata'
+
+    settings.idp_entity_id                  = 'https://app.onelogin.com/saml2'
+    settings.idp_sso_target_url             = 'https://chatwoot-dev.onelogin.com/trust/saml2/http-redirect/sso/ef91ee22-a899-4a96-8329-0381dbdf71cf'
+    settings.idp_slo_target_url             = 'https://chatwoot-dev.onelogin.com/trust/saml2/http-redirect/slo/1857853'
+
+    settings.name_identifier_format         = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+    settings.idp_cert_fingerprint           = 'FD:17:5E:81:F8:F5:88:EF:21:AB:94:44:3E:4A:C4:72:94:E2:63:AE'
+    settings.idp_cert_fingerprint_algorithm = 'http://www.w3.org/2000/09/xmldsig#sha1'
 
     # Optional bindings (defaults to Redirect for logout POST for ACS)
     settings.single_logout_service_binding      = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' # or :post, :redirect
-    settings.assertion_consumer_service_binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' # or :post, :redirect
+    settings.assertion_consumer_service_binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' # or :post, :redirect
 
     settings
   end

config/routes.rb

@@ -231,6 +231,8 @@ Rails.application.routes.draw do
   resources :saml, only: [:index] do
     collection do
       post :consume
+      get :metadata
+      get :logout
     end
   end