Class: Users::SamlSessionsController

Inherits: Devise::SamlSessionsController < Object

Defined in: app/controllers/users/saml_sessions_controller.rb


Instance Method Details

#after_sign_in_check ⇒ Object

On the initial return from the SSO provider the browser does not send its cookies along with the request (cross-site cookie protections against CORS/CSRF/XSS abuse). Instead, after the sign-in we redirect the user to this endpoint, where the cookies are sent, so we can check whether we were supposed to sign them in for a different community.

# File 'app/controllers/users/saml_sessions_controller.rb', line 32

def after_sign_in_check
  if cookies.encrypted[:signing_in_for].present? &&
     cookies.encrypted[:signing_in_for] != RequestContext.community_id
    (current_user)
    return
  end

  return unless (current_user, true)

  redirect_to (current_user)
end

#create ⇒ Object

This method is almost the same as Users::SessionsController#create, and any changes made here should probably also be applied there.

# File 'app/controllers/users/saml_sessions_controller.rb', line 18

def create
  super do |user|
    return unless (user, false)

    # SSO only: redirect to a filler endpoint to actually get the client's cookie values (they are not sent to us here).
    # We need to check the cookies because we may be signing in for another community.
    redirect_to 
    return
  end
end

#new ⇒ Object

Called when someone is redirected to sign into the application using SSO/SAML.

# File 'app/controllers/users/saml_sessions_controller.rb', line 3

def new
  # If this is not the base community, then redirect them there for the sign in
  base = base_community
  if base.id != RequestContext.community_id
    redirect_to "//#{base.host}#{(RequestContext.community_id)}",
                allow_other_host: true
    return
  end

  # If we are the base community, use normal behavior
  super
end

#sign_in_request_from_other ⇒ Object

Another community requests to sign in via this community.

# File 'app/controllers/users/saml_sessions_controller.rb', line 45

def sign_in_request_from_other
  # Check whether the requested community actually exists
  unless Community.exists?(params[:id])
    raise ArgumentError, 'User is trying to sign in to non-existing community'
  end

  # Store in a cookie which community we are signing in for, so that we can redirect back after the sign-in.
  cookies.encrypted[:signing_in_for] = {
    value: params[:id],
    httponly: true,
    expires: 15.minutes.from_now
  }

  # If already signed in, sign them in to the other community as well. Otherwise redirect to the SAML sign-in.
  if user_signed_in?
    (current_user)
  else
    redirect_to new_saml_user_session_path
  end
end

#sign_in_return_from_base ⇒ Object

The user was signed in at the base community; now sign them in here.

# File 'app/controllers/users/saml_sessions_controller.rb', line 67

def sign_in_return_from_base
  # Figure out which user was signed in.
  # If we get a blank result then the message is either too old or the user tampered with it.
   = (params[:message])
  if .blank?
    flash[:notice] = nil
    flash[:danger] = 'Something went wrong signing in, please try again.'
    redirect_to root_path
    # Stop here: without this return the method falls through to the lookup below and double-renders.
    return
  end

  # Determine the user we are trying to sign in as and report an error if we can't
  user = User.find()
  if user.nil?
    flash[:notice] = nil
    flash[:danger] = 'Something went wrong signing in, please contact support.'
    redirect_to root_path
    return
  end

  # Actually sign in the user and handle the post-sign-in behavior
  (user)
  return unless (user, true)

  # Finish with default devise behavior for sign ins
  redirect_to (user)
end
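The return endpoint above trusts `params[:message]` only after decoding it, and treats a blank result as "too old or tampered with". The following is an added example of what such a message check needs in order to be safe; it is not QPixel's code and the `SignInMessage` module, its hex-plus-HMAC format, the `MAX_AGE` constant (chosen to match the 15-minute `signing_in_for` cookie lifetime shown in `sign_in_request_from_other`) and the `outcome` decision helper are all assumptions. It binds the message to the community it was issued for, checks the HMAC in constant time before parsing anything, rejects messages outside the validity window, and mirrors the controller's two failure branches (retry vs. contact support).

```ruby
require 'openssl'
require 'json'

# Hypothetical helper (not the project's own code): a signed, time-limited
# message that the base community hands to the requesting community in the URL.
module SignInMessage
  # Validity window in seconds; assumed to match the 15-minute cookie lifetime.
  MAX_AGE = 15 * 60

  # Build "payload.signature": payload is hex-encoded JSON, signature is HMAC-SHA256.
  def self.encode(secret, user_id:, community_id:, now: Time.now.to_i)
    json = { 'user_id' => user_id, 'community_id' => community_id, 'iat' => now }.to_json
    payload = json.unpack1('H*')
    "#{payload}.#{hmac(secret, payload)}"
  end

  # Returns the user id, or nil when the message is malformed, tampered with,
  # issued for a different community, or outside the validity window.
  def self.decode(secret, message, community_id:, now: Time.now.to_i)
    return nil unless message.is_a?(String)
    payload, sig = message.split('.', 2)
    return nil if payload.nil? || sig.nil?
    # Verify before parsing so untrusted bytes never reach the JSON parser.
    return nil unless secure_equal?(hmac(secret, payload), sig)

    data = JSON.parse([payload].pack('H*').force_encoding('UTF-8'))
    return nil unless data['community_id'] == community_id
    age = now - data['iat'].to_i
    return nil if age.negative? || age > MAX_AGE

    data['user_id']
  rescue JSON::ParserError, ArgumentError
    nil
  end

  # Mirrors the controller's decision tree for the return endpoint.
  # users: constructed lookup table standing in for User.find.
  def self.outcome(secret, message, community_id:, users:, now: Time.now.to_i)
    user_id = decode(secret, message, community_id: community_id, now: now)
    return :retry if user_id.nil?           # stale or tampered: "please try again"
    user = users[user_id]
    return :contact_support if user.nil?    # valid signature, unknown user
    user
  end

  def self.hmac(secret, payload)
    OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  end

  # Constant-time comparison so signature checks do not leak via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-demo-secret' # constructed; a real deployment uses a per-app secret
  msg = SignInMessage.encode(secret, user_id: 42, community_id: 7)
  p SignInMessage.outcome(secret, msg, community_id: 7, users: { 42 => 'alice' })
  p SignInMessage.outcome(secret, msg, community_id: 8, users: { 42 => 'alice' })
end
```

The order of checks is the point: signature first, then community binding, then age. A message minted for community 7 cannot be replayed against community 8, and a captured message expires with the same window as the cookie that started the flow.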