update saml controller and views

because of using another gem (saml_idp)

app/controllers/saml_idp_controller.rb

@@ -1,28 +1,38 @@
 class SamlIdpController < ActionController::Base
   include SamlIdp::Controller
 
-  before_action :validate_saml_request
-
   def new
-    if super_admin_signed_in?
+    if validate_saml_request
-      @saml_response = encode_SAMLResponse(current_super_admin.email, saml_attributes)
+      render template: 'saml_idp/new'
-      render :template => "saml_idp/idp/saml_post", :layout => false
     else
-      redirect_to root_path, alert: t("errors.messages.saml_not_authorized")
+      head :forbidden
     end
   end
 
-  def metadata
+  def show
-    render layout: false, content_type: "application/xml", formats: :xml
+    render xml: SamlIdp.metadata.signed
+  end
+
+  def create
+    if validate_saml_request
+      if super_admin_signed_in?
+        @saml_response = idp_make_saml_response(current_super_admin)
+        render template: 'saml_idp/saml_post', layout: false
+      else
+        redirect_to root_path, alert: t("errors.messages.saml_not_authorized")
+      end
+    else
+      head :forbidden
+    end
   end
 
   private
 
-  def saml_attributes
+  def idp_make_saml_response(super_admin)
-    admin_attributes = %[<saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>#{current_super_admin.email}</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>ds|#{current_super_admin.id}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>]
+    encode_response super_admin, encryption: {
-    {
+      cert: saml_request.service_provider.cert,
-      issuer_uri: saml_auth_url,
+      block_encryption: 'aes256-cbc',
-      attributes_provider: admin_attributes
+      key_transport: 'rsa-oaep-mgf1p'
     }
   end
 end

app/views/saml_idp/new.html.erb

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+  </head>
+  <body onload="document.forms[0].submit();" style="visibility:hidden;">
+    <%= form_tag do %>
+      <%= hidden_field_tag("SAMLRequest", params[:SAMLRequest]) %>
+      <%= hidden_field_tag("RelayState", params[:RelayState]) %>
+    <% end %>
+  </body>
+</html>

app/views/saml_idp/saml_post.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+  </head>
+  <body onload="document.forms[0].submit();" style="visibility:hidden;">
+    <%= form_tag(saml_acs_url) do %>
+      <%= hidden_field_tag("SAMLResponse", @saml_response) %>
+      <%= hidden_field_tag("RelayState", params[:RelayState]) %>
+      <%= submit_tag "Submit" %>
+    <% end %>
+  </body>
+</html>

config/routes.rb

@@ -3,7 +3,7 @@ Rails.application.routes.draw do
 
   get '/saml/auth' => 'saml_idp#new'
   post '/saml/auth' => 'saml_idp#create'
-  get '/saml/metadata' => 'saml_idp#metadata'
+  get '/saml/metadata' => 'saml_idp#show'
 
   #
   # Manager

spec/controllers/saml_idp_controller_spec.rb

@@ -1,23 +1,50 @@
 describe SamlIdpController do
+  before do
+    allow_any_instance_of(SamlIdpController).to receive(:validate_saml_request).and_return(valid_saml_request)
+  end
+
   describe '#new' do
     let(:action) { get :new }
 
-    context 'without superadmin connected' do
+    context 'with invalid saml request' do
-      it { expect(action).to redirect_to root_path }
+      let(:valid_saml_request) { false }
-
+      it { expect(action).to have_http_status(:forbidden) }
-      it "display alert" do
-        action
-        expect(flash[:alert]).to eq("Vous n’êtes pas autorisé à accéder à ce service.")
-      end
     end
 
-    context 'with superadmin connected' do
+    context 'with valid saml request' do
-      let(:superadmin) { create(:super_admin) }
+      let(:valid_saml_request) { true }
-      before { sign_in superadmin }
 
-      it 'encode saml response' do
+      it { expect(action).to have_http_status(:ok) }
-        expect(subject).to receive(:encode_SAMLResponse).with(superadmin.email, anything())
+    end
-        action
+  end
+  describe '#create' do
+    let(:action) { post :create }
+
+    context 'with invalid saml request' do
+      let(:valid_saml_request) { false }
+      it { expect(action).to have_http_status(:forbidden) }
+    end
+
+    context 'with valid saml request' do
+      let(:valid_saml_request) { true }
+
+      context 'without superadmin connected' do
+        it { expect(action).to redirect_to root_path }
+
+        it "display alert" do
+          action
+          expect(flash[:alert]).to eq("Vous n’êtes pas autorisé à accéder à ce service.")
+        end
+      end
+
+      context 'with superadmin connected' do
+        let(:superadmin) { create(:super_admin) }
+        before { sign_in superadmin }
+
+        it 'encode saml response' do
+          expect(subject).to receive(:idp_make_saml_response).with(superadmin)
+          action
+        end
       end
     end
   end