[Doc] Rails_Integration behavior changed in v1.0.0 #244

@taketo1113

Description

In saml_idp v1.0.0, the automatic head :forbidden response when SAML request validation fails has been removed.
As a result, the sample code on the Rails_Integration documentation (Wiki) page no longer behaves as expected.

Expected behavior

When SAML request validation fails, the response should be HTTP 403 (Forbidden).

Actual behavior

When SAML request validation fails, the response is HTTP 200 (OK).

Proposed fix

I do not have permission to edit the Wiki, so I am describing a proposed change here.

Since validate_saml_request no longer returns a head :forbidden response, I updated the sample code to render an error message with an HTTP 403 status in each action (:new, :create, and :logout) instead of relying on a before_action callback.

# How to integrate with Rails app
...
## Create your new controller for your SAML IdP feature
...
     protect_from_forgery
 
-    before_action :validate_saml_request, only: [:new, :create, :logout]
-
     def new
-      render template: "saml_idp/idp/new"
+      if validate_saml_request
+        render template: "saml_idp/idp/new"
+      else
+        @saml_idp_fail_msg = "Invalid SAML Request."
+        render template: "saml_idp/idp/new", status: :forbidden
+      end
     end
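Review bot: the new branch treats `validate_saml_request` as a predicate, but the description only states that the `head :forbidden` side effect was removed in v1.0.0; confirm, and state in the wiki text, that the method now returns a boolean rather than raising or returning nil on success, since `if validate_saml_request` silently takes the 403 path for any falsy return. The failure branch also re-renders `saml_idp/idp/new` with `@saml_idp_fail_msg`; if that template shows the login form as well, the sample should either hide the form when the failure message is set or render a dedicated error template, so a rejected request does not still present a credential prompt.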
... 
     def create
-      unless params[:email].blank? && params[:password].blank?
-        person = idp_authenticate(params[:email], params[:password])
-        if person.nil?
-          @saml_idp_fail_msg = "Incorrect email or password."
-        else
-          @saml_response = idp_make_saml_response(person)
-          render :template => "saml_idp/idp/saml_post", :layout => false
-          return
-        end
+      unless validate_saml_request
+        @saml_idp_fail_msg = "Invalid SAML Request."
+        render template: "saml_idp/idp/new", status: :forbidden
+        return
       end
-      render :template => "saml_idp/idp/new"
+
+      person = idp_authenticate(params[:email], params[:password])
+      if person.nil?
+        @saml_idp_fail_msg = "Incorrect email or password."
+        render template: "saml_idp/idp/new", status: :unprocessable_content # if use rack 3.0 and below, use `status: :unprocessable_entity`
+        return
+      end
+
+      @saml_response = idp_make_saml_response(person)
+      render template: "saml_idp/idp/saml_post", layout: false
     end
 
     def logout
       idp_logout
       @saml_response = idp_make_saml_response(nil)
-      render :template => "saml_idp/idp/saml_post", :layout => false
+      render template: "saml_idp/idp/saml_post", layout: false
     end
 
     def idp_logout
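Review bot: the `logout` action only changes its `render` keyword syntax, so with the `before_action` removed it no longer validates the SAML request at all, although the description says validation moved into `:new`, `:create` and `:logout`; add the same `unless validate_saml_request ... status: :forbidden` guard at the top of `logout`, before `idp_logout` runs. In `create`, dropping the `unless params[:email].blank? && params[:password].blank?` guard means `idp_authenticate` is now called with blank credentials on an empty submission and answers "Incorrect email or password." instead of simply re-rendering the form; that is acceptable but should be mentioned in the wiki text. The trailing `# if use rack 3.0 and below ...` comment on the `:unprocessable_content` line belongs in the prose rather than the snippet, since readers copy the sample verbatim.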
...

I have attached a git patch file for the changes described above.
