feat: allow request uuid to be stored

Introduces a :store_request_uuid option for later comparison with InResponseTo

By default it saves the request uuid in the session as "saml_transaction_id",
but also accepts a proc that will then be called with the uuid for custom storage.

Author: James Edwards-Jones

README.md

@@ -143,6 +143,10 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
 
 * `:uid_attribute` - Attribute that uniquely identifies the user. If unset, the name identifier returned by the IdP is used.
 
+* `:store_request_uuid` - Used to store the request's UUID for later verification of InReponseTo.
+  By default it saves the request uuid in the session as "saml_transaction_id",
+  but also accepts a proc that will then be called with the uuid for custom storage.
+
 * See the `OneLogin::RubySaml::Settings` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for additional supported options.
 
 ## IdP Metadata

lib/omniauth/strategies/saml.rb

@@ -30,15 +30,26 @@ def self.inherited(subclass)
       option :slo_default_relay_state
       option :uid_attribute
       option :idp_slo_session_destroy, proc { |_env, session| session.clear }
+      option :store_request_uuid
 
       def request_phase
         authn_request = OneLogin::RubySaml::Authrequest.new
 
+        store_request_uuid(authn_request.uuid)
+
         with_settings do |settings|
           redirect(authn_request.create(settings, additional_params_for_authn_request))
         end
       end
 
+      def store_request_uuid(uuid)
+        if options.store_request_uuid.respond_to?(:call)
+          options.store_request_uuid.call(uuid)
+        elsif options.store_request_uuid
+          session["saml_transaction_id"] = uuid
+        end
+      end
+
       def callback_phase
         raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing") unless request.params["SAMLResponse"]