Ruby SAML
| Upstream URL | Security Risk | Abandonment Risk |
|---|---|---|
| https://github.com/SAML-Toolkits/ruby-saml | Very High | Very Low |
External contacts
The maintainer is reachable via the public GitHub issue tracker. Security reports are taken via GHSA.
Security posture
This gem implements the core SAML authentication logic used by the OmniAuth SAML strategy, which MoR relies on to authenticate administrators. It is therefore of critical importance to the security of MoR. A sign-in bypass could expose every part of the storefront to a third-party attacker, including customer addresses, order histories, and API credentials for Stripe, Facebook, and others.
Abandonment risk
The primary maintainer runs his own consultancy around SAML. It is very unlikely that the gem will be abandoned.
It would be great to financially support ruby-saml when we are able to do so.
Versioning policy
Updates will be picked up by bundle during our monthly updates. We are not directly pinning any specific version, though OmniAuth SAML is doing so.
According to the gem's own documentation, any update, even a patch release, may contain breaking changes. We must be careful to test all SAML flows whenever we update the gem.