J. Scott Johnson edited this page Oct 28, 2016 · 12 revisions

Welcome to the saml_idp wiki!

I'm a relative SAML newbie and I'm attempting to leverage saml_idp to build a Ruby-based IdP where my users can log in via Devise and then other web sites they are trying to use can authenticate against that. I'm attempting to use this wiki to document the process for other people. First of all I'd like to say thank you to Jon Phenow, who has done wonderful work extending the original ruby-saml-idp with all of the back-end work necessary to make this possible.

I would comment that his statement "it should be straight forward ..." is fairly inaccurate. Just the need to mess with x.509 certs means that it's not straightforward. Certs are never simple.

Here's what I have found to be the process for building an IdP:

Step 0 - Install the Gem

Add this line:

gem 'saml_idp'

to your Gemfile and then run bundle install.

Step 1 - Add To Your Routes file

get '/saml/auth' => 'saml_idp#new'
get '/saml/metadata' => 'saml_idp#show'
post '/saml/auth' => 'saml_idp#create'
match '/saml/logout' => 'saml_idp#logout', via: [:get, :post, :delete]

Step 2 - Create a Controller (Inherit From SamlIdp::IdpController, Don't Include It)

Change the include mentioned in the readme to an inherit - See: https://github.com/sportngin/saml_idp/issues/57

class SamlIdpController < SamlIdp::IdpController

  # Called by SamlIdp::IdpController#create with the submitted credentials.
  # Return the user on success or nil on failure (the gem then re-renders the login form).
  # User.by_email is assumed to be a scope on your own model; valid_password? comes from Devise.
  def idp_authenticate(email, password) # not using params intentionally
    user = User.by_email(email).first
    user && user.valid_password?(password) ? user : nil
  end
  private :idp_authenticate

  # Builds the SAML Response for the user that idp_authenticate returned.
  def idp_make_saml_response(found_user) # not using params intentionally
    # NOTE encryption is optional; the SP's public cert comes from its registered metadata
    encode_response found_user, encryption: {
      cert: saml_request.service_provider.cert,
      block_encryption: 'aes256-cbc',
      key_transport: 'rsa-oaep-mgf1p'
    }
  end
  private :idp_make_saml_response

  # Handles a LogoutRequest; the NameID identifies the user being logged out.
  # by_email returns a relation, so take .first as in idp_authenticate and guard against no match.
  # User#logout is your own model method for ending the session.
  def idp_logout
    user = User.by_email(saml_request.name_id).first
    user.logout if user
  end
  private :idp_logout
end

Step 3 - Test the Controller in Development Mode

Go to http://localhost:YOUR_PORT/saml/metadata

You should see a large XML response (the IdP's SAML metadata). If you do, the gem is wired up and actually working.
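A way to check that "big XML response" beyond eyeballing it, as an added example that is not part of this wiki or of the saml_idp gem: parse the metadata with Ruby's stdlib, pull out the entityID, the SSO endpoints and the signing certificate, and confirm the certificate is inside its validity window (an expired signing cert is the classic reason an SP suddenly rejects every assertion). The metadata shape and the self-signed certificate used as a fixture are constructed here, and the localhost:3000 URLs are assumed; point inspect_idp_metadata at the body you fetch from your own /saml/metadata instead.

```ruby
require 'openssl'
require 'rexml/document'

NS = { 'md' => 'urn:oasis:names:tc:SAML:2.0:metadata',
       'ds' => 'http://www.w3.org/2000/09/xmldsig#' }.freeze

# Parse the XML served at /saml/metadata: pull out the entityID, the SSO
# endpoints and the signing certificate, and report whether that certificate
# is inside its validity window. Raises on anything an SP could not consume.
def inspect_idp_metadata(xml, now: Time.now)
  root = REXML::Document.new(xml).root
  raise 'root element is not EntityDescriptor' unless root && root.name == 'EntityDescriptor'
  idp = REXML::XPath.first(root, 'md:IDPSSODescriptor', NS)
  raise 'no IDPSSODescriptor (SP metadata, not IdP metadata?)' unless idp
  sso = REXML::XPath.match(idp, 'md:SingleSignOnService', NS)
                    .map { |e| [e.attributes['Binding'], e.attributes['Location']] }.to_h
  raise 'no SingleSignOnService endpoint' if sso.empty?
  b64 = REXML::XPath.first(idp, "md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
  raise 'no signing certificate in KeyDescriptor' unless b64
  cert = OpenSSL::X509::Certificate.new(b64.text.delete(" \t\r\n").unpack1('m'))
  { entity_id: root.attributes['entityID'], sso: sso, subject: cert.subject.to_s,
    cert_valid: cert.not_before <= now && now <= cert.not_after,
    days_left: ((cert.not_after - now) / 86_400).floor }
end

# Constructed fixtures (not real saml_idp output): a throwaway self-signed
# certificate wrapped in the minimal metadata shape an IdP publishes.
def self_signed_cert(days)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=idp.example.test')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256')) # returns the signed cert
end

def sample_metadata(cert, entity_id = 'http://localhost:3000/saml/metadata')
  <<~XML
    <EntityDescriptor xmlns="#{NS['md']}" entityID="#{entity_id}">
      <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing"><KeyInfo xmlns="#{NS['ds']}"><X509Data>
          <X509Certificate>#{[cert.to_der].pack('m0')}</X509Certificate>
        </X509Data></KeyInfo></KeyDescriptor>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:3000/saml/auth"/>
      </IDPSSODescriptor>
    </EntityDescriptor>
  XML
end
```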

Step 4 - Note This Only Works in Production and Development

Don't try to run this on a staging server -- it doesn't work and you will get undefined method `make_response!' for SamlIdpController:Class

I don't understand why, but when I moved my staging server, on a hunch, over to production, it worked perfectly. Welcome to bizarroville.

Step 5 - Getting Your Data Into the /saml/metadata URL

This is the stage I'm up to now. More when I get there.
