-
Notifications
You must be signed in to change notification settings - Fork 182
Home
Welcome to the saml_idp wiki!
I'm a relative SAML Newbie and I'm attempting to leverage saml_idp to build a ruby based idp where my users can login via devise and then other web sites they are trying to use can authenticate against that. I'm attempting to use this wiki to document the process for other people. First of all I'd like to say thank you to Jon Phenow who has done wonderful work extending the original ruby-saml-idp with all of the back end work necessary to make this possible.
I would comment that his statement "it should be straight forward ..." is fairly inaccurate. Just the need to mess with x.509 certs means that its not straight forward. Certs are never simple.
Here's what I have found to be the process for building an IdP:
Add this:
gem 'saml_idp'
to Gemfile and then bundle install
get '/saml/auth' => 'saml_idp#new'
get '/saml/metadata' => 'saml_idp#show'
post '/saml/auth' => 'saml_idp#create'
match '/saml/logout' => 'saml_idp#logout', via: [:get, :post, :delete]
Change the include mentioned to the readme to an inherit - See: https://github.com/sportngin/saml_idp/issues/57
class SamlIdpController < SamlIdp::IdpController
def idp_authenticate(email, password) # not using params intentionally
user = User.by_email(email).first
user && user.valid_password?(password) ? user : nil
end
private :idp_authenticate
def idp_make_saml_response(found_user) # not using params intentionally
# NOTE encryption is optional
encode_response found_user, encryption: {
cert: saml_request.service_provider.cert,
block_encryption: 'aes256-cbc',
key_transport: 'rsa-oaep-mgf1p'
}
end
private :idp_make_saml_response
def idp_logout
user = User.by_email(saml_request.name_id)
user.logout
end
private :idp_logout
end
Note: You are going to need to define a class method called by_email on your user model for this to work.
Goto:
http://localhost:YOUR_PORT/saml/metadata
And you should see some big XML response. If you do then this is actually working.
Don't try and run this on a staging server -- it doesn't work and you will get this error: undefined method `make_response!' for SamlIdpController:Class
I don't understand why but when I moved my staging server, on a hunch, over to production it worked perfectly. Welcome to bizarroville; crap happens.
In the directory config/initializers you want to create saml.rb with the contents that Jon describes on the home page. Don't screw up and put it in config as I did or you'll then spend quite a bit of time scratching your head going "why aren't my changes showing up". Initializers are loaded ONLY at startup so shut down your script/server and then restart it. And go back to the /saml/metadata url and you'll likely get this error:
OpenSSL::PKey::RSAError in SamlIdpController#show
Neither PUB key nor PRIV key: nested asn1 error
Despite being an error, that's actually a huge win since it indicates progress. I'm off to solve that now.
This is the stage I'm up to now. More when I get there.