apokalipto / devise_saml_authenticatable

Devise SAML 2.0 authentication strategy
MIT License

Cooperation with WSO2 Identity Server - Part of attributes outside the saml2:Subject #143

Closed BSorbus closed 5 years ago

BSorbus commented 5 years ago

Hi,

How do I map the attributes from the WSO2 Identity Server (5.7) to the model, and how do I configure Devise?

Response from WSO2IS:

```xml
...
<saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ror@email.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="_14594aff-0ed0-418f-9945-7efaf88842d1"
        NotOnOrAfter="2019-04-23T08:37:42.914Z" Recipient="http://localhost:3000/users/saml/auth"/></saml2:SubjectConfirmation>
</saml2:Subject>
...
<saml2:AttributeStatement>
    <saml2:Attribute Name="givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ror-first-name</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ror@email.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ror_profile_name</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ror_profile_name</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>
```

attribute-map.yml:

```yaml
"emailaddress": "email"
"givenname": "first_name"
"lastname": "last_name"
"username": "username"
```

...did not work.

(Rails 5.2.3, Ruby 2.5.3, WSO2IS 5.7)
adamstegman commented 5 years ago

Can you clarify what you mean when you say it did not work? What specific results were you looking for and what did you get? Was this for a new user or an existing user? Was anything logged out (for instance)?

You may need to add in some logging to discover what attributes are actually found in the SAML response. For instance, you could create your own user update hook and log out each attribute that's attempted: https://github.com/apokalipto/devise_saml_authenticatable/blob/3934b53af92a4ea91b3d3c266535c020a4b807c9/lib/devise_saml_authenticatable.rb#L98.

BSorbus commented 5 years ago

And it became clear!

When I first logged in, I had set WSO2 to pass only "nameID" (emailAddress). My mistake! The attribute-map mechanism works great!
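To make the resolution above concrete, here is an added stand-alone example (not code from devise_saml_authenticatable) that applies the issue's attribute-map to an assertion shaped like the quoted WSO2 response. It shows that the NameID comes from `saml2:Subject` while every mapped field comes from `saml2:AttributeStatement`, so an IdP configured to release only the NameID leaves all mapped fields unset. The XML sample is constructed, and the parsing uses Ruby's bundled REXML rather than the gem's own response class.

```ruby
require 'rexml/document'
SAML_NS = { 'saml2' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# Constructed sample modelled on the assertion quoted in the issue (not real data).
FULL_ASSERTION = <<~XML
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ror@email.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="givenname"><saml2:AttributeValue>ror-first-name</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="emailaddress"><saml2:AttributeValue>ror@email.com</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="username"><saml2:AttributeValue>ror_profile_name</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="lastname"><saml2:AttributeValue>ror_profile_name</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
XML

# The same assertion as the IdP sends it when configured to release only the NameID.
NAMEID_ONLY_ASSERTION = FULL_ASSERTION.sub(%r{<saml2:AttributeStatement>.*</saml2:AttributeStatement>}m, '')

# The attribute-map.yml from the issue as a Ruby hash: SAML attribute name => model field.
ATTRIBUTE_MAP = {
  'emailaddress' => 'email', 'givenname' => 'first_name',
  'lastname' => 'last_name', 'username' => 'username'
}.freeze

# The NameID lives in saml2:Subject; user attributes live in saml2:AttributeStatement.
def name_id(xml)
  node = REXML::XPath.first(REXML::Document.new(xml), '//saml2:Subject/saml2:NameID', SAML_NS)
  node && node.text
end

# Collect every attribute the IdP released: Name => [values].
def saml_attributes(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//saml2:AttributeStatement/saml2:Attribute', SAML_NS).to_h do |attr|
    [attr.attributes['Name'], REXML::XPath.match(attr, 'saml2:AttributeValue', SAML_NS).map(&:text)]
  end
end

# Apply the map; returns [mapped model fields, mapped fields the IdP did not release].
def map_attributes(xml, map = ATTRIBUTE_MAP)
  attrs = saml_attributes(xml)
  mapped, missing = {}, []
  map.each do |saml_name, field|
    next missing << field unless attrs.key?(saml_name)
    mapped[field] = attrs[saml_name].first
  end
  [mapped, missing]
end
```

Running `map_attributes` on the NameID-only variant returns an empty mapping with all four fields listed as missing, which is exactly the "did not work" symptom from the first post.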