apokalipto / devise_saml_authenticatable

Devise SAML 2.0 authentication strategy
MIT License

How Can I use this gem to connect with Okta? #77

Closed sachin-metacube closed 7 years ago

sachin-metacube commented 7 years ago

Please help me with connecting to Okta, is there any example app or guide, please help.

adamstegman commented 7 years ago

I don't have an Okta instance to test with, but I found this documentation: http://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta

If your model is User, try these values in step 7 for a Rails app on your machine:

Follow the normal Usage guide for this gem. Use the values from step 10 in config/initializers/devise.rb:

  config.saml_configure do |settings|
    # ...
    settings.idp_entity_id = "<issuer URL>"
    settings.idp_sso_target_url = "<SAML SSO endpoint>"
    settings.idp_cert_fingerprint = "<Okta certificate fingerprint>"
  end

I don't know how to set up the attribute map for Okta. But if you only need login, you may be able to set config.saml_use_subject to true and make sure your Okta application is set to use the email as the subject.

Let me know how it goes. I'd be pretty excited about getting an Okta guide in the wiki.

sachin-metacube commented 7 years ago

Hi @adamstegman

I am getting this error:

OneLogin::RubySaml::ValidationError in SamlSessionsController#create Issuer of the Assertion not found or multiple.

Here is my configuration, what could be the reason?

{
        issuer: 'http://localhost:3000/',
        assertion_consumer_service_url: 'http://localhost:3000/users/saml/auth',
        assertion_consumer_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        idp_entity_id: 'http://www.okta.com/exk99qjq46HUb7Kf10h7',
        authn_context: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
        name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        security: {
          authn_requests_signed: false,
          logout_requests_signed: false,
          logout_responses_signed: false,
          metadata_signed: false,
          digest_method: XMLSecurity::Document::SHA1,
          signature_method: XMLSecurity::Document::RSA_SHA1
        },
        idp_cert:  <<-CERT.chomp
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
        CERT
      }

adamstegman commented 7 years ago

That means that Okta is not sending an Issuer element, or is sending more than one. A security update in ruby-saml 1.4.0 added this validation to ensure the response is valid.

It might help to inject some code to dump the SAML response as XML so you can get a better idea of what's in it. Look for Issuer elements, or the lack of them. Then opening a support ticket with Okta might help, to ask them how to ensure an Issuer element is present, or how to ensure only one Issuer element is present, depending on what you find.
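
As an added example (not code from the gem, from ruby-saml, or from anyone in this thread), here is a standalone Ruby script for the dump-and-inspect step suggested above: it decodes a SAMLResponse parameter, lists the Issuer elements on the Response and on each Assertion, and reports the same conditions that the ruby-saml 1.4.0 check rejects (an Assertion with zero or multiple Issuers, and an Issuer that does not match the configured idp_entity_id). The sample responses, the entity ID and the function names are constructed for illustration.

```ruby
require "base64"
require "rexml/document"
require "rexml/xpath"

# Standard SAML 2.0 namespace URIs; XPath below matches on these URIs.
SAML_NS = {
  "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
  "saml"  => "urn:oasis:names:tc:SAML:2.0:assertion"
}.freeze

# The SAMLResponse POST parameter is Base64-encoded XML (HTTP-POST binding).
def decode_saml_response(param)
  Base64.decode64(param)
end

# Collect the Issuer values found on the Response and on each Assertion.
def issuer_report(xml)
  doc = REXML::Document.new(xml)
  response_issuers = REXML::XPath.match(doc, "/samlp:Response/saml:Issuer", SAML_NS)
                                 .map { |e| e.text.to_s.strip }
  assertion_issuers = REXML::XPath.match(doc, "/samlp:Response/saml:Assertion", SAML_NS).map do |a|
    REXML::XPath.match(a, "saml:Issuer", SAML_NS).map { |e| e.text.to_s.strip }
  end
  { response: response_issuers, assertions: assertion_issuers }
end

# Apply the rules behind the error quoted in this thread: a Response may carry
# at most one Issuer, every Assertion must carry exactly one, and each Issuer
# must equal the configured idp_entity_id. Returns findings; empty means pass.
def issuer_problems(xml, expected_entity_id)
  report = issuer_report(xml)
  problems = []
  problems << "no Assertion found in Response" if report[:assertions].empty?
  if report[:response].size > 1
    problems << "Issuer of the Response not found or multiple (#{report[:response].size} found)"
  end
  report[:assertions].each_with_index do |issuers, i|
    next if issuers.size == 1
    problems << "Assertion #{i}: Issuer not found or multiple (#{issuers.size} found)"
  end
  (report[:response] + report[:assertions].flatten).each do |iss|
    next if iss == expected_entity_id
    problems << "Issuer #{iss.inspect} does not match idp_entity_id #{expected_entity_id.inspect}"
  end
  problems
end

# Constructed, unsigned sample responses (not real Okta traffic) for exercising the checks.
def sample_response(assertion_issuers:, response_issuer: nil)
  resp_issuer = response_issuer ? "<saml:Issuer>#{response_issuer}</saml:Issuer>" : ""
  assertion_issuer_xml = assertion_issuers.map { |i| "<saml:Issuer>#{i}</saml:Issuer>" }.join
  <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_resp1" Version="2.0" IssueInstant="2017-02-24T11:27:36Z">
      #{resp_issuer}
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
      <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-02-24T11:27:36Z">
        #{assertion_issuer_xml}
        <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
      </saml:Assertion>
    </samlp:Response>
  XML
end

if __FILE__ == $PROGRAM_NAME
  # Placeholder entity ID; in a real app use settings.idp_entity_id from devise.rb.
  expected = "http://www.okta.com/EXAMPLE_ENTITY_ID"
  # Simulate what the controller receives: params[:SAMLResponse] is Base64.
  param = Base64.strict_encode64(sample_response(assertion_issuers: [], response_issuer: expected))
  xml = decode_saml_response(param)
  puts xml
  issuer_problems(xml, expected).each { |p| puts "PROBLEM: #{p}" }
end
```

To use it against a live failure, log `params[:SAMLResponse]` in the controller action that raises, feed it to `decode_saml_response`, and read the printed XML together with the findings; that tells you whether the Assertion has no Issuer, has several, or has one that simply does not match `idp_entity_id`, before you open a ticket with the IdP.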

taylor01 commented 7 years ago

here is a screenshot of a working Okta configuration for a local dev/test configuration.

[screenshot attached: screen shot 2017-02-24 at 11 27 36 am]

khash commented 7 years ago

@taylor01 I have the same setup and can sign in, but can't get the payload custom attributes in (https://github.com/apokalipto/devise_saml_authenticatable/issues/87). Any pointers please?

taylor01 commented 7 years ago

here is a copy of my attribute-map.yml

# attribute-map.yml

  # "urn:mace:dir:attribute-def:uid": "user_name"
  # "urn:mace:dir:attribute-def:email": "email"
  "last_name": "last_name"
  "first_name": "first_name"

adamstegman commented 7 years ago

I added a wiki page to document this: https://github.com/apokalipto/devise_saml_authenticatable/wiki/Okta. Thanks @taylor01 for your help!

Asrani-Aman commented 4 months ago

Can anyone please provide saml_sessions_controller.rb for Okta integration?