OmniAuth WS-Fed

The OmniAuth-WSFed authentication strategy can be used with the following technologies under scenarios requiring the WS-Federation protocol for authentication. These services are typically used for Identity Federation and Single Sign-On across large organizations or authentication domains.

• Windows Azure ACS
• ADFS 2.0
• Corporate Secure Token Servers (STSs)

Installation

Add this line to your application's Gemfile:

    gem 'omniauth-wsfed'

And then execute:

$ bundle install

Or install it globally as:

$ gem install omniauth-wsfed

Configuration

Use the WSFed strategy as a middleware in your application:

require 'omniauth'

use OmniAuth::Strategies::WSFed,
  :issuer_name           => "http://your-azure-acs-namespace.accesscontrol.windows.net",
  :issuer                => "https://your-azure-acs-namespace.accesscontrol.windows.net/v2/wsfederation",
  :realm                 => "http://my.relyingparty/realm",
  :reply                 => "http://localhost:3000/auth/wsfed/callback",
  :id_claim              => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  :idp_cert_fingerprint  => "FC96D2983…"

or in your Rails application:

in Gemfile:

gem 'omniauth-wsfed'

and in config/initializers/omniauth.rb:

Rails.application.config.middleware.use OmniAuth::Builder do

  provider :wsfed,
    :issuer_name           => "http://your-azure-acs-namespace.accesscontrol.windows.net",
    :issuer                => "https://your-azure-acs-namespace.accesscontrol.windows.net/v2/wsfederation",
    :realm                 => "http://my.relyingparty/realm",
    :reply                 => "http://localhost:3000/auth/wsfed/callback",
    :id_claim              => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    :idp_cert_fingerprint  => "FC96D2983…"

end

Configuration Options

• :issuer_name - The URI name of your Identity Provider (IdP). Required

• :issuer - The IdP web endpoint (URL) to which the authentication request should be sent. Required.

• :idp_cert_fingerprint - The SHA1 fingerprint of the IdP's signing certificate (e.g. "90:CC:16:F0:8D:…"). This is provided by the IdP when setting up the trust relationship. This option or :idp_cert must be present.

• :idp_cert - The IdP's certificate in PEM format. This option or :idp_cert_fingerprint must be present.

• :realm - Your site's security realm. This is a URI defining the realm to which the IdP must issue a secure token. Required

• :reply - The reply-to URL in your application for which a WSFed response should be posted. Defaults to the OmniAuth callback URL. Optional

• :id_claim - Name of the authentication claim that you want to use as OmniAuth's uid property.

• :saml_version - The version of SAML tokens. Defaults to 2.

Authors and Credits

Authored by Keith Beckman.

Special thanks to the developers of the following projects from which I borrowed from for omniauth-wsfed:

• PracticallyGreen / omniauth-saml
• onelogin / ruby-saml