Open codeboxanvo opened 8 years ago
It looks like you should be able to use Omniauth's setup phase to do this: https://github.com/intridea/omniauth/wiki/Setup-Phase
Hi @md5 thanks for your suggestions. I manipulate the setup phase like this:
def saml_setup
  # Resolve the tenant from the request's subdomain; `sub_domain` is a helper
  # defined elsewhere in the application.
  company = Company.find_by_sub_domain(sub_domain)
  settings = company.company_auth_provider.auth_settings
  # Override the strategy's IdP settings for this request
  strategy = request.env['omniauth.strategy']
  strategy.options[:idp_cert_fingerprint] = settings.idp_cert_fingerprint
  strategy.options[:idp_sso_target_url] = settings.idp_sso_target_url
  # The setup endpoint answers 404 so OmniAuth continues with the request phase
  render text: "saml setup phase.", status: 404
end
But somehow, it could not decrypt the response:
Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Invalid Signature on SAML Response
Any idea?
@vuhailuyen1991 It looks like you configured it using setup: true and adding a route for /auth/saml/setup that points to your saml_setup action.
Did you see a redirect to the correct :idp_sso_target_url and it's just the signature validation that's failing?
FWIW - I was able to get multiple IDPs working using the Omniauth setup phase with URL path segments rather than subdomains e.g. http://myapp.com/users/auth/saml/a5749671-b208-408f-94b8-ffa31a845f05. Using subdomains wasn't feasible for me due to our DNS setup. A gist with details can be found here. You'll probably need to pull in https://github.com/PracticallyGreen/omniauth-saml/pull/56 so options aren't accidentally shared across requests.
Have any idea how to generate idp_sso_target_url?
@Rajniktc :idp_sso_target_url should be given to you by your IdP.
Thank you @md5.
That was my mistake.
I need the following information for our application.
Any idea how to generate it, or should this information be provided by the IdP?
idp_cert
idp_cert_fingerprint
idp_cert_fingerprint_validator
Your IdP should give you either the :idp_cert or the :idp_cert_fingerprint. You only need one of them, not both.
You probably don't need :idp_cert_fingerprint_validator. That option takes a function for checking if a fingerprint is valid and is used if your SP expects to receive responses signed by different IdPs. The use case for that option is described in #31.
We need to test our application with a testing IdP. Is any IdP available for testing?
How would you configure this for Devise integration and multiple IdPs?
Never mind. I omitted the config in the devise.rb file and it works.
@medexdev do you mean that for multiple IdPs and Devise you don't provide the config info inside devise.rb?
Yes. Do not provide config info inside devise.rb. Use the gist provided by @jturkel. That works for me.
You can also use the https://github.com/salsify/omniauth-multi-provider gem.
Hi, is ":idp_sso_target_url" required for the IdP-initiated SSO process?
@bruno-toledo Old post, but in our setup, IdP-initiated auths just hit the /auth/saml/callback route. In there, I validate the SAMLResponse param and continue with the authentication flow.
I'm no security expert, but my understanding is that where a SP-initiated auth calls back to and where the IdP-initiated auth goes to are effectively the same. It reads a lot like the consume action in https://github.com/onelogin/ruby-saml#the-initialization-phase. I know this is the omniauth-saml library, but it uses the ruby-saml code internally.
Hi all,
I would like to confirm that omniauth supports multiple IdPs. If yes, please provide a guide for that.
Thanks