Skip to content

Home

Jump to bottom
J. Scott Johnson edited this page Oct 28, 2016 · 12 revisions

Welcome to the saml_idp wiki!

I'm a relative SAML Newbie and I'm attempting to leverage saml_idp to build a ruby based idp where my users can login via devise and then other web sites they are trying to use can authenticate against that. I'm attempting to use this wiki to document the process for other people. First of all I'd like to say thank you to Jon Phenow who has done wonderful work extending the original ruby-saml-idp with all of the back end work necessary to make this possible.

I would comment that his statement "it should be straight forward ..." is fairly inaccurate. Just the need to mess with x.509 certs means that its not straight forward. Certs are never simple.

Here's what I have found to be the process for building an IdP:

Step 0 - Install the Gem

Add this:

gem 'saml_idp'

to Gemfile and then bundle install

Step 1 - Add To Your Routes file

get '/saml/auth' => 'saml_idp#new'
get '/saml/metadata' => 'saml_idp#show'
post '/saml/auth' => 'saml_idp#create'
match '/saml/logout' => 'saml_idp#logout', via: [:get, :post, :delete]

Step 2 - Create a Controller and It is inherit not Include for Your Controller

Change the include mentioned to the readme to an inherit - See: https://github.com/sportngin/saml_idp/issues/57

class SamlIdpController < SamlIdp::IdpController

  def idp_authenticate(email, password) # not using params intentionally
    user = User.by_email(email).first
    user && user.valid_password?(password) ? user : nil
  end
  private :idp_authenticate

  def idp_make_saml_response(found_user) # not using params intentionally
    # NOTE encryption is optional
    encode_response found_user, encryption: {
      cert: saml_request.service_provider.cert,
      block_encryption: 'aes256-cbc',
      key_transport: 'rsa-oaep-mgf1p'
    }
  end
  private :idp_make_saml_response

  def idp_logout
    user = User.by_email(saml_request.name_id)
    user.logout
  end
  private :idp_logout
end

Note: You are going to need to define a class method called by_email on your user model for this to work.

Step 3 - Test the Controller in Development Mode

Goto:

http://localhost:YOUR_PORT/saml/metadata

And you should see some big XML response. If you do then this is actually working.

Step 4 - Note This Only Works in Production and Development

Don't try and run this on a staging server -- it doesn't work and you will get this error: undefined method `make_response!' for SamlIdpController:Class

I don't understand why but when I moved my staging server, on a hunch, over to production it worked perfectly. Welcome to bizarroville; crap happens.

Step 5 - Add an initializer

In the directory config/initializers you want to create saml.rb with the contents that Jon describes on the home page. Don't screw up and put it in config as I did or you'll then spend quite a bit of time scratching your head going "why aren't my changes showing up". Initializers are loaded ONLY at startup so shut down your script/server and then restart it. And go back to the /saml/metadata url and you'll likely get this error:

OpenSSL::PKey::RSAError in SamlIdpController#show Neither PUB key nor PRIV key: nested asn1 error

Despite being an error, that's actually a huge win since it indicates progress. I'm off to solve that now.

Step 5 - Getting Your Data Into the /saml/metadata url

This is the stage I'm up to now. More when I get there.

Clone this wiki locally