-
Notifications
You must be signed in to change notification settings - Fork 182
IdP_Configuration
To configure your SAML IdP, you need to define configure
in SamlIdP
module in your ruby application. You can override some configurations with the option of encode_response
method in your controller.
By default SAML Assertion will be signed with an algorithm which defined to config.algorithm. Because SAML assertions contain secure information used for authentication such as NameID.
Signing SAML Response is optional, but some security perspective SP services might require Response message itself must be signed. For that, you can enable it with config.signed_message option. More about SAML spec
Following example is showing that minimum configuration for development environment.
SamlIdp.configure do |config|
base = "http://example.com"
config.x509_certificate = <<-CERT
-----BEGIN CERTIFICATE-----
CERTIFICATE DATA
-----END CERTIFICATE-----
CERT
config.secret_key = <<-CERT
-----BEGIN RSA PRIVATE KEY-----
KEY DATA
-----END RSA PRIVATE KEY-----
CERT
# config.password = "secret_key_password"
# config.algorithm = :sha256 # Default: sha1 only for development.
# config.organization_name = "Your Organization"
# config.organization_url = "http://example.com"
# config.base_saml_location = "#{base}/saml"
# config.reference_id_generator # Default: -> { SecureRandom.uuid }
# config.single_logout_service_post_location = "#{base}/saml/logout"
# config.single_logout_service_redirect_location = "#{base}/saml/logout"
# config.attribute_service_location = "#{base}/saml/attributes"
# config.single_service_post_location = "#{base}/saml/auth"
# config.session_expiry = 86400 # Default: 0 which means never
# config.signed_message = true # Default: false which means unsigned SAML Response
# Principal (e.g. User) is passed in when you `encode_response`
#
# config.name_id.formats =
# { # All 2.0
# email_address: -> (principal) { principal.email_address },
# transient: -> (principal) { principal.id },
# persistent: -> (p) { p.id },
# }
# OR
#
# {
# "1.1" => {
# email_address: -> (principal) { principal.email_address },
# },
# "2.0" => {
# transient: -> (principal) { principal.email_address },
# persistent: -> (p) { p.id },
# },
# }
# If Principal responds to a method called `asserted_attributes`
# the return value of that method will be used in lieu of the
# attributes defined here in the global space. This allows for
# per-user attribute definitions.
#
## EXAMPLE **
# class User
# def asserted_attributes
# {
# phone: { getter: :phone },
# email: {
# getter: :email,
# name_format: Saml::XML::Namespaces::Formats::NameId::EMAIL_ADDRESS,
# name_id_format: Saml::XML::Namespaces::Formats::NameId::EMAIL_ADDRESS
# }
# }
# end
# end
#
# If you have a method called `asserted_attributes` in your Principal class,
# there is no need to define it here in the config.
# config.attributes # =>
# {
# <friendly_name> => { # required (ex "eduPersonAffiliation")
# "name" => <attrname> # required (ex "urn:oid:1.3.6.1.4.1.5923.1.1.1.1")
# "name_format" => "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", # not required
# "getter" => ->(principal) { # not required
# principal.get_eduPersonAffiliation # If no "getter" defined, will try
# } # `principal.eduPersonAffiliation`, or no values will
# } # be output
#
## EXAMPLE ##
# config.attributes = {
# GivenName: {
# getter: :first_name,
# },
# SurName: {
# getter: :last_name,
# },
# }
## EXAMPLE ##
# config.technical_contact.company = "Example"
# config.technical_contact.given_name = "Jonny"
# config.technical_contact.sur_name = "Support"
# config.technical_contact.telephone = "55555555555"
# config.technical_contact.email_address = "[email protected]"
service_providers = {
"some-issuer-url.com/saml" => {
fingerprint: "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D",
metadata_url: "http://some-issuer-url.com/saml/metadata",
# We now validate AssertionConsumerServiceURL will match the MetadataURL set above.
# *If* it's not going to match your Metadata URL's Host, then set this so we can validate the host using this list
response_hosts: ["foo.some-issuer-url.com"]
},
}
# `identifier` is the entity_id or issuer of the Service Provider,
# settings is an IncomingMetadata object which has a to_h method that needs to be persisted
config.service_provider.metadata_persister = ->(identifier, settings) {
fname = identifier.to_s.gsub(/\/|:/,"_")
FileUtils.mkdir_p(Rails.root.join('cache', 'saml', 'metadata').to_s)
File.open Rails.root.join("cache/saml/metadata/#{fname}"), "r+b" do |f|
Marshal.dump settings.to_h, f
end
}
# `identifier` is the entity_id or issuer of the Service Provider,
# `service_provider` is a ServiceProvider object. Based on the `identifier` or the
# `service_provider` you should return the settings.to_h from above
config.service_provider.persisted_metadata_getter = ->(identifier, service_provider){
fname = identifier.to_s.gsub(/\/|:/,"_")
FileUtils.mkdir_p(Rails.root.join('cache', 'saml', 'metadata').to_s)
full_filename = Rails.root.join("cache/saml/metadata/#{fname}")
if File.file?(full_filename)
File.open full_filename, "rb" do |f|
Marshal.load f
end
end
}
# Find ServiceProvider metadata_url and fingerprint based on our settings
config.service_provider.finder = ->(issuer_or_entity_id) do
service_providers[issuer_or_entity_id]
end
end
Following attributes you can override with option of encode_response
method in your controller.
- Encryption
encryption: {
cert: saml_request.service_provider.cert,
block_encryption: 'aes256-cbc',
key_transport: 'rsa-oaep-mgf1p'
}
Move configuration related examples and documentation to this wiki page.