# OmniAuth SAML

A generic SAML strategy for OmniAuth.

https://github.com/PracticallyGreen/omniauth-saml

## Requirements

* [OmniAuth](http://www.omniauth.org/) 1.2+
* Ruby 1.9.x or Ruby 2.1.x
## Usage

Use the SAML strategy as a middleware in your application:

```ruby
require 'omniauth'
require 'omniauth-saml'

use OmniAuth::Strategies::SAML,
  :assertion_consumer_service_url    => "consumer_service_url",
  :issuer                            => "issuer",
  :idp_sso_target_url                => "idp_sso_target_url",
  :idp_sso_target_url_runtime_params => {:original_request_param => :mapped_idp_param},
  :idp_cert                          => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
  :idp_cert_fingerprint              => "E7:91:B2:E1:...",
  # placeholder only: a real validator must check the fingerprint against known IdP certificates
  :idp_cert_fingerprint_validator    => lambda { |fingerprint| fingerprint },
  :name_identifier_format            => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
```
or in your Rails application:

in `Gemfile`:

```ruby
gem 'omniauth-saml'
```

and in `config/initializers/omniauth.rb`:

```ruby
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :saml,
    :assertion_consumer_service_url    => "consumer_service_url",
    :issuer                            => "rails-application",
    :idp_sso_target_url                => "idp_sso_target_url",
    :idp_sso_target_url_runtime_params => {:original_request_param => :mapped_idp_param},
    :idp_cert                          => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
    :idp_cert_fingerprint              => "E7:91:B2:E1:...",
    # placeholder only: a real validator must check the fingerprint against known IdP certificates
    :idp_cert_fingerprint_validator    => lambda { |fingerprint| fingerprint },
    :name_identifier_format            => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
end
```
For IdP-initiated SSO, users should directly access the IdP SSO target URL. Set the `href` of your application's login link to the value of `idp_sso_target_url`. For SP-initiated SSO, link to `/auth/saml`.
## Metadata

The service provider metadata used to ease configuration of the SAML SP in the IdP can be retrieved from `http://example.com/auth/saml/metadata`. Send this URL to the administrator of the IdP.
## Options

* `:assertion_consumer_service_url` - The URL at which the SAML assertion should be
  received. If not provided, defaults to the OmniAuth callback URL (typically
  `http://example.com/auth/saml/callback`). Optional.

* `:issuer` - The name of your application. Some identity providers might need this
  to establish the identity of the service provider requesting the login. **Required**.

* `:idp_sso_target_url` - The URL to which the authentication request should be sent.
  This would be on the identity provider. **Required**.

* `:idp_sso_target_url_runtime_params` - A mapping of request params that exist
  during the request phase of OmniAuth to the names under which they are forwarded
  to the IdP. For example, a param `original_request_param` with value
  `original_param_value` could be sent to the IdP on the login request as
  `mapped_idp_param` with value `original_param_value`. Optional.

* `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
  over the fingerprint option below. This option or `:idp_cert_fingerprint` or
  `:idp_cert_fingerprint_validator` MUST be present.

* `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g.
  "90:CC:16:F0:8D:...". This is provided by the identity provider when setting up
  the relationship. This option or `:idp_cert` or `:idp_cert_fingerprint_validator`
  MUST be present.

* `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter
  (the fingerprint of the certificate presented in the SAML response), verify that
  it is one you trust, and return it if so; a falsy return value rejects the response.
  This option or `:idp_cert` or `:idp_cert_fingerprint` MUST be present. Note that the
  placeholder `lambda { |fingerprint| fingerprint }` used in the examples above performs
  no verification at all: it returns whatever fingerprint it is handed, so any certificate
  embedded in a response would be accepted. A production validator must compare the
  fingerprint against a known-good list of IdP certificate fingerprints.

* `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
  the username required by this application. If you need the email address, use
  "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress". See
  http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 8.3 for
  other options. Note that the identity provider might not support all options.
  If not specified, the IdP is free to choose the name identifier format used
  in the response. Optional.

* See the `OneLogin::RubySaml::Settings` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for additional supported options.
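The following is an added example, not code from omniauth-saml itself, covering the `:idp_cert_fingerprint` and `:idp_cert_fingerprint_validator` options above. It shows how to compute the SHA1 fingerprint the `:idp_cert_fingerprint` option expects from an IdP certificate, and how to write a validator lambda that only returns the fingerprint when it is on an allow-list, next to the placeholder identity lambda that accepts anything. The helper names (`cert_sha1_fingerprint`, `build_fingerprint_validator`, `sample_idp_cert_pem`) are this example's own, and the self-signed certificate it generates is a constructed stand-in for the PEM an IdP administrator would send you.

```ruby
require 'openssl'
require 'digest'

# SHA1 fingerprint of an X.509 certificate (PEM or DER), in the colon-separated
# uppercase form the :idp_cert_fingerprint option documents, e.g. "E7:91:B2:E1:...".
def cert_sha1_fingerprint(cert_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Reduce any fingerprint spelling ("e7:91:...", "e791...", "E7 91 ...") to bare uppercase hex.
def normalize_fingerprint(fp)
  fp.to_s.gsub(/[^0-9a-fA-F]/, '').upcase
end

# Constant-time comparison so the validator does not leak how many leading
# bytes of a guessed fingerprint matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# The placeholder from the configuration examples. It "validates" by returning its
# input, so every certificate a response carries is accepted. Do not deploy this.
def insecure_validator
  lambda { |fingerprint| fingerprint }
end

# Build a real :idp_cert_fingerprint_validator from an allow-list of trusted
# fingerprints. Returns the presented fingerprint only when it is trusted, nil otherwise.
def build_fingerprint_validator(trusted_fingerprints)
  trusted = trusted_fingerprints.map { |fp| normalize_fingerprint(fp) }
  lambda do |fingerprint|
    candidate = normalize_fingerprint(fingerprint)
    next nil unless candidate.length == 40 # SHA1 is 20 bytes = 40 hex digits
    trusted.any? { |t| secure_compare(t, candidate) } ? fingerprint : nil
  end
end

# Constructed sample (hypothetical IdP): a throwaway self-signed certificate standing in
# for the IdP's signing certificate. In practice you use the PEM the IdP administrator sends.
def sample_idp_cert_pem
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=sample-idp")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $0
  pem         = sample_idp_cert_pem
  fingerprint = cert_sha1_fingerprint(pem)
  validator   = build_fingerprint_validator([fingerprint])
  puts "fingerprint for :idp_cert_fingerprint: #{fingerprint}"
  puts "trusted cert  -> #{validator.call(fingerprint).inspect}"
  puts "unknown cert  -> #{validator.call('00:' * 19 + '00').inspect}"
  puts "placeholder accepts anything -> #{insecure_validator.call('AA' * 20).inspect}"
end
```

To use it, pass `build_fingerprint_validator(["E7:91:B2:E1:..."])` as the `:idp_cert_fingerprint_validator` value in the configuration above; keeping the trusted list out of code (for example, in an environment variable or settings file) lets you rotate the IdP certificate without a deploy.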
## Authors

Authored by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/), Raecoo Cao, Todd W Saxton, Ryan Wilcox, Steven Anderson, Nikos Dimitrakopoulos, Rudolf Vriend and [Bruno Pedro](http://brunopedro.com/).
## License

Copyright (c) 2011-2014 [Practically Green, Inc.](http://www.practicallygreen.com/).
All rights reserved. Released under the MIT license.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN