对于我的Ruby on Rails项目,我想对SSO使用多个IDP。我正在使用devise和devise_saml_authenticatable宝石。
说我现在有这两个IDP:
http://localhost:4434/users/saml/sign_in
http://www.another_idp_entity_id.biz
在https://github.com/apokalipto/devise_saml_authenticatable中,我的config/initializers/devise.rb看起来像
Devise.setup do |config|
...Other configs
class IdPSettingsAdapter
def self.settings(idp_entity_id)
callback = Rails.env.development? ? 'http://localhost:4434' : ENV['CALLBACK_ADDRESS']
case idp_entity_id
when "http://localhost:4434/users/saml/sign_in"
{
assertion_consumer_service_url: "#{callback}/users/saml/auth",
assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
issuer: "#{callback}/users/saml/metadata",
idp_entity_id: "http://localhost:4434/users/saml/sign_in",
authn_context: "",
idp_slo_target_url: "https://xxx.okta.com/app/xxx_1/exkb54ho042xBVrQm356/sso/saml",
idp_sso_target_url: "",
idp_cert_fingerprint: 'A3:FE:AA:9F:F2:29:C5....',
idp_cert_fingerprint_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha256'
}
when "http://www.another_idp_entity_id.biz"
{
assertion_consumer_service_url: "http://localhost:3000/users/saml/auth",
assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
issuer: "http://localhost:3000/saml/metadata",
idp_entity_id: "http://www.another_idp_entity_id.biz",
authn_context: "",
idp_slo_target_url: "http://another_idp_slo_target_url.com",
idp_sso_target_url: "http://another_idp_sso_target_url.com",
idp_cert: "another_idp_cert"
}
else
{}
end
end
end
# ==> SAML
config.saml_create_user = true
config.saml_update_user = true
config.saml_default_user_key = :email
config.saml_session_index_key = :session_index
config.saml_use_subject = true
config.idp_entity_id_reader =
DeviseSamlAuthenticatable::DefaultIdpEntityIdReader
config.idp_settings_adapter = IdPSettingsAdapter
end
这将给我错误raise "Invalid settings, idp_sso_target_url is not set!" if settings.idp_sso_target_url.nil?。
我尝试仅使用1个IDP,但不使用IdPSettingsAdapter,但在# ==> SAML下使用以下附加代码:
config.saml_create_user = true
config.saml_update_user = true
config.saml_default_user_key = :email
config.saml_session_index_key = :session_index
config.saml_use_subject = true
config.idp_entity_id_reader = DeviseSamlAuthenticatable::DefaultIdpEntityIdReader
config.idp_settings_adapter = nil
callback = Rails.env.development? ? 'http://localhost:4434' : ENV['CALLBACK_ADDRESS']
config.saml_configure do |settings|
settings.assertion_consumer_service_url = "#{callback}/users/saml/auth"
settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
settings.issuer = "#{callback}/users/saml/metadata"
settings.authn_context = ""
settings.idp_slo_target_url = ""
settings.idp_sso_target_url = "https://xxx.okta.com/app/xxx1/exkb54ho042xBVrQm356/sso/saml"
settings.idp_cert_fingerprint = 'A3:FE:AA:9F:F2:29:C5...'
settings.idp_cert_fingerprint_algorithm = 'http://www.w3.org/2000/09/xmldsig#sha256'
end
它将起作用,并将我重定向到Okta进行登录。但是,它只有1个IDP,我需要它与多个IDP一起使用。
谢谢!