Ruby on Rails SSO implementation using the gem devise_saml_authenticatable and Ping Identity (PingFederate)

Time: 2019-03-22 19:31:24

Tags: ruby-on-rails devise saml pingfederate idp

For my Rails project I am implementing SSO using SAML. devise and devise_saml_authenticatable are the tools for managing users and logging users in and out.

My User.rb has the following devise declaration: devise :database_authenticatable, :registerable, :rememberable, :trackable, :validatable, :recoverable, :timeoutable, :session_limitable, :saml_authenticatable. The important one is actually :saml_authenticatable.

In my config/devise.rb I have:

  config.saml_route_helper_prefix = 'saml'
  # ==> SAML
  config.saml_create_user = true
  config.saml_update_user = true
  config.saml_default_user_key = :email
  config.saml_session_index_key = :session_index
  config.saml_use_subject = true
  config.idp_entity_id_reader = DeviseSamlAuthenticatable::DefaultIdpEntityIdReader
  config.idp_settings_adapter = nil

  config.saml_configure do |settings|
    settings.assertion_consumer_service_url     = "https://myapp.xxx.com/users/saml/auth"
    settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    settings.name_identifier_format             = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    settings.issuer                             = "https://myapp.xxx.com/users/saml/metadata"
    settings.idp_entity_id                      = "https://auth2test.clientname.ca"
    settings.authn_context                      = ""
    settings.idp_slo_target_url                 = "https://auth2test.clientname.ca/idp/SLO.saml2"
    settings.idp_sso_target_url                 = "https://auth2test.clientname.ca/idp/SSO.saml2"
    settings.idp_cert_fingerprint               = 'B0:39:.....'
    settings.idp_cert_fingerprint_algorithm     = 'http://www.w3.org/2000/09/xmldsig#sha256'
  end

In my routes.rb I defined devise_for :users, and the resulting routes include:

             new_user_session GET      /users/sign_in(.:format)            devise/sessions#new
                 user_session POST     /users/sign_in(.:format)            devise/sessions#create
         destroy_user_session DELETE   /users/sign_out(.:format)           devise/sessions#destroy
            new_user_password GET      /users/password/new(.:format)       devise/passwords#new
           edit_user_password GET      /users/password/edit(.:format)      devise/passwords#edit
                user_password PATCH    /users/password(.:format)           devise/passwords#update
                              PUT      /users/password(.:format)           devise/passwords#update
                              POST     /users/password(.:format)           devise/passwords#create
        new_saml_user_session GET      /users/saml/sign_in(.:format)       devise/saml_sessions#new
            saml_user_session POST     /users/saml/auth(.:format)          devise/saml_sessions#create
    destroy_saml_user_session DELETE   /users/sign_out(.:format)           devise/saml_sessions#destroy
        metadata_user_session GET      /users/saml/metadata(.:format)      devise/saml_sessions#metadata
idp_destroy_saml_user_session GET|POST /users/saml/idp_sign_out(.:format)  devise/saml_sessions#idp_sign_out
                     new_user GET      /users/new(.:format)                users#new
                    edit_user GET      /users/:id/edit(.:format)           users#edit
                         user PATCH    /users/:id(.:format)                users#update
                              PUT      /users/:id(.:format) 

When trying to reach the login page on the IdP (i.e. the login page provided by Ping Identity), I keep getting the error:

Unexpected System Error
Sorry for the inconvenience. Please contact your administrator for assistance and provide the reference number below to help locate and correct the problem.
Reference#: XXXX

The client has no idea why, but provided the IdP metadata XML:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="somestring" cacheDuration="PT1440M" entityID="https://auth2test.clientname.ca">
   <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
      <md:KeyDescriptor use="signing">
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
               <ds:X509Certificate>...Certificate Details.</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://auth2test.clientname.ca/idp/SLO.saml2" />
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://auth2test.clientname.ca/idp/SLO.saml2" />
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://auth2test.clientname.ca/idp/SSO.saml2" />
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://auth2test.clientname.ca/idp/SSO.saml2" />
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
   </md:IDPSSODescriptor>
   <md:ContactPerson contactType="administrative">
      <md:Company>Client company name</md:Company>
   </md:ContactPerson>
</md:EntityDescriptor>

Any suggestions/solutions? Thanks in advance!
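The saml_configure values above have to agree with what the IdP metadata declares: the entityID, the SingleSignOnService Location, the NameIDFormat, and the SHA-256 fingerprint of the certificate in the signing KeyDescriptor. As an added example (not part of the original question or of devise_saml_authenticatable), here is a Ruby check that parses an EntityDescriptor and reports which settings disagree; because the real certificate is elided above, the certificate and metadata in the block are constructed sample data.

```ruby
require "rexml/document"
require "openssl"

NS = { "md" => "urn:oasis:names:tc:SAML:2.0:metadata", "ds" => "http://www.w3.org/2000/09/xmldsig#" }.freeze

# Colon-separated SHA-256 fingerprint of the DER certificate, the form idp_cert_fingerprint expects.
def cert_fingerprint(cert)
  OpenSSL::Digest.new("SHA256").hexdigest(cert.to_der).upcase.scan(/../).join(":")
end

# Pull the values an SP config must mirror out of an IdP EntityDescriptor.
def parse_idp_metadata(xml)
  root = REXML::Document.new(xml).root
  idp  = REXML::XPath.first(root, "md:IDPSSODescriptor", NS)
  b64  = REXML::XPath.first(idp, "md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS).text
  { entity_id:      root.attributes["entityID"],
    sso_urls:       REXML::XPath.match(idp, "md:SingleSignOnService", NS).map { |e| e.attributes["Location"] },
    name_id_format: REXML::XPath.first(idp, "md:NameIDFormat", NS).text.strip,
    fingerprint:    cert_fingerprint(OpenSSL::X509::Certificate.new(b64.unpack1("m"))) }
end

# Compare saml_configure values (as a hash) with the metadata; returns the names of settings that disagree.
def check_sp_settings(s, idp)
  norm = ->(fp) { fp.to_s.delete(":").upcase }
  { idp_entity_id:          s[:idp_entity_id] == idp[:entity_id],
    idp_sso_target_url:     idp[:sso_urls].include?(s[:idp_sso_target_url]),
    name_identifier_format: s[:name_identifier_format] == idp[:name_id_format],
    idp_cert_fingerprint:   norm.(s[:idp_cert_fingerprint]) == norm.(idp[:fingerprint]) }.reject { |_, ok| ok }.keys
end

# Constructed sample (not the client's real data): a throwaway self-signed "IdP" signing cert
# and metadata shaped like the one in the question.
TEST_KEY  = OpenSSL::PKey::RSA.new(2048)
TEST_CERT = OpenSSL::X509::Certificate.new
TEST_CERT.version = 2; TEST_CERT.serial = 1
TEST_CERT.subject = TEST_CERT.issuer = OpenSSL::X509::Name.parse("/CN=auth2test.clientname.ca")
TEST_CERT.public_key = TEST_KEY.public_key
TEST_CERT.not_before = Time.now; TEST_CERT.not_after = Time.now + 86_400
TEST_CERT.sign(TEST_KEY, OpenSSL::Digest.new("SHA256"))
TEST_METADATA = <<~XML
  <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://auth2test.clientname.ca">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="false">
      <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>#{[TEST_CERT.to_der].pack("m0")}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://auth2test.clientname.ca/idp/SSO.saml2"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
XML
```

Calling check_sp_settings with the question's saml_configure values as a hash and parse_idp_metadata(TEST_METADATA) returns the names of the settings that disagree, for instance [:idp_cert_fingerprint] while a stale or placeholder fingerprint is still configured.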

0 answers:

No answers