使用Ping Federate实现Rails SSO

时间:2019-03-25 20:55:46

标签: ruby-on-rails devise single-sign-on saml onelogin

在我的Ruby on Rails项目中,我需要使用Ping Identity作为IDP来实现SAML SSO。我正在使用的宝石是devise_saml_authenticatable

在我的config/initializers/devise.rb中,我有:


config.saml_route_helper_prefix = 'saml'
  # ==> SAML
  config.saml_create_user = true
  config.saml_update_user = true
  config.saml_default_user_key = :email
  config.saml_session_index_key = :session_index
  config.saml_use_subject = true
  config.idp_entity_id_reader = DeviseSamlAuthenticatable::DefaultIdpEntityIdReader
  config.idp_settings_adapter = nil

  config.saml_configure do |settings|
    settings.assertion_consumer_service_url     = "#{Settings.devise_callback}/users/saml/auth"
    settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    settings.name_identifier_format             = Settings.clientname.sso.name_identifier_format
    settings.issuer                             = "#{Settings.devise_callback}/users/saml/meta_data"
    settings.idp_entity_id                      = Settings.clientname.sso.idp_entity_id
    settings.authn_context                      = ""
    settings.idp_slo_target_url                 = Settings.clientname.sso.idp_slo_target_url
    settings.idp_sso_target_url                 = Settings.clientname.sso.idp_sso_target_url
    settings.idp_cert_fingerprint               = Settings.clientname.sso.idp_cert_fingerprint
    settings.idp_cert_fingerprint_algorithm     = 'http://www.w3.org/2000/09/xmldsig#sha256'
  end

我的app/models/user.rb中有

devise :database_authenticatable, :rememberable, :trackable, :validatable, :recoverable, :timeoutable, :session_limitable, :saml_authenticatable

除了使用客户端的IDP之外,我还使用Onelogin和Okta设置了IDP,并且上面的代码可以正常工作。

与Onelogin和Okta不同,Ping Identity提供的我的客户的IDP不会首先显示用于输入电子邮件的页面,然后显示用于输入密码的另一页面。换句话说,没有像Onelogin和Okta这样的IDP登录页面。

所以问题是,现在我有了客户的IDP的实体ID,SSO目标URL,SLO目标URL,指纹。如何通过表单向IDP进行身份验证并登录用户?

到目前为止,我已经尝试过

=form_tag(Settings.sso.idp_sso_target_url, html: {role: 'form'}, method: :post) do |f|
    .form-group
      label for="email"  Email
      = email_field_tag :email
    .form-group
      label for="password"  Password
      = password_field_tag :password
      button.btn.btn-info.btn-sm type="submit"  Submit
      |  

其中Settings.sso.idp_sso_target_url是SSO目标网址,看起来像https://auth2test.clientname.ca/idp/SSO.saml2

使用Ping作为IDP,我得到了:

<S11:Envelope><S11:Body><S11:Fault><faultcode>soapenv:Client</faultcode><faultstring>Invalid Request</faultstring></S11:Fault></S11:Body></S11:Envelope>

然后我使用Onelogin作为IDP进行了测试,它只是将我重定向到我输入电子邮件的页面。

我也尝试过

  = form_for(resource, as: resource_name, url: saml_user_session_path(resource_name), html: {role: 'form'}) do |f|
    .form-group
      label for="email"  Email
      = f.email_field :email, autofocus: true, autocomplete: "email", class: 'form-control', placeholder: 'Email', id: 'email'
    .form-group
      label for="password"  Password
      = f.password_field :password, autocomplete: "off", placeholder: 'Password', class: 'form-control', id: 'password'
    button.btn.btn-info.btn-sm type="submit"  Submit
            | &nbsp;

这是错误消息无效的电子邮件或密码(我确定是正确的)。

我非常怀疑自己是否走对了。请指出正确的方向。非常感谢你!

0 个答案:

没有答案