
Single tenant support with Osso Mock IDP #4

Open. Wants to merge 1 commit into base: main.

Conversation

@sbauch sbauch commented Jan 20, 2021

This PR adds SAML SSO support for a single tenant who is a "customer" of Osso's Mock IDP.

We use a Ruby gem from OneLogin ruby-saml to encode a SAMLRequest and decode the SAMLResponse.

SAML Configuration

When configuring SAML SSO for a tenant, you must work with the tenant to configure your application to talk securely with their Identity Provider.

On the IDP's side, since this is a Mock IDP, there's no configuration required - the mock IDP is designed to take a valid SAMLRequest, allow a user to "sign in" with any email and password, and then redirect the user with a valid SAMLResponse.

The Mock IDP provides a federated metadata XML file that includes the SSO URL and x509 certificate that your application uses to send the user to the IDP login and to decode the SAMLResponse respectively.

Sign in UX

Since we're dealing with a single tenant, we know that every user will log in using the same Identity Provider instance. We don't make an effort to support alternative login approaches, like email / password, and are able to place a button on the sign in form that sends the user to their IDP.

kgilpin commented Feb 1, 2021

Hi, when I try and run this app, I get the following error. I assume it's something to do with the metadata XML file that you describe, but while you indicate that it "includes the SSO URL and x509 certificate", you don't fully explain how to get that information into the Rails app. What's needed in order to make this app fully functional?

[Screenshot attached: Screen Shot 2021-02-01 at 4 01 08 PM]

sbauch commented Feb 1, 2021

Hi Kevin! (@kgilpin)

Thanks so much for your question! If you (or anyone else!) found this app through GitHub, there's a companion blog post here that should help you - https://ossoapp.com/blog/saml-sso-rails

That said, you're right, this concerns the x509 certificate that is provided by Osso's Mock IDP - https://github.com/enterprise-oss/sinatra-ruby-idp/blob/main/metadata.xml#L7

You'll want to plug that x509 cert string in here - https://github.com/enterprise-oss/saml-rails/pull/4/files#diff-766c34fd6533171eaf54300c153f89d6002c35c02cfc9c5b219251f85180ad07R42

It's best practice to use ENV or Rails credentials for a secret like this rather than committing to source, but since it's all a mocked thing anyhow you could paste that string (without the opening and closing tags) right into the controller.

That way ruby-saml will be able to use the cert to decode the signed response you see in the SAMLResponse param.

Normally you'd also have to grab the SSO URL out of that metadata, but again due to the Mock IDP's testing nature, the URL that is hardcoded as part of this PR is the correct URL to use. So if you provide the x509 cert string that should be enough to get things running.

Feel free to shoot me an email at [email protected]; I'd be happy to help further if this doesn't get you unstuck!
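The metadata step discussed above (pulling the SSO URL and the x509 cert string out of the IdP's federation metadata and handing the cert to ruby-saml), as an added Ruby example that is not code from the saml-rails PR or the ruby-saml gem. It assumes a constructed self-signed certificate and a constructed metadata document shaped like a SAML 2.0 IdP metadata.xml; only the element names and namespaces are standard, everything else is sample data.

```ruby
# Added example, not code from the saml-rails PR or the ruby-saml gem: read the
# IdP SSO URL and signing certificate from SAML federation metadata and turn the
# raw <X509Certificate> text into an OpenSSL cert (what ruby-saml's idp_cert takes).
require 'openssl'
require 'rexml/document'
MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata'
DS_NS = 'http://www.w3.org/2000/09/xmldsig#'

# Constructed stand-in for the Mock IdP's certificate so the example runs offline.
def build_test_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=mock-idp.example')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed metadata shaped like an IdP metadata.xml: the certificate is
# published as base64 DER with no PEM header/footer and may be wrapped and indented.
def metadata_xml_for(cert, sso_url)
  b64 = [cert.to_der].pack('m0').scan(/.{1,64}/).join("\n      ")
  <<~XML
    <md:EntityDescriptor xmlns:md="#{MD_NS}" xmlns:ds="#{DS_NS}" entityID="https://mock-idp.example/saml">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          #{b64}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="#{sso_url}"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
  XML
end

# Returns the values an SP needs from the IdP: SSO URL, certificate, and its
# SHA-256 fingerprint (ruby-saml accepts either idp_cert or idp_cert_fingerprint).
def idp_settings_from_metadata(xml)
  doc = REXML::Document.new(xml)
  sso = REXML::XPath.first(doc, '//md:SingleSignOnService', 'md' => MD_NS)
  raw = REXML::XPath.first(doc, '//ds:X509Certificate', 'ds' => DS_NS).text
  der = raw.gsub(/\s+/, '').unpack1('m0')   # drop whitespace, strict base64 decode
  cert = OpenSSL::X509::Certificate.new(der) # raises if the pasted string is mangled
  fp = OpenSSL::Digest::SHA256.hexdigest(cert.to_der).scan(/../).join(':').upcase
  { sso_url: sso.attributes['Location'], cert: cert, fingerprint: fp }
end
```

In an application, the parsed cert (or its fingerprint) would be read from ENV or Rails credentials rather than pasted into the controller, and the same parsing step fails fast if the metadata string was copied with its tags or otherwise mangled.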

@enterprise-oss enterprise-oss deleted a comment from kgilpin Feb 3, 2021
@enterprise-oss enterprise-oss deleted a comment from kgilpin Feb 3, 2021