
Newbie question: writing a rails app to use my university's SIB services #8

Open
pitosalas opened this issue Oct 6, 2014 · 9 comments

Comments

@pitosalas
I'm having a hard time understanding how to connect the bits and pieces to make this work, although according to my IT people it should be 'simple'. So I have some questions:

  1. As I am deploying to Heroku I can't really run a separate shib sp, so my understanding is that therefore I should use the rack-saml gem here. Is this correct?

  2. According to my IT guy, all I need to do is to provide him with the 'saml metadata', which is an xml file. I am not clear where to get that.

  3. Best would be if you could point me at a simple/complete example doing something similar, which is a rails app that uses shib for authentication. (I don't even require using oauth2 if that is an unnecessary complication...)

Any help would be greatly appreciated!!

@toyokazu
Owner

Sorry for the late reply.
I would like to answer quickly.

  1. As I am deploying to Heroku I can't really run a separate shib sp, so my understanding is that therefore I should use the rack-saml gem here. Is this correct?

Yes, you are right.

  2. According to my IT guy, all I need to do is to provide him with the 'saml metadata', which is an xml file. I am not clear where to get that.

By default, it can be downloaded from the rack-saml-enabled SP URL (http://target_host/Shibboleth.sso/Metadata).

  3. Best would be if you could point me at a simple/complete example doing something similar, which is a rails app that uses shib for authentication. (I don't even require using oauth2 if that is an unnecessary complication...)

You can also use ruby-saml directly in your application. rack-saml just uses ruby-saml to handle the SAML request/response. While there may be other options, I am currently not sure.

The current rack-saml is not compatible with the latest ruby-saml, as indicated by the following pull request.

#9

I would like to fix it. Please wait for a moment.

@tadas-s

tadas-s commented May 26, 2015

It's an old post but I'd like to add something for those who'll bump into this:

rack-saml will probably not work for you to provide sign-in via a university Shibboleth IdP because of this:

Current implementation supports only Onelogin SAML assertion handler. It does not support signing AuthnRequest and encrypting Response. Thus, the assertion encryption function should be disabled at the IdP side for rack-saml SPs.

Due to privacy and security concerns, most university IdPs require the SP to support encrypted responses. This is definitely the case with http://testshib.org and http://www.ukfederation.org.uk .

@toyokazu
Owner

toyokazu commented Jun 5, 2015

Sorry for the late reply.
Yes, you are right. Currently, rack-saml can be used for SPs which do not require sensitive attributes, for example an SP that just requires the organization name, like an electronic journal service :)

If many of you want to use it with sensitive attributes, the encryption function must be implemented.

Currently, I do not have enough time for it, but if I receive many requests, I would like to ask colleagues to do it :)

@jasonheffner

I see signed assertions in this branch from makerbot:

https://github.com/makerbot/rack-saml/tree/feature/signed-assertions

Is there any progress on assertion encryption, since it appears OneLogin::RubySaml does support this ability now?

@toyokazu
Owner

Hi,

Yes. The current version can encrypt assertions using the OneLogin::Ruby::SAML function, by @kerlin's contribution. I think you can use it by specifying sp_cert and sp_key in the configuration. If you cannot use it, please provide your feedback.
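Two practical questions run through this thread: where the SP metadata the IdP admin asks for comes from, and what the `sp_cert` / `sp_key` pair mentioned above has to do with encrypted assertions. The following is an added example, written for this page, and is not rack-saml's or ruby-saml's code. It generates an SP key pair and self-signed certificate with Ruby's standard `openssl` library and emits SAML 2.0 SP metadata that publishes that certificate in both a `signing` and an `encryption` KeyDescriptor. Publishing the encryption KeyDescriptor is what lets an IdP keep assertion encryption enabled, because it encrypts the assertion key to that certificate; the matching private key is what the SP decrypts with. The entity ID, ACS URL and CN are hypothetical placeholders; how rack-saml itself consumes the key and certificate is not shown here.

```ruby
require 'openssl'

# Hypothetical SP identity for this example (not taken from the thread).
SP_ENTITY_ID = 'https://myapp.example.edu/saml'
SP_ACS_URL   = 'https://myapp.example.edu/saml/consume'

# Generate the SP's RSA key and a self-signed X.509 certificate. The private
# key stays on the SP (the "sp_key" side); the certificate is published to the
# IdP through metadata (the "sp_cert" side).
def generate_sp_keypair(cn:, days: 3650)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = name
  cert.issuer     = name                   # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  # keyEncipherment covers the IdP encrypting the assertion key to this cert;
  # digitalSignature covers the SP signing AuthnRequests.
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Single-line base64 of the DER certificate, with no PEM armor, as required
# inside <ds:X509Certificate>.
def x509_b64(cert)
  [cert.to_der].pack('m0')
end

def key_descriptor(use, cert)
  [
    "    <md:KeyDescriptor use=\"#{use}\">",
    '      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">',
    "        <ds:X509Data><ds:X509Certificate>#{x509_b64(cert)}</ds:X509Certificate></ds:X509Data>",
    '      </ds:KeyInfo>',
    '    </md:KeyDescriptor>'
  ]
end

# Build SP metadata that advertises both a signing and an encryption key and
# tells the IdP this SP signs its requests and wants signed assertions.
def build_sp_metadata(entity_id:, acs_url:, cert:)
  lines = ['<?xml version="1.0" encoding="UTF-8"?>',
           "<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"#{entity_id}\">",
           '  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"',
           '      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">']
  lines += key_descriptor('signing', cert)
  lines += key_descriptor('encryption', cert)
  lines += ['    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>',
            '    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"',
            "        Location=\"#{acs_url}\" index=\"0\" isDefault=\"true\"/>",
            '  </md:SPSSODescriptor>',
            '</md:EntityDescriptor>']
  lines.join("\n") + "\n"
end

# Checks to run before handing the file to the IdP admin: which key uses the
# metadata advertises, and whether the published certificate really belongs
# to the private key the SP will decrypt with.
def advertised_key_uses(xml)
  xml.scan(/<md:KeyDescriptor use="([^"]+)">/).flatten
end

def cert_matches_key?(cert, key)
  cert.verify(cert.public_key) && cert.public_key.to_der == key.public_key.to_der
end

if __FILE__ == $PROGRAM_NAME
  sp_key, sp_cert = generate_sp_keypair(cn: 'myapp.example.edu')
  metadata = build_sp_metadata(entity_id: SP_ENTITY_ID, acs_url: SP_ACS_URL, cert: sp_cert)
  puts metadata
  puts "advertised key uses: #{advertised_key_uses(metadata).join(', ')}"
  puts "certificate matches private key: #{cert_matches_key?(sp_cert, sp_key)}"
  # sp_key.to_pem and sp_cert.to_pem are the PEM blobs you would keep as the
  # SP private key and SP certificate respectively.
end
```

If the metadata you hand over lacks the `use="encryption"` descriptor, the IdP has no key to encrypt to, which is exactly the situation the earlier comments describe: the IdP must either turn encryption off for that SP or refuse to release attributes.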

@jasonheffner

Thanks @toyokazu I had missed that update. I might suggest updating the docs to remove that limitation then. That's excellent news and much appreciated.

@toyokazu
Owner

Thank you for your comment. Unfortunately, I do not have time to test the function myself. If you have already confirmed the assertion encryption function, please let me know. I'd like to update the document.

@webattitude

> Thanks @toyokazu I had missed that update. I might suggest updating the docs to remove that limitation then. That's excellent news and much appreciated.

Hi @jasonheffner, did you manage to get this working?

@jasonheffner

@webattitude I believe we had at the time, but then switched to handling authentication at the transport layer using apache as a proxy. It's just been too long to remember all the details.
