Tina

Rails omniauth-saml gem is not signing the SAMLRequest

Apologies in advance for any incorrect terminology in this post. We are not SAML experts and have been following various gem READMEs and forum/blog posts to get as far as we have in our set up.

We need to create a SAML integration with an IDP that is requiring a signed 'handshake' before allowing our application to pass to their login page. We have set up SAML with the Rails omniauth-saml gem (https://github.com/omniauth/omniauth-saml) and have successfully tested integration with Okta. However, the IDP we are trying to integrate with is not accepting our AuthnRequest. Based on their logs, we believe that this has to do with our SAMLRequest not being signed correctly. The omniauth-saml documentation does not provide any information about signing requests, but we were able to find information in the OneLogin ruby-saml gem which the omniauth-saml gem builds off of (https://github.com/onelogin/ruby-saml). We have set the signing services mentioned in onelogin/ruby-saml all to true and added signature method and digest methods, but our SAMLRequest still doesn't seem to be signed correctly. This is our settings information:

  # we set security
  security = {
    authn_requests_signed: true,
    # per the ruby-saml README, embed_sign: true embeds the signature inside the
    # AuthnRequest XML; false sends it as the Signature/SigAlg query parameters
    # of the HTTP-Redirect binding instead
    embed_sign: true,
    metadata_signed: true,
    soft: false,
    signature_method: XMLSecurity::Document::RSA_SHA1,
    digest_method: XMLSecurity::Document::SHA1
  }

  # Hash#merge returns a new Hash and leaves idp_metadata itself unchanged, so
  # the value of this expression is what must be handed to the provider config
  idp_metadata.merge(
    certificate: EXAMPLE_PUBLIC_CERT,
    private_key: EXAMPLE_PRIVATE_CERT,
    # we're using the environment variable here because each deploy of
    # our app has a different domain name
    issuer: "https://" + ENV['MAIL_HOST'] + "/users/auth/saml/metadata",
    assertion_consumer_service_url: "https://" + ENV['MAIL_HOST'] + "/users/auth/saml/callback",
    assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    # these attributes are set elsewhere
    request_attributes: attributes,
    security: security
  )

We are using the omniauth-saml generated path for redirecting to the IDP with the SAMLRequest GET param: user_saml_omniauth_authorize_path

We couldn't find any information about additional parameters that should be passed to the authorize_path to force signing or anything along those lines.

It is our understanding that if our SAMLRequest was being signed correctly, the consumer of the SAMLRequest would need the X509Certificate information from our metadata xml to decode it, but we are able to decode the SAMLRequest in the generic OneLogin decoder without additional information.

Any help with forcing the Authn signing of our SAMLRequest would be very much appreciated.

Upvotes: 1

Views: 877
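The HTTP-Redirect binding used for the SAMLRequest GET parameter above deflates and Base64-encodes the AuthnRequest; that is encoding, not encryption, so a decoder can read a signed request just as easily as an unsigned one. The following is an added example (not from the post, nor from the omniauth-saml or ruby-saml projects) that uses only Ruby's standard library to encode a request, produce the detached Signature/SigAlg query parameters the Redirect binding specifies, and check a received query string for either an embedded ds:Signature or a verifiable detached signature. The AuthnRequest XML and the RSA key are constructed for the example.

```ruby
%w[openssl zlib base64 cgi uri].each { |lib| require lib }

# Constructed sample AuthnRequest (not a real request); it has no embedded ds:Signature.
SAMPLE_AUTHN_REQUEST =
  '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example" Version="2.0"/>'
SIG_ALGS = { 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => 'SHA256',
             'http://www.w3.org/2000/09/xmldsig#rsa-sha1' => 'SHA1' }

# HTTP-Redirect encoding is raw DEFLATE + Base64, not encryption: the XML is readable
# by any decoder whether or not the request is signed.
def encode_redirect(xml)
  z = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  raw = z.deflate(xml, Zlib::FINISH)
  z.close
  Base64.strict_encode64(raw)
end

def decode_redirect(b64)
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(Base64.decode64(b64))
end

# Redirect-binding signature: sign the exact query string
# "SAMLRequest=..[&RelayState=..]&SigAlg=.." and append Signature last.
def signed_redirect_query(xml, private_key, relay_state: nil, alg: SIG_ALGS.keys.first)
  parts = ["SAMLRequest=#{CGI.escape(encode_redirect(xml))}"]
  parts << "RelayState=#{CGI.escape(relay_state)}" if relay_state
  parts << "SigAlg=#{CGI.escape(alg)}"
  signed = parts.join('&')
  sig = private_key.sign(OpenSSL::Digest.new(SIG_ALGS.fetch(alg)), signed)
  "#{signed}&Signature=#{CGI.escape(Base64.strict_encode64(sig))}"
end

# Check a redirect query the way the IdP does: is a detached signature present,
# is there a <ds:Signature> embedded in the XML, and does the detached one verify?
def inspect_redirect_query(query, public_key)
  params = URI.decode_www_form(query).to_h
  xml = decode_redirect(params.fetch('SAMLRequest'))
  detached = params.key?('Signature') && params.key?('SigAlg')
  valid = false
  if detached
    signed = query.split('&Signature=').first     # everything before the Signature param
    digest = OpenSSL::Digest.new(SIG_ALGS.fetch(params['SigAlg']))  # unknown SigAlg raises
    valid = public_key.verify(digest, Base64.decode64(params['Signature']), signed)
  end
  { xml: xml, embedded_signature: xml.match?(/<(\w+:)?Signature\b/),
    detached_signature: detached, signature_valid: valid }
end
```

Run inspect_redirect_query against the query string your app actually redirects with (using your SP public key) to see which kind of signature, if any, is present before comparing notes with the IdP's logs.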

Answers (0)
