Support SAML 2.0 as IdP #7

Merged
merged 2 commits into from
Apr 19, 2019
4 changes: 4 additions & 0 deletions Gemfile
@@ -37,6 +37,10 @@ gem 'jbuilder', '~> 2.5'

gem 'devise'
gem 'doorkeeper-openid_connect'
# bundle config local.saml_idp /Users/guochunzhong/git/sso/saml_idp/
gem 'saml_idp', git: 'https://github.com/thape-cn/saml_idp', branch: :master
# Encrypted Assertions require the xmlenc gem in saml_idp
# gem 'xmlenc'
gem 'pundit'

# Use ActiveStorage variant
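Review bot: the `gem 'saml_idp', git: 'https://github.com/thape-cn/saml_idp', branch: :master` line tracks a moving branch of a fork, so any later `bundle update` can pull arbitrary new commits from that repository into the component that signs every assertion this IdP issues; pin it with `ref: '<commit sha>'` (the revision Gemfile.lock already records) or a `tag:` so the dependency only moves on purpose. The `# bundle config local.saml_idp /Users/guochunzhong/...` comment is a personal local-override path and should be removed or replaced with a generic note before merging.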
21 changes: 19 additions & 2 deletions Gemfile.lock
@@ -1,3 +1,14 @@
GIT
remote: https://github.com/thape-cn/saml_idp
revision: 26d83c43a5fac763ff06babe1fc95866e8eb09fa
branch: master
specs:
saml_idp (0.8.0)
activesupport (>= 3.2)
builder (>= 3.0)
nokogiri (>= 1.6.2)
uuid (>= 2.3)

GEM
remote: https://rubygems.org/
specs:
@@ -79,7 +90,7 @@ GEM
capistrano (~> 3.7)
capistrano-bundler
puma (~> 3.4)
capybara (3.16.2)
capybara (3.17.0)
addressable
mini_mime (>= 0.1.3)
nokogiri (~> 1.8)
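Review bot: the `capybara (3.16.2)` to `(3.17.0)` bump is unrelated to adding the SAML IdP, and the same goes for the `selenium-webdriver` bump further down; unrelated lockfile churn makes the change that actually matters for security here (the new `GIT` source for `saml_idp` at a specific revision) harder to audit. Either move these bumps to their own commit or regenerate the lock with `bundle install`, which only adds the new gem, instead of `bundle update`.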
@@ -136,6 +147,8 @@ GEM
loofah (2.2.3)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
macaddr (1.7.1)
systemu (~> 2.6.2)
mail (2.7.1)
mini_mime (>= 0.1.1)
marcel (0.3.3)
@@ -218,7 +231,7 @@ GEM
sprockets (> 3.0)
sprockets-rails
tilt
selenium-webdriver (3.141.592)
selenium-webdriver (3.141.5926)
childprocess (>= 0.5, < 2.0)
rubyzip (~> 1.2, >= 1.2.2)
simplecov (0.16.1)
@@ -245,6 +258,7 @@ GEM
sshkit (1.18.2)
net-scp (>= 1.1.2)
net-ssh (>= 2.8.0)
systemu (2.6.5)
thor (0.20.3)
thread_safe (0.3.6)
thread_safe (0.3.6-java)
@@ -258,6 +272,8 @@ GEM
tzinfo (>= 1.0.0)
uglifier (4.1.20)
execjs (>= 0.3.0, < 3)
uuid (2.3.9)
macaddr (~> 1.0)
warden (1.2.8)
rack (>= 2.0.6)
web-console (3.7.0)
@@ -308,6 +324,7 @@ DEPENDENCIES
puma (~> 3.11)
pundit
rails (~> 5.2.2)
saml_idp!
sassc-rails
selenium-webdriver
simplecov
13 changes: 12 additions & 1 deletion README.md
@@ -27,7 +27,9 @@ cp /usr/local/etc/openssl/cert.pem /usr/local/lib/ruby/gems/2.6.0/gems/httpclien
```


# Open ID Connect signing_key
# Generate signing key

## Open ID Connect

Just following [doorkeeper-openid_connect gem readme](https://github.com/doorkeeper-gem/doorkeeper-openid_connect#configuration):

@@ -37,3 +39,12 @@ openssl rsa -pubout -in oauth2id_oidc_private_key.pem -out oauth2id_oidc_public_
```

Notice replace oauth2id with your new site name, notice you can get public key from [/oauth/discovery/keys](https://oauth2id.dev/oauth/discovery/keys) as well.


## SAML 2.0

```bash
openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout oauth2id_saml_key.key -out oauth2id_saml_cert.crt
# Show SHA1 Fingerprint
openssl x509 -in oauth2id_saml_cert.crt -noout -sha256 -fingerprint
```
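Review bot: the comment `# Show SHA1 Fingerprint` contradicts the command under it, which passes `-sha256`; change it to `# Show SHA-256 fingerprint` so it matches the `oauth2id_x509_sha256_fingerprint` credential name the initializer reads. The section should also say where `oauth2id_saml_key.key` and `oauth2id_saml_cert.crt` go (into `rails credentials:edit` as `oauth2id_x509_secret_key` and `oauth2id_x509_certificate`) and that the key file must not be committed, since `-nodes` writes it to disk unencrypted.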
22 changes: 22 additions & 0 deletions app/controllers/saml_idp_controller.rb
@@ -0,0 +1,22 @@
class SamlIdpController < SamlIdp::IdpController
before_action :authenticate_user!, except: [:show]

# override create and make sure to set both "GET" and "POST" requests to /saml/auth to #create
def create
if user_signed_in?
@saml_response = idp_make_saml_response(current_user)
render :template => "saml_idp/idp/saml_post", :layout => false
return
else
# it shouldn't be possible to get here, but lets render 403 just in case
render :status => :forbidden
end
end

# NOT USED def idp_authenticate(email, password)

def idp_make_saml_response(found_user) # not using params intentionally
encode_response found_user
end
private :idp_make_saml_response
end
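Review bot: `render :status => :forbidden` in the `else` branch names no template, so Rails would look for `saml_idp/create`, raise `ActionView::MissingTemplate` and answer 500 rather than 403; use `head :forbidden`. The branch is effectively unreachable anyway because `before_action :authenticate_user!` already covers `create`, and the `return` before `else` is redundant. Two things to confirm against the base `SamlIdp::IdpController`: that its `validate_saml_request` before-action still runs for this overridden `create` (otherwise a malformed or unsigned `SAMLRequest` from any issuer would be answered with a signed assertion for the logged-in user), and that the service provider's cross-site POST to `/saml/auth` is not rejected by the base class's CSRF protection.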
2 changes: 1 addition & 1 deletion config/credentials.yml.enc
@@ -1 +1 @@
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--49ksQzPq5rhRh87G--3pjvVtmDmgoEKoWXPTUFLw==
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--eCt64NCUxaif3the--CoRHjhLz0u7G5XwtKlPZAA==
53 changes: 53 additions & 0 deletions config/initializers/saml_idp.rb
@@ -0,0 +1,53 @@
SamlIdp.configure do |config|
if Rails.env.development?
base = 'https://oauth2id.test'
else
base = 'https://oauth2id.dev'
end

config.x509_certificate = Rails.application.credentials.oauth2id_x509_certificate!

config.secret_key = Rails.application.credentials.oauth2id_x509_secret_key!

# NameIDFormat
config.name_id.formats = {
email_address: -> (principal) { principal.email },
transient: -> (principal) { principal.id },
persistent: -> (p) { p.id },
}

service_providers = {
"https://saml-example.test/saml/metadata" => {
fingerprint: Rails.application.credentials.oauth2id_x509_sha256_fingerprint!,
metadata_url: "https://saml-example.test/saml/metadata"
},
}

# `identifier` is the entity_id or issuer of the Service Provider,
# settings is an IncomingMetadata object which has a to_h method that needs to be persisted
config.service_provider.metadata_persister = ->(identifier, settings) {
fname = identifier.to_s.gsub(/\/|:/,"_")
FileUtils.mkdir_p(Rails.root.join('cache', 'saml', 'metadata').to_s)
File.open Rails.root.join("cache/saml/metadata/#{fname}"), "r+b" do |f|
Marshal.dump settings.to_h, f
end
}

# `service_provider` is a ServiceProvider object. Based on the `identifier` or the
# `service_provider` you should return the settings.to_h from above
config.service_provider.persisted_metadata_getter = ->(identifier, service_provider){
fname = identifier.to_s.gsub(/\/|:/,"_")
FileUtils.mkdir_p(Rails.root.join('cache', 'saml', 'metadata').to_s)
full_filename = Rails.root.join("cache/saml/metadata/#{fname}")
if File.file?(full_filename)
File.open full_filename, "rb" do |f|
Marshal.load f
end
end
}

# Find ServiceProvider metadata_url and fingerprint based on our settings
config.service_provider.finder = ->(issuer_or_entity_id) do
service_providers[issuer_or_entity_id]
end
end
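Review bot: `metadata_persister` opens the cache file with mode `"r+b"`, which raises `Errno::ENOENT` when the file does not exist yet, so the first persist for a new service provider fails; use `"wb"`. The `fingerprint:` for `https://saml-example.test/saml/metadata` is read from `oauth2id_x509_sha256_fingerprint!`, which by its name is this IdP's own certificate fingerprint, whereas saml_idp uses the SP's `fingerprint` to validate the SP's signature on incoming requests; it should be the SP's certificate fingerprint (or be left to the fetched `metadata_url`). `transient:` and `persistent:` both return `principal.id`: a transient NameID is meant to be an opaque per-session value, and returning the raw database id as the persistent identifier discloses it to every SP, so use a random value for transient and a per-SP pseudonymous identifier for persistent. `Marshal.load` on the cached metadata is acceptable only while this app is the sole writer of `cache/saml/metadata`; `JSON` would remove the deserialization risk entirely. `base` is assigned but never used.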
5 changes: 5 additions & 0 deletions config/routes.rb
@@ -2,6 +2,11 @@
use_doorkeeper
use_doorkeeper_openid_connect
resources :oauth2_applications, only: %i[update create]

get '/saml/auth' => 'saml_idp#create'
get '/saml/metadata' => 'saml_idp#show'
post '/saml/auth' => 'saml_idp#create'

devise_for :users, controllers: { sessions: 'user/sessions',
passwords: 'user/passwords',
confirmations: 'user/confirmations',
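Review bot: `get '/saml/auth'` and `post '/saml/auth'` both route to `saml_idp#create`, so the HTTP-Redirect and HTTP-POST bindings land on the same action; `match '/saml/auth', to: 'saml_idp#create', via: [:get, :post]` expresses that in one line and makes the dual binding explicit to the next reader. `/saml/metadata` is deliberately unauthenticated (`except: [:show]` in the controller), which is correct for metadata, but it is worth a comment here so nobody later "fixes" it by adding auth or, worse, extends the action.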