devise_saml_authenticatable
Working with Shibboleth
Has anyone had luck getting this working with a shibboleth IdP? The IdP I am working with isn't being very helpful here, but they are returning a "Error decoding Shibboleth SSO request"
Right now I am starting to believe that they may require a x509 cert for a metadata exchange. Does anyone know for sure on this or have it working with the devise gem?
The exact details will depend on how the IdP is configured. In most cases, yes, you will need to do some kind of metadata exchange—not only do you need information about the IdP (which you provide through configuration), but often it needs to be configured to accept authentication requests from your application. Encryption is a fairly common requirement, and getting it right is a little fussy. X.509 certificates are easy to generate, though; my sysadmin pointed me to this page.
I believe Chrome and Firefox both have plugins available that will show you SAML packets as they are exchanged. I found that, plus a friendly IdP administrator, invaluable in authenticating with Shib.
I agree it is a little fussy. Any thoughts on where to include the cert and key? I've been attempting things according to the ruby-saml docs which this gem is built on. But I think I am having trouble getting the cert/key into the request when using the adapter:
```ruby
# Pull the IdP settings from its published metadata, then attach the SP's own cert and key
idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
@settings = idp_metadata_parser.parse_remote(current_tenant.idp_setup.idp_entity_id)
@settings.certificate = ENV['SSO_CERT']
@settings.private_key = ENV['SSO_KEY']
```
Shouldn't I see the cert in the AuthnRequest in the rails server logs?
I might be misunderstanding what you're trying to do, but if that certificate and key are for signing requests sent to the IdP, it's part of the settings you configure in devise.rb:

```ruby
config.saml_configure do |settings|
  settings.certificate = "CERTIFICATE TEXT WITH HEAD AND FOOT"
  settings.private_key = "PRIVATE KEY TEXT WITH HEAD AND FOOT"
end
```
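Added example, not from the gem or from anyone in this thread: a small check to run on the cert and key before they go into the `saml_configure` block (or onto the adapter's settings object), so a mismatched or expired pair is caught locally before a request ever reaches the IdP. `FakeSettings` is a stand-in for `OneLogin::RubySaml::Settings` so the script runs without the gem; `SsoKeyMaterial` and `self_signed_pair` are hypothetical helpers, and the certificate they build is constructed test material.

```ruby
require 'openssl'

# Stand-in for OneLogin::RubySaml::Settings so this runs without the gem;
# the real object exposes the same certificate=, private_key= and security accessors.
FakeSettings = Struct.new(:certificate, :private_key, :security)

module SsoKeyMaterial
  # Hypothetical helper: parse the PEM pair, confirm the certificate was
  # issued for this private key and is currently valid, and return both.
  def self.load(cert_pem, key_pem, now: Time.now)
    cert = OpenSSL::X509::Certificate.new(cert_pem)
    key  = OpenSSL::PKey::RSA.new(key_pem)
    raise ArgumentError, 'certificate does not match private key' unless cert.check_private_key(key)
    raise ArgumentError, 'certificate not yet valid' if cert.not_before > now
    raise ArgumentError, 'certificate expired' if cert.not_after < now
    [cert, key]
  end

  # Assign the checked pair to a settings object and ask ruby-saml to sign
  # AuthnRequests, so the signature (and the cert) is present in what the IdP receives.
  def self.apply(settings, cert_pem, key_pem)
    cert, key = load(cert_pem, key_pem)
    settings.certificate = cert.to_pem
    settings.private_key = key.to_pem
    settings.security[:authn_requests_signed] = true
    settings
  end
end

# Constructed test material: a throwaway self-signed SP certificate.
def self_signed_pair(days: 365)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', 'sp.example.test']])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end

if $PROGRAM_NAME == __FILE__
  cert_pem, key_pem = self_signed_pair
  settings = SsoKeyMaterial.apply(FakeSettings.new(nil, nil, {}), cert_pem, key_pem)
  puts settings.security.inspect
end
```

In a real initializer, replace `FakeSettings` with the `settings` yielded by `config.saml_configure` and feed it the PEM text from wherever you keep the key material.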