
Newbie question: writing a rails app to use my university's SIB services

Open pitosalas opened this issue 10 years ago • 9 comments

I'm having a hard time understanding how to connect the bits and pieces to make this work, although according to my IT people it should be 'simple'. So I have some questions:

  1. As I am deploying to Heroku I can't really run a separate shib sp, so my understanding is that therefore I should use the rack-saml gem here. Is this correct?

  2. According to my IT guy, all I need to do is to provide him with the 'saml metadata', which is an XML file. I am not clear where to get that.

  3. Best would be if you could point me at a simple/complete example doing something similar, which is a rails app that uses shib for authentication. (I don't even require using oauth2 if that is an unnecessary complication...)

Any help would be greatly appreciated!!

pitosalas avatar Oct 06 '14 20:10 pitosalas

Sorry for the late reply. I would like to answer quickly.

  1. As I am deploying to Heroku I can't really run a separate shib sp, so my understanding is that therefore I should use the rack-saml gem here. Is this correct?

Yes, you are right.

  2. According to my IT guy, all I need to do is to provide him with the 'saml metadata', which is an XML file. I am not clear where to get that.

By default, it can be downloaded from the rack-saml enabled SP's URL (http://target_host/Shibboleth.sso/Metadata).

  3. Best would be if you could point me at a simple/complete example doing something similar, which is a rails app that uses shib for authentication. (I don't even require using oauth2 if that is an unnecessary complication...)

You can also use ruby-saml directly in your application. rack-saml just uses ruby-saml to handle the SAML request/response. While there may be other options, I am currently not sure.

The current rack-saml is not compatible with the latest ruby-saml, as indicated by the following pull request.

https://github.com/toyokazu/rack-saml/pull/9

I would like to fix it. Please wait for a moment.

toyokazu avatar Oct 25 '14 15:10 toyokazu

It's an old post but I'd like to add something for those who'll bump into this:

rack-saml will probably not work for you to provide sign-in via a university Shibboleth IdP because of this:

Current implementation supports only the Onelogin SAML assertion handler. It does not support signing the AuthnRequest or encrypting the Response. Thus, the assertion encryption function should be disabled on the IdP side for rack-saml SPs.

Due to privacy and security concerns, most university IdPs require the SP to support encrypted responses. This is definitely the case with http://testshib.org and http://www.ukfederation.org.uk.

tadas-s avatar May 26 '15 12:05 tadas-s

Sorry for the late reply. Yes, you are right. Currently, rack-saml can be used for SPs which do not require sensitive attributes, for example, an SP that just requires the organization name, like an electronic journal service :)

If many of you want to use it with sensitive attributes, the encryption function must be implemented.

Currently, I cannot find enough time for it, but if I receive many requests, I would like to ask colleagues to do it :)

toyokazu avatar Jun 05 '15 10:06 toyokazu

I see signed assertions in this branch from makerbot,

https://github.com/makerbot/rack-saml/tree/feature/signed-assertions

Is there any progress on assertion encryption? It appears OneLogin::RubySaml does support this ability now.

jasonheffner avatar Oct 07 '16 14:10 jasonheffner

Hi,

Yes. The current version can encrypt assertions using the OneLogin::Ruby::SAML function, thanks to @kerlin's contribution. I think you can use it by specifying sp_cert and sp_key in the configuration. If you cannot use it, please provide your feedback.

toyokazu avatar Oct 16 '16 10:10 toyokazu
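Two checks an SP operator can run on the artefacts discussed in this thread: the SP metadata that the IdP side asks for (question 2) and an IdP Response, to see whether the IdP is encrypting assertions, which only an SP configured with its own key pair (sp_cert/sp_key above) can read. This is an added example, not rack-saml or ruby-saml code; the metadata below is constructed and the certificate is a placeholder.

```ruby
require "rexml/document"

# Namespaces used in SAML 2.0 metadata and assertions.
NS = { "md"   => "urn:oasis:names:tc:SAML:2.0:metadata",
       "ds"   => "http://www.w3.org/2000/09/xmldsig#",
       "saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }.freeze

# Constructed sample SP metadata (not rack-saml output); a real one is fetched
# from the SP's /Shibboleth.sso/Metadata URL and handed to the IdP operator.
SAMPLE_SP_METADATA = <<~XML
  <?xml version="1.0"?>
  <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.edu/shibboleth">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...CERT-PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.edu/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
XML

# Summarise what an SP's metadata tells the IdP it can handle. A KeyDescriptor
# with no `use` attribute counts for both signing and encryption (SAML metadata spec).
def inspect_sp_metadata(xml)
  doc = REXML::Document.new(xml)
  sp  = REXML::XPath.first(doc, "//md:SPSSODescriptor", NS)
  raise ArgumentError, "no SPSSODescriptor in metadata" unless sp

  keys = REXML::XPath.match(sp, "md:KeyDescriptor", NS)
  uses = keys.map { |k| k.attributes["use"] }
  {
    entity_id: doc.root.attributes["entityID"],
    # Without an encryption key the IdP has no way to send an EncryptedAssertion.
    can_receive_encrypted_assertions: uses.any? { |u| u.nil? || u == "encryption" },
    publishes_signing_key: uses.any? { |u| u.nil? || u == "signing" },
    wants_assertions_signed: sp.attributes["WantAssertionsSigned"] == "true",
    acs_urls: REXML::XPath.match(sp, "md:AssertionConsumerService/@Location", NS).map(&:value)
  }
end

# True when an IdP Response carries an EncryptedAssertion, i.e. the IdP is
# encrypting and the SP must hold the matching private key to read it.
def assertion_encrypted?(response_xml)
  !REXML::XPath.first(REXML::Document.new(response_xml), "//saml:EncryptedAssertion", NS).nil?
end
```

If `can_receive_encrypted_assertions` is false for your published metadata while the IdP federation requires encryption, the IdP will either refuse the SP or send assertions it cannot decrypt, which is the failure mode described earlier in this thread.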

Thanks @toyokazu I had missed that update. I might suggest updating the docs to remove that limitation then. That's excellent news and much appreciated.

jasonheffner avatar Oct 17 '16 13:10 jasonheffner

Thank you for your comment. Unfortunately, I cannot find time to test the function myself. If you have already confirmed the assertion encryption function, please let me know. I'd like to update the document.

toyokazu avatar Oct 20 '16 09:10 toyokazu

> Thanks @toyokazu I had missed that update. I might suggest updating the docs to remove that limitation then. That's excellent news and much appreciated.

Hi @jasonheffner, did you manage to get this working?

webattitude avatar Jun 09 '23 14:06 webattitude

@webattitude I believe we had at the time, but then switched to handling authentication at the transport layer using apache as a proxy. It's just been too long to remember all the details.

jasonheffner avatar Jun 13 '23 13:06 jasonheffner