Ruby on rails 使用Ping联邦成员实现Rails SSO
在我的RubyonRails项目中,我需要实现SAMLSO,并将Ping标识作为我的IDP。我使用的gem是Ruby on rails 使用Ping联邦成员实现Rails SSO,ruby-on-rails,devise,single-sign-on,saml,onelogin,Ruby On Rails,Devise,Single Sign On,Saml,Onelogin,在我的RubyonRails项目中,我需要实现SAMLSO,并将Ping标识作为我的IDP。我使用的gem是designe\u saml\u authenticable 在我的config/initializers/designe.rb中,我有: config.saml_route_helper_prefix = 'saml' # ==> SAML config.saml_create_user = true config.saml_update_user = true
designe\u saml\u authenticableconfig/initializers/designe.rb中,我有:
config.saml_route_helper_prefix = 'saml'
# ==> SAML
config.saml_create_user = true
config.saml_update_user = true
config.saml_default_user_key = :email
config.saml_session_index_key = :session_index
config.saml_use_subject = true
config.idp_entity_id_reader = DeviseSamlAuthenticatable::DefaultIdpEntityIdReader
config.idp_settings_adapter = nil
config.saml_configure do |settings|
settings.assertion_consumer_service_url = "#{Settings.devise_callback}/users/saml/auth"
settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
settings.name_identifier_format = Settings.clientname.sso.name_identifier_format
settings.issuer = "#{Settings.devise_callback}/users/saml/meta_data"
settings.idp_entity_id = Settings.clientname.sso.idp_entity_id
settings.authn_context = ""
settings.idp_slo_target_url = Settings.clientname.sso.idp_slo_target_url
settings.idp_sso_target_url = Settings.clientname.sso.idp_sso_target_url
settings.idp_cert_fingerprint = Settings.clientname.sso.idp_cert_fingerprint
settings.idp_cert_fingerprint_algorithm = 'http://www.w3.org/2000/09/xmldsig#sha256'
end
在我的app/models/user.rb中,我有
devise :database_authenticatable, :rememberable, :trackable, :validatable, :recoverable, :timeoutable, :session_limitable, :saml_authenticatable
除了使用我客户的IDP之外,我还使用Onelogin和Okta设置了IDP,上面的代码工作得非常好
与Onelogin和Okta不同,Ping Identity提供的我的客户的IDP不会首先显示用于输入电子邮件的页面,然后显示另一个用于输入密码的页面。换句话说,没有像Onelogin和Okta那样的IDP登录页面
所以问题是,现在我有客户端的IDP实体id、SSO目标URL、SLO目标URL、指纹。如何通过表单向IDP进行身份验证并登录用户
到目前为止我已经试过了
=form_tag(Settings.sso.idp_sso_target_url, html: {role: 'form'}, method: :post) do |f|
.form-group
label for="email" Email
= email_field_tag :email
.form-group
label for="password" Password
= password_field_tag :password
button.btn.btn-info.btn-sm type="submit" Submit
|
其中Settings.sso.idp\u sso\u target\u url是看起来像https://auth2test.clientname.ca/idp/SSO.saml2
使用Ping作为IDP,我得到了以下结果:
<S11:Envelope><S11:Body><S11:Fault><faultcode>soapenv:Client</faultcode><faultstring>Invalid Request</faultstring></S11:Fault></S11:Body></S11:Envelope>
这是给错误无效的电子邮件或密码(我相信这是正确的)
我非常怀疑我是否在正确的轨道上。请给我指一下正确的方向。多谢各位
= form_for(resource, as: resource_name, url: saml_user_session_path(resource_name), html: {role: 'form'}) do |f|
.form-group
label for="email" Email
= f.email_field :email, autofocus: true, autocomplete: "email", class: 'form-control', placeholder: 'Email', id: 'email'
.form-group
label for="password" Password
= f.password_field :password, autocomplete: "off", placeholder: 'Password', class: 'form-control', id: 'password'
button.btn.btn-info.btn-sm type="submit" Submit
|