<img src=“https://travis-ci.org/digidentity/libsaml.png?branch=master” alt=“Build Status” />
Libsaml is a Ruby gem to easily create SAML 2.0 messages. This gem was written because other SAML gems were missing functionality such as XML signing.
Libsaml’s features include:
-
Bindings: HTTP-Post, HTTP-Redirect, HTTP-Artifact, SOAP
-
XML signing and verification
-
Pluggable backend for providers (FileStore backend included)
Copyright Digidentity BV, released under the MIT license. This gem was written by Benoist Claassen.
Place in your Gemfile:
gem 'libsaml', require: 'saml'
Below follows how to configure the SAML gem in a service provider.
Store the private key in: config/ssl/key.pem
Store the public key of the identity provider in: config/ssl/trust-federate.cert
Add the Identity Provider web container configuration file to config/metadata/service_provider.xml. This contains an encoded version of the public key, generate this in the ruby console by typing:
irb require 'openssl' require 'base64' pem = File.open("config/ssl/trust-federate.cert").read cert = OpenSSL::X509::Certificate.new(pem) output = Base64.encode64(cert.to_der).gsub("\n", "")
Add the Service Provider configuration file to config/metadata/service_provider.xml:
<?xml version="1.0" encoding="UTF-8"?> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_052c51476c9560a429e1171e8c9528b96b69fb57" entityID="my:very:original:entityid"> <md:SPSSODescriptor> <md:KeyDescriptor use="signing"> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>SAME_KEY_AS_GENERATED_IN_THE_CONSOLE_BEFORE</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Post" index="0" Location="http://localhost:3000/saml/receive_response" isDefault="true"/> </md:SPSSODescriptor> </md:EntityDescriptor>
Set up an intializer in config/initializers/saml_config.rb:
Saml.setup do |config| config.entity_id = "my:very:original:entityid" config.provider_store = Saml::ProviderStore::File.new("config/metadata", "config/ssl/key.pem") # config.provider_store = SamlProvider end
By default this will use a SamlProvider model that uses the filestore, if you want a database driven model comment out the #provider_store function in the initializer and make a model that defines #find_by_entity_id:
class SamlProvider < ActiveRecord::Base include Saml::Provider def self.find_by_entity_id(entity_id) where(entity_id: entity_id).first! end end
Now you can make a SAML controller in app/controllers/saml_controller.rb:
class SamlController < ApplicationController def request_authentication provider = Saml.provider("my:very:original:entityid") destination = provider.single_sign_on_service_url(Saml::ProtocolBindings::HTTP_POST) authn_request = Saml::AuthnRequest.new(:destination => destination) @saml_attributes = Saml::Bindings::HTTPPost.create_form_attributes(authn_request) render text: @saml_attributes.to_yaml end def receive_response end end
Don’t forget to define the routes in config/routes.rb:
get "/saml/request_authentication" => "saml#request_authentication" get "/saml/receive_response" => "saml#receive_response"
-
Fork the project
-
Contribute your changes. Please make sure your changes are properly documented and covered by tests.
-
Send a pull request