Code Your Ruby App to Provide SSO via OneLogin
Using the Toolkit
The lib
folder contains the files you’ll copy into your Rails application. But first, let’s take a look at the sample application located here. It’s a ready-to-run SAML relying party (or service provider). The saml_controller.rb
file contains all of the logic needed to authenticate using SAML:
require 'onelogin/saml'
class SamlController < ApplicationController
skip_before_filter :verify_authenticity_token, :only => [:consume]
def index
# insert identity provider discovery logic here
settings = Account.get_saml_settings
request = Onelogin::RubySaml::Authrequest.new
redirect_to(request.create(settings))
end
def consume
response = Onelogin::RubySaml::Response.new(params[:SAMLResponse])
# insert identity provider discovery logic here
response.settings = Account.get_saml_settings
logger.info "NAMEID: #{response.name_id}"
if response.is_valid?
session[:userid] = response.name_id
redirect_to :action => :complete
else
redirect_to :action => :fail
end
end
end
The index action initiates the SAML exchange.
To know where to redirect the user with the authentication request, we need to establish the user’s identity provider. This depends on your application. If accounts have a dedicated subdomain name (e.g. mycompany.accountingapp.com
) or if SAML authentication for accounts is limited to certain IP ranges, you need to look up account information based on whatever information you already have about the user.
The consume action receives the SAML assertion. Again, you need to know the identity provider the user belongs to, but now you have a clue: use response.nameid
to retrieve the username or email address in the SAML assertion. Then use the information to retrieve the identity provider information. You can then verify that the SAML assertion is actually from the identity provider configured on the account.
What Needs to be Configured
In the example above, SAML settings are retrieved using the get_saml_settings
method on the account object. This example is generic and get_saml_settings
doesn’t take any parameters. You’ll need to add your own information here (subdomain
and ip_address
, for example) when fetching the account, and hence SAML settings.
The following information needs to be available on the account:
-
assertion_consumer_service_url
The URL at which the SAML assertion should be received. In this example,
http://localhost:3000/saml/consume
would be correct. -
issuer
The name of your application. Some identity providers might need this to establish the identity of the service provider requesting the login.
-
idp_sso_target_url
The URL to which the authentication request should be sent. This would be on the identity provider.
-
idp_cert_fingerprint
The certificate fingerprint, e.g. “
90:cc:16:f0:8D:a6:D1:c6:BB:27:2D:ba:93:80:1A:1f:16:8e:4E:08
”. This is provided from the identity provider when setting up the relationship. -
name_identifier_format
Describes the format of the username required by this application. If you need the email address, use “
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
”. See section 8.3 of Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 for other options. Note that the identity provider might not support all options.
Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.
StackOverflow discussions about "onelogin saml ruby"
-
Q: CAS vs. SAML vs. OAuth2
Asked Mar 14 2015https://github.com/onelogin/ruby-saml CASino and https://github.com/rbCAS/casino-activerecord_authenticator And I am sure there are hundreds of OAuth related gems. I just want a separate Rails … simple enough. At my company, we have a bunch of Ruby on Rails applications. I want to build an SSO authentication service which all those applications should use. Trying to do some research on how to go …
-
A: SAML 2.0 SSO for Ruby on Rails?
Answered Nov 20 2010I played with this one once: https://github.com/onelogin/ruby-saml It might be what you're looking for. …
-
A: Python SSO: pysaml2 and python3-saml
Answered Nov 16 2016Onelogin's SAML toolkit so if you used any other toolkit before (php-saml, ruby-saml, java-saml), will be easy for you to handle with it (similar methods, same settings). Differences Crypto: pysaml2 … Both projects are compatible with Shibboleth. pysaml2 is older than python3-saml, right now both support py2 and py3. Both are kinda active and documented. python3-saml follows the structure of …
-
Q: How to return multiple nameId formats in OneLogin Ruby metadata xml?
Asked Mar 12 2020: emailAddress, transient, persistent, unspecified, and X509SubjectName. My question is: Can OneLogin's Ruby gem be configured to return multiple name id formats in our applications saml metadata xml? There does not appear to be documentation on this via the gem: https://github.com/onelogin/ruby-saml … Question Can OneLogin's Ruby gem be configured to return multiple name id formats in our applications saml metadata xml? Context: We are a service provider that use's Onelogin's Ruby gem for SAML …
-
Q: Rails - Onelogin ruby-saml integration issue +
Asked Apr 08 2014I am facing issue in using ruby-saml in my Rails application. I am new to Ruby world. From here I got to know I could use ruby-saml tool kit for SAML SP. Now, when I tried to refer to OneLogin in … different errors. require 'onelogin/saml' or require 'onelogin/ruby-saml' Getting the errors like, cannot load such file -- onelogin/saml or cannot load such file -- onelogin/ruby-saml I installed the …

Loading...