-
Git clone this project
-
Bundle install
-
Register the SAML entity on your identity provider
-
Go to openidp.feide.no/simplesaml/module.php/metaedit/index.php
-
Click Register New Account and follow instructions
-
Once you’re logged in, click Add New Entity
-
Make up an entity ID
-
Use the same value for the name and description fields
-
Under the SAML 2.0 tab, set the AssertionConsumerService endpoint to something like: localhost:3000/saml/consume
-
-
Change app/models/account.rb to be something like:
-
settings.assertion_consumer_service_url = “localhost:3000/sessions/complete”
-
settings.issuer = # THE ENTITY ID/NAME YOU ENTERED ABOVE
-
settings.idp_sso_target_url = “openidp.feide.no/simplesaml/saml2/idp/SSOService.php”
-
settings.idp_cert_fingerprint = “c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb”
-
-
Run the Rails server
-
You browse to localhost:3000/saml
-
You’re redirected to a URL like openidp.feide.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=nZNBb9swDIXv%2BxWG7…
-
If you’re not currently logged in at the identity provider, you’ll see a login page
-
After logging in, you might see another “consent about releasing personal information” page that you must click Yes Continue to
-
You’re redirected to POST to localhost:3000/saml/consume with SAMLResponse => “PHNhb”… (a really long encrypted string)
-
The response object will look something like:
response: #<Onelogin::Saml::Response:0xb6e14d74
@name_id="_8345e8a3b8fb03c55071ffa7320b40eda8523faef2",
@options={},
@settings=#<Onelogin::Saml::Settings:0xb6df274c
@idp_sso_target_url="https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php",
@name_identifier_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
@issuer="DanielAtQuickLeftComTest",
@idp_cert_fingerprint="c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb",
@assertion_consumer_service_url="http://localhost:3000/sessions/complete">, @document=<UNDEFINED> ... </>,
@response="PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJ
-
The Rails app then redirects to either complete, or fail if not response.is_valid?
-
The /saml/complete page will show you a NameID like _8345e8a3b8fb03c55071ffa7320b40eda8523faef2 and a link to Logout (logs out from the Rails app not the identity provider)
-
You can logout for real by going to openidp.feide.no/simplesaml/module.php/selfregister/index.php and clicking on Logout