Recently, we integrated our SAML service provider(SP) with multiple identity providers(IDPs) to facilitate Single sign-on(SSO) using Devise with OmniAuth.
Before we jump into the specifics, here is SAML definition from wikipedia.
Security Assertion Markup Language (SAML, pronounced sam-el) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider(IDP) and a service provider(SP).
Here is the official overview on how to integrate OmniAuth with Devise.
After following the overview,
this is how our
user.rb looked like.
1# config file 2Devise.setup do |config| 3 config.omniauth :saml, 4 idp_cert_fingerprint: 'fingerprint', 5 idp_sso_target_url: 'target_url' 6end 7 8#user.rb file 9devise :omniauthable, :omniauth_providers => [:saml]
The problem with above configuration is that it supports only one SAML IDP.
To have support for multiple IDPs, we re-defined files as below.
1# config file 2Devise.setup do |config| 3 config.omniauth :saml_idp1, 4 idp_cert_fingerprint: 'fingerprint-1', 5 idp_sso_target_url: 'target_url-1' 6 strategy_class: ::OmniAuth::Strategies::SAML, 7 name: :saml_idp1 8 9 config.omniauth :saml_idp2, 10 idp_cert_fingerprint: 'fingerprint-2', 11 idp_sso_target_url: 'target_url-2' 12 strategy_class: ::OmniAuth::Strategies::SAML, 13 name: :saml_idp2 14end 15 16#user.rb file 17devise :omniauthable, :omniauth_providers => [:saml_idp1, :saml_idp2]
Let's go through the changes one by one.
1. Custom Providers:
Instead of using standard provider
we configured custom providers (
in the first line of configuration
as well as in
2. Strategy Class:
In case of the standard provider(
Devise can figure out
on its own.
For custom providers,
we need to explicitly specify it.
3. OmniAuth Unique Identifier:
After making the above two changes,
everything worked fine
except OmniAuth URLs.
For some reason, OmniAuth was still listening
saml scoped path
instead of new provider names
1# Actual metadata path used by OmniAuth 2/users/auth/saml/metadata 3 4# Expected metadata path 5/users/auth/saml_idp1/metadata 6/users/auth/saml_idp2/metadata
After digging in
OmniAuth code bases,
we discovered provider
In the absence of this configuration,
OmniAuth falls back to strategy class name
to build the path.
As we could not find any code in Devise
saml scoped path
(we were expecting Devise to pass
assigning same value as
OmnitAuth started listening to the correct URLs.
4. Callback Actions:
Lastly, we added both actions in
1class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController 2 3 def saml_idp1 4 # Implementation 5 end 6 7 def saml_idp2 8 # Implementation 9 end 10 11 # ... 12 # Rest of the actions 13end
With these changes along with the official guide mentioned above, our SP was able to authenticate users from multiple IDPs.