Skip to content

Latest commit

 

History

History
105 lines (70 loc) · 3.74 KB

README.md

File metadata and controls

105 lines (70 loc) · 3.74 KB

OmniAuth WS-Fed

Gem Version Code Climate Build Status

The OmniAuth-WSFed authentication strategy can be used with the following technologies under scenarios requiring the WS-Federation protocol for authentication. These services are typically used for Identity Federation and Single Sign-On across large organizations or authentication domains.

  • ADFS 2.0
  • Corporate Secure Token Servers (STSs)
  • Windows Azure ACS (retired on November 7, 2018)

Installation

Add this line to your application's Gemfile:

    gem 'omniauth-wsfed'

And then execute:

$ bundle install

Or install it globally as:

$ gem install omniauth-wsfed

Configuration

Use the WSFed strategy as a middleware in your application:

require 'omniauth'

use OmniAuth::Strategies::WSFed,
  :issuer_name           => "http://your-azure-acs-namespace.accesscontrol.windows.net",
  :issuer                => "https://your-azure-acs-namespace.accesscontrol.windows.net/v2/wsfederation",
  :realm                 => "http://my.relyingparty/realm",
  :reply                 => "http://localhost:3000/auth/wsfed/callback",
  :id_claim              => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  :idp_cert_fingerprint  => "FC96D2983…"

or in your Rails application:

in Gemfile:

gem 'omniauth-wsfed'

and in config/initializers/omniauth.rb:

Rails.application.config.middleware.use OmniAuth::Builder do

  provider :wsfed,
    :issuer_name           => "http://your-azure-acs-namespace.accesscontrol.windows.net",
    :issuer                => "https://your-azure-acs-namespace.accesscontrol.windows.net/v2/wsfederation",
    :realm                 => "http://my.relyingparty/realm",
    :reply                 => "http://localhost:3000/auth/wsfed/callback",
    :id_claim              => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    :idp_cert_fingerprint  => "FC96D2983…"

end

Configuration Options

  • :issuer_name - The URI name of your Identity Provider (IdP). Required

  • :issuer - The IdP web endpoint (URL) to which the authentication request should be sent. Required.

  • :idp_cert_fingerprint - The SHA1 fingerprint of the IdP's signing certificate (e.g. "90:CC:16:F0:8D:…"). This is provided by the IdP when setting up the trust relationship. This option or :idp_cert must be present. (openssl x509 -noout -fingerprint -sha1 -in cert.pem)

  • :idp_cert - The IdP's certificate in PEM format. This option or :idp_cert_fingerprint must be present.

  • :realm - Your site's security realm. This is a URI defining the realm to which the IdP must issue a secure token. Required

  • :reply - The reply-to URL in your application for which a WSFed response should be posted. Defaults to the OmniAuth callback URL. Optional

  • :id_claim - Name of the authentication claim that you want to use as OmniAuth's uid property.

  • :saml_version - The version of SAML tokens. Defaults to 2.

Authors and Credits

Authored by Keith Beckman and MAK IT.

Special thanks to the developers of the following projects from which I borrowed from for omniauth-wsfed: