The OmniAuth-WSFed authentication strategy can be used with the following technologies in scenarios that require the WS-Federation protocol for authentication. These services are typically used for identity federation and single sign-on across large organizations or authentication domains.
- Windows Azure ACS
- ADFS 2.0
- Corporate Secure Token Servers (STSs)
Add this line to your application's Gemfile:

```ruby
gem 'omniauth-wsfed'
```

And then execute:

```shell
$ bundle install
```

Or install it globally as:

```shell
$ gem install omniauth-wsfed
```
Use the WSFed strategy as Rack middleware in your application:

```ruby
require 'omniauth'

use OmniAuth::Strategies::WSFed,
  :issuer_name => "http://your-azure-acs-namespace.accesscontrol.windows.net",
  :issuer => "https://your-azure-acs-namespace.accesscontrol.windows.net/v2/wsfederation",
  :realm => "http://my.relyingparty/realm",
  :reply => "http://localhost:3000/auth/wsfed/callback",
  :id_claim => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  # fingerprint of the IdP's signing certificate (or supply :idp_cert instead)
  :idp_cert_fingerprint => "FC96D2983…",
  :response_param => "wresult",
  :response_in_base64 => true,
  :response_elements_prefix => "ds"
```
Or, in a Rails application, add the gem to the Gemfile:

```ruby
gem 'omniauth-wsfed'
```

and configure the provider in config/initializers/omniauth.rb:

```ruby
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :wsfed,
    :issuer_name => "http://your-azure-acs-namespace.accesscontrol.windows.net",
    :issuer => "https://your-azure-acs-namespace.accesscontrol.windows.net/v2/wsfederation",
    :realm => "http://my.relyingparty/realm",
    :reply => "http://localhost:3000/auth/wsfed/callback",
    :id_claim => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    # fingerprint of the IdP's signing certificate (or supply :idp_cert instead)
    :idp_cert_fingerprint => "FC96D2983…",
    :response_param => "wresult",
    :response_in_base64 => true,
    :response_elements_prefix => "ds"
end
```
Configuration options:

- :issuer_name - The URI name of your Identity Provider (IdP). Required.
- :issuer - The IdP web endpoint (URL) to which the authentication request is sent. Required.
- :idp_cert_fingerprint - The SHA1 fingerprint of the IdP's signing certificate (e.g. "90:CC:16:F0:8D:…"). This is provided by the IdP when setting up the trust relationship. Because this is the value the token's signature is validated against, confirm it out of band against the certificate published in the IdP's federation metadata rather than copying it from an unauthenticated source. Either this option or :idp_cert must be present.
- :idp_cert - The IdP's signing certificate in PEM format. Either this option or :idp_cert_fingerprint must be present.
- :realm - Your site's security realm: a URI identifying the relying party to which the IdP must issue a security token. Required.
- :reply - The reply-to URL in your application to which the WS-Federation response is posted. Defaults to the OmniAuth callback URL. Optional. Use an https URL for anything other than local development, since the signed token is posted to this address.
- :id_claim - Name of the authentication claim whose value becomes OmniAuth's uid property.
- :saml_version - The version of the SAML tokens issued by the IdP. Defaults to 2.
- :response_param - The name of the form parameter in which the IdP sends its response. Defaults to "wresult".
- :response_in_base64 - Whether the response is Base64-encoded and must be decoded first. Defaults to false.
- :response_elements_prefix - XML namespace prefix used in the response for signature references and types; usually "ds" or "dsig". Defaults to "ds".
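The two places where the options above meet the wire are the sign-in redirect built from :issuer, :realm and :reply, and the check of the IdP's signing certificate against :idp_cert_fingerprint before any token is trusted. The following is an added example and is not code from omniauth-wsfed: it builds a WS-Federation passive sign-in URL with the standard wa/wtrealm/wreply/wctx parameters (the strategy's own request builder is not shown on this page, so treating it as equivalent is an assumption), and it computes and compares SHA1 certificate fingerprints in the "90:CC:16:…" form the option expects. The certificate is generated in-process as a stand-in for the IdP's real one, and WSFED_CONFIG reuses the option values from the configuration above.

```ruby
require 'openssl'
require 'uri'

# Added example (not part of omniauth-wsfed). Reuses the option values shown
# in the README configuration; the IdP certificate below is constructed locally.
WSFED_CONFIG = {
  :issuer => "https://your-azure-acs-namespace.accesscontrol.windows.net/v2/wsfederation",
  :realm  => "http://my.relyingparty/realm",
  :reply  => "http://localhost:3000/auth/wsfed/callback"
}.freeze

# Passive-requestor sign-in redirect: wa=wsignin1.0 plus the relying-party
# realm (wtrealm), the reply URL (wreply) and an optional opaque context (wctx).
# Parameter names follow the WS-Federation passive profile; that the strategy
# builds the same request is an assumption, not something this page states.
def wsfed_signin_url(config, wctx = nil)
  params = { 'wa' => 'wsignin1.0', 'wtrealm' => config[:realm] }
  params['wreply'] = config[:reply] if config[:reply]
  params['wctx']   = wctx if wctx
  uri = URI.parse(config[:issuer])
  uri.query = [uri.query, URI.encode_www_form(params)].compact.join('&')
  uri.to_s
end

# Throwaway self-signed certificate standing in for the IdP's signing cert
# (constructed here so the example runs offline).
def build_self_signed_cert(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 60 * 60
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# SHA1 over the DER encoding, rendered "AA:BB:..." as
# `openssl x509 -noout -sha1 -fingerprint` prints it.
def sha1_fingerprint(cert)
  OpenSSL::Digest.new('SHA1').hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Same, starting from a PEM string such as an :idp_cert option value.
def sha1_fingerprint_from_pem(pem)
  sha1_fingerprint(OpenSSL::X509::Certificate.new(pem))
end

# Strip separators and case so "90:CC:16..." and "90cc16..." compare equal.
def normalize_fingerprint(fp)
  fp.to_s.gsub(/[^0-9a-fA-F]/, '').downcase
end

# Constant-time equality so a mismatch does not leak how many bytes matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# True only if the configured fingerprint is a well-formed SHA1 value (40 hex
# digits) and matches the certificate that actually signed the token.
def fingerprint_matches?(configured_fp, cert)
  expected = normalize_fingerprint(configured_fp)
  return false unless expected.length == 40
  constant_time_equal?(expected, normalize_fingerprint(sha1_fingerprint(cert)))
end

if __FILE__ == $PROGRAM_NAME
  idp_cert = build_self_signed_cert('idp.example.test')
  puts wsfed_signin_url(WSFED_CONFIG, 'state-123')
  puts sha1_fingerprint(idp_cert)
  puts fingerprint_matches?(sha1_fingerprint(idp_cert), idp_cert)                         # true
  puts fingerprint_matches?(sha1_fingerprint(idp_cert), build_self_signed_cert('rogue'))  # false
end
```

The malformed-length check matters in practice: an empty or truncated fingerprint must fail closed rather than match anything, and a certificate presented inside the token that does not match the configured fingerprint must be rejected regardless of whether its own signature over the token verifies.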
Authored by Keith Beckman.
Special thanks to the developers of the following projects, from which I borrowed for omniauth-wsfed: