Problem with using Rails / ADFS integration gem omniauth-wsfed

I have been trying to set up my Ruby on Rails application to be accessed remotely by my partner, who uses ADFS 2.0 to provide an SSO option. I have been using the omniauth-wsfed gem but have failed.

I set up omniauth.rb as follows:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :wsfed,
      :issuer_name          => "http://fs.sib.com.br/adfs/services/trust",
      :issuer               => "https://fs.sib.com.br/adfs/ls/",
      :realm                => "https://qa.wit.com",
      :reply                => "https://qa.wit.com/students/auth/wsfed/callback",
      :saml_version         => "2.0",
      :id_claim             => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
      :idp_cert_fingerprint => "--94061be1aba531da005d5f22bf6796b7cd69b3---"
end

The error log is:

ERROR -- omniauth: (wsfed) Authentication failure! invalid_authn_token: OmniAuth::Strategies::WSFed::ValidationError, AuthN token (wresult) missing in callback.

Does anyone have an idea where this went wrong?

I assume you have configured omniauth.rb correctly, where:

Issuer Name: This should be in the format of the ADFS server domain followed by /adfs/services/trust

Issuer: This is where your login requests will be sent, normally it will be the path /adfs/ls on the ADFS server.

Realm: This should match the domain that you provide in your federation metadata document

Reply: This is where you want the response from ADFS to be returned to in your application. This is normally the path /auth/wsfed/callback when using Omniauth.

SAML Version: The version of SAML tokens. Defaults to 2

ID Claim: This is the name of the claim field that ADFS will return that should be used as the unique identifier.

IDP Cert Fingerprint: Your Windows Administrator should be able to tell you this, but if not a way to find it is to put in any string, do a test login to ADFS — this will fail when doing the callback as the certificate doesn’t match, however if you inspect the response in the Chrome Web Inspector you will be able to see the X509 Certificate in the response. You can then use OpenSSL tools, or this online tool to get the fingerprint of the certificate.

Also set up the callback routes like below:

match '/auth/:provider/callback' => 'sessions#create', via: [:get, :post]  
match '/auth/failure' => 'sessions#failure', via: [:get]

The **controller#action** may differ depending on your application structure.

You can handle the callback as you would with any other Omniauth provider.

def create
  auth = request.env["omniauth.auth"]  
  auth.uid # Gets the UID value of the user that has just signed in
  # Create a session, redirect etc
end

You can refer to the repos below for further reference.

https://blog.craig.io/using-microsoft-adfs-with-ruby-on-rails-and-omniauth-a26237c64f8d

https://github.com/kbeckman/omniauth-wsfed

Hope this helps.
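As an added example, not part of the question or the answer above and not the omniauth-wsfed gem's own code, the following Ruby shows the two halves of the passive WS-Federation exchange the answer's configuration describes (the sign-in redirect built from issuer/realm/reply, and the wa/wresult form POST that must arrive at the callback), plus the SHA-1 certificate fingerprint check the answer's "IDP Cert Fingerprint" paragraph refers to. The CONFIG values mirror the question; the self-signed certificate is constructed in place of the real ADFS token-signing certificate, and the lenient colon/case normalisation is this example's choice, not necessarily the gem's.

```ruby
require "openssl"
require "digest"
require "uri"

# Constructed values mirroring the provider block in the question.
CONFIG = { issuer: "https://fs.sib.com.br/adfs/ls/",
           realm:  "https://qa.wit.com",
           reply:  "https://qa.wit.com/students/auth/wsfed/callback" }.freeze

# Passive WS-Federation sign-in: the app redirects the browser to the issuer
# with wa=wsignin1.0, the realm (wtrealm) and the reply/callback URL (wreply).
def wsfed_signin_url(cfg = CONFIG)
  uri = URI(cfg[:issuer])
  uri.query = URI.encode_www_form("wa" => "wsignin1.0", "wtrealm" => cfg[:realm],
                                  "wreply" => cfg[:reply])
  uri.to_s
end

# ADFS answers with a form POST to wreply carrying wa and wresult (the
# RequestSecurityTokenResponse XML); classify what reached the callback.
def classify_callback(params)
  return :missing_wresult if params["wresult"].to_s.strip.empty?
  return :unexpected_wa unless params["wa"] == "wsignin1.0"
  :ok
end

# SHA-1 over the DER encoding: the value `openssl x509 -fingerprint -sha1` prints.
def cert_fingerprint(cert)
  Digest::SHA1.hexdigest(cert.to_der)
end

def fingerprint_matches?(configured, cert)
  # Strip colons/dashes and lowercase so "AB:CD" and "abcd" compare equal; a
  # well-formed SHA-1 fingerprint is then exactly 40 hex digits, anything else
  # is a copy/paste error and is rejected rather than compared.
  want = configured.to_s.downcase.gsub(/[^0-9a-f]/, "")
  want.length == 40 && want == cert_fingerprint(cert)
end

# Self-signed certificate standing in for the ADFS token-signing certificate.
def build_test_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=adfs-test-signing")
  cert.public_key = key.public_key
  cert.not_before = Time.now; cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end
```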