
Is it possible to add multiple IDP? #53

Open
codeboxanvo opened this issue Sep 29, 2015 · 16 comments

Comments

@codeboxanvo

Hi all,

I would like to confirm that omniauth supports multiple IDPs. If yes, please provide a guide for that.

Thanks

@md5
Contributor

md5 commented Oct 2, 2015

It looks like you should be able to use Omniauth's setup phase to do this: https://github.com/intridea/omniauth/wiki/Setup-Phase

@vuhailuyen1991

Hi @md5 thanks for your suggestions. I manipulate the setup phase like this:

def saml_setup
  # Resolve the tenant from the request subdomain and load its IdP settings
  company = Company.find_by_sub_domain(sub_domain)
  settings = company.company_auth_provider.auth_settings
  # Push the tenant's IdP values into the strategy options for this request
  request.env['omniauth.strategy'].options[:idp_cert_fingerprint] = settings.idp_cert_fingerprint
  request.env['omniauth.strategy'].options[:idp_sso_target_url] = settings.idp_sso_target_url
  # Conventional setup-phase response (as in the OmniAuth wiki); the strategy then continues
  render text: "saml setup phase.", status: 404
end

But somehow, it could not decrypt the response:

Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Invalid Signature on SAML Response

Any idea?

@md5
Contributor

md5 commented Oct 4, 2015

@vuhailuyen1991 It looks like you configured it using setup: true and adding a route for /auth/saml/setup that points to your saml_setup action.

Did you see a redirect to the correct :idp_sso_target_url and it's just the signature validation that's failing?

@jturkel

jturkel commented Oct 7, 2015

FWIW - I was able to get multiple IDPs working using the Omniauth setup phase with URL path segments rather than subdomains e.g. http://myapp.com/users/auth/saml/a5749671-b208-408f-94b8-ffa31a845f05. Using subdomains wasn't feasible for me due to our DNS setup. A gist with details can be found here. You'll probably need to pull in #56 so options aren't accidentally shared across requests.

@RajnikRadadiya

Have any idea how to generate idp_sso_target_url?

@md5
Contributor

md5 commented Dec 17, 2015

@Rajniktc :idp_sso_target_url should be given to you by your IdP.

@RajnikRadadiya

Thank you @md5.
That was my mistake.
I need the following information for our application.
Any idea how to generate it, or should this information be provided by the IDP?
idp_cert
idp_cert_fingerprint
idp_cert_fingerprint_validator

@md5
Contributor

md5 commented Dec 17, 2015

Your IdP should give you either the :idp_cert or the :idp_cert_fingerprint. You only need one of them, not both.

You probably don't need :idp_cert_fingerprint_validator. That option takes a function for checking if a fingerprint is valid and is used if your SP expects to receive responses signed by different IdPs. The use case for that option is described in #31.
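An added example (not code from omniauth-saml or from anyone in this thread) tying together the two points above: selecting a tenant's IdP from a URL path segment in the setup phase without letting options bleed across requests, and deriving the :idp_cert_fingerprint from an IdP certificate so you can see that either value identifies the same cert. The strategy object, the tenant table, the URLs and the self-signed certificate are all constructed stand-ins.

```ruby
require 'openssl'

# Stand-in for request.env['omniauth.strategy'] (constructed; in a real app this
# is the OmniAuth strategy object whose options the setup phase adjusts).
FakeStrategy = Struct.new(:options)

# SHA-1 fingerprint of the DER certificate as colon-separated hex, the usual
# form for :idp_cert_fingerprint. An IdP hands you either its certificate or
# this fingerprint; one of the two is enough.
def cert_fingerprint(cert)
  OpenSSL::Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Constructed self-signed certificate playing the part of an IdP signing cert.
def constructed_idp_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed per-tenant table standing in for Company.find_by_sub_domain and
# company_auth_provider.auth_settings. Keyed by the path segment appended to
# /auth/saml (e.g. /users/auth/saml/<tenant-id>), not by subdomain.
def tenant_table(cert_a, cert_b)
  {
    'tenant-a' => { idp_sso_target_url: 'https://idp-a.example/sso',
                    idp_cert: cert_a.to_pem },
    'tenant-b' => { idp_sso_target_url: 'https://idp-b.example/sso',
                    idp_cert_fingerprint: cert_fingerprint(cert_b) }
  }
end

# Setup-phase handler: resolve the tenant from PATH_INFO and apply its IdP
# settings to a copy of the strategy options. Merging into a dup, rather than
# writing into the shared options hash, keeps tenant A's certificate from
# leaking into tenant B's request, which would fail signature validation.
# Returns the per-request options, or nil for an unknown tenant (no IdP set).
def saml_setup(env, tenants)
  settings = tenants[env['PATH_INFO'].to_s.split('/').last]
  return nil unless settings
  strategy = env['omniauth.strategy']
  strategy.options = strategy.options.dup.merge(settings)
end
```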

@RajnikRadadiya

We need to test our application with a testing IDP.
Is any IDP available for testing?

@medexdev

How would you configure devise integration with multiple IDPs?

@medexdev

Never mind. I omitted the config in the devise.rb file and it works.

@cmalpeli

@medexdev do you mean that for multiple idps and devise you don't provide the config info inside devise.rb?

@medexdev

Yes. Do not provide config info inside devise.rb. Use the gist provided by @jturkel. That works for me.

@jturkel

jturkel commented Dec 27, 2016

You can also use the https://github.com/salsify/omniauth-multi-provider gem.

@bruno-toledo

Hi, is ":idp_sso_target_url" required for the IdP-initiated SSO process?

@kmwhite

kmwhite commented Feb 17, 2020

@bruno-toledo Old post, but in our setup, IdP-initiated auths just hit the /auth/saml/callback route. In there, I validate the SAMLResponse param and continue with the authentication flow.

I'm no security expert, but my understanding is that where a SP-initiated auth calls back to and where the IdP-initiated auth goes to are effectively the same. It reads a lot like the consume action in https://github.com/onelogin/ruby-saml#the-initialization-phase. I know this is the omniauth-saml library, but it uses the ruby-saml code internally.

9 participants