Problems integrating the omniauth-wsfed gem with Rails / ADFS

Time: 2019-06-15 16:11:40

Tags: ruby-on-rails ruby rubygems adfs adfs2.0

I have been trying to set up my Ruby on Rails app for remote access by my partner, who uses ADFS 2.0 to provide SSO. I have been using the omniauth-wsfed gem, but it fails.

I set up omniauth.rb as follows:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :wsfed,
    :issuer_name          => "http://fs.sib.com.br/adfs/services/trust",   # ADFS trust identifier
    :issuer               => "https://fs.sib.com.br/adfs/ls/",             # where sign-in requests are sent
    :realm                => "https://qa.wit.com",                          # relying party (this app)
    :reply                => "https://qa.wit.com/students/auth/wsfed/callback", # where ADFS posts the token
    :saml_version         => "2.0",
    :id_claim             => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    :idp_cert_fingerprint => "--94061be1aba531da005d5f22bf6796b7cd69b3---"  # IdP token-signing cert fingerprint
end

The error log is:

ERROR -- omniauth: (wsfed) Authentication failure! invalid_authn_token: OmniAuth::Strategies::WSFed::ValidationError, AuthN token (wresult) missing in callback.

Does anyone have an idea where the mistake is?

1 answer:

Answer 0 (score: 0)

I assume you have correctly configured omniauth.rb with the following:

Issuer Name: This should be in the format of the ADFS server domain followed by /adfs/services/trust

Issuer: This is where your login requests will be sent, normally it will be the path /adfs/ls on the ADFS server.

Realm: This should match the domain that you provide in your federation metadata document

Reply: This is where you want the response from ADFS to be returned to in your application. This is normally the path /auth/wsfed/callback when using Omniauth.

SAML Version: The version of SAML tokens. Defaults to 2

ID Claim: This is the name of the claim field that ADFS will return that should be used as the unique identifier.

IDP Cert Fingerprint: Your Windows Administrator should be able to tell you this, but if not a way to find it is to put in any string, do a test login to ADFS — this will fail when doing the callback as the certificate doesn’t match, however if you inspect the response in the Chrome Web Inspector you will be able to see the X509 Certificate in the response. You can then use OpenSSL tools, or this online tool to get the fingerprint of the certificate.

Also set up the callback routes as follows:

match '/auth/:provider/callback' => 'sessions#create', via: [:get, :post]  # ADFS POSTs the wresult here
match '/auth/failure' => 'sessions#failure', via: [:get]                  # OmniAuth redirects here on error

The **controller#action** differs depending on the structure of your application.

You can handle the callback the same way as for any other OmniAuth provider.

def create
  auth = request.env["omniauth.auth"]  # OmniAuth auth hash built from the validated token
  auth.uid # Gets the UID value of the user that has just signed in
  # Create a session, redirect etc
end

You can refer to the links below for more information.

https://blog.craig.io/using-microsoft-adfs-with-ruby-on-rails-and-omniauth-a26237c64f8d

https://github.com/kbeckman/omniauth-wsfed

Hope this helps.
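The fingerprint step from the answer above, as an added example that is not part of the original post or of the omniauth-wsfed gem: it computes the SHA-1 fingerprint of an X.509 certificate locally with Ruby's OpenSSL bindings instead of pasting the certificate into an online tool, and checks that a configured idp_cert_fingerprint value is a well-formed 40-hex-digit SHA-1 before comparing it. The certificate is a self-signed one constructed inside the script (a real deployment uses the ADFS token-signing certificate), and the way the gem itself normalizes the configured string is an assumption here, not taken from this page.

```ruby
require 'openssl'

# Build a throwaway self-signed certificate so the example runs offline.
# Constructed test data only; the subject name is hypothetical.
def build_constructed_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=example-adfs-signing')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# A certificate fingerprint is the SHA-1 over the DER encoding of the whole
# certificate (the same value `openssl x509 -fingerprint -sha1` prints).
# Returned as lowercase hex without separators.
def cert_sha1_fingerprint(cert)
  OpenSSL::Digest::SHA1.hexdigest(cert.to_der)
end

# Accept the usual spellings ("AB:CD:...", "ab cd ...", "abcd...") and reject
# anything that is not exactly 20 bytes of hex, e.g. stray dashes or a
# truncated digest. Returns nil when the value cannot be a SHA-1 fingerprint.
# Assumption: this mirrors the colon/case-insensitive comparison SAML
# libraries commonly do; the gem's exact rule is not shown on this page.
def normalize_fingerprint(configured)
  hex = configured.to_s.downcase.delete(': ')
  return nil unless hex.match?(/\A\h{40}\z/)
  hex
end

# Compare the configured value against the certificate the IdP actually used.
# A malformed configured value never matches, so a misconfiguration fails closed
# instead of silently accepting whatever certificate arrives in the response.
def fingerprint_matches?(cert, configured)
  expected = normalize_fingerprint(configured)
  return false if expected.nil?
  expected == cert_sha1_fingerprint(cert) # public value, no constant-time need
end

CONSTRUCTED_CERT = build_constructed_cert

if __FILE__ == $PROGRAM_NAME
  fp = cert_sha1_fingerprint(CONSTRUCTED_CERT)
  puts "SHA1 fingerprint: #{fp.scan(/../).join(':').upcase}"
  puts "matches configured value? #{fingerprint_matches?(CONSTRUCTED_CERT, fp)}"
end
```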
