How do I integrate SAML into my Rails Application? - ruby-on-rails

I have a rails app that is currently an affiliate site with my customer's SSO Identity Provider. Currently it uses the CA SiteMinder Affiliate Agent, which is an apache module. The underlying SSO architecture is abstracted away and my Rails app only has to parse and HTTP Header to receive the values from my customer's Identity Server. I now have to convert my site away from the SiteMinder Apache Module and use SAML. Does anyone have experience with how this should be implemented? Is there an Apache Module that can continue the abstraction I'm used to now, or will my Rails application be responsible for parsing the SAML assertions?

OpenSAML is a library - it's not really a replacement for Site Minder. Perhaps you're thinking of OpenSSO. It is an open source product very similar to Site Minder that supports SAML and Apache.

My team implemented the SAML protocol in Ruby and it worked well. The were some minor hiccups in using some libraries to compute hash values, but it worked. I'm not sure if there is a better plug and play solution by now, but understanding the SAML authentication process and implementing our part only took a few days.

Related

Integrating mautic server with another java application

I'm new to mautic. We have an java application that manages authentication of its users. It also support openid connect/ jwt/oauth flows. We are planning to use mautic as a separate server . How do I integrate my application with mautic? Seems like the mautic only support SAML for SSO. Does that mean our application now need to act as SAML IDP? Or is there a way to get mautic to support JWT/oauth/openid connect
Can you clarify why you need to authenticate users, will these all be people who will be working in the back-end of Mautic? Otherwise you won't need to use authentication for regular folk accessing resources or landing pages you create, they don't need to log in.
The developer documentation would be a good place to start for all things technical/development, which you can find here: https://developer.mautic.org/ - this includes information about authorisation and specifically OAuth which might be helpful: https://developer.mautic.org/#authorization.
You'll find some documentation on using the SAML function here if you're going that route: https://www.mautic.org/docs/en/authentication/saml.html
Happy to help if you get stuck!

Authenticating on two different backend servers

Due to requirement changes we need to add a node server to our already existing system. We will be using sails.js for the realtime communication part of the app and redis store for session management. But the confusion now is what is the best way to authenticate the client app/user on both servers with one login form.
Any help will be much appreciated.
Unless you have specific limitations or widhes, this sounds like standard requirement for SSO (Single Sign-On) implementation. OAuth is wide-spread standard in this area.
Ruby have implementations for this, see this repository for example
OAuth2 A Ruby wrapper for the OAuth 2.0 specification.
As for reading materials, you can check this article:
Single Sign On (SSO) for Multiple Applications with Devise, OmniAuth
and Custom OAuth2 Implementation in Rails
This tutorial may also help.
Then, you can implement OAuth in your node js server, and other services when needed.
Or detail your question and specific requirements or limits for other options. Meanwhile, you can check this SO question on other non-SSO options.

how to implement oauth2 on java restful services

I need help with oauth2.0 and java restful (jersey), any help would be appreciated, I need to find way how oauth2 would be implemented. Here's the scenario, We have a web based application, now, there are clients engage to it. They're planning to have an API (Restful service) so that it will be consumed on mobile devices(android and ios). (They can login using mobile and update their accounts etc.).
Now, my problem is how will I integrate oauth2 for its security using java and how will I create Authorization server.
I used to have the same question and end up building an open-source project: srb4j, which is also based on Jersey and OAuth2.
Srb4j has implemented both token endpoints and resource endpoints for you. You can adopt a lot of its code to your own existing system.
# Sorry for this advert, but it may help you...
java-oauth-server is a new authorization server implementation in Java (JAX-RS, Jersey, Jetty) which supports OAuth 2.0 and OpenID Connect.
The implementation is DB-less, because authorization data (e.g. access tokens), settings of the authorization server itself and settings of client applications are stored in the database on cloud. Therefore, you don't have to set up a database server before starting the authorization server.
Just 4 commands for downloading and starting the authorization server.
git clone https://github.com/authlete/java-oauth-server.git
cd java-oauth-server
vi authlete.properties
mvn jetty:run
The source tree of java-oauth-server is very small and customization points are abstracted as SPI (Service Provider Interface), so it will be easy to incorporate the authorization server implementation into your existing web service.
The implementation supports RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients). It is a new specification (released on Sep. 2015) about a countermeasure against the authorization code interception attack. If you want to expose Web APIs to mobile applications, I recommend that you look for an implementation that supports RFC 7636.
An explanation about RFC 7636 with graphical figures is here.
I ended up using this library https://github.com/BrightcoveLearning/oauth-client-examples/tree/master/amber-java and works like a charm, thanks to the author.

How to use LDAP on window azure?

Am new to ADFS and LDAP, our project is mixed of technology mongoDb, nodeJS and rails. we are planning on deploying mongodb, Nodejs or Rails on Windows Azure, as LDAP is been used for active directory on ruby.how LDAP used in window azure. is there any performance change in using ADFS in ruby compare to LDAP in ruby. if yes, how can i implement ADFS on RUBY
Is anyone know how its possible. thanks in advance.
Is your LDAP server going to stay on-premises? Just to be clear, ADFS is not equivalent to LDAP. ADFS is a "Security Token Service" (STS). LDAP is a Directory.
Since you mention ADFS, presumably your apps will authenticate users on (on-premises) Active Directory. ADFS can only authenticate users on AD, not on arbitrary directories.
To connect your node.js and ruby app to ADFS you would need to implement either WS-Federation or SAML Protocol. These are the 2 protocols supported by ADFS. You can read more about it here.
Alternatively, you can implement your own STS and connect it with whatever you want (ADFS or LDAP). If you do this, then you have more control on what kind of protocols to implement in your app (e.g. OAuth2 or something else). It seems there are more libraries you can leverage compared to WS-Fed / SAML.
There are many open source STSs you can look at. IdentityServer is one of them, and people have successfully built solutions on it. You will have to host this yourself.
Another alternative is to rely on a 3rd party service like Auth0 (which is available on the Windows Azure store). (Disclaimer: this is a product I'm working on).

Single Sign On-- SSO

Please I would like someone to tell me if dotNetOpenAuth single-sign-on.
All I want to achieve is to be able to seamlessly logging to all domains without redirect to third party system for authorisation or Authentication within a mixture programming platforms e.g (PHP or .Net)
DotNetOpenAuth library is a simple library to implement Single Sign On for .NET based application. The only issue I faced was related to performance. It was found to be a known issue with a particular API that cause the sluggishnes.
DotNetOpenAuth can be used for SSO solutions, but each new web site a user visits does need to perform a redirect to the identity provider. In a controlled SSO environment, that provider may never appear to the user, so the login is totally transparent. There are a couple of samples of an SSO configuration that comes with the DotNetOpenAuth download.
DotNetOpenAuth will help you do what you want to do provided you can support OpenID from PHP. You need to implement a provider (the site that authenticates you against a DB or other store), and a consumer (the site you want to log into).
My recommendation would be to consider the authentication protocol you wish to use rather than a specific library at first. In the case if DotNet OpenAuth it has support for:
OpenID
OAuth
InfoCard
These are just a few of the protocols available. You should also look into the SAML family of protocols, in particular SAML 2.0.
There are implementations of SAML for PHP, .NET, and many other platforms. You might want to look at a comparison between OpenID and SAML in order to choose which is better for you.

Resources