Until now those RoR applications have had their own login and user administration. That is a security risk: when an employee leaves the company, you have to go through every application one by one to remove or disable their account so they can no longer log in. So we started replacing those per-application user administrations with the same SSO that the Office 365 applications use. When that is complete, you only have to disable the employee's account in one place, Active Directory, and ADFS makes sure he or she can no longer log in to any of the applications.
I've found a gem which, with a little configuration, can be used to do exactly that. DeviseSamlAuthenticatable is a Single-Sign-On authentication strategy for Devise that relies on SAML. It uses ruby-saml to handle all the SAML-related work.
- I am assuming Devise is already set up in your application. If not, refer to https://github.com/plataformatec/devise for how to set up Devise in your application. When you are using ActiveAdmin, you should have Devise already set up, as ActiveAdmin sets it up by default. If not, refer to https://github.com/activeadmin/activeadmin/wiki for how to do so.
- Add this line to your application's Gemfile:
- Execute bundle install:
In app/models/<YOUR USER MODEL>.rb set the :saml_authenticatable strategy. In a default ActiveAdmin implementation the model is admin_user.rb:
And add a method to load the SAML data into the user, also in admin_user.rb:
In the config directory create a YAML file (config/attribute-map.yml) which will contain the mappings from the attributes in the SAML response of ADFS to the attributes used in admin_user.rb:
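The two steps above (the method that loads SAML data into the user, and the attribute map from ADFS claim names to model attributes) can be seen working together in the following added example. It is plain Ruby written for this page, not the gem's code and not the post's own admin_user.rb: the `AdminUser` class is a stand-in for the Devise model, the YAML is a constructed stand-in for config/attribute-map.yml, the `first_name`/`last_name` columns and the `load_saml_attributes` method name are assumptions, and the claim URIs are the standard ones ADFS emits for e-mail, given name and surname. It also shows the two checks worth having in that method: a map entry pointing at a column the model does not have is a configuration error and is reported, and a response without the identifying e-mail claim is rejected instead of producing an unidentifiable account.

```ruby
require "yaml"

# Constructed stand-in for config/attribute-map.yml:
#   SAML attribute name (the claim URI ADFS sends) => attribute on the user model.
# The model attribute names on the right are assumptions for this example.
ATTRIBUTE_MAP_YAML = <<~YAML
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email"
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name"
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name"
YAML

ATTRIBUTE_MAP = YAML.safe_load(ATTRIBUTE_MAP_YAML).freeze

# Plain-Ruby stand-in for the Devise model (AdminUser in a default ActiveAdmin
# app). Only the "load the SAML data into the user" behaviour is modelled.
class AdminUser
  ATTRIBUTES = %i[email first_name last_name].freeze
  attr_accessor(*ATTRIBUTES)

  # Copies the mapped SAML attributes onto the user.
  #   saml_attributes: Hash of attribute name => Array of values (SAML attributes
  #                    can be multi-valued; ruby-saml exposes them the same way).
  #   attribute_map:   Hash of SAML attribute name => model attribute name.
  # Attributes that are not in the map (e.g. group claims) are ignored.
  def load_saml_attributes(saml_attributes, attribute_map = ATTRIBUTE_MAP)
    attribute_map.each do |saml_name, model_attr|
      # A map entry that names a column the model does not have is a
      # misconfiguration; fail loudly instead of silently dropping the value.
      unless ATTRIBUTES.include?(model_attr.to_sym)
        raise ArgumentError, "attribute map references unknown attribute #{model_attr.inspect}"
      end

      values = Array(saml_attributes[saml_name])
      next if values.empty?

      value = values.first.to_s.strip
      # E-mail is the key the user is looked up by, so normalise its case.
      value = value.downcase if model_attr.to_sym == :email
      public_send("#{model_attr}=", value)
    end

    # Without the identifying claim there is no way to match or create an
    # account; refuse the login rather than create a user with no e-mail.
    raise ArgumentError, "SAML response carries no email claim" if email.nil? || email.empty?
    self
  end
end

# Constructed attribute statement as ADFS would deliver it. The groups claim is
# deliberately present but unmapped, to show that extra claims are ignored.
SAMPLE_SAML_ATTRIBUTES = {
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" => ["J.Doe@example.com"],
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"    => ["Jane"],
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"      => ["Doe"],
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"     => ["Domain Users", "Admins"]
}.freeze

# Builds a user from a SAML attribute statement using the default map.
def user_from_saml(saml_attributes)
  AdminUser.new.load_saml_attributes(saml_attributes)
end

if __FILE__ == $PROGRAM_NAME
  user = user_from_saml(SAMPLE_SAML_ATTRIBUTES)
  puts "#{user.first_name} #{user.last_name} <#{user.email}>"
end
```

In a real model the same method would run against an ActiveRecord object, so `public_send("#{model_attr}=", value)` assigns the column and the caller saves the record; everything else (the map lookup, the unknown-column check, the mandatory e-mail check) stays the same.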
Add a SAML sessions controller in app/controllers/saml_sessions_controller.rb:
Set the new routes in config/routes.rb:
In config/initializers/devise.rb add the configuration settings for saml authenticatable:
Generate a new self-signed certificate for your newly created Service Provider:
openssl req -x509 -newkey rsa:2048 -keyout sp_private.key -out sp_certificate.pem -days 3650 -nodes

While your application is running, the metadata of the SP should now be available at https://your.application.com/admin/saml/metadata.
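The devise.rb settings, the routes and the certificate step above come together in the initializer. The following is an added example of how that initializer can look for the ActiveAdmin layout used in this post; it is not the post's own configuration or the gem's documentation. It assumes the gem's default route names under the /admin prefix (so /admin/saml/auth next to the /admin/saml/metadata URL mentioned above), that sp_certificate.pem from the openssl command is stored in config/, that the private key is supplied through an environment variable (SAML_SP_PRIVATE_KEY, an assumed name), and that the ADFS token-signing certificate has been exported from ADFS to config/adfs_token_signing.pem. The ADFS hostname adfs.example.com is a placeholder; the /adfs/ls/ and /adfs/services/trust paths are ADFS defaults. The security section is the part to pay attention to: pin the full IdP certificate rather than a fingerprint, require signed assertions, sign your own requests, and use SHA-256 rather than the SHA-1 defaults.

```ruby
# config/initializers/devise.rb (excerpt; added example, not the post's own file)
Devise.setup do |config|
  # Create the local AdminUser row on first SAML login and refresh it from the
  # SAML attributes on every later login, matching existing rows on the e-mail
  # attribute from config/attribute-map.yml rather than on the NameID subject.
  config.saml_create_user = true
  config.saml_update_user = true
  config.saml_default_user_key = :email
  config.saml_session_index_key = :session_index
  config.saml_use_subject = false

  config.saml_configure do |settings|
    # Service Provider (this application). URLs follow the gem's default routes
    # mounted under the ActiveAdmin /admin prefix; your.application.com is the
    # placeholder used elsewhere in this post.
    settings.issuer = "https://your.application.com/admin/saml/metadata"
    settings.assertion_consumer_service_url = "https://your.application.com/admin/saml/auth"
    settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

    # Key pair generated with the openssl command above. The certificate is
    # public and can live in config/; the private key must stay out of the
    # repository, so it is read from the environment (assumed variable name).
    settings.certificate = File.read(Rails.root.join("config", "sp_certificate.pem"))
    settings.private_key = ENV.fetch("SAML_SP_PRIVATE_KEY")

    # Identity Provider (ADFS). Hostname is a placeholder; paths are ADFS defaults.
    settings.idp_entity_id      = "http://adfs.example.com/adfs/services/trust"
    settings.idp_sso_target_url = "https://adfs.example.com/adfs/ls/"
    settings.idp_slo_target_url = "https://adfs.example.com/adfs/ls/"

    # Pin the ADFS *token-signing* certificate (exported from ADFS, or taken
    # from its federation metadata), not the service-communications or
    # token-decrypting one. Pinning the full certificate instead of a
    # fingerprint means a response signed by any other key is rejected.
    settings.idp_cert = File.read(Rails.root.join("config", "adfs_token_signing.pem"))

    # Require signed assertions from ADFS, sign our own AuthnRequests with the
    # key above, and use SHA-256 in place of ruby-saml's SHA-1 defaults.
    settings.security[:authn_requests_signed] = true
    settings.security[:want_assertions_signed] = true
    settings.security[:digest_method]    = XMLSecurity::Document::SHA256
    settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
  end
end
```

When the ADFS token-signing certificate is rotated, the pinned file has to be replaced as well; until then logins fail with a signature error, which is the intended behaviour rather than a bug.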
Add the newly created SP to ADFS as a relying party trust (see https://technet.microsoft.com/en-us/library/dd807132(v=ws.11).aspx for help on how to do that).
Some extra help
When I tried to implement everything I had some trouble with choosing the correct certificate which I should use for the IDP, and whether I got the correct attributes in my SAML response from the ADFS. I found https://www.samltool.com a great tool for this.
- With https://www.samltool.com/validate_response.php you can validate your SAML responses.
- https://www.samltool.com/base64.php lets you decode/encode your SAML messages.
- https://www.samltool.com/encrypt.php lets you encrypt, and https://www.samltool.com/decrypt.php lets you decrypt, the embedded cypher.