omniauthv2-shibboleth 1.3.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.idea/misc.xml +4 -0
- data/.idea/modules.xml +8 -0
- data/.idea/omniauth-shibboleth.iml +71 -0
- data/.idea/vcs.xml +6 -0
- data/.idea/workspace.xml +284 -0
- data/Gemfile +4 -0
- data/Gemfile.lock +49 -0
- data/README.md +232 -0
- data/Rakefile +5 -0
- data/lib/omniauth/strategies/shibboleth.rb +109 -0
- data/lib/omniauth-shibboleth/version.rb +5 -0
- data/lib/omniauth-shibboleth.rb +8 -0
- data/omniauth-shibboleth-1.3.1.gem +0 -0
- data/omniauth-shibboleth.gemspec +27 -0
- data/spec/omniauth/strategies/shibboleth_spec.rb +362 -0
- data/spec/spec_helper.rb +11 -0
- metadata +131 -0
data/README.md
ADDED
@@ -0,0 +1,232 @@
|
|
1
|
+
# OmniAuth Shibboleth strategy
|
2
|
+
|
3
|
+
![Gem Version](http://img.shields.io/gem/v/omniauth-shibboleth.svg)
|
4
|
+
![Build Status](https://github.com/lukaskoenen/omniauth-shibboleth/actions/workflows/main.yml/badge.svg)
|
5
|
+
|
6
|
+
OmniAuth Shibboleth strategy is an OmniAuth strategy for authenticating through Shibboleth (SAML). If you do not know OmniAuth, please visit OmniAuth wiki.
|
7
|
+
|
8
|
+
https://github.com/intridea/omniauth/wiki
|
9
|
+
|
10
|
+
The detail of the authentication middleware Shibboleth is introduced in Shibboleth wiki.
|
11
|
+
|
12
|
+
https://wiki.shibboleth.net/
|
13
|
+
|
14
|
+
OmniAuth basically works as a middleware of Rack applications. It provides environment variable named 'omniauth.auth' (auth hash) after authenticating a user. The 'auth hash' includes the user's attributes. By providing user attributes in the fixed format, applications can easily implement authentication function using multiple authentication methods.
|
15
|
+
|
16
|
+
OmniAuth Shibboleth strategy uses the 'auth hash' for providing user attributes passed by Shibboleth SP. It enables developers to use Shibboleth and the other authentication methods, including local auth, together in one application.
|
17
|
+
|
18
|
+
Currently, this document is written for Rails applications. If you tried the other environments and it requires some difficulities, please let me know in the Issues page.
|
19
|
+
|
20
|
+
https://github.com/toyokazu/omniauth-shibboleth/issues
|
21
|
+
|
22
|
+
## Getting Started
|
23
|
+
|
24
|
+
### Setup Gemfile and Install
|
25
|
+
|
26
|
+
% cd rails-app
|
27
|
+
% vi Gemfile
|
28
|
+
gem 'omniauth-shibboleth'
|
29
|
+
% bundle install
|
30
|
+
|
31
|
+
### Setup Shibboleth Strategy
|
32
|
+
|
33
|
+
To use OmniAuth Shibboleth strategy as a middleware in your rails application, add the following file to your rails application initializer directory.
|
34
|
+
|
35
|
+
% vi config/initializer/omniauth.rb
|
36
|
+
Rails.application.config.middleware.use OmniAuth::Builder do
|
37
|
+
provider :shibboleth
|
38
|
+
end
|
39
|
+
|
40
|
+
% vi config/initializer/omniauth.rb
|
41
|
+
Rails.application.config.middleware.use OmniAuth::Builder do
|
42
|
+
provider :shibboleth, {
|
43
|
+
:shib_session_id_field => "Shib-Session-ID",
|
44
|
+
:shib_application_id_field => "Shib-Application-ID",
|
45
|
+
:debug => false,
|
46
|
+
:extra_fields => [
|
47
|
+
:"unscoped-affiliation",
|
48
|
+
:entitlement
|
49
|
+
]
|
50
|
+
}
|
51
|
+
end
|
52
|
+
|
53
|
+
In the above example, 'unscoped-affiliation' and 'entitlement' attributes are additionally provided in the raw_info field. They can be referred like request.env["omniauth.auth"]["extra"]["raw_info"]["unscoped-affiliation"]. The detail of the omniauth auth hash schema is described in the following page.
|
54
|
+
|
55
|
+
https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema
|
56
|
+
|
57
|
+
'eppn' attribute is used as uid field. 'displayName' attribute is provided as request.env["omniauth.auth"]["info"]["name"].
|
58
|
+
|
59
|
+
These can be changed by :uid_field, :name_field option. You can also add any "info" fields defined in Auth-Hash-Schema by using :info_fields option.
|
60
|
+
|
61
|
+
% vi config/initializer/omniauth.rb
|
62
|
+
Rails.application.config.middleware.use OmniAuth::Builder do
|
63
|
+
provider :shibboleth, {
|
64
|
+
:uid_field => "uid",
|
65
|
+
:name_field => "displayName",
|
66
|
+
:info_fields => {
|
67
|
+
:email => "mail",
|
68
|
+
:location => "contactAddress",
|
69
|
+
:image => "photo_url",
|
70
|
+
:phone => "contactPhone"
|
71
|
+
}
|
72
|
+
}
|
73
|
+
end
|
74
|
+
|
75
|
+
In the previous example, Shibboleth strategy does not pass any :info fields and use 'uid' attribute as uid fields.
|
76
|
+
|
77
|
+
### More flexible attribute configuration
|
78
|
+
|
79
|
+
If you need more flexible attribute definition, you can use lambda (Proc) to define your attributes. In the following example, 'uid' attribute is chosen from 'eppn' or 'mail', 'info'/'name' attribute is defined as a concatenation of 'cn' and 'sn' and 'info'/'affiliation' attribute is defined as 'affiliation'@my.localdomain. 'request_param' parameter is a method defined in OmniAuth::Shibboleth::Strategy. You can specify attribute names by downcase strings in either request_type, :env, :header and :params.
|
80
|
+
|
81
|
+
% vi config/initializer/omniauth.rb
|
82
|
+
Rails.application.config.middleware.use OmniAuth::Builder do
|
83
|
+
provider :shibboleth, {
|
84
|
+
:uid_field => lambda {|request_param| request_param.call('eppn') || request_param.call('mail')},
|
85
|
+
:name_field => lambda {|request_param| "#{request_param.call('cn')} #{request_param.call('sn')}"},
|
86
|
+
:info_fields => {
|
87
|
+
:affiliation => lambda {|request_param| "#{request_param.call('affiliation')}@my.localdomain"},
|
88
|
+
:email => "mail",
|
89
|
+
:location => "contactAddress",
|
90
|
+
:image => "photo_url",
|
91
|
+
:phone => "contactPhone"
|
92
|
+
}
|
93
|
+
}
|
94
|
+
end
|
95
|
+
|
96
|
+
### !!!NOTICE!!! devise integration issue
|
97
|
+
|
98
|
+
When you use omniauth with devise, the omniauth configuration is applied before devise configuration and some part of the configuration overwritten by the devise's. It may not work as you assume. So thus, in that case, currently you should write your configuration only in device configuration.
|
99
|
+
|
100
|
+
config/initializers/devise.rb:
|
101
|
+
```ruby
|
102
|
+
config.omniauth :shibboleth, {:uid_field => 'eppn',
|
103
|
+
:info_fields => {:email => 'mail', :name => 'cn', :last_name => 'sn'},
|
104
|
+
:extra_fields => [:schacHomeOrganization]
|
105
|
+
}
|
106
|
+
```
|
107
|
+
|
108
|
+
The detail is discussed in the following thread.
|
109
|
+
|
110
|
+
https://github.com/plataformatec/devise/issues/2128
|
111
|
+
|
112
|
+
|
113
|
+
### How to authenticate users
|
114
|
+
|
115
|
+
In your application, simply direct users to '/auth/shibboleth' to have them sign in via your company's Shibboleth SP and IdP. '/auth/shibboleth' url simply redirect users to '/auth/shibboleth/callback', so thus you must protect '/auth/shibboleth/callback' by Shibboleth SP.
|
116
|
+
|
117
|
+
Example shibd.conf:
|
118
|
+
|
119
|
+
<Location /application_path/auth/shibboleth/callback>
|
120
|
+
AuthType shibboleth
|
121
|
+
ShibRequestSetting requireSession 1
|
122
|
+
require valid-user
|
123
|
+
</Location>
|
124
|
+
|
125
|
+
Shibboleth strategy just checks the existence of Shib-Session-ID or Shib-Application-ID.
|
126
|
+
|
127
|
+
If you want to use omniauth-shibboleth without Apache or IIS, you can try **rack-saml**. It supports a part of Shibboleth SP functions.
|
128
|
+
|
129
|
+
https://github.com/toyokazu/rack-saml
|
130
|
+
|
131
|
+
Shibboleth strategy assumes the attributes are provided via environment variables because the use of ShibUseHeaders option may cause some problems. The details are discussed in the following page:
|
132
|
+
|
133
|
+
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSpoofChecking
|
134
|
+
|
135
|
+
To provide Shibboleth attributes via environment variables, we can not use proxy based approach, e.g. mod_proxy_balancer. Currently we can realize it by using Phusion Passenger as an application container. An example construction pattern is shown in presence_checker application (https://github.com/toyokazu/presence_checker/).
|
136
|
+
|
137
|
+
### :request_type option
|
138
|
+
|
139
|
+
You understand the issues using ShibUseHeaders, but and yet if you want to use the proxy based approach, you can use :request_type option. This option enables us to specify what kind of parameters are used to create 'omniauth.auth' (auth hash). This option can also be used to develop your Rails application without local IdP and SP by using :params option. The option values are:
|
140
|
+
|
141
|
+
- **:env** (default) The environment variables are used to create auth hash.
|
142
|
+
- **:header** The auth hash is created from header vaiables. In the Rack middleware, since header variables are treated as environment variables like HTTP_*, the specified variables are converted as the same as header variables, HTTP_*. This :request_type is basically used for mod_proxy_balancer approach.
|
143
|
+
- **:params** The query string or POST parameters are used to create auth hash. This :request_type is basically used for development phase. You can emulate SP function by providing parameters as query string. In this case, please do not forget to add Shib-Session-ID or Shib-Application-ID value which is used to check the session is created at SP.
|
144
|
+
|
145
|
+
The following is an example configuration.
|
146
|
+
|
147
|
+
% vi config/initializer/omniauth.rb
|
148
|
+
Rails.application.config.middleware.use OmniAuth::Builder do
|
149
|
+
provider :shibboleth, { :request_type => :header }
|
150
|
+
end
|
151
|
+
|
152
|
+
If you use proxy based approach, please be sure to add ShibUseHeaders option in mod_shib configuration.
|
153
|
+
|
154
|
+
<Location /secure>
|
155
|
+
AuthType shibboleth
|
156
|
+
ShibRequestSetting requireSession 1
|
157
|
+
ShibUseHeaders On
|
158
|
+
require valid-user
|
159
|
+
</Location>
|
160
|
+
|
161
|
+
### debug mode
|
162
|
+
|
163
|
+
When you deploy a new application, you may want to confirm the assumed attributes are correctly provided by Shibboleth SP. OmniAuth Shibboleth strategy provides a confirmation option :debug. If you set :debug true, you can see the environment variables provided at the /auth/shibboleth/callback uri.
|
164
|
+
|
165
|
+
% vi config/initializer/omniauth.rb
|
166
|
+
Rails.application.config.middleware.use OmniAuth::Builder do
|
167
|
+
provider :shibboleth, { :debug => true }
|
168
|
+
end
|
169
|
+
|
170
|
+
### :multi_values option
|
171
|
+
|
172
|
+
If your application want to receive multiple values as one attribute, Shibboleth passes them as follows:
|
173
|
+
|
174
|
+
user2@example2.com;user1@example1.com;user3@example3.com
|
175
|
+
|
176
|
+
If your application only wants the first entry sorted by alphabetical order, you can use flexible attribute configuration as follows (since semicolons in attribute values are escaped with a backslash, escaped semicolons are skiped for splitting):
|
177
|
+
|
178
|
+
% vi config/initializer/omniauth.rb
|
179
|
+
Rails.application.config.middleware.use OmniAuth::Builder do
|
180
|
+
provider :shibboleth, {
|
181
|
+
:info_fields => {
|
182
|
+
:email => lambda {|request_param| request_param.call('email').split(/(?<!\\);/).sort[0]}
|
183
|
+
}
|
184
|
+
}
|
185
|
+
end
|
186
|
+
|
187
|
+
However, if you use device to integrate omniauth, lambda function cannot be used. In such a situation, if you still think that attribute conversions in the middleware is required, you can use :multi_values option.
|
188
|
+
|
189
|
+
- **:raw** (default) Raw multiple values are passed to the application.
|
190
|
+
- **:first** The first entry of multiple values is passed to the application.
|
191
|
+
- **lambda function** The other descriptions are regarded as lambda function written in String form. The string will be evaluated as Ruby code and used for processing multiple values in the attribute.
|
192
|
+
|
193
|
+
If you specify :first, you can obtain `user2@example.com` in the above example.
|
194
|
+
|
195
|
+
% vi config/initializer/omniauth.rb
|
196
|
+
Rails.application.config.middleware.use OmniAuth::Builder do
|
197
|
+
provider :shibboleth, {
|
198
|
+
:multi_values => :first
|
199
|
+
}
|
200
|
+
end
|
201
|
+
|
202
|
+
If you need the first attribute in alphabetical order, you can specify lambda function in String form as follows:
|
203
|
+
|
204
|
+
% vi config/initializer/omniauth.rb
|
205
|
+
Rails.application.config.middleware.use OmniAuth::Builder do
|
206
|
+
provider :shibboleth, {
|
207
|
+
:multi_values => 'lambda {|param_value| param_value.nil? ? nil : param_value.split(/(?<!\\\\);/).sort[0]}'
|
208
|
+
}
|
209
|
+
end
|
210
|
+
|
211
|
+
|
212
|
+
## License (MIT License)
|
213
|
+
|
214
|
+
omniauth-shibboleth is released under the MIT license.
|
215
|
+
|
216
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
217
|
+
of this software and associated documentation files (the "Software"), to deal
|
218
|
+
in the Software without restriction, including without limitation the rights
|
219
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
220
|
+
copies of the Software, and to permit persons to whom the Software is
|
221
|
+
furnished to do so, subject to the following conditions:
|
222
|
+
|
223
|
+
The above copyright notice and this permission notice shall be included in
|
224
|
+
all copies or substantial portions of the Software.
|
225
|
+
|
226
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
227
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
228
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
229
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
230
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
231
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
232
|
+
THE SOFTWARE.
|
data/Rakefile
ADDED
@@ -0,0 +1,109 @@
|
|
1
|
+
module OmniAuth
|
2
|
+
module Strategies
|
3
|
+
class Shibboleth
|
4
|
+
include OmniAuth::Strategy
|
5
|
+
|
6
|
+
option :shib_session_id_field, 'Shib-Session-ID'
|
7
|
+
option :shib_application_id_field, 'Shib-Application-ID'
|
8
|
+
option :uid_field, 'eppn'
|
9
|
+
option :name_field, 'displayName'
|
10
|
+
option :info_fields, {}
|
11
|
+
option :extra_fields, []
|
12
|
+
option :debug, false
|
13
|
+
option :fail_with_empty_uid, false
|
14
|
+
option :request_type, :env
|
15
|
+
option :multi_values, :raw
|
16
|
+
|
17
|
+
def request_phase
|
18
|
+
[
|
19
|
+
302,
|
20
|
+
{
|
21
|
+
'Location' => script_name + callback_path + query_string,
|
22
|
+
'Content-Type' => 'text/plain'
|
23
|
+
},
|
24
|
+
["You are being redirected to Shibboleth SP/IdP for sign-in."]
|
25
|
+
]
|
26
|
+
end
|
27
|
+
|
28
|
+
def request_params
|
29
|
+
case options.request_type
|
30
|
+
when :env, 'env', :header, 'header'
|
31
|
+
request.env
|
32
|
+
when :params, 'params'
|
33
|
+
request.params
|
34
|
+
end
|
35
|
+
end
|
36
|
+
|
37
|
+
def request_param(key)
|
38
|
+
multi_value_handler(
|
39
|
+
case options.request_type
|
40
|
+
when :env, 'env'
|
41
|
+
request.env[key]
|
42
|
+
when :header, 'header'
|
43
|
+
request.env["HTTP_#{key.upcase.gsub('-', '_')}"]
|
44
|
+
when :params, 'params'
|
45
|
+
request.params[key]
|
46
|
+
end
|
47
|
+
)
|
48
|
+
end
|
49
|
+
|
50
|
+
def multi_value_handler(param_value)
|
51
|
+
case options.multi_values
|
52
|
+
when :raw, 'raw'
|
53
|
+
param_value
|
54
|
+
when :first, 'first'
|
55
|
+
return nil if param_value.nil?
|
56
|
+
param_value.split(/(?<!\\);/).first.gsub('\\;', ';')
|
57
|
+
else
|
58
|
+
eval(options.multi_values).call(param_value)
|
59
|
+
end
|
60
|
+
end
|
61
|
+
|
62
|
+
def callback_phase
|
63
|
+
if options.debug
|
64
|
+
# dump attributes
|
65
|
+
return [
|
66
|
+
200,
|
67
|
+
{
|
68
|
+
'Content-Type' => 'text/plain'
|
69
|
+
},
|
70
|
+
["!!!!! This message is generated by omniauth-shibboleth. To remove it set :debug to false. !!!!!\n#{request_params.sort.map {|i| "#{i[0]}: #{i[1]}" }.join("\n")}"]
|
71
|
+
]
|
72
|
+
end
|
73
|
+
return fail!(:no_shibboleth_session) unless (request_param(options.shib_session_id_field.to_s) || request_param(options.shib_application_id_field.to_s))
|
74
|
+
return fail!(:empty_uid) if options.fail_with_empty_uid && option_handler(options.uid_field).empty?
|
75
|
+
super
|
76
|
+
end
|
77
|
+
|
78
|
+
def option_handler(option_field)
|
79
|
+
if option_field.class == String ||
|
80
|
+
option_field.class == Symbol
|
81
|
+
request_param(option_field.to_s)
|
82
|
+
elsif option_field.class == Proc
|
83
|
+
option_field.call(self.method(:request_param))
|
84
|
+
end
|
85
|
+
end
|
86
|
+
|
87
|
+
uid do
|
88
|
+
option_handler(options.uid_field)
|
89
|
+
end
|
90
|
+
|
91
|
+
info do
|
92
|
+
res = {
|
93
|
+
:name => option_handler(options.name_field)
|
94
|
+
}
|
95
|
+
options.info_fields.each_pair do |key, field|
|
96
|
+
res[key] = option_handler(field)
|
97
|
+
end
|
98
|
+
res
|
99
|
+
end
|
100
|
+
|
101
|
+
extra do
|
102
|
+
options.extra_fields.inject({:raw_info => {}}) do |hash, field|
|
103
|
+
hash[:raw_info][field] = request_param(field.to_s)
|
104
|
+
hash
|
105
|
+
end
|
106
|
+
end
|
107
|
+
end
|
108
|
+
end
|
109
|
+
end
|
Binary file
|
@@ -0,0 +1,27 @@
|
|
1
|
+
# -*- encoding: utf-8 -*-
|
2
|
+
require File.expand_path('../lib/omniauth-shibboleth/version', __FILE__)
|
3
|
+
|
4
|
+
Gem::Specification.new do |gem|
|
5
|
+
gem.add_dependency 'omniauth', '>= 2.0.0'
|
6
|
+
|
7
|
+
gem.add_development_dependency 'rack-test'
|
8
|
+
gem.add_development_dependency 'rack-session'
|
9
|
+
gem.add_development_dependency 'rake'
|
10
|
+
gem.add_development_dependency 'rspec', '>= 2.8'
|
11
|
+
|
12
|
+
gem.license = 'MIT'
|
13
|
+
|
14
|
+
gem.authors = ["Toyokazu Akiyama"]
|
15
|
+
gem.email = ["toyokazu@gmail.com"]
|
16
|
+
gem.description = %q{OmniAuth Shibboleth strategies for OmniAuth 1.x}
|
17
|
+
gem.summary = %q{OmniAuth Shibboleth strategies for OmniAuth 1.x}
|
18
|
+
gem.homepage = ""
|
19
|
+
|
20
|
+
gem.files = `find . -not \\( -regex ".*\\.git.*" -o -regex "\\./pkg.*" -o -regex "\\./spec.*" \\)`.split("\n").map{ |f| f.gsub(/^.\//, '') }
|
21
|
+
gem.test_files = `find spec/*`.split("\n")
|
22
|
+
gem.name = "omniauthv2-shibboleth"
|
23
|
+
gem.require_paths = ["lib"]
|
24
|
+
gem.version = OmniAuth::Shibboleth::VERSION
|
25
|
+
|
26
|
+
|
27
|
+
end
|