SAML + Ruby

Hugh Evans

July 28, 2015
Transcript

1. Single Sign-On
   • One identity can span many services
   • The Identity Provider (IdP) holds the identity and authenticates the user
   • The Service Providers (SP) consume the IdP's assertions to allow users access
   • All happens in the browser

2. Use cases
   • Useful for service-oriented architecture and microservices
   • Useful when you don't want to have to join servers to existing directories
   • Useful for enterprises - many SaaS products now offer SAML on their higher level plans

3. Things to note
   • It's JIT provisioning, so systems will only discover new users when they first sign in
   • It uses XML (yuk)
   • System clocks of SPs and IdPs have to match within a defined time range (~2 sec) to protect against replay attacks
   • You can encode attributes in the SAML package to send from the IdP to the SP

4. Creating an SP
   • OneLogin provide a gem, ruby-saml, that works with most IdPs
   • You can get it working with the free OneLogin IdP service
   • You may want to use encoded attributes to set permission group levels

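As an added example, not code from the talk or from the ruby-saml gem, the block below shows the SP-side handling behind two points on these slides: checking the assertion's validity window with a small clock-drift allowance (slide 3), and reading IdP-encoded attributes to derive a permission group level (slide 4). It uses only Ruby's bundled REXML. The response XML, the `role` attribute name, the `ROLE_LEVELS` mapping and the 2-second drift are constructed assumptions. XML signature verification is out of scope here; ruby-saml performs it before any of these values should be trusted.

```ruby
# Added example (not from the talk or the ruby-saml gem): SP-side handling of a
# SAML Response using only Ruby's bundled REXML. Signature verification is
# deliberately omitted; ruby-saml performs it before these checks.
require 'rexml/document'
require 'time'

SAML_NS = {
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion'
}.freeze

# Assumed mapping from an IdP-encoded "role" attribute to an SP permission level.
ROLE_LEVELS = { 'admin' => 3, 'staff' => 2, 'member' => 1 }.freeze

ClockSkewError = Class.new(StandardError)

# Constructed, unsigned sample response; times are fixed so the checks are repeatable.
SAMPLE_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="_resp1" Version="2.0" IssueInstant="2015-07-28T10:00:00Z">
    <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-07-28T10:00:00Z">
      <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
      <saml:Subject>
        <saml:NameID>alice@example.test</saml:NameID>
      </saml:Subject>
      <saml:Conditions NotBefore="2015-07-28T10:00:00Z" NotOnOrAfter="2015-07-28T10:05:00Z"/>
      <saml:AttributeStatement>
        <saml:Attribute Name="role">
          <saml:AttributeValue>member</saml:AttributeValue>
          <saml:AttributeValue>staff</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="email">
          <saml:AttributeValue>alice@example.test</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </samlp:Response>
XML

# Returns the <saml:Assertion> element of a response document.
def parse_assertion(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.first(doc, '//saml:Assertion', SAML_NS) or raise ArgumentError, 'no Assertion'
end

# Enforces NotBefore / NotOnOrAfter, tolerating `allowed_drift` seconds of
# clock difference between IdP and SP. Returns true, raises ClockSkewError otherwise.
def assertion_in_window?(assertion, now: Time.now.utc, allowed_drift: 2)
  cond = REXML::XPath.first(assertion, 'saml:Conditions', SAML_NS) or raise ArgumentError, 'no Conditions'
  not_before      = Time.iso8601(cond.attributes['NotBefore'])
  not_on_or_after = Time.iso8601(cond.attributes['NotOnOrAfter'])
  if now + allowed_drift < not_before
    raise ClockSkewError, "assertion not yet valid (NotBefore=#{not_before.iso8601})"
  end
  if now - allowed_drift >= not_on_or_after
    raise ClockSkewError, "assertion expired (NotOnOrAfter=#{not_on_or_after.iso8601})"
  end
  true
end

# Collects the AttributeStatement into { name => [values] }.
def assertion_attributes(assertion)
  attrs = Hash.new { |h, k| h[k] = [] }
  REXML::XPath.each(assertion, 'saml:AttributeStatement/saml:Attribute', SAML_NS) do |a|
    name = a.attributes['Name']
    REXML::XPath.each(a, 'saml:AttributeValue', SAML_NS) { |v| attrs[name] << v.text.to_s.strip }
  end
  attrs
end

# Highest permission level granted by the role attribute (0 = no recognised role).
def permission_level(attrs)
  attrs.fetch('role', []).map { |r| ROLE_LEVELS.fetch(r, 0) }.max || 0
end

# Full SP-side pass: window check first, then NameID and attribute extraction.
def accept_response(xml, now: Time.now.utc, allowed_drift: 2)
  assertion = parse_assertion(xml)
  assertion_in_window?(assertion, now: now, allowed_drift: allowed_drift)
  attrs  = assertion_attributes(assertion)
  nameid = REXML::XPath.first(assertion, 'saml:Subject/saml:NameID', SAML_NS)&.text
  { nameid: nameid, level: permission_level(attrs), attributes: attrs }
end

if $PROGRAM_NAME == __FILE__
  p accept_response(SAMPLE_RESPONSE, now: Time.utc(2015, 7, 28, 10, 1, 0))
end
```

The drift is applied symmetrically: an SP whose clock is 2 seconds behind the IdP still accepts an assertion at its NotBefore instant, and one 2 seconds ahead still accepts it just before NotOnOrAfter, while anything outside that band is rejected. Mapping roles to the highest matching level means a user carrying both `member` and `staff` gets the staff level, and an unknown role value grants nothing rather than failing open.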
5. Creating an IdP
   • The saml_idp gem works well
   • You can integrate it pretty easily with an identity store such as Devise
   • We've used this combination to create a production IdP https://account.amc.org.au/
   • We also added an assume user function which is super handy for support