SAML + Ruby

Transcript

1. SAML+ Ruby

2. Security Assertion Markup Language

3. Single Sign-On • One identity can span many services! •

   The Identity Provider (IdP) holds the identity and authenticates the user! • The Service Providers (SP) consume the IdP’s assertions to allow users access! • All happens in the browser

4. Lifted from https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

5. Use cases • Useful for Service-oriented architecture and micro services!

   • Useful when you don’t want to have to join servers to existing directories! • Useful for enterprises - many SaaS products now offer SAML on their higher level plans

6. Things to note • It’s JIT provisioning so systems will

   only discover new users when they first sign in! • It uses XML (yuk)! • System clocks of SPs and IdPs have to match within a defined time range (~2 sec) to protect against replay attacks! • You can encode attributes in the SAML package to send from the IdP to the SP

7. Creating an SP • OneLogin provide a gem that works

   with most IdPs ruby-­‐saml   • You can get it working with the free OneLogin IdP service! • You may want to use encoded attributes to set permission group levels

8. Creating an IdP • The saml_idp gem works well! •

   You can integrate it pretty easily with an identity store such as Devise! • We’ve used this combination to create a production IdP https://account.amc.org.au/! • We also added an assume user function which is super handy for support