ruby-on-railsrubyrubygemsadfsadfs2.0

Problem with using Rails / ADFS integration gem omiauth-wsfed

I have been trying to set my Ruby Rails App to be remotely accessed by a partner of mine which uses ADFS 2.0 for providing SSO possibilities. I have been using omniauth-wsfed gem but failed.

I have set omniauth.rb as below:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :wsfed,
      :issuer_name     => "http://fs.sib.com.br/adfs/services/trust",
      :issuer                => "https://fs.sib.com.br/adfs/ls/",
      :realm                 => "https://qa.wit.com",
      :reply                 => "https://qa.wit.com/students/auth/wsfed/callback",
      :saml_version     => "2.0",
      :id_claim              => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
      :idp_cert_fingerprint  => "--94061be1aba531da005d5f22bf6796b7cd69b3---"
end

Error log is:

ERROR -- omniauth: (wsfed) Authentication failure! invalid_authn_token: OmniAuth::Strategies::WSFed::ValidationError, AuthN token (wresult) missing in callback.

Does anybody suspect what is wrong ?

Solution

  • I am assuming you have configured your omniauth.rb properly where:

    Issuer Name: This should be in the format of the adfs sever domain followed by /adfs/services/trust

Issuer: This is where your login requests will be sent, normally it will be the path /adfs/ls on the ADFS server.

Realm: This should match the domain that you provide in your federation metadata document

Reply: This is where you want the response from ADFS to be returned to in your application. This is normally the path /auth/wsfed/callback when using Omniauth.

SAML Version: The version of SAML tokens. Defaults to 2

ID Claim: This is the name of the claim field that ADFS will return that should be used as the unique identifier.

IDP Cert Fingerprint: Your Windows Administrator should be able to tell you this, but if not a way to find it is to put in any string, do a test login to ADFS — this will fail when doing the callback as the certificate doesn’t match, however if you inspect the response in the Chrome Web Inspector you will be able to see the X509 Certificate in the response. You can then use OpenSSL tools, or this online tool to get the fingerprint of the certificate.

    Also Setting up callback routes like below

    match '/auth/:provider/callback' => 'sessions#create', via: [:get, :post]  
match '/auth/failure' => 'sessions#failure', via: [:get]

    The **controller#action** can differ depending on how your application is structured.

    You can handle the callback in the same way you would any Omniauth provider.

    def create
  auth = request.env["omniauth.auth"]  
  auth.uid # Gets the UID value of the user that has just signed in
  # Create a session, redirect etc
end

    you can refer below repo for further reference.

    https://blog.craig.io/using-microsoft-adfs-with-ruby-on-rails-and-omniauth-a26237c64f8d

    https://github.com/kbeckman/omniauth-wsfed

    Hope it helps.