2 votes

I'm trying to understand how to integrate SSO (single sign-on) and ADFS (Active Directory Federation Services) into an existing Ruby on Rails application hosted on a Linux environment served by nginx.

Consider a partner (a company using Active Directory) and a service provider (the Rails application).

It seems that the service provider web server must run an ADFS Web Agent that will handle the authentication process with the partner and ultimately redirect the user to the Rails app with a token and a claim that would be used to identify the user in the app.

My main concern is about this ADFS Web Agent:

Am I understanding correctly that it must be running on the service provider side? (I'm not interested in the partner side.) If so, what would be the best way to integrate ADFS SSO with our app, which is served by nginx on a Linux OS? Do I need a Windows server running a federation server?

Thank you in advance for any help!

3
Are you using Devise or OmniAuth? I had a similar situation configuring SSO for Shibboleth/Touchstone and found an OmniAuth strategy for it.

3 Answers

2 votes

ADFS handles two protocols - WS-Fed and SAML. ADFS 3.0 handles the Authorisation code grant in OAuth 2.0 (but not OpenID Connect).

So to get your Rails app to talk to ADFS, it needs to support one of those protocols.

If it can do that, there is no need for any other server.

Perhaps something like ruby-saml.

Look here: SAML 2.0 SSO for Ruby on Rails?

The other approach is to use OAuth / REST to get to some intermediate federation server and then SAML / WS-Fed out the other side.

Auth0 and Ping-Federate support this kind of approach.
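To make the first option in this answer concrete (the Rails app acting as the SAML service provider itself, with no agent or extra server in front of nginx), here is an added example that is not from the answer, the question, or the ruby-saml project. It uses only the Ruby standard library and shows the two halves of the SP side of SAML 2.0 Web Browser SSO: encoding an AuthnRequest for the HTTP-Redirect binding, and reading the claims out of the Response that ADFS POSTs back, with the checks an SP must make on it (Destination, InResponseTo, Status, Issuer, validity window, Audience). The entity IDs and URLs are assumptions, and the Response is a constructed, unsigned sample rather than a real ADFS capture. One thing is deliberately left out: XML signature verification of the Response/Assertion against the IdP's certificate, which a library such as ruby-saml performs and which must succeed before any of the checks below mean anything.

```ruby
require "base64"
require "cgi"
require "securerandom"
require "time"
require "uri"
require "zlib"
require "rexml/document"

# Assumed identifiers for this example (not from the post). The Rails app is the
# SAML service provider (SP); the partner's ADFS is the identity provider (IdP).
SP_ENTITY_ID  = "https://rails.example.com/saml/metadata"
SP_ACS_URL    = "https://rails.example.com/saml/acs"
IDP_SSO_URL   = "https://adfs.partner.example/adfs/ls/"
IDP_ENTITY_ID = "http://adfs.partner.example/adfs/services/trust"
SUCCESS       = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = { "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
       "saml"  => "urn:oasis:names:tc:SAML:2.0:assertion" }.freeze

class SamlError < StandardError; end

# SP -> IdP: build the AuthnRequest. Keep request_id (e.g. in the session) so the
# Response can later be tied back to it through InResponseTo.
def build_authn_request(request_id, issue_instant = Time.now.utc)
  <<~XML
    <samlp:AuthnRequest xmlns:samlp="#{NS['samlp']}" xmlns:saml="#{NS['saml']}"
        ID="#{request_id}" Version="2.0" IssueInstant="#{issue_instant.iso8601}"
        Destination="#{IDP_SSO_URL}" AssertionConsumerServiceURL="#{SP_ACS_URL}"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
      <saml:Issuer>#{SP_ENTITY_ID}</saml:Issuer>
    </samlp:AuthnRequest>
  XML
end

# HTTP-Redirect binding: raw DEFLATE (no zlib header), Base64, URL-encode.
def redirect_binding_url(xml)
  deflater = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  raw = deflater.deflate(xml, Zlib::FINISH)
  deflater.close
  "#{IDP_SSO_URL}?SAMLRequest=#{CGI.escape(Base64.strict_encode64(raw))}"
end

# Inverse of the above (what the IdP does); used here to round-trip the request.
def decode_redirect_binding(url)
  param = CGI.parse(URI(url).query)["SAMLRequest"].first
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(Base64.strict_decode64(param))
end

# IdP -> SP: checks on the (already signature-verified) Response POSTed to the ACS,
# then the identity: NameID plus the attribute claims ADFS was configured to issue.
def extract_claims(response_xml, expected_request_id:, now: Time.now.utc)
  doc  = REXML::Document.new(response_xml)
  resp = REXML::XPath.first(doc, "/samlp:Response", NS) or raise SamlError, "not a Response"
  raise SamlError, "Destination mismatch"  unless resp.attributes["Destination"] == SP_ACS_URL
  raise SamlError, "InResponseTo mismatch" unless resp.attributes["InResponseTo"] == expected_request_id
  code = REXML::XPath.first(resp, "samlp:Status/samlp:StatusCode", NS)
  raise SamlError, "IdP reported failure" unless code && code.attributes["Value"] == SUCCESS
  assertions = REXML::XPath.match(resp, "saml:Assertion", NS)
  raise SamlError, "expected exactly one Assertion" unless assertions.size == 1
  a = assertions.first
  raise SamlError, "unexpected Issuer" unless REXML::XPath.first(a, "saml:Issuer", NS)&.text == IDP_ENTITY_ID
  cond = REXML::XPath.first(a, "saml:Conditions", NS) or raise SamlError, "no Conditions"
  nb, noa = cond.attributes["NotBefore"], cond.attributes["NotOnOrAfter"]
  raise SamlError, "assertion not yet valid" if nb && now < Time.iso8601(nb)
  raise SamlError, "assertion expired"       if noa.nil? || now >= Time.iso8601(noa)
  audiences = REXML::XPath.match(cond, "saml:AudienceRestriction/saml:Audience", NS).map(&:text)
  raise SamlError, "audience mismatch" unless audiences.include?(SP_ENTITY_ID)
  name_id = REXML::XPath.first(a, "saml:Subject/saml:NameID", NS)&.text or raise SamlError, "no NameID"
  claims = {}
  REXML::XPath.each(a, "saml:AttributeStatement/saml:Attribute", NS) do |attr|
    claims[attr.attributes["Name"]] = REXML::XPath.match(attr, "saml:AttributeValue", NS).map(&:text)
  end
  { name_id: name_id, claims: claims }
end

# Constructed, unsigned sample Response (not a real ADFS capture). The claim
# names are the standard ADFS claim-type URIs for e-mail address and group.
def sample_response(request_id, now = Time.now.utc)
  <<~XML
    <samlp:Response xmlns:samlp="#{NS['samlp']}" xmlns:saml="#{NS['saml']}"
        ID="_#{SecureRandom.hex(8)}" Version="2.0" IssueInstant="#{now.iso8601}"
        Destination="#{SP_ACS_URL}" InResponseTo="#{request_id}">
      <saml:Issuer>#{IDP_ENTITY_ID}</saml:Issuer>
      <samlp:Status><samlp:StatusCode Value="#{SUCCESS}"/></samlp:Status>
      <saml:Assertion ID="_#{SecureRandom.hex(8)}" Version="2.0" IssueInstant="#{now.iso8601}">
        <saml:Issuer>#{IDP_ENTITY_ID}</saml:Issuer>
        <saml:Subject><saml:NameID>jdoe@partner.example</saml:NameID></saml:Subject>
        <saml:Conditions NotBefore="#{(now - 60).iso8601}" NotOnOrAfter="#{(now + 300).iso8601}">
          <saml:AudienceRestriction><saml:Audience>#{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AttributeStatement>
          <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
            <saml:AttributeValue>jdoe@partner.example</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
            <saml:AttributeValue>rails-users</saml:AttributeValue>
            <saml:AttributeValue>admins</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>
  XML
end

if __FILE__ == $0
  rid = "_" + SecureRandom.hex(16)
  puts redirect_binding_url(build_authn_request(rid))
  p extract_claims(sample_response(rid), expected_request_id: rid)
end
```

In a Rails app the first function backs a `/saml/login` action that redirects the browser, and the second backs the ACS action that receives the POST, after the library has verified the signature. The InResponseTo and Audience checks are what stop a Response meant for another SP, or one replayed from an earlier login, from being accepted; the group claim is the usual place to map ADFS groups onto application roles.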

2 votes

Read this excellent post. Practical and clear.

1 vote

If you are using OmniAuth, or if you are able to use it, have a look at this: https://github.com/highgroove/omniauth-saml-rstr