Implementing Single Sign On using OneLogin SAML

There are dozens of applications we use every day, and keeping a separate set of login credentials for each application or service and remembering all the passwords is hard. Single sign-on comes to the rescue here: it allows access to connected applications or services with a single ID and password, so a user can reach multiple applications with one set of login credentials and does not need to log in to each application separately. The best example is Gmail: once you log in to Gmail you do not have to go through authentication again to use YouTube or Drive. Single sign-on also makes it easier to log and monitor user activity in one place. Recently I implemented single sign-on in one of my Rails applications, so in this article we will see how to implement single sign-on with OneLogin SAML in a Ruby on Rails application.

SSO:

Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. It can be implemented in many ways; here we do it with SAML.

SAML:

Security Assertion Markup Language is an XML-based, open-standard data format for exchanging authentication and authorization data between the identity provider and a service provider.

Service Provider (SP):

It is an entity which provides the service – in our case, it is an application.

Identity Provider (IDP):

It provides the identities and authenticates the users. It contains the user profile – additional information about the user such as first name, last name, job code, phone number, address, etc.

I am using OneLogin as the Identity Provider. On the application side we use the Ruby SAML library, which implements the client side of a SAML authorization, i.e. it builds the authentication requests sent to the identity provider and validates the responses that come back.

We can implement both SP-initiated login and IDP-initiated login.

First, we will implement the client side authorization part.

Implementation:

1) Add these gems to your Gemfile and run bundle install.

   gem 'ruby-saml', '~> 1.0.0'
   gem 'nokogiri', '~> 1.5.10'

2) This method is the entry point for SP-initiated login (ignore the saml_sso_settings call for now). It redirects the browser to OneLogin, which authenticates the user and then redirects back to the Single Sign-On (SSO) URL configured in the OneLogin settings.

 # This will redirect to the onelogin and authenticates the user
 def sp_initiated_login
   saml_request = OneLogin::RubySaml::Authrequest.new
   redirect_to(saml_request.create(saml_sso_settings))
 end

3) When a user logs in via our OneLogin app (IDP-initiated login), they click the app in OneLogin and OneLogin posts a SAML response to this method. The response carries the user information, so this is also the place to create the user if they do not exist in our system yet.

 # When user clicks on SSO app in onelogin it will send response to this method
 def idp_initiated_login
   saml_response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
   saml_response.settings = saml_sso_settings
   # We validate the SAML Response (signature, audience, conditions) before trusting anything in it
   if saml_response.is_valid?
     # authorize_success, log the user in; reset_session gives the login a fresh session id
     reset_session
     session[:userid] = saml_response.nameid
     session[:attributes] = saml_response.attributes
     redirect_to root_path # root_path is assumed; send the user to your app's landing page
   else
     # show an error message; saml_response.errors lists why validation failed
     Rails.logger.warn("SAML login rejected: #{saml_response.errors.join(', ')}")
     render plain: 'SAML login failed', status: :unauthorized
   end
 end

4) All SAML requests and responses are handled according to the settings returned by the saml_sso_settings method. These settings can be taken from the IdP metadata.

   # I used the XML Meta Data given by oneLogin to get saml settings.
   # Another way we can configure settings using OneLogin::RubySaml::Settings method
   def saml_sso_settings
     # METADATA holds the IdP metadata XML downloaded from OneLogin; parse_remote(url) can fetch it instead
     metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
     metadata_parser.parse(METADATA)
   end

5) Let's wrap everything in a controller. Note that OneLogin delivers the SAML response as a cross-site POST, so the ACS action cannot carry a Rails CSRF token and has to be excluded from verify_authenticity_token; the signature check inside is_valid? is what protects that endpoint instead. For SP-initiated logins you can additionally store saml_request.uuid in the session and pass it to OneLogin::RubySaml::Response.new as matches_request_id, so the response is tied to the request it answers.

class SamlController < ApplicationController
 # OneLogin posts the SAML response cross-site, so it cannot carry a Rails CSRF token.
 # The response signature check in is_valid? protects this action instead.
 skip_before_action :verify_authenticity_token, only: :idp_initiated_login

 # This will redirect to the onelogin and authenticates the user
 def sp_initiated_login
   saml_request = OneLogin::RubySaml::Authrequest.new
   redirect_to(saml_request.create(saml_sso_settings))
 end

 # When user clicks on SSO app in onelogin it will send response to this method
 def idp_initiated_login
   saml_response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
   saml_response.settings = saml_sso_settings
   # We validate the SAML Response (signature, audience, conditions) before trusting anything in it
   if saml_response.is_valid?
     # authorize_success, log the user in; reset_session gives the login a fresh session id
     reset_session
     session[:userid] = saml_response.nameid
     session[:attributes] = saml_response.attributes
     redirect_to root_path # root_path is assumed; send the user to your app's landing page
   else
     # show an error message; saml_response.errors lists why validation failed
     Rails.logger.warn("SAML login rejected: #{saml_response.errors.join(', ')}")
     render plain: 'SAML login failed', status: :unauthorized
   end
 end

 private

   # I used the XML Meta Data given by oneLogin to get saml settings.
   # Another way we can configure settings using OneLogin::RubySaml::Settings method
   def saml_sso_settings
     # METADATA holds the IdP metadata XML downloaded from OneLogin; parse_remote(url) can fetch it instead
     metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
     metadata_parser.parse(METADATA)
   end
end
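Step 4 relies on IdpMetadataParser to turn OneLogin's metadata XML into settings. The following added example (not from the original post or the ruby-saml library) does that extraction by hand with Ruby's standard library, to show which parts of the metadata the SP depends on: the entityID, the HTTP-Redirect SSO endpoint, and the signing certificate whose SHA-1 fingerprint the response validation checks against. The metadata document is constructed and the certificate body is a placeholder, not a real certificate.

```ruby
require 'rexml/document'
require 'base64'
require 'digest'

# Namespaces fixed by the SAML 2.0 metadata and XML Signature specs.
NS = { 'md' => 'urn:oasis:names:tc:SAML:2.0:metadata',
       'ds' => 'http://www.w3.org/2000/09/xmldsig#' }.freeze
REDIRECT_BINDING = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'.freeze

# Constructed metadata in the shape OneLogin publishes (not real OneLogin data).
# The certificate body is base64 of "placeholder-der-bytes", not a real certificate.
SAMPLE_METADATA = <<~XML
  <md:EntityDescriptor xmlns:md="#{NS['md']}" xmlns:ds="#{NS['ds']}"
      entityID="https://app.onelogin.com/saml/metadata/EXAMPLE-ID">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>cGxhY2Vob2xkZXItZGVyLWJ5dGVz</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://app.onelogin.com/trust/saml2/http-post/sso/EXAMPLE-ID"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://app.onelogin.com/trust/saml2/http-redirect/sso/EXAMPLE-ID"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
XML

# SHA-1 of the DER certificate in the colon-separated form OneLogin displays.
def cert_fingerprint(cert_b64)
  Digest::SHA1.hexdigest(Base64.decode64(cert_b64)).upcase.scan(/../).join(':')
end

# Pulls the fields an SP needs out of IdP metadata. Raises instead of returning
# nil so a file without a signing certificate or SSO endpoint fails at startup.
def idp_settings_from_metadata(xml)
  doc = REXML::Document.new(xml)
  idp = REXML::XPath.first(doc, '/md:EntityDescriptor/md:IDPSSODescriptor', NS)
  raise ArgumentError, 'metadata has no IDPSSODescriptor' unless idp
  # Prefer the key marked for signing; a KeyDescriptor without "use" serves both roles.
  cert_path = 'ds:KeyInfo/ds:X509Data/ds:X509Certificate'
  cert = REXML::XPath.first(idp, "md:KeyDescriptor[@use='signing']/#{cert_path}", NS) ||
         REXML::XPath.first(idp, "md:KeyDescriptor[not(@use)]/#{cert_path}", NS)
  raise ArgumentError, 'metadata has no signing certificate' unless cert
  sso = REXML::XPath.first(idp, "md:SingleSignOnService[@Binding='#{REDIRECT_BINDING}']", NS)
  raise ArgumentError, 'metadata has no HTTP-Redirect SSO endpoint' unless sso
  cert_b64 = cert.text.gsub(/\s+/, '')  # strip the line wrapping metadata files use
  { idp_entity_id: doc.root.attributes['entityID'],
    idp_sso_target_url: sso.attributes['Location'],
    idp_cert: cert_b64,
    idp_cert_fingerprint: cert_fingerprint(cert_b64) }
end
```

The returned keys mirror the settings ruby-saml expects, and the fingerprint is the value to compare with the one shown on the OneLogin SSO tab before trusting a downloaded metadata file.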

6) Create an account in OneLogin and sign in. To test our SAML setup we will use the SAML connector provided by OneLogin. Click on “Add Apps”, search for SAML connector, click on it and save it.

7) It will be available on the “Company Apps” page. Click on “SAML connector”; it redirects to the edit page, where you open the configuration tab. Here we enter the SSO URL (called the ACS (consumer) URL in OneLogin) and the ACS URL Validator, a regular expression that OneLogin uses to validate the ACS URL carried in SP-initiated requests; anchor it with ^ and $ so that only your exact ACS URL matches. Enter the details below and save.

ACS URL: “http://[host name]/saml/idp_initiated_login”
ACS URL Validator: “http:\/\/[host name]\/saml\/idp_initiated_login\/”

8) In the “Parameters” tab you can configure the parameters (user attributes) you need.

9) Now go to the “All Users” page and click on your email; a new page opens. On that page go to the “Application” tab and assign the application.

10) Now we can see the app on the homepage.

11) Click on that app and it redirects to our application's home page with the user logged in.

12) With this setup only we can log in to our application using OneLogin. To enable it for all users we have to request a new OneLogin app connector.

13) After submitting the form the OneLogin support team will contact you and will make the app public in 2-3 weeks.

Conclusion:

I hope this blog is informative and helped you implement single sign-on with OneLogin SAML. In my next blog we will see how to implement SLO (Single Logout) using OneLogin SAML. If you have any difficulties while implementing this, or any other queries, comment below.