Thursday, December 04, 2008

Inkling with SAML 2.0 Single Sign On

We've been working on quite an interesting and difficult project here at Inkling: single sign-on using SAML 2.0, with Inkling acting as the service provider.  We have been beta testing it with a client of ours who runs a SiteMinder identity server and have been pleased so far with the results.  

Here is a 30 second video of Inkling integrated with OpenSSO (Sun's open source identity server).  Please forgive the music; single sign-on can be kind of boring to watch.  Also, this was a big accomplishment for our development team, so it needed a bit of flair. :) 

Please let us know if you also have a need for single sign on with SAML 2.0 soon and would like to start beta testing with it.  

For any developers reading this, the work was powered by saml2ruby, which Todd Saxton and Pat Patterson contributed.  saml2ruby was created largely as a proof of concept, but over the last couple of months we've made improvements to it.  For example, we fixed a security flaw it had, similar to the one Google had in their SAML 2.0 implementation in September of this year.  In general, verifying the XML signature on a response is only the first step: the service provider also has to confirm that the assertion was issued for it (and not for some other service provider), that it answers a request the service provider actually sent, that it is within its validity window, and that it has not been presented before.  We also found that the XML canonicalization library this relied on wasn't doing a good enough job for XML digital signatures to verify properly against identity servers other than OpenSSO at the time.  
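As an added illustration of the post-signature checks a SAML 2.0 service provider has to make, here is a small Ruby validator for a bearer assertion. It is example code written for this post, not saml2ruby's own code, and it assumes the caller has already verified the enveloped XML signature (the canonicalization-dependent part that saml2ruby handles). The assertion, the entity IDs (`https://idp.example.com/opensso`, `https://sp.example.com/saml/metadata`), the assertion consumer URL and the request ID `_req42` are all constructed for the example.

```ruby
require 'rexml/document'
require 'rexml/xpath'
require 'time'
require 'set'

SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze
BEARER  = 'urn:oasis:names:tc:SAML:2.0:cm:bearer'

# Constructed sample (hypothetical entity IDs): what an IdP might issue after
# authenticating alice for the SP "https://sp.example.com/saml/metadata".
# The enveloped ds:Signature is left out; this validator assumes the caller
# has already verified it and only checks the claims the assertion makes.
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_a1b2c3" Version="2.0" IssueInstant="2008-12-04T18:00:00Z">
    <saml:Issuer>https://idp.example.com/opensso</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42"
            Recipient="https://sp.example.com/saml/consume"
            NotOnOrAfter="2008-12-04T18:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-12-04T17:59:00Z" NotOnOrAfter="2008-12-04T18:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
XML

class AssertionValidator
  Result = Struct.new(:ok, :errors, :name_id)

  def initialize(sp_entity_id:, acs_url:, trusted_issuer:, clock_skew: 60)
    @sp_entity_id, @acs_url, @trusted_issuer, @skew = sp_entity_id, acs_url, trusted_issuer, clock_skew
    @seen_ids = Set.new # replay cache; in production use a shared store with expiry
  end

  def validate(xml, expected_in_response_to:, now: Time.now.utc)
    errors = []
    a = REXML::XPath.first(REXML::Document.new(xml), '/saml:Assertion', SAML_NS)
    return Result.new(false, ['no saml:Assertion element'], nil) if a.nil?

    # 1. Issuer must be the IdP whose key verified the signature.
    issuer = text(a, 'saml:Issuer')
    errors << "untrusted issuer #{issuer.inspect}" unless issuer == @trusted_issuer

    # 2. Conditions: validity window, and the assertion must be addressed to THIS SP.
    #    Without the Audience check, a rogue SP that legitimately received an
    #    assertion for alice could replay it here and log in as her.
    cond = REXML::XPath.first(a, 'saml:Conditions', SAML_NS)
    if cond.nil?
      errors << 'missing Conditions'
    else
      errors << 'assertion not yet valid' if before?(now, cond.attributes['NotBefore'])
      errors << 'assertion expired' if expired?(now, cond.attributes['NotOnOrAfter'])
      audiences = REXML::XPath.match(cond, 'saml:AudienceRestriction/saml:Audience', SAML_NS)
                              .map { |e| e.text.to_s.strip }
      errors << "audience #{audiences.inspect} does not include us" unless audiences.include?(@sp_entity_id)
    end

    # 3. Bearer confirmation: delivered to our ACS URL, answering our request, unexpired.
    scd = REXML::XPath.first(a, "saml:Subject/saml:SubjectConfirmation[@Method='#{BEARER}']/saml:SubjectConfirmationData", SAML_NS)
    if scd.nil?
      errors << 'no bearer SubjectConfirmationData'
    else
      errors << 'Recipient is not our ACS URL' unless scd.attributes['Recipient'] == @acs_url
      errors << 'InResponseTo does not match our AuthnRequest' unless scd.attributes['InResponseTo'] == expected_in_response_to
      errors << 'SubjectConfirmationData expired' if expired?(now, scd.attributes['NotOnOrAfter'])
    end

    # 4. Replay: each assertion ID is accepted once.
    id = a.attributes['ID'].to_s
    errors << 'missing assertion ID' if id.empty?
    errors << "replay of assertion #{id}" if @seen_ids.include?(id)
    @seen_ids << id if errors.empty?

    Result.new(errors.empty?, errors, errors.empty? ? text(a, 'saml:Subject/saml:NameID') : nil)
  end

  private

  def text(node, path)
    e = REXML::XPath.first(node, path, SAML_NS)
    e && e.text.to_s.strip
  end

  def before?(now, not_before)        # NotBefore is optional in the schema
    !not_before.nil? && now + @skew < Time.iso8601(not_before)
  end

  def expired?(now, not_on_or_after)  # an assertion with no expiry at all is refused
    not_on_or_after.nil? || now - @skew >= Time.iso8601(not_on_or_after)
  end
end

if __FILE__ == $0
  v = AssertionValidator.new(sp_entity_id: 'https://sp.example.com/saml/metadata',
                             acs_url: 'https://sp.example.com/saml/consume',
                             trusted_issuer: 'https://idp.example.com/opensso')
  r = v.validate(SAMPLE_ASSERTION, expected_in_response_to: '_req42', now: Time.utc(2008, 12, 4, 18, 1, 0))
  puts r.ok ? "accepted #{r.name_id}" : "rejected: #{r.errors.join('; ')}"
end
```

The same assertion, handed to a validator configured for a different entity ID and consumer URL, is rejected on both the Audience and Recipient checks, and a second presentation to the same validator is rejected as a replay; the NameID is only returned when every check passes, so a caller cannot accidentally create a session from a partially validated assertion.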

The current plan, with Pat's blessing, is to move saml2ruby over to GitHub, where hopefully it can get even more attention and love from the Rubyists there.  We'll also publish our patches and, soon, share some lessons learned from this whole experience with SAML, service providers, identity servers, and so on.  


Skatebomb said...

How long did this project take to implement, cradle-to-grave?

nate said...

It's hard to look at our example and use that as a baseline. There aren't examples of public Ruby on Rails applications out there doing SAML 2.0. So we had to start from square zero.

I'll share some details of what we went through in a later post, but when we started we looked at tons of different standalone options: Shibboleth, OpenSSO, simplesamlphp to name a few open source ones. And commercial products like Ping Identity.

We'd go down the path of testing each one out, but for all different reasons we would have to stop pursuing them and move onto the next solution. We even tried to use what's called a "saml agent" or a "policy agent" supplied by a client to at least provide SAML SSO for that individual client, but that proved to be something we just couldn't maintain in our software environment due to what was required in changing how we configure Apache.

In the end we decided to crack open saml2ruby to see how far along it was, and we had some great success early on using it to talk to OpenSSO, which isn't surprising because the code came from employees at Sun. But once we started testing it against another identity server like Siteminder, the digital signatures weren't working, and it was very difficult to troubleshoot.

All in all, it took about 3 months. 1 month of that has been using and fixing saml2ruby, and most of that time is doing things like understanding the SAML 2.0 specification and fixing XML canonicalization for ruby.

I believe now with our fixes and some tutorials, a current Rails app could become a SAML 2.0 service provider in just a few hours. That assumes the Rails developer is handy with their login/security code already, maybe even already implemented something like the openid plugin for example.

Unknown said...

I'm going about implementing SAML in the same way. I found the XML Canonicalization gem to be lacking and tried to clean it up a bit. I've rewritten the relying_party lib and implemented a session controller not unlike what you might see with a RESTful OpenID auth.

I just came across which appears to implement the full SAML2 core spec. I haven't gotten too deep with it yet, but it looks the most promising from what I've seen.

Anonymous said...

I'll forgive the cheesy music - but it's hard to figure the new mail received at around :09-:10 - I glanced down at my icon twice - the first time thinking I got mail, and the second time while watching the video to make sure I wasn't crazy about getting new mail.

dylan said...

Hey there - it would be great to see the improvements you made to saml2ruby - did you end up putting the results on github?

Unknown said...

any movement on getting the updated ruby2saml code up on github? I need to implement SAML2 service provider functionality within a Rails app and have not really been able to find much helpful information, tutorials, or sample code out there.