Skip to content

Instantly share code, notes, and snippets.

@scott

scott/saml-aad.yml Secret

Created Sep 1, 2019
Embed
What would you like to do?
Sample config file for Helpy Pro SAML using Azure AD
omniauth:
providers:
saml:
# Name for the attribute service. Defaults to Required attributes.
attribute_service_name: "Helpy"
# The URL at which the SAML assertion should be received.
# Should be of the format yourURL/users/auth/saml/callback
assertion_consumer_service_url: "https://<yourdomain>/users/auth/saml/callback"
# SP Entity ID, Recommended to set the URL where the SP metadata
# is published. This will be yourdomain/users/auth/saml/metadata
issuer: "helpypro"
# idp Entity. Required by most Identity Providers
idp_entity: '<Azure AD Identifier>'
# The identity provider's certificate in PEM format. Takes
# precedence over the fingerprint option below. This option
# or :idp_cert_fingerprint or :idp_cert_fingerprint_validator
# must be present.
idp_cert: '<SAML Signing Certificate- Base64 certificate>'
# The SHA1 fingerprint of the certificate, e.g. "90:CC:16:F0:8D:...".
# This is rovided from the identity provider when setting up the
# relationship. This option or :idp_cert or
# :idp_cert_fingerprint_validator MUST be present.
# idp_cert_fingerprint:
# The URL to which the authentication request should be sent. This would be on
# the identity provider. Required.
idp_sso_target_url: '<Azure AD Login URL>'
# The URL to which the single logout request and response should be sent.
# This would be on the identity provider. Optional
idp_slo_target_url: '<Azure AD Logout URL>'
# For IdP initiated logout, logout requests from the IdP should go to
# /auth/saml/slo (this can be advertised in metadata by setting the
# single_logout_service_url
single_logout_service_url: 'https://<yourdomain>/users/auth/saml/slo'
# Where to redirect the user after login off
slo_default_relay_state: "https://<yourdomain>"
# Used to build the metadata file to inform the IdP to send certain
# attributes along with the SAMLResponse messages. Defaults to requesting
# name, first_name, last_name and email attributes. See the
# OneLogin::RubySaml::AttributeService class in the Ruby SAML gem for
# the available options for each attribute. Set to {} to disable this
# from metadata.
#request_attributes: [
# {
# name: "urn:oid:2.16.840.1.113730.3.1.241",
# name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
# friendly_name: "displayName",
# is_required: true
# },
# {
# name: "urn:oid:0.9.2342.19200300.100.1.3",
# name_format: "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
# friendly_name: "email",
# is_required: true
# }
# ]
# Used to map Attribute Names in a SAMLResponse to entries in the OmniAuth
# info hash. For example, if your SAMLResponse contains an Attribute called
# 'EmailAddress', specify {:email => ['EmailAddress']} to map the Attribute
# to the corresponding key in the info hash. URI-named Attributes are also
# supported, e.g. {:email =>
# ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']}.
# Note: All attributes can also be found in an array under
# auth_hash[:extra][:raw_info], so thi setting should only be used to map
# attributes that are part of the OmniAuth info hash schema.
#
# a value for email and name are REQUIRED for Helpy SSO. Email should also
# be unique.
attribute_statements: {
email: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"],
name: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
}
# Attribute that uniquely identifies the user. If unset, the name identifier
# returned by the IdP is used.
# uid_attribute: "uid"
# SIGNED REQUESTS
# The following are related to signing of requests.
# See https://github.com/onelogin/ruby-saml#signing
# In order to be able to sign, define the private key and the public cert
# of the service provider
# certificate: '<cert>'
# private_key: '<key>'
# The settings related to sign are stored in the security attribute of
# the settings
# security: {
# authn_requests_signed: true,
# signature_method: XMLSecurity::Document::RSA_SHA256
# }
# Used during SP-initiated SSO. Describes the format of the username required
# by this application. If you need the email address, use
# "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
# See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
# section 8.3 for other options. Note that the identity provider might not
# support all options. If not specified, the IdP is free to choose the name
# identifier format used in the response. Optional.
# name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.