So, I started out learning that there is a client half and a server half of the setup. The IdP is the Identity Provider; that is the half we were going to be, so Domo could check against us.
We grabbed the gem: https://github.com/lawrencepit/ruby-saml-idp
And we rolled master back to the version that was the last released gem (known state).
And... hacked it a bit so we could pass multiple groups and a name: https://github.com/RepairShopr/ruby-saml-idp/commit/07d2df4b61296b67e4bfd6674456cbf0c51174c6
Then, in our app we did mostly what the README said to do:
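
    class SamlIdpController < SamlIdp::IdpController
      # CSRF token verification is skipped for this controller's actions.
      skip_before_filter :verify_authenticity_token
      before_filter :allow_iframe_requests
      before_filter :setup_admin_account
      layout 'application_no_nav'

      # Return the user only when the password is valid and Domo is enabled
      # for the user's account; otherwise return nil.
      def idp_authenticate(email, password)
        user = User.where(:email => params[:email]).first
        if user && user.valid_password?(params[:password]) && user.account.settings.domo_enabled
          return user
        else
          return nil
        end
      end

      # name: and groups: are the extra values the patched gem (linked above) accepts.
      def idp_make_saml_response(user)
        encode_SAMLResponse(user.email, name: user.full_name, groups: ["Customers", user.account_id])
      end

      private

      def setup_admin_account
        @account = Account.find_by(subdomain: "admin")
      end

      # Rails 4 sends X-Frame-Options: SAMEORIGIN by default. Deleting it allows
      # every action in this controller to be framed from any origin.
      def allow_iframe_requests
        response.headers.delete('X-Frame-Options')
      end
    end
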
You'll notice a layout specified. This isn't inheriting from application_controller, so you get no template; we have a special one for things like this.
Also, Rails 4 includes a cool header that blocks iframes, so the Domo test button didn't work. See the before_filter above for that fix.
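A narrower alternative to deleting the header, as an added example that is not from the original post or the gem: allow framing only by the app itself and one named Domo origin through a Content-Security-Policy `frame-ancestors` directive. `DOMO_ORIGIN`, `ORIGIN_RE` and `framing_headers` are hypothetical names, and the origin is a constructed placeholder.

```ruby
# Added example: build response headers that permit framing only from an
# explicit allowlist, instead of dropping X-Frame-Options for everyone.

# Constructed placeholder; replace with the origin of your own Domo instance.
DOMO_ORIGIN = 'https://example.domo.com'.freeze

# A bare https origin: scheme, host, optional port. No path, wildcard, space or
# ';' is accepted, so a value cannot smuggle extra CSP directives into the header.
ORIGIN_RE = /\Ahttps:\/\/[a-z0-9-]+(\.[a-z0-9-]+)*(:\d{1,5})?\z/i

# Takes a headers hash and a list of origins allowed to frame the page.
# Returns a new hash; the input is left untouched.
def framing_headers(headers, allowed_origins)
  bad = allowed_origins.reject { |o| o.match?(ORIGIN_RE) }
  raise ArgumentError, "not a bare https origin: #{bad.inspect}" unless bad.empty?

  out = headers.dup
  # X-Frame-Options has no way to name a third-party origin that current
  # browsers honour, so it is removed and frame-ancestors takes over.
  out.delete('X-Frame-Options')

  # Keep any other CSP directives already set; replace only frame-ancestors.
  directives = out.fetch('Content-Security-Policy', '')
                  .split(';').map(&:strip).reject(&:empty?)
  directives.reject! { |d| d.split.first.to_s.casecmp?('frame-ancestors') }

  ancestors = (["'self'"] + allowed_origins).uniq.join(' ')
  directives << "frame-ancestors #{ancestors}"
  out['Content-Security-Policy'] = directives.join('; ')
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the Rails 4 default header plus an existing policy.
  sample = { 'X-Frame-Options' => 'SAMEORIGIN',
             'Content-Security-Policy' => "default-src 'self'" }
  framing_headers(sample, [DOMO_ORIGIN]).each { |k, v| puts "#{k}: #{v}" }
end
```

In the controller, the filter would set the resulting `Content-Security-Policy` value on `response.headers` rather than only deleting `X-Frame-Options`.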
Then... we weren't able to send groups as an array (which we didn't require, but I thought would be nice), so that got hacked in there.
Our Domo configuration page looks like this:
Here is the config: https://dl.dropboxusercontent.com/u/15079951/repairshopr/Domo.png