SSO With Devise / Ruby on Rails

I have an existing application which uses the Devise gem to allow people to log in. I’ve installed the additional gem devise_saml_authenticatable and followed the setup instructions here. When authenticating through Okta it always responds with 401 Unauthorized, even though the user’s account(s) are definitely working and authorized.

I’ve added the following to my devise.rb initializer.

config.saml_configure do |settings|
  url_base ||= "public url of my dev server"
  settings.issuer                         = url_base + "/users/saml/metadata"
  settings.assertion_consumer_service_url = url_base + "/users/saml/auth"
  settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  settings.assertion_consumer_logout_service_url = url_base + "/users/saml/idp_sign_out"
  settings.authn_context                      = ""
  settings.idp_slo_target_url                 = ""
  settings.idp_cert_fingerprint_algorithm     = 'http://www.w3.org/2000/09/xmldsig#sha256'
  settings.idp_cert_fingerprint = "finger print in HEX"
  settings.idp_entity_id                  = "http://www.okta.com/exkb0ibo50PdGUUv50h7" 
  settings.idp_sso_target_url  = "https://caffenero.oktapreview.com/app/caffenero_hrportal_1/exkb0ibo50PdGUUv50h7/sso/saml" 
  settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
end 

I’ve created an attribute-map.yml in the config directory with the following items:

"urn:mace:dir:attribute-def:uid": "user_name"
"urn:mace:dir:attribute-def:email": "email"

Can anyone give any pointers? (I can’t add the SAML response, because I get an error on this forum saying New users can only add two links in a post…)
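A check for the `idp_cert_fingerprint` / `idp_cert_fingerprint_algorithm` pair in the config posted above, as an added example that is not code from the post or from either gem: it computes the certificate fingerprint under the configured digest and compares it with the configured value. The function names are hypothetical, the certificate is a constructed throwaway, and the comparison rule (hash of the DER-encoded certificate, separators and case ignored) is an assumption.

```ruby
require "openssl"

# Pick a digest from the trailing "shaNNN" of an XML-DSig style URI
# (this example's own convention); anything else falls back to SHA-1.
def digest_for(algorithm_uri)
  case algorithm_uri.to_s[/sha(\d+)\z/i, 1]
  when "256" then OpenSSL::Digest::SHA256
  when "384" then OpenSSL::Digest::SHA384
  when "512" then OpenSSL::Digest::SHA512
  else OpenSSL::Digest::SHA1
  end
end

# Hex fingerprint of the DER-encoded certificate, colon-separated.
def cert_fingerprint(cert_pem, algorithm_uri)
  der = OpenSSL::X509::Certificate.new(cert_pem).to_der
  digest_for(algorithm_uri).hexdigest(der).upcase.scan(/../).join(":")
end

# Compare ignoring separators and case (assumed comparison rule).
def fingerprint_matches?(cert_pem, configured, algorithm_uri)
  normalize = ->(s) { s.gsub(/[^0-9a-fA-F]/, "").downcase }
  normalize.(cert_fingerprint(cert_pem, algorithm_uri)) == normalize.(configured)
end

# Constructed sample: a throwaway self-signed certificate standing in for
# the IdP signing certificate downloaded from the IdP's admin console.
def sample_cert_pem
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=idp.example.test")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  pem    = sample_cert_pem
  sha1   = "http://www.w3.org/2000/09/xmldsig#sha1"
  sha256 = "http://www.w3.org/2000/09/xmldsig#sha256" # URI as written in the post
  fp1 = cert_fingerprint(pem, sha1)
  puts "SHA-256 fingerprint: #{cert_fingerprint(pem, sha256)}"
  puts "SHA-1 value vs sha256 setting: #{fingerprint_matches?(pem, fp1, sha256)}"
end
```

To check a real setup, pass the PEM text of the IdP signing certificate in place of `sample_cert_pem`, together with the two values from the initializer.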

@thenapking Any luck with getting Devise to work with Okta? I also have a Rails app that uses Devise and I’m not sure how easy/difficult it is to use Devise and Okta together. Not sure why they don’t have any Ruby examples either.

Yes. But I had to use omniauth with devise. If you can manage to get google/facebook omniauth logins to work with devise, you can then adapt this to use omniauth_saml. I’d completely avoid devise_saml_authenticatable, and also I wouldn’t bother trying to get any help out of Okta’s professional services either, they seem to have literally no knowledge of Ruby.

We don’t have any Ruby examples because we haven’t seen a lot of demand from developers. At Stormpath, we had a Ruby on Rails SDK, and it was our least used integration. That being said, we can fix that here at Okta! If we were to create Ruby examples, what use cases and libraries would you like to see?

Thanks @thenapking and @mraible. I would love to see an example of how you would do SSO in a web application that uses Okta. To be more specific, I would like to use the Okta Single Sign On widget in my web app and then understand how I tie that to my users table in my Ruby on Rails app.

I’m a little lost at the moment, but I’ll continue to read and re-read the Okta documentation.

Thanks again.

Unfortunately, I appear not to be able to reply to this post properly because it says “new users can only mention 2 users in a post, and cannot add more than two links”. I now have several working examples of this, and although I wouldn’t have time to post up a proper github demo app, I can certainly give a list of steps to add Okta to your app using an omniauth SAML strategy.

I was able to get it working following this link: http://blog.cloud66.com/adding-sso-to-your-rails-application-with-saml/

It goes over the basics, but I still have a lot to figure out.

I’m aware of that blog, and went through the instructions several times with vanilla builds and existing sites and never managed to get it to work.

@mraible Any chance this Shopify project may be useful for integration of Okta in Ruby? Seems to be just that.

Sent previous message too soon via some keyboard shortcut I was unaware of…

Thanks for the link @pboling! It looks like it could be useful for talking to our API, but I’m not sure it’ll help you with adding SSO to your RoR application.

If you are still working on this, let me know. I have it working with Okta and RoR. Also other SAML providers like OneLogin if you’re interested.

I just got a request to integrate okta login into an existing app using devise. So any help you can offer would be greatly appreciated.

@dcweber88, which gems would you recommend for a new Rails project to add SSO?

I’m reading blog posts that suggest devise_saml_authenticatable (and some that hate it), and others that suggest ruby-saml. Ruby 2.3.5 and Rails 5.0.6.

The blog posts for Devise look more complex, but I’m looking for a recommendation from someone who has tried. Thank you!

We use Okta with all of our RoR apps. If this is still a problem I can post some examples on how to make it work.

We wrote a blog post that shows how to use Rails with Okta: Simple Authentication with Rails and OmniAuth.