Add SAML authentication

Gemfile

@@ -52,6 +52,7 @@ gem 'omniauth-bn-office365', git: 'https://github.com/blindsidenetworks/omniauth
 gem 'omniauth-bn-launcher', git: 'https://github.com/blindsidenetworks/omniauth-bn-launcher.git', tag: '0.1.3'
 gem 'bn-ldap-authentication', git: 'https://github.com/blindsidenetworks/bn-ldap-authentication.git', tag: '0.1.1'
 gem 'net-ldap'
+gem 'omniauth-saml'
 
 # BigBlueButton API wrapper.
 gem 'bigbluebutton-api-ruby'

Gemfile.lock

@@ -202,6 +202,9 @@ GEM
     omniauth-oauth2 (1.5.0)
       oauth2 (~> 1.1)
       omniauth (~> 1.2)
+    omniauth-saml (1.10.1)
+      omniauth (~> 1.3, >= 1.3.2)
+      ruby-saml (~> 1.7)
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
       rack
@@ -283,6 +286,8 @@ GEM
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 1.7)
     ruby-progressbar (1.10.1)
+    ruby-saml (1.11.0)
+      nokogiri (>= 1.5.10)
     safe_yaml (1.0.5)
     sassc (2.0.1)
       ffi (~> 1.9)
@@ -375,6 +380,7 @@ DEPENDENCIES
   omniauth-bn-launcher!
   omniauth-bn-office365!
   omniauth-google-oauth2
+  omniauth-saml
   omniauth-twitter
   pagy
   pg (~> 0.18)

app/assets/stylesheets/main.scss

@@ -133,6 +133,17 @@
   }
 }
 
+.customBtn-saml {
+  @extend .customBtn;
+  background: $button-color-blue;
+
+  .customBtn-image {
+    background: #ffffff image-url("saml-logo.png") no-repeat left top;
+    background-size: 18px 18px;
+    padding:10px 10px 10px 10px;
+  }
+}
+
 .customBtn-microsoft_windows {
   @extend .customBtn;
   background: #00a1f1;

app/helpers/application_helper.rb

@@ -22,7 +22,7 @@
 module ApplicationHelper
   # Determines which providers can show a login button in the login modal.
   def iconset_providers
-    providers = configured_providers & [:google, :twitter, :office365, :ldap]
+    providers = configured_providers & [:google, :twitter, :office365, :ldap, :saml]
 
     providers.delete(:twitter) if session[:old_twitter_user_id]
 

config/initializers/omniauth.rb

@@ -16,6 +16,9 @@
 Rails.application.config.omniauth_google = ENV['GOOGLE_OAUTH2_ID'].present? && ENV['GOOGLE_OAUTH2_SECRET'].present?
 Rails.application.config.omniauth_office365 = ENV['OFFICE365_KEY'].present? &&
                                               ENV['OFFICE365_SECRET'].present?
+Rails.application.config.omniauth_saml = ENV['SAML_ISSUER'].present? && ENV['SAML_IDP_URL'].present? &&
+                                         ENV['SAML_IDP_CERT_FINGERPRINT'].present?
+
 
 SETUP_PROC = lambda do |env|
   OmniauthOptions.omniauth_options env
@@ -59,6 +62,21 @@
       redirect_uri: redirect,
       setup: SETUP_PROC
     end
+    if Rails.configuration.omniauth_saml
+      Rails.application.config.providers << :saml
+
+      provider :saml,
+        issuer: ENV['SAML_ISSUER'],
+        idp_sso_target_url: ENV['SAML_IDP_URL'],
+        idp_cert_fingerprint: ENV['SAML_IDP_CERT_FINGERPRINT'],
+        name_identifier_format: ENV['SAML_NAME_IDENTIFIER'],
+        attribute_statements: {
+          nickname: [ENV['SAML_USERNAME_ATTRIBUTE'] || 'urn:mace:dir:attribute-def:eduPersonPrincipalName'],
+          email: [ENV['SAML_EMAIL_ATTRIBUTE'] || 'urn:mace:dir:attribute-def:mail'],
+          name: [ENV['SAML_COMMONNAME_ATTRIBUTE'] || 'urn:mace:dir:attribute-def:cn']
+        },
+        uid_attribute: ENV['SAML_UID_ATTRIBUTE']
+    end
   end
 end
 

config/locales/en.yml

@@ -408,6 +408,7 @@ en:
     office365: Office 365
     twitter: Twitter
     ldap: LDAP
+    saml: SAML
   recaptcha:
     errors:
       recaptcha_unreachable: Oops, we failed to validate your reCAPTCHA response. Please try again.

sample.env

@@ -75,6 +75,33 @@ LDAP_AUTH=
 LDAP_PASSWORD=
 LDAP_ROLE_FIELD=
 
+# SAML Login Provider (optional)
+#
+#   You can use SAML authentication by providing the values below.
+#   SAML_ISSUER is the name of your application. Some identity providers might need this to establish the identity of the service provider requesting the login.
+#     The location of this SP's metadata can be used here; For example : https://bigbluebutton.yourdomain.tld/auth/saml/metadata
+#   SAML_IDP_URL is the URL to which the authentication request should be sent. This would be on the identity provider. It can be found in the
+#     IDP's metadata in the <md:SingleSignOnService> tag
+#   SAML_IDP_CERT_FINFERPRINT is the fingerprint of the certificate used by the IDP, for example "25:72:85:66:C9:94:22:98:36:84:11:E1:88:C7:AC:40:98:F9:E7:82".
+#     You can get the fingerprint by downloading the IDP's certificate and running :
+#   openssl x509 -noout -in torproject.pem -fingerprint -sha1
+#   SAML_NAME_IDENTIFIER describes the format of the username required by this application.
+#     If you need the email address, use "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress". See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 8.3
+#      for other options. Note that the identity provider might not support all options. If not specified, the IdP is free to choose the name identifier format used in the response
+#   SAML_...._ATTRIBUTE : Attributes from the SAML response should be mapped to the attributes used by greenlight. The defaults are based upon https://wiki.surfnet.nl/display/surfconextdev/Attributes+in+SURFconext
+#
+#   The information about this SP (metadata) can be found on your server http://<example.com>/auth/saml/metadata
+#
+SAML_ISSUER=
+SAML_IDP_URL=
+SAML_IDP_CERT_FINGERPRINT=
+SAML_NAME_IDENTIFIER=
+SAML_UID_ATTRIBUTE=
+SAML_USERNAME_ATTRIBUTE=
+SAML_EMAIL_ATTRIBUTE=
+SAML_COMMONNAME_ATTRIBUTE=
+
+
 # Set this to true if you want GreenLight to support user signup and login without
 # Omniauth. For more information, see:
 #