The OmniAuth-WSFed authentication strategy can be used with the following technologies under scenarios requiring the WS-Federation protocol for authentication. These services are typically used for Identity Federation and Single Sign-On across large organizations or authentication domains.
- ADFS 2.0
- Corporate Secure Token Servers (STSs)
- Windows Azure ACS (retired on November 7, 2018)
Add this line to your application's Gemfile:
gem 'omniauth-wsfed'And then execute:
$ bundle install
Or install it globally as:
$ gem install omniauth-wsfed
Use the WSFed strategy as a middleware in your application:
require 'omniauth'
use OmniAuth::Strategies::WSFed,
:issuer_name => "http://your-azure-acs-namespace.accesscontrol.windows.net",
:issuer => "https://your-azure-acs-namespace.accesscontrol.windows.net/v2/wsfederation",
:realm => "http://my.relyingparty/realm",
:reply => "http://localhost:3000/auth/wsfed/callback",
:id_claim => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
:idp_cert_fingerprint => "FC96D2983…"or in your Rails application:
in Gemfile:
gem 'omniauth-wsfed'and in config/initializers/omniauth.rb:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :wsfed,
:issuer_name => "http://your-azure-acs-namespace.accesscontrol.windows.net",
:issuer => "https://your-azure-acs-namespace.accesscontrol.windows.net/v2/wsfederation",
:realm => "http://my.relyingparty/realm",
:reply => "http://localhost:3000/auth/wsfed/callback",
:id_claim => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
:idp_cert_fingerprint => "FC96D2983…"
end-
:issuer_name- The URI name of your Identity Provider (IdP). Required -
:issuer- The IdP web endpoint (URL) to which the authentication request should be sent. Required. -
:idp_cert_fingerprint- The SHA1 fingerprint of the IdP's signing certificate (e.g. "90:CC:16:F0:8D:…"). This is provided by the IdP when setting up the trust relationship. This option or:idp_certmust be present. (openssl x509 -noout -fingerprint -sha1 -in cert.pem) -
:idp_cert- The IdP's certificate in PEM format. This option or:idp_cert_fingerprintmust be present. -
:realm- Your site's security realm. This is a URI defining the realm to which the IdP must issue a secure token. Required -
:reply- The reply-to URL in your application for which a WSFed response should be posted. Defaults to the OmniAuth callback URL. Optional -
:id_claim- Name of the authentication claim that you want to use as OmniAuth's uid property. -
:saml_version- The version of SAML tokens. Defaults to 2.
Authored by Keith Beckman and MAK IT.
Special thanks to the developers of the following projects from which I borrowed from for omniauth-wsfed: