
We're using HTTP redirect binding to provide SAML authentication with the omniauth-saml gem. For testing purposes, we've configured ADFS on a Windows instance and created a URL for the login page.

We're able to log in with some credentials by hitting the URL directly in a browser.

But when we use the omniauth-saml gem to provide HTTP redirect binding, it shows an "Invalid URI" error. Here's the error backtrace:

System.UriFormatException: Invalid URI: The format of the URI could not be determined.
   at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlSignInContext.ValidateCore()
   at Microsoft.IdentityServer.Web.Protocols.ProtocolContext.Validate()
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.EvaluateHomeRealm(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Here's the SAML URL:

https://ads.DOMAIN.com/adfs/ls/idpinitiatedSignOn.aspx?SAMLRequest=fZHBbsIwEER%2FJTefEjtpwMEiSFG5oFJVAsqhl8pxXLDi2KnXRnx%2BHVAleulxtDNPs7tL4IMeWRP82ezkd5DgkwZAOq%2BsebYGwiDdXrqLEvJ9t63R2fuRYSzFjNCuzDNzcrbPlMUhhgDzCMITEwuudctFj5J1hCrDJ%2BI9DxHAO8h6sPoiIRN2iPoLsAasulEZ5RX3sturk3kzGYfxipLNukafdJ7n7YyWKVks8rRsiUx5O6%2FSednmtGwFoQWNVoAgNwY8N75GBcmrlFRpUR0IZU8FK2YfKDnGtrdCRUZQch20ATb1rlFwhlkOCpjhgwTmBds3r1sWjYz%2FnuYxMv6fGZ31VliNVsvJzW7t3OrlvvzBBfBL%2FDi5q79PWf0

Here's the Omniauth SAML configuration:

# config/initializers/omniauth.rb
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :saml,
    # Where ADFS posts the SAMLResponse after login.
    :assertion_consumer_service_url     => "https://www.google.com", # Tried some more callback URLs as well
    # Sent as <saml:Issuer> in the AuthnRequest; ADFS looks up the relying party trust by this value.
    :issuer                             => "MyTrust",
    # ADFS endpoint the browser is redirected to with the SAMLRequest query parameter.
    :idp_sso_target_url                 => "https://ads.DOMAIN.com/adfs/ls/idpinitiatedSignOn.aspx",
    # ADFS token-signing certificate (PEM), used to verify the SAMLResponse signature.
    :idp_cert                           => '-----BEGIN CERTIFICATE-----
MIIDBzCCAe+gAwIBAgIJAIuOuO5YI79hMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNV
BAMMD2Fkcy5rc29s.........
-----END CERTIFICATE-----'
end

Also, we're using a self-signed certificate for ADFS. But I don't think that should be the problem, as the logs are not showing any certificate-related error.

  • I think the error seems to be related to the callback URL. – Kedarnag Mukanahallipatna Aug 28 '18 at 08:30
  • @KedarnagMukanahallipatna Even if we provide some random callback URL (like google.com), we still get the same error. The callback will only be called when the user has successfully authenticated, i.e. after the login form. – Radix Aug 28 '18 at 08:55
  • @KedarnagMukanahallipatna I've added the code to the question as well. – Radix Aug 28 '18 at 09:02

1 Answer


At last, I'm able to fix the problem by updating the "Relying Party Identifier" name to be similar to the "Display Name" of the relying party trust.

Here's the link for more info: https://kb.informatica.com/ipssolution/1/Pages/1/513730.aspx

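To make the accepted fix concrete, here is an added Ruby example (not code from the question, the answer, or the omniauth-saml gem). It builds the SP-initiated AuthnRequest that the HTTP-Redirect binding sends, encodes it the way the binding requires (raw DEFLATE, then Base64, then URL-encoding into the SAMLRequest query parameter), decodes it again, and checks the two things ADFS tripped over above: the Issuer must parse as an absolute URI (the System.Uri.CreateThis frame in the backtrace) and must equal an identifier registered on the relying party trust (the answer's fix). The SP entityID, callback URL and the list of registered identifiers are assumed values; the SSO endpoint uses the standard /adfs/ls/ path, since idpinitiatedSignOn.aspx is the IdP-initiated sign-on page rather than the SP-initiated SSO endpoint.

```ruby
require "zlib"
require "base64"
require "uri"
require "securerandom"
require "time"

# Constructed values for this demo (not taken from the page).
SP_ISSUER      = "https://sp.example.com/saml/metadata"      # assumed SP entityID, sent as <saml:Issuer>
SP_ACS_URL     = "https://sp.example.com/auth/saml/callback" # assumed omniauth-saml callback
ADFS_SSO_URL   = "https://ads.DOMAIN.com/adfs/ls/"           # standard ADFS SAML 2.0 SSO endpoint
RP_IDENTIFIERS = ["https://sp.example.com/saml/metadata"]    # assumed "Relying party identifiers" on the trust

# Minimal SAML 2.0 AuthnRequest. omniauth-saml generates an equivalent document;
# this one is hand-written so the Issuer element is visible. Values are trusted
# constants here, so no XML escaping is applied.
def build_authn_request(issuer:, acs_url:, destination:,
                        id: "_" + SecureRandom.hex(16), instant: Time.now.utc.iso8601)
  <<~XML
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="#{id}" Version="2.0" IssueInstant="#{instant}" Destination="#{destination}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="#{acs_url}">
      <saml:Issuer>#{issuer}</saml:Issuer>
      <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
    </samlp:AuthnRequest>
  XML
end

# HTTP-Redirect binding encoding: raw DEFLATE (negative window bits = no zlib
# header/trailer), then Base64. URL-encoding happens when the query string is built.
def deflate_base64(xml)
  z = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
  raw = z.deflate(xml, Zlib::FINISH)
  z.close
  Base64.strict_encode64(raw)
end

# Reverse of deflate_base64: Base64 decode, then raw INFLATE.
def inflate_base64(param)
  z = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  xml = z.inflate(Base64.strict_decode64(param))
  z.finish
  z.close
  xml
end

# The URL the browser is redirected to; SAMLRequest (and optional RelayState)
# are percent-encoded query parameters appended to the IdP SSO endpoint.
def redirect_url(sso_url, xml, relay_state: nil)
  params = { "SAMLRequest" => deflate_base64(xml) }
  params["RelayState"] = relay_state if relay_state
  uri = URI(sso_url)
  uri.query = [uri.query, URI.encode_www_form(params)].compact.join("&")
  uri.to_s
end

# What the IdP does first: pull SAMLRequest out of the query string and inflate it.
def saml_request_from_url(url)
  params = URI.decode_www_form(URI(url).query || "").to_h
  inflate_base64(params.fetch("SAMLRequest"))
end

# Toy extraction of <saml:Issuer>; a real IdP uses a namespace-aware XML parser.
def issuer_of(xml)
  m = xml.match(%r{<saml:Issuer>([^<]*)</saml:Issuer>}) or return nil
  m[1].strip
end

# Mirrors the two failure modes on the page: the Issuer must be an absolute URI
# and must match an identifier registered on the relying party trust.
# Returns a list of problems; an empty list means ADFS would find the trust.
def check_issuer(xml, rp_identifiers:)
  issuer = issuer_of(xml)
  return [:missing_issuer] if issuer.nil? || issuer.empty?
  problems = []
  begin
    problems << :not_an_absolute_uri unless URI.parse(issuer).absolute?
  rescue URI::InvalidURIError
    problems << :not_an_absolute_uri
  end
  problems << :no_matching_relying_party unless rp_identifiers.include?(issuer)
  problems
end

if $PROGRAM_NAME == __FILE__
  bad  = build_authn_request(issuer: "MyTrust", acs_url: SP_ACS_URL, destination: ADFS_SSO_URL)
  good = build_authn_request(issuer: SP_ISSUER, acs_url: SP_ACS_URL, destination: ADFS_SSO_URL)
  puts redirect_url(ADFS_SSO_URL, good, relay_state: "/dashboard")
  p check_issuer(bad,  rp_identifiers: RP_IDENTIFIERS)
  p check_issuer(good, rp_identifiers: RP_IDENTIFIERS)
end
```

The practical check is the last one: whatever `:issuer` is set to in the omniauth config must appear, character for character, in the trust's Identifiers tab in the ADFS console (or in the `Identifier` property returned by `Get-AdfsRelyingPartyTrust -Name "<display name>"`), and it should be an absolute URI such as an https:// or urn: value rather than a bare word.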