I ran into a problem today while working with the Ruby SAMLToolkit, an open source project by the OneLogin Identity Provider. This toolkit offers a relatively easy way to implement SAML authentication into your Rails application. Ratified in 2005 as an OASIS standard, SAML is definitely a great protocol to use for single sign on solutions in your application.
Since SAML is an XML based protocol, I’m sure you can image that in the Rails world, the nokogiri gem would prove useful in implementing SAML single sign on inside a rails app, since nokogiri enables robust document parsing, which is needed for the XML used by SAML.
And sure enough, the Ruby SAML Toolkit utilizes nokogiri!
But there’s a gotcha here. Nokogiri has a Nokogiri::XML module with a few constants: XML_C14N_1_0, XML_C14N_EXCLUSIVE_1_0, and. XML_C14N_1_1. These constants are utilized depending on the standard serialization of the SAML XML being processed during the single sign on handshakes between your application and the identity provider.
Now during SAML authentication, a request is made to a SAML initialization action in your controller. This action collects some settings, which are then passed to your identity provider.
If you are using the Ruby SAML Toolkit, your identity provider is probably OneLogin, but it doesn’t have to be.
When these settings/credentials are received by the IDP, the user must either login to the IDP to validate, or if they are already logged in, the IDP will pass that user’s credentials back to your application. A SAML consume controller action will then validate the packet from the IDP, and if all goes well, allow the user into the system. And example of what the consumption action might look like is below:
def consume response = OneLogin::RubySaml::Response.new(params[:SAMLResponse]) response.settings = saml_settings #a custom method in your controller that contains your app's saml settings to validate against if response.is_valid? #authenticate the user end end
It is during the response.is_valid? call that you can run into problems. The Ruby SAMLToolkit requires nokogiri to contain the XML module constants mentioned above. Older versions of nokogiri may give you a “Missing Constant Error: XML_C14N_EXCLUSIVE_1_0”, or a missing constant error with one of the other constants.
To remedy this, try updating to the latest version of nokogiri, which at the time of this article is 220.127.116.11. But be careful, nokogiri 1.6 and higher now bundles libxml2 with the gem. If this update gives you any trouble, this StackOverflow article may help.
Hope this helps you get past any missing constant errors you may run into while utilizing the Ruby SAML Toolkit! If you run into any other interesting problems or have any questions about the toolkit, please comment, and I’ll do my best to help out 🙂