Thanks @MrGeneration. The documentation only appears to cover setting the IDP certificate in the configuration.
In the omniauth-saml it would be great if at least the following were available via the UI as individual fields, or maybe allow a custom JSON struct to be added with advanced features that is passed to the underlying library?
- :issuer - The name of your application. Some identity providers might need this to establish the identity of the service provider requesting the login. Required.
- settings.certificate = "CERTIFICATE TEXT WITH HEAD AND FOOT"
- settings.private_key = "PRIVATE KEY TEXT WITH HEAD AND FOOT"
- settings.security[:authn_requests_signed] = true # Enable or not signature on AuthNRequest
- settings.security[:logout_requests_signed] = true # Enable or not signature on Logout Request
- settings.security[:logout_responses_signed] = true # Enable or not signature on Logout Response
- settings.security[:want_assertions_signed] = true # Enable or not the requirement of signed assertion
- settings.security[:metadata_signed] = true # Enable or not signature on Metadata
These options are described at https://github.com/omniauth/omniauth-saml/issues/141, https://github.com/onelogin/ruby-saml#signing and under https://github.com/onelogin/ruby-saml#signing (the last bullet on this page).
These are all common options and requirements for many SAML implementations, as they allow for signing/encryption of metadata being passed across the internet beyond just SSL from the webserver.
It would also be great if we could manage group membership via attributes from the SAML attribute isMemberOf (for example), as well as specify which URN to use for all the different attributes that could feed into user profiles such as Name, email, department, group membership, roles, etc…
Thank you for your time!
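An added example (not the commenter's code, nor Zammad's, omniauth-saml's or ruby-saml's) showing what the requested options amount to in practice: a small builder that assembles the option hash such a provider would pass down, refuses inconsistent signing settings (any outbound signature needs a service-provider certificate plus the matching private key), keeps `want_assertions_signed` on by default, and maps SAML attributes by URN onto profile fields with a multi-valued `isMemberOf` becoming the groups list. The `:security` key names are the ruby-saml ones quoted above; the attribute OIDs are the standard LDAP/eduPerson ones and the sample attribute hash, certificate and key are constructed here for the demonstration.

```ruby
require 'openssl'

# The ruby-saml security flags quoted in the comment above. Grouping them as
# "needs our own signing key" is this example's reading, not the library's.
OUTBOUND_SIGNING_KEYS = %i[authn_requests_signed logout_requests_signed
                           logout_responses_signed metadata_signed].freeze

# Assumed attribute URNs (standard LDAP/eduPerson OIDs). A real deployment
# takes these from the IdP's attribute release policy, which is exactly why
# the comment asks for them to be configurable.
DEFAULT_ATTRIBUTE_MAP = {
  name:   'urn:oid:2.16.840.1.113730.3.1.241', # displayName
  email:  'urn:oid:0.9.2342.19200300.100.1.3', # mail
  groups: 'urn:oid:1.3.6.1.4.1.5923.1.5.1.1'   # isMemberOf
}.freeze

# Builds the option hash a provider like omniauth-saml would hand to ruby-saml
# and rejects combinations that cannot work: signing anything outbound needs a
# certificate and a private key, and the two must belong together.
def build_saml_options(issuer:, idp_cert:, certificate: nil, private_key: nil, security: {})
  # Requiring signed assertions is the setting that protects the SP, so it is
  # on unless the caller explicitly turns it off.
  security = { want_assertions_signed: true }.merge(security)
  if OUTBOUND_SIGNING_KEYS.any? { |k| security[k] }
    if certificate.nil? || private_key.nil?
      raise ArgumentError, 'signing enabled but certificate/private_key not set'
    end
    cert = OpenSSL::X509::Certificate.new(certificate)
    key  = OpenSSL::PKey.read(private_key)
    raise ArgumentError, 'private_key does not match certificate' unless cert.check_private_key(key)
  end
  { issuer: issuer, idp_cert: idp_cert, certificate: certificate,
    private_key: private_key, security: security }
end

# Maps an attribute statement (a Hash of URN => value or values, the shape a
# strategy exposes after parsing the response) onto profile fields. The
# isMemberOf attribute is multi-valued, so :groups becomes a de-duplicated array.
def profile_from_attributes(attrs, map = DEFAULT_ATTRIBUTE_MAP)
  map.each_with_object({}) do |(field, urn), profile|
    values = Array(attrs[urn]).map { |v| v.to_s.strip }.reject(&:empty?)
    profile[field] = field == :groups ? values.uniq : values.first
  end
end

# Constructed test material only: a throwaway self-signed certificate and key.
def self_signed_pair
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=sp.example.test')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end

if __FILE__ == $PROGRAM_NAME
  cert_pem, key_pem = self_signed_pair
  opts = build_saml_options(issuer: 'https://sp.example.test/saml', idp_cert: cert_pem,
                            certificate: cert_pem, private_key: key_pem,
                            security: { authn_requests_signed: true })
  puts opts[:security].inspect
  # Constructed attribute statement: no displayName released, two groups, one repeated.
  sample = { DEFAULT_ATTRIBUTE_MAP[:email]  => ['alice@example.test'],
             DEFAULT_ATTRIBUTE_MAP[:groups] => ['cn=helpdesk', 'cn=admins', 'cn=helpdesk'] }
  puts profile_from_attributes(sample).inspect
end
```

The validation is the part a UI for these fields would want to replicate: flipping `metadata_signed` or `authn_requests_signed` on without a matching certificate/key pair fails at configuration time rather than at the first login attempt, while `want_assertions_signed` stays the safe default.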