I tried to find the above mentioned keys / settings but couldn't, thus I don't know if they're supported by the gem itself and what their default values are.
The configuration options possible are visible in Zammad's UI within Security -> Third-Party -> SAML. That's about what you can configure with Zammad.
Thanks @MrGeneration. The documentation only appears to cover setting the IDP certificate in the configuration.
In omniauth-saml it would be great if at least the following were available via the UI as individual fields, or maybe allow a custom JSON struct to be added with advanced features that is passed to the underlying library?
:issuer - The name of your application. Some identity providers might need this to establish the identity of the service provider requesting the login. Required.
```ruby
settings.certificate = "CERTIFICATE TEXT WITH HEAD AND FOOT"
settings.private_key = "PRIVATE KEY TEXT WITH HEAD AND FOOT"
settings.security[:authn_requests_signed] = true # Enable or not signature on AuthNRequest
settings.security[:logout_requests_signed] = true # Enable or not signature on Logout Request
settings.security[:logout_responses_signed] = true # Enable or not signature on Logout Response
settings.security[:want_assertions_signed] = true # Enable or not the requirement of signed assertion
settings.security[:metadata_signed] = true # Enable or not signature on Metadata
```
These are all common options and requirements for many SAML implementations, as they allow for signing/encryption of metadata being passed across the internet beyond just SSL from the webserver.
It would also be great if we could manage group membership via attributes from the SAML attribute isMemberOf (for example) as well as specify which URN to use for all the different attributes that could feed into user profiles such as Name, email, department, group membership, roles, etc…
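As an added example (not from the original post, and not Zammad's or omniauth-saml's own code), here is what `settings.security[:authn_requests_signed] = true` amounts to on the wire under the SAML HTTP-Redirect binding, written in plain Ruby on top of OpenSSL so it runs without the ruby-saml gem: the SP raw-deflates and base64-encodes the AuthnRequest, signs the URL-encoded `SAMLRequest`/`RelayState`/`SigAlg` string with its private key, and the IdP recomputes that exact string from the raw query parameters and verifies it against the public key from the SP certificate. The AuthnRequest XML, its URLs and the RelayState value are constructed sample data; the key pair is generated on the spot rather than loaded from `settings.private_key`.

```ruby
require 'openssl'
require 'zlib'
require 'cgi'

RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Constructed sample AuthnRequest; the ID, issuer and ACS URL are hypothetical.
SAMPLE_AUTHN_REQUEST = <<~XML
  <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_example-request-id" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
      AssertionConsumerServiceURL="https://zammad.example.com/auth/saml/callback">
    <saml:Issuer>https://zammad.example.com/auth/saml/metadata</saml:Issuer>
  </samlp:AuthnRequest>
XML

# HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
def encode_request(xml)
  z = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  deflated = z.deflate(xml, Zlib::FINISH)
  z.close
  [deflated].pack('m0')
end

def decode_request(b64)
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(b64.unpack1('m0'))
end

# The string that is signed: URL-encoded parameters in exactly this order,
# with RelayState left out entirely when there is none.
def signed_string(saml_request_b64, relay_state)
  parts = ["SAMLRequest=#{CGI.escape(saml_request_b64)}"]
  parts << "RelayState=#{CGI.escape(relay_state)}" if relay_state
  parts << "SigAlg=#{CGI.escape(RSA_SHA256)}"
  parts.join('&')
end

# SP side: what a signed AuthnRequest redirect looks like as a query string.
def build_signed_redirect(xml, private_key, relay_state: nil)
  base = signed_string(encode_request(xml), relay_state)
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), base)
  "#{base}&Signature=#{CGI.escape([sig].pack('m0'))}"
end

# IdP side: rebuild the signed string from the received parameters and verify
# it with the public key taken from the SP's registered certificate.
# Returns true only for an untampered query signed by that key.
def verify_signed_redirect(query, public_key)
  params = query.split('&').map { |kv| k, v = kv.split('=', 2); [k, v.to_s] }.to_h
  return false unless params['Signature'] && params['SAMLRequest']
  return false unless CGI.unescape(params['SigAlg']) == RSA_SHA256
  relay = params['RelayState'] && CGI.unescape(params['RelayState'])
  base = signed_string(CGI.unescape(params['SAMLRequest']), relay)
  sig = CGI.unescape(params['Signature']).unpack1('m0')
  public_key.verify(OpenSSL::Digest.new('SHA256'), sig, base)
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false
end

if __FILE__ == $0
  sp_key = OpenSSL::PKey::RSA.new(2048) # stands in for settings.private_key
  query = build_signed_redirect(SAMPLE_AUTHN_REQUEST, sp_key, relay_state: 'ticket/42')
  puts query
  puts "valid signature: #{verify_signed_redirect(query, sp_key.public_key)}"
end
```

The point of the check on the IdP side is that the signature covers the URL-encoded bytes as received, so a RelayState or SAMLRequest altered in transit fails verification even though TLS between the browser and each endpoint was intact; that is the protection `authn_requests_signed` buys beyond the webserver's own SSL.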
Sorry, I can’t really provide input on your request.
In my opinion that’d be a feature request.
In general if you’re trying to use options that potentially weaken security, chances may decrease. :x
But there’s no fast forward for that except for custom changes on your code which I wouldn’t suggest.
How would I put in a feature request? Also, these features would actually improve security, such as signing and encryption between the IDP and the SP.