Home Realm Discovery
There are a couple of different configurations available for OmniAuth-WSFed that allow the developer to implement WS-Federation home realm discovery. These configurations are listed in descending order of elegance and user experience.
When requestors supply the WHR query string parameter to your OmniAuth-WSFed strategy endpoint, the parameter is maintained and included in the redirect to your federation provider (along with the normal WS-Fed query string parameters). If you use Azure ACS or ADFS 2.0 as your Federation Provider (FP), either should handle WHR gracefully and automatically redirect the user to the Identity Provider (IdP) whose issuer name matches the value of WHR. If the value of WHR does not match the name of any configured IdP, a home realm discovery page will be displayed by the FP forcing the user to manually choose their IdP.
To implement this approach, simply instruct your trusted federation clients to include the WHR query string parameter in their web request. Note: this is the best approach for clients that bookmark your site.
http://my.testsite.com/auth/wsfed?whr=http://my.federatedclient.com/idp
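As an added example (not code from the gem or this wiki), here is the WHR hand-off from the first approach in plain Ruby: the requestor's whr value is read from the strategy endpoint and, when it names a configured IdP, forwarded alongside the standard WS-Fed sign-in parameters. The settings hash, the IdP names and the FP endpoint are constructed placeholders, and the allow-list check is an addition; the page itself leaves an unknown WHR value to the FP's own discovery page.

```ruby
require "uri"
require "cgi"

# Constructed sample settings in the shape of OmniAuth-WSFed options
# (issuer = the FP sign-in endpoint, realm and reply = this application).
WSFED_SETTINGS = {
  issuer: "https://my-namespace.accesscontrol.windows.net/v2/wsfederation",
  realm:  "http://my.testsite.com/",
  reply:  "http://my.testsite.com/auth/wsfed/callback"
}.freeze

# Constructed stand-in for the IdPs your FP has configured (the same issuer
# names an ACS IdP feed or your own HRD page would list). Only these values
# are forwarded in WHR; anything else is dropped so the FP shows its own
# home realm discovery page instead of receiving arbitrary caller input.
KNOWN_IDPS = [
  "http://my.federatedclient.com/idp",
  "https://partner.example.org/adfs/services/trust"
].freeze

# Build the WS-Federation sign-in redirect: the normal WS-Fed parameters
# (wa, wtrealm, wreply) come from the settings, whr is appended only when
# the requestor supplied a value matching a known IdP issuer name.
def wsfed_signin_url(settings, whr: nil, known_idps: KNOWN_IDPS)
  params = {
    "wa"      => "wsignin1.0",
    "wtrealm" => settings[:realm],
    "wreply"  => settings[:reply]
  }
  params["whr"] = whr if whr && known_idps.include?(whr)

  uri = URI.parse(settings[:issuer])
  uri.query = URI.encode_www_form(params)
  uri.to_s
end

# Extract the WHR value from a request to the strategy endpoint, e.g.
# http://my.testsite.com/auth/wsfed?whr=http://my.federatedclient.com/idp
# Returns nil when the requestor sent no whr parameter.
def whr_from_request(request_url)
  query = URI.parse(request_url).query
  return nil if query.nil?
  CGI.parse(query).fetch("whr", []).first
end

if __FILE__ == $PROGRAM_NAME
  whr = whr_from_request("http://my.testsite.com/auth/wsfed?whr=http://my.federatedclient.com/idp")
  puts wsfed_signin_url(WSFED_SETTINGS, whr: whr)
end
```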
In the second approach, your application hosts a page containing a list of the IdPs available to your application. Azure ACS offers a JSON feed that includes all of the configured IdPs for your ACS namespace, allowing you to create a home realm discovery page that matches the theme of your application.
To implement this approach, configure your OmniAuth-WSFed settings to include the path to your site's home realm discovery page.
:home_realm_discovery_path => "auth/wsfed/home_realm_discovery" # path of your site's own home realm discovery page
This gem includes bonus support for Azure's ACS IdP feed that parses JSON responses into a workable Ruby hash.
idp_feed = AzureACS::IdPFeed.new("https://my.azure-acs/idp/feed") # URL of your ACS namespace's IdP feed
@identity_providers = idp_feed.identity_providers                 # parsed feed entries, ready to render on your HRD page
The third approach, leaving home realm discovery entirely to the FP, is the easiest to implement because it requires absolutely no work on the application developer's part. However, it is the least desirable as far as user experience is concerned, because you usually have no control over the styling of the federation provider's page. If you use Azure ACS as an FP, a vanilla (lightly-styled) home realm discovery page is provided that lets the user pick their IdP, but there is no control over its appearance.