Rails and Single Sign on

Hi, I want to slowly start bringing in Rails to my company. I found an opportunity with some fairly basic web forms that end users will manage entering data into. The data will be used in an ETL process later on. Building it will be the easy part; however, those in the enterprise will require that it's accessible from the enterprise portal and uses their current setup: LDAP to first log into the portal to authenticate, and then Oblix (Oracle Access Manager) to intercept someone clicking on a link that will drive them to my site. That is something I don't know how to do with Rails.

Can anyone provide assistance or point me in the right direction? My Google searches haven't yielded much as of yet. One last thing: does anyone know if Rails will work with Oracle HTTP Server, and how to set up FastCGI for that? I'm hoping it can, since Oracle HTTP Server is built on Apache.

I don't know anything about Oblix, but I have put a Junebug wiki (http://www.junebugwiki.com -- a Camping app, not a Rails app, but the same technique would apply) behind a single-sign-in infrastructure based on CoSign (http://weblogin.org). With CoSign, you have an Apache module that handles the authentication, so it's not handled at the application level. The basic idea was:

1. Create a CoSign protected url-space in the Apache server.

2. Use Apache mod_proxy to proxy this space to the Junebug wiki mongrel.

3. Tweak the junebug code to pick up credentials from the environment variables set by the CoSign filter.

Works great. Maybe that will give you some ideas...

The best way to do it, and what we do here, is authenticate against our e-mail server.

For more: http://daniel.collectiveidea.com/blog/2007/2/8/rails-plugin-imap_authenticatable

Both are good suggestions that I will look into, but I'm forced to use the existing LDAP/Oblix setup. I guess what I was looking for was whether someone has specifically set this up. Maybe I can look at the two solutions and come up with some ideas. Ultimately, a user will log in once to the portal, and then my Rails app will need to read some header parameters that get sent back to it from Oblix and then initialize the login to Rails. I guess I'm looking for how to do that...

Set a before_filter that uses net/http to request whether or not the user is logged into the portal.

This is gonna be really rough code… I don’t know how to do what you want, but I do something similar using a different central auth system.

    require 'net/http'
    require 'rexml/document'

    def get_remote_auth_filter
      # Get validation from remote system
      h = Net::HTTP.new 'auth.mydomain.com', 443
      h.use_ssl = true
      body = h.get("/some/remote/url/that/returns/headers_or_something").body
      doc = REXML::Document.new(body)
      result = REXML::XPath.first(doc, '//root/user/text()')
      # Compare with ==, not =; a missing node becomes "" and fails the check
      if result.to_s == "logged in"
        # move on
      else
        flash[:notice] = "not logged in"
        redirect_to main_url
      end
    end

Maybe that will get you on the right track
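
The header-based approach discussed in this thread (an SSO layer in front of the app sets the identity, the app reads it) only holds if the app ignores that header on requests that did not come through the gateway. A Rack middleware sketch of that check, added here as an example and not code from any poster; the header name `X-SSO-User` and the gateway address are assumptions, not Oblix or CoSign defaults:

```ruby
require 'ipaddr'

# Added example: accept an identity header only when the request's peer is
# the SSO gateway. Header name and addresses are assumptions for illustration.
class TrustedSsoHeader
  USER_HEADER = 'HTTP_X_SSO_USER'                # hypothetical header set by the gateway
  TRUSTED_PROXIES = [IPAddr.new('10.0.0.5/32')]  # constructed gateway address
  VALID_USER = /\A[A-Za-z0-9._-]{1,64}\z/

  def initialize(app, proxies: TRUSTED_PROXIES)
    @app = app
    @proxies = proxies
  end

  def call(env)
    # A request that bypassed the gateway can carry any header the client
    # chooses, so the header means nothing unless the peer is trusted.
    return deny(403, 'direct access not allowed') unless from_gateway?(env['REMOTE_ADDR'])

    user = env[USER_HEADER].to_s
    return deny(401, 'no SSO identity') unless user.match?(VALID_USER)

    env['sso.user'] = user # what a before_filter in the app would read
    @app.call(env)
  end

  private

  def from_gateway?(addr)
    ip = IPAddr.new(addr.to_s)
    @proxies.any? { |net| net.include?(ip) }
  rescue StandardError # unparsable peer address: fail closed
    false
  end

  def deny(status, msg)
    [status, { 'Content-Type' => 'text/plain' }, [msg]]
  end
end

# Constructed downstream app standing in for the Rails application.
DEMO_APP = TrustedSsoHeader.new(->(env) { [200, {}, ["hello #{env['sso.user']}"]] })

def demo_status(remote_addr, user = nil)
  env = { 'REMOTE_ADDR' => remote_addr }
  env[TrustedSsoHeader::USER_HEADER] = user if user
  DEMO_APP.call(env)
end
```

The address check complements, rather than replaces, binding the app server to an interface that only the gateway can reach.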