Shibboleth authentication in Rails
I am having a struggle getting this to work, so I've created a hello-world Rails app to try to get it working.

Here's the repo with the code that is not working: https://github.com/pitosalas/shibtry

Here's what I've done starting from an empty Rails application:

  1. I've added two gems to my Gemfile:

    gem 'omniauth-shibboleth'
    gem 'rack-saml'
    
  2. I got the Shibboleth metadata from my university's web site and converted it using shib_conv.rb into the corresponding YAML: ./config.yml

  3. I've updated routes adding get '/auth/:provider/callback', to: 'sessions#create'

  4. I've put a breakpoint at SessionController#create

  5. I've added initializers: omniauth.rb:

    Rails.application.config.middleware.use OmniAuth::Builder do
      provider :shibboleth, {
        :shib_session_id_field     => "Shib-Session-ID",
        :shib_application_id_field => "Shib-Application-ID",
        :debug                     => true,
        :extra_fields => [
          :"unscoped-affiliation",
          :entitlement
        ]
      }
    end
    
  6. I've added rack_sam.rb initializer:

    Rails.application.config.middleware.insert_after Rack::ETag, Rack::Saml,
      { :metadata => "#{Rails.root}/config/metadata.yml"}
    
  7. Now, run the server and go to http://0.0.0.0:3000/auth/shibboleth and I get an error:

    undefined method `[]' for nil:NilClass'
    

     which is traced back to line 13 of rack-saml/misc/onelogin_setting.rb, which is:

    settings.idp_sso_target_url = @metadata['saml2_http_redirect']

     In other words, it is looking up that key in the metadata hash. It happens that in my metadata.yml file that key is present, but by the time I get to onelogin_setting.rb line 13, @metadata is nil (it should contain the contents of the file) and consequently that key doesn't exist.

And that's where, for now, the trail dries up.

Thyrotoxicosis answered 24/11, 2014 at 22:52 Comment(3)
Hi, did you ever get this working? I could really use some help in order to set this up with my university as well. – Agostino
Yes, I did it in a totally different way. I used Google's own mechanism to allow an app to log in. developers.google.com/identity/sign-in/web – Thyrotoxicosis
Gotcha, unfortunately I need to do this via Shibboleth for an app at my university. If you have any potential hints or clues on how to make it work, I am all ears. I am also getting this error. – Agostino
I bypassed Shibboleth totally. My goal was to allow login to my university's authentication system, specifically to allow students to log in with their student login, which is fronted by Google Apps. So this was much easier: https://developers.google.com/identity/sign-in/web/

Thyrotoxicosis answered 30/1, 2018 at 19:10 Comment(2)
By doing this, are you still able to retrieve a student's metadata or profile information? – Agostino
Yes, some, depending on what the college allows. – Thyrotoxicosis

Looks like you forgot to add your config file to the initializer:

    Rails.application.config.middleware.insert_after Rack::ETag, Rack::Saml,
      {
        :metadata => "#{Rails.root}/config/metadata.yml",
        :config   => "#{Rails.root}/config/rack-saml.yml"
      }

And the saml_idp setting in rack-saml.yml must match the key of the idp_lists entry in your metadata.yml.

Myrmeco answered 19/4, 2015 at 13:23 Comment(0)
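The nil error in the question and the fix in this answer come down to two files that have to agree: rack-saml.yml names an IdP via saml_idp, and metadata.yml must have an idp_lists entry under exactly that key carrying saml2_http_redirect. The following preflight check is an added example written for this page, not code from the question's repo or from rack-saml itself. It loads both YAML files and reports the mismatches that otherwise surface as `undefined method '[]' for nil:NilClass` deep inside the middleware. The key names saml_idp, idp_lists and saml2_http_redirect are the ones named on this page; the other keys in the constructed sample (certificate, protocol, sp_lists) are illustrative assumptions, as is the hostname idp.example.edu.

```ruby
require 'yaml'

# Constructed sample of a metadata.yml: IdP entries are keyed by their entity id.
# Only idp_lists and saml2_http_redirect are taken from the page; the rest is
# an assumed shape used for illustration.
SAMPLE_METADATA_YML = <<~YAML
  idp_lists:
    https://idp.example.edu/idp/shibboleth:
      saml2_http_redirect: https://idp.example.edu/idp/profile/SAML2/Redirect/SSO
      certificate: "MIIC...constructed placeholder..."
  sp_lists:
    https://sp.example.edu/shibboleth:
      entity_id: https://sp.example.edu/shibboleth
YAML

# Constructed sample of a rack-saml.yml. saml_idp must equal one of the
# idp_lists keys above; the protocol key is an assumption.
SAMPLE_RACK_SAML_YML = <<~YAML
  saml_idp: https://idp.example.edu/idp/shibboleth
  protocol: saml2
YAML

# Fields the middleware reads from the selected IdP entry (from the page).
REQUIRED_IDP_KEYS = %w[saml2_http_redirect].freeze

# Cross-checks the two files and returns a list of human-readable problems.
# An empty list means the saml_idp key resolves to a complete idp_lists entry.
def check_rack_saml_config(metadata_yml, rack_saml_yml)
  problems = []
  metadata = YAML.safe_load(metadata_yml) || {}
  config   = YAML.safe_load(rack_saml_yml) || {}

  idp_id = config['saml_idp']
  problems << 'rack-saml.yml has no saml_idp entry' if idp_id.nil? || idp_id.to_s.empty?

  idp_lists = metadata['idp_lists']
  unless idp_lists.is_a?(Hash)
    problems << 'metadata.yml has no idp_lists hash'
    return problems
  end

  idp = idp_id && idp_lists[idp_id]
  if idp.nil?
    problems << "saml_idp #{idp_id.inspect} does not match any key under idp_lists " \
                "(found: #{idp_lists.keys.join(', ')})"
    return problems
  end

  # Entry found: make sure the fields the middleware dereferences are present.
  REQUIRED_IDP_KEYS.each do |key|
    problems << "idp_lists[#{idp_id}] is missing #{key}" unless idp[key]
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Replace the constructed samples with File.read of your own config files.
  issues = check_rack_saml_config(SAMPLE_METADATA_YML, SAMPLE_RACK_SAML_YML)
  puts(issues.empty? ? 'rack-saml config looks consistent' : issues.join("\n"))
end
```

Running this against the real files (File.read of config/metadata.yml and config/rack-saml.yml) before booting the server turns the opaque nil error into a message naming the missing or mismatched key, which is also a reasonable thing to run in CI whenever the IdP metadata is regenerated.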
