Shibboleth configuration for Rails #3

Open
Arrk-sakets opened this issue Mar 14, 2012 · 6 comments

Comments

@Arrk-sakets

Hi,

I have an application named DigitalData. I have configured the SP and IDP on my local server. When I call sp.digital.org/secure it goes to the IDP login page and returns a response, but the response goes to the /var/www/html/secure folder. My requirement is that when I click on the DigitalData application login link it should go to the IDP login page and should return to my application controller. What configuration do I need to do in the Rails application and the Apache server?

Kindly help soon.

Thanks.....

@toyokazu
Owner

Hi,

How do you host your application? Using Passenger? Or some other methods?
Please write the details of your environment.

As described in README.md, omniauth-shibboleth assumes that Passenger (mod_passenger) is used to host the Rails application, because it uses environment variables to obtain Shibboleth attributes, not the request headers. Thus, I recommend that you use Passenger with omniauth-shibboleth. If you use Passenger, all you have to do is to configure your Apache and Rails as written in README.md.

https://github.com/toyokazu/omniauth-shibboleth

@Arrk-sakets
Author

Hi,

Yes, I am using Passenger and the Apache server. In the httpd.conf file I have done the following configuration:

<VirtualHost *:80>
  ServerName www.digitaldata.com
  DocumentRoot /mnt/hgfs/digitaldata/public
  RackBaseURI /
  <Directory /mnt/hgfs/digitaldata/public>
    Allow from all
  </Directory>

  <Location /secure>
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
  </Location>
</VirtualHost>

It works fine and it goes to the IDP /secure site and it accepts the credentials and comes back with a response. I don't know why, but my response URL is like Shibboleth.sso/SAML/POST. What configuration am I missing so that the URL would be /secure/callback? And what do I need to do in the Rails application to read the response?

@toyokazu
Owner

O.K.

Can I ask you why you protect the '/secure' path? If you use the
Shibboleth SP example configuration, it is meaningless... And you
should use SSL/TLS to protect your SP site when using Shibboleth because
SAML basically assumes the transport is protected by cryptographic
technology. Of course, I think you can set up your Shibboleth without
SSL/TLS, but it is not the default configuration. If you would like to do
that, please refer to the Shibboleth documents.

If you correctly set up omniauth-shibboleth, when you access the
path '/auth/shibboleth' (in your case
https://www.digitaldata.com/auth/shibboleth), you will be redirected
to '/auth/shibboleth/callback'. Does it work correctly?

If so, as in the omniauth examples, you must add the routes to the 'callback
path' like the following.

% vi config/routes.rb
YourApp::Application.routes.draw do
  match '/auth/:provider/callback' => 'sessions#create'
  match '/auth/failure' => 'sessions#failure'
  match '/signout' => 'sessions#destroy', :as => :signout
...

At least, you need /auth/:provider/callback because that is the target
path where omniauth callbacks are directed from Twitter, OpenID or
some other ID providers. You must write your application code to check
session["omniauth.auth"].

In omniauth-shibboleth, when you access '/auth/shibboleth', it is
just redirected to '/auth/shibboleth/callback', because
omniauth-shibboleth assumes that '/auth/shibboleth/callback' is
protected by Shibboleth SP and Rack (Rails) can obtain environment
variables from Shibboleth SP at the same path. As I already told you,
omniauth-shibboleth just re-packs environment variables into the
session["omniauth.auth"] AuthHash. Why should the environment
variables be re-packed into AuthHash? Because it is the standard
authentication process in OmniAuth.

Thus, if your omniauth-shibboleth is correctly configured, all you
have to do is to protect '/auth/shibboleth/callback' by configuring
your httpd.conf.
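
The re-packing step described in the comment above, as an added Ruby example (not part of the thread and not omniauth-shibboleth's own code). It accepts attributes only from server-set environment variables, so a callback path left unprotected by the Shibboleth SP, or attributes arriving only as client request headers, yields a failure instead of a login. The field names `Shib-Session-ID`, `eppn`, `displayName` and `mail`, the function names and the sample environments are assumptions constructed for illustration.

```ruby
# Added illustration; not code from omniauth-shibboleth.
# Field names are assumptions modelled on variables exported by mod_shib.
SESSION_FIELD = "Shib-Session-ID"
UID_FIELD     = "eppn"
INFO_FIELDS   = { name: "displayName", email: "mail" }.freeze

# Rack exposes client-sent headers as HTTP_* keys, while variables set by
# the web server (mod_shib via Passenger) keep their own names.
def client_header_key(field)
  "HTTP_" + field.upcase.tr("-", "_")
end

# Re-pack Shibboleth attributes from a Rack env into an auth hash.
# Only server-set variables are read; HTTP_* keys are never trusted.
def repack_shibboleth_env(env)
  session_id = env[SESSION_FIELD].to_s
  if session_id.empty?
    header_only = env.key?(client_header_key(SESSION_FIELD))
    reason = header_only ? :attributes_only_in_request_headers : :no_shibboleth_session
    return { ok: false, reason: reason }
  end
  uid = env[UID_FIELD].to_s
  return { ok: false, reason: :missing_uid } if uid.empty?

  info = INFO_FIELDS.each_with_object({}) do |(key, field), acc|
    acc[key] = env[field] if env[field]
  end
  { ok: true, auth: { "provider" => "shibboleth", "uid" => uid, "info" => info } }
end

# Constructed sample Rack environments (not captured from a real server).
PROTECTED_ENV = {   # callback path protected by the Shibboleth SP
  "PATH_INFO" => "/auth/shibboleth/callback",
  "Shib-Session-ID" => "_constructed_session_id",
  "eppn" => "alice@example.org",
  "mail" => "alice@example.org"
}.freeze
UNPROTECTED_ENV = { "PATH_INFO" => "/auth/shibboleth/callback" }.freeze
HEADER_ONLY_ENV = { # values present only as client request headers
  "PATH_INFO" => "/auth/shibboleth/callback",
  "HTTP_SHIB_SESSION_ID" => "_client_supplied",
  "HTTP_EPPN" => "admin@example.org"
}.freeze

if __FILE__ == $PROGRAM_NAME
  [PROTECTED_ENV, UNPROTECTED_ENV, HEADER_ONLY_ENV].each do |env|
    p repack_shibboleth_env(env)
  end
end
```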

@Arrk-sakets
Author

Thanks mate.
It's a bit confusing. Suppose I follow your approach and use omniauth-shibboleth, and I integrate it with my Rails application. For that I need the 'omniauth' and 'omniauth-shibboleth' gems. And I need to install the oa-enterprise gem. Am I correct?
Then can you please guide me on how I will access my SP or IDP using /auth/shibboleth? Because currently I was going through /secure. Using the omniauth approach, how will I connect to my Shibboleth server or IDP server so I can log in through that Shibboleth? My query is: if I set up my application using the https://github.com/toyokazu/omniauth_shibboleth/wiki article, how will I configure /auth/shibboleth to my SP? So, very simply, I want to remove the /secure path and I want to use /auth/shibboleth and want to talk to my SP or IDP.

@toyokazu
Owner

I am sorry, but omniauth_shibboleth is the older version, which works with omniauth-0.x. Please use omniauth-shibboleth (not under bar but hyphen), which works with omniauth-1.0. If you use the newer one, you do not need to install oa-enterprise. Just 'omniauth' and 'omniauth-shibboleth'.

If possible, please submit newer comments to the newer project.

https://github.com/toyokazu/omniauth-shibboleth

And please refer to the newer documents.

I am not sure about your second question about /auth/shibboleth. I do not know why you have the '/secure' path. I thought that you just wrote the mod_shib config in httpd.conf. Thus, if you do not want that, I think you can just delete the configuration from httpd.conf.

@toyokazu
Owner

Please refer to the related issue.

toyokazu/omniauth-shibboleth#1
