Adding Shibboleth support

Joey Wildman edited this page Nov 1, 2024 · 3 revisions

The following is from a response to a Slack message asking how to set up Autolab in 2024:

Following up on this: You want to configure Shibboleth as an omniauth provider, which should create a corresponding login button on the sign-in page. Unfortunately, the process is somewhat involved.

Steps:

  • Add Shibboleth configuration for Devise in config/initializers/devise.rb, e.g.:
config.omniauth :shibboleth, {
  uid_field: 'eppn', # eduPersonPrincipalName becomes the omniauth uid
  info_fields: { first_name: 'givenName', last_name: 'sn', school: 'eduPersonSchoolCollegeName' },
}
  • Customize app/controllers/users/omniauth_callbacks_controller.rb and app/models/user.rb to handle populating names and other attributes when doing auto-creation of users (or to disable auto-creation).
  • Install and configure Passenger, including running passenger-install-apache2-module.
  • These are the relevant bits of the Apache config (adjust DocumentRoot to taste):
DocumentRoot /opt/autolab/public
<Directory /opt/autolab/public>
<IfModule passenger_module>
        PassengerAppRoot /opt/autolab
</IfModule>
        AllowOverride all
        Options -MultiViews
        require all granted
        <FilesMatch ".*-[0-9a-f]{32,64}\.(png|css|js|json)(\.gz)?">
                ExpiresActive on
                ExpiresDefault "access plus 1 year"
        </FilesMatch>
</Directory>
<Location /assets>
<IfModule passenger_module>
        PassengerEnabled off
</IfModule>
        ShibDisable on
        Require all granted
</Location>
<Location /Shibboleth.sso>
<IfModule passenger_module>
        PassengerEnabled off
</IfModule>
</Location>

<Location /auth/users/auth/shibboleth/callback>
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      #require shib-user ~ .*@andrew.cmu.edu$
      #<RequireAny>
      #require shib-attr affiliation Member@andrew.cmu.edu
      #require shib-user zenoss@andrew.cmu.edu
      #require shib-user t-cg2v@andrew.cmu.edu
      #</RequireAny>
</Location>
  • If you would like to enable auto-login, you must redirect from the sign-in page to Shibboleth login, and from logout to Shibboleth logout.

Some relevant PRs: 1870 1934
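
An added example, not Autolab's code and not part of the quoted response: the auto-creation decision that the callback controller and User model have to make for the step above, written in plain Ruby without Rails. `ShibUser`, `ShibbolethResolver`, the allowed-scope list and the `example.edu` values are hypothetical, and treating eppn as the account e-mail is an assumption.

```ruby
# Added example: plain Ruby, no Rails or Devise required. All names are hypothetical.
ShibUser = Struct.new(:email, :first_name, :last_name, :school, keyword_init: true)

class ShibbolethResolver
  Rejected = Class.new(StandardError)

  # users: stand-in for the users table, { email => ShibUser }.
  # allowed_scopes: accepted eppn scopes (the part after '@'); constructed values.
  def initialize(users:, allowed_scopes:, auto_create: true)
    @users = users
    @allowed_scopes = allowed_scopes
    @auto_create = auto_create
  end

  # auth mirrors the shape omniauth yields with the devise.rb settings above:
  # 'uid' is taken from eppn; 'info' carries first_name, last_name and school.
  def resolve(auth)
    uid = auth['uid'].to_s.strip.downcase
    local, scope = uid.split('@', 2)
    raise Rejected, 'missing or unscoped eppn' if local.to_s.empty? || scope.to_s.empty?
    raise Rejected, "scope #{scope} not allowed" unless @allowed_scopes.include?(scope)

    existing = @users[uid]
    return existing if existing
    raise Rejected, 'auto-creation disabled' unless @auto_create

    # The IdP may release only some attributes, so fall back instead of
    # storing blank names.
    info = auth['info'] || {}
    @users[uid] = ShibUser.new(
      email: uid, # assumption: eppn doubles as the account e-mail
      first_name: presence(info['first_name']) || local,
      last_name: presence(info['last_name']) || '(unknown)',
      school: presence(info['school'])
    )
  end

  private

  # Returns the stripped string, or nil when the attribute is absent or blank.
  def presence(value)
    s = value.to_s.strip
    s.empty? ? nil : s
  end
end
```

In a real callback, a `Rejected` error would map to a redirect back to the sign-in page with a flash message rather than a created account.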