OmniAuth initializer does not pass configuration?

[borgand]

The omniauth initializer:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :shibboleth, 
    :info_fields => {:email => 'mail'},
    :extra_fields => [:cn, :sn, :schacHomeOrganization]
end

Shibboleth strategy does see the eppn attribute and set it to uid - I can use that.
Also, logging request.env shows that all the wanted fields are present.

But for some reason it does not set rest of the configured fields.

If I hardcode these into the gemfile lib/omniauth/strategies/shibboleth.rb:

  option :info_fields, {:email => 'mail'}
  option :extra_fields, [:cn, :sn, :schacHomeOrganization]

It starts working.

So there is some glitch in how OmniAuth passes options to Shibboleth strategy.

[toyokazu]

Thank you for your comment.
I recently updated omniauth-shibboleth to deal with the following request:

#4

If you still use the older version, please try the latest 1.0.8.

If you use the latest one, I am sorry that I could not reproduce the problem in my environment...

In compensation, I just create a simple test application:

https://github.com/toyokazu/omniauth-shibboleth-testapp

If possible, could you test omniauth-shibboleth with that application? It includes Gemfile.lock
where my environment details are described. It may be a hint to debug your environment.

The following are the outputs in my environment.

at /session_viewer

Session Parameter Viewer

{:uid=>"akiyama", :name=>"Toyokazu Akiyama", :email=>"akiyama@example.ac.jp", :affiliation=>"faculty", :entitlement=>"akiyama@example.ac.jp"}
Signout

config/initializers/omniauth.rb

provider :shibboleth, {:uid_field => 'uid',
                       :info_fields => {:email => 'mail'},
                       :extra_fields => [:"unscoped-affiliation", :entitlement],
#                         :debug => true
}

It seems fine...
Hum...

If you find the problem in omniauth-shibboleth, please let me know.

Best Regards

[borgand]

In the beginning I was using 1.0.6 and then I noticed the new version. But after upgrading to 1.0.8 it did not get any better.

I will check the testcase (probably next week though) and keep you posted.

[borgand]

I modified your testapp to use rack-saml and got it working in my environment. Then I copied everything from your app to my app to make sure I had no typos - still nothing.

It was only when I began suspecting Devise and wanted to set up your testapp to use Devise, when I noticed that Devise initializer takes a configuration in the form:

config.omniauth :shibboleth

In the Devise Omniauth Facebook example doc I noticed that I can pass in other configuration too.

So the correct place to specify the configuration for omniauth-shibboleth is in config/initializers/devise.rb:

config.omniauth :shibboleth, {:uid_field => 'eppn',
                         :info_fields => {:email => 'mail', :name => 'cn', :last_name => 'sn'},
                         :extra_fields => [:schacHomeOrganization]
                  }

And config/initializers/omniauth.rb by itself is redundant.

There is one weird thing though - I did think that maybe the omniauth.rb initializer was not read for some reason, but I could use that file to toggle debug => true option and so did not look further into it.

Is it possible that omniauth initializer is read before (or executed before) Devise initializes Omniauth configuration and in my case Devise overrode some of the options, but not all of them (namely the debug).

Anyhow, the issue is resolved now. Thank you for your testapp.

[toyokazu]

Thank you very much for your detail investigation!

Since I am not an expert of devise, currently I do not know the solution of your problem...;(
But I think your investigation results will also help the other omniauth users :).

So thus, I would like to add a description in README about devise integration.

When I found some solution, I would like to update it.

Anyway, thank you for your contribution :)

[borgand]

I think that this is documentation issue on the Devise part - they don't mention that Devise's config overrides OmniAuth initializers, but constantly link to OmniAuth documentation that shows how to setup dedicated initializer.
I will file bug report to Devise on this.

For omniauth-shibboleth, I think you can leave it at that - just rewrite it as a notice for Devise users that they don't need separate initializer, but instead place it in Devise initializer as the example shows.

I would also move the notice right after the Setup Shibboleth Strategy block, so it is visible at the right moment.

[borgand]

Filed issue at heartcombo/devise/issues/2128

[toyokazu]

Thank you for your comment and I am sorry to be late reply.
I updated README.md to reflect your advice and refer your issue at device page.
Your request seems to be already introduced into the devise documents :)
So thus, I just refer your issue as a reference (remove the description 'not solved yet').

Best Regards