Add omniauth saml

app/controllers/users/omniauth_callbacks_controller.rb

@@ -25,6 +25,22 @@ def passthru
     end
   end
 
+  def saml
+    @user = User.find_for_saml(request.env["omniauth.auth"], current_user)
+    if @user.persisted?
+      flash[:success] = I18n.t "devise.omniauth_callbacks.success", :kind => :saml
+      sign_in @user, :event => :authentication
+      user_session[:virtual_groups] = @user.ldap_groups
+      user_session[:full_login] = true
+    end
+    relay_state = request.env["action_dispatch.request.parameters"]["RelayState"]
+    if relay_state.nil?
+      redirect_to(root_path)
+    else
+      redirect_to(relay_state)
+    end 
+  end
+
   def after_omniauth_failure_path_for(scope)
     case failed_strategy.name
     when 'lti'

app/models/user.rb

@@ -29,7 +29,8 @@ class User < ActiveRecord::Base
   devise_list = [ :database_authenticatable, :invitable, :omniauthable,
                   :recoverable, :rememberable, :trackable, :validatable ]
   devise_list << :registerable if Settings.auth.registerable
-  devise_list << { authentication_keys: [:login] }
+
+  devise_list << { authentication_keys: [:login], omniauth_providers: [:saml] }
 
   devise(*devise_list)
 
@@ -109,6 +110,12 @@ def self.find_for_generic(access_token, signed_in_resource=nil)
     find_or_create_by_username_or_email(username, email, 'generic')
   end
 
+  def self.find_for_saml(auth_hash, signed_in_resource=nil)
+    email = auth_hash.info.email
+    username = email
+    find_or_create_by_username_or_email(username, email, 'saml')
+  end
+
   def self.find_for_identity(access_token, signed_in_resource=nil)
     username = access_token.info['email']
     # Use email for both username and email for the created user

config/initializers/devise.rb

@@ -339,7 +339,8 @@
   #
   # When using OmniAuth, Devise cannot automatically set OmniAuth path,
   # so you need to do it manually. For the users scope, it would be:
-  # config.omniauth_path_prefix = '/my_engine/users/auth'
+  config.omniauth_path_prefix = '/users/auth'
+
   OmniAuth.config.logger = Rails.logger
 end
 

config/settings.yml

@@ -102,6 +102,20 @@ auth:
         :password: <%= ENV['env_ldap_password'] %>
         :base: OU=UserAccounts,DC=library,DC=tamu,DC=edu
     <% end %>
+    <% if ENV['env_saml_assertion_consumer_service_url'] %>
+    - :name: TAMU SAML
+      :provider: :saml
+      :params:
+        :assertion_consumer_service_url: <%= ENV['env_saml_assertion_consumer_service_url'] %>
+        :issuer: <%= ENV['env_saml_issuer'] %>
+        :sp_entity_id: <%= ENV['env_saml_sp_entity_id'] %>
+        :idp_sso_service_url: <%= ENV['env_saml_idp_sso_service_url'] %>
+        :idp_slo_service_url: <%= ENV['env_saml_idp_slo_service_url'] %>
+        :idp_cert_fingerprint: <%= ENV['env_saml_idp_cert_fingerprint'] %>
+        :name_identifier_format: <%= ENV['env_saml_name_identifier_format'] %>
+        :attribute_statements:
+          :email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name']
+    <% end %>
 google_analytics_tracking_id: "GTM-P7RSFMJ"
 
 supplemental_files: