Thanks for the response Alex, to be honest I'm getting in a muddle 
trying to figure out how this works / fits together, but I'm picking up 
bits and pieces here and there. I'll take a look at RESTful 
authentication and have a play.

Can I check I understand this right? From what I understand the user 
tries to access a Shibboleth restricted resource, Apache redirects the 
user away to the Identity Provider to authenticate themselves and then 
when they are redirected back Apache adds this additional header to each 
subsequent request to Mongrel? Or is it a header that is added by the 
client and sent through with each subsequent request until they are 
logged out?

I guess your application deals with the user once they are already 
authenticated and that work is done outside of the Rails app. Do you 
have any sample configuration for the Shibboleth setup?  I've seen 
something called saml2ruby which has been used to interface with the 
service provider directly, and I guess setting those headers in another 
way it's not greatly documented and I guess not required if Apache can do 
everything for you.

Is this just for Apache, I think this client uses Nginx and that might 
be a problem?

Thanks again

RobL


Alex wrote:
> Rob,
>
> Turns out Shib is really easy to get working once you have shibd up
> and kicking.
>
> First, take a look at the restful_authentication plugin to see how
> they handle authentication: Relevantly, there's a @current_user
> instance variable with a setter that looks like this:
>
> def current_user
>   @current_user ||= user_from_database || user_from_session || user_from_login
> end
>
> As a before_filter, the system makes use of #logged_in? to determine
> if a current user could be found. That code is a simple !!
> current_user;
>
> Now, shibboleth adds fields to the request headers of all incoming
> traffic. Instead of doing the logged_in filter, we just set something
> up to create or find a database record that corresponds to the user.
> This looks like this (For the shib variable 'eppn'), assuming that
> your User table has a field named eppn.
>
> def current_user
>   @current_user ||= User.find_or_create_by_eppn(request.env['eppn'])
> end
>
> That's it! Of course, you're going to need a way to ensure that
> database record is meaningful in the context of your application - In
> our situation, we test for the presence of contact information and
> then prompt the user to add it if none exists, but it doesn't really
> matter because the data in our IP to DNA lookup table is sorted by
> their eppn anyway.
>
> E-mail back if my sample code doesn't work!
>
> -Alex
>
> On Oct 13, 3:53 pm, Rob Lacey <[EMAIL PROTECTED]> wrote:
>   
>> Can anyone direct me to a really good tutorial on Shibboleth integration
>> with Rails, or indeed some sample code? I've been tearing my hair out
>> all day on this one.
>>
>> Thanks
>>
>> RobL
>>     
> >
>   
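
An added example (not code from either poster or from the restful_authentication plugin) touching on both the question of who sets the attribute and the current_user lookup quoted above: it resolves 'eppn' from a Rack env, ignores a client-sent copy unless told the front end overwrites it, and does not create a record when the attribute is missing. FakeUserStore, shib_eppn, current_user_for and the trust_proxy_header option are hypothetical names, the user@scope check is an assumption about how eppn values look, and the sample values are constructed.

```ruby
# Added example: resolve the Shibboleth 'eppn' from a Rack env hash.
# Rack exposes every client-sent HTTP header as an "HTTP_"-prefixed key,
# so a bare 'eppn' key can only have been set on the server side.
class MissingShibAttribute < StandardError; end

# Hypothetical in-memory stand-in for the User model (constructed for the example).
class FakeUserStore
  def initialize
    @users = {}
  end

  def find_or_create_by_eppn(eppn)
    @users[eppn] ||= { eppn: eppn }
  end

  def count
    @users.size
  end
end

# Assumption: an eppn is a scoped identifier of the form user@scope.
EPPN_FORMAT = /\A[^@\s]+@[^@\s]+\z/

# trust_proxy_header: set true only when the app server is reachable solely
# through a front end that overwrites any client-sent copy of the header.
def shib_eppn(env, trust_proxy_header: false)
  value = env['eppn']
  value = env['HTTP_EPPN'] if value.nil? && trust_proxy_header
  value = value.to_s.strip
  raise MissingShibAttribute, 'no eppn attribute on request' if value.empty?
  raise MissingShibAttribute, 'malformed eppn' unless value =~ EPPN_FORMAT
  value
end

# Returns the user record, or nil when the request carries no usable eppn.
def current_user_for(env, store, trust_proxy_header: false)
  eppn = shib_eppn(env, trust_proxy_header: trust_proxy_header)
  store.find_or_create_by_eppn(eppn)
rescue MissingShibAttribute
  nil # treat as not logged in; never create a record for a blank eppn
end
```
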

