The staff interface is currently deployed under a subpath (/staff), so the callback URL is /staff/auth/saml/callback instead of the expected /auth/saml/callback.
It appears the app is not properly populating the auth hash in this subpath setup, even though the request reaches the callback.
Has anyone successfully used SAML/OmniAuth with ArchivesSpace when the staff UI is behind a prefix like /staff? Or is moving to a dedicated staff subdomain (no prefix) effectively required for reliable SAML authentication?
Appreciate any guidance or confirmation before I proceed with a domain + IdP metadata change.
Thank you!