toyokazu / rack-saml

SAML (Shibboleth SP) middleware for Rack


No shibboleth session

borgand opened this issue · comments

I am using rack-saml together with omniauth-shibboleth strategy in Devise-Omniauth setup.

Rack-saml README suggests that protected_path should be set to /auth/shibboleth/callback but that creates an authentication loop, as each return from IdP results in a new authentication attempt.

So I have set this protected_path: /users/auth/shibboleth
And it seems to be working - I get authenticated and when I set omniauth-shibboleth into :dev_mode, the callback shows me that the info is successfully retrieved from IdP and stored in rack.session:

```
rack.session: {"_rack_saml"=>{"ds.session"=>{}, "saml_authreq.session"=>{}, "saml_res.session"=>{"env"=>{"eppn"=>"86772186cfdcb34bd772a43f494576f6 ...
```

But without dev_mode, I get failure:

```
no shibboleth session
```

Digging into code, I get the feeling that rack-saml does not extract attributes from session into ENV. Why is that?

Have I missed something?

omniauth-shibboleth returns no_shibboleth_session error when Shib-Session-ID and Shib-Application-ID are null at callback path (in omniauth with devise case /users/auth/shibboleth/callback).

```ruby
return fail!(:no_shibboleth_session) unless (request.env['Shib-Session-ID'] || request.env['Shib-Application-ID'])
```

In your case, rack-saml does not set Shib-Session-ID or Shib-Application-ID at /users/auth/shibboleth/callback. If you want to use omniauth-shibboleth at /users/auth/shibboleth, you must set protected_path of rack-saml to /users/auth/shibboleth/callback. Would you try that configuration?

Thanks.
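The path mismatch described in the reply above, as an added illustration that is not code from rack-saml or omniauth-shibboleth: a stand-in Rack middleware that only exposes the Shib-* env keys on requests matching protected_path, followed by the same guard the callback phase uses. The session layout, the attribute names stored under saml_res.session and the values are constructed assumptions.

```ruby
# Stand-in for rack-saml (hypothetical simplification, not the gem's code):
# SAML attributes already sit in the Rack session; on a request to
# protected_path they are copied into env as the Shib-* keys.
class FakeSamlMiddleware
  def initialize(app, protected_path:)
    @app = app
    @protected_path = protected_path
  end

  def call(env)
    session = env['rack.session'] ||= {}
    attrs = session.dig('_rack_saml', 'saml_res.session', 'env')
    if env['PATH_INFO'] == @protected_path && attrs
      env['Shib-Session-ID'] = attrs['Shib-Session-ID']
      env['Shib-Application-ID'] = attrs['Shib-Application-ID']
      env['eppn'] = attrs['eppn']
    end
    @app.call(env)
  end
end

# Stand-in for the omniauth-shibboleth callback phase: the guard is the one
# quoted in the thread; the responses are simplified.
CALLBACK_APP = lambda do |env|
  unless env['Shib-Session-ID'] || env['Shib-Application-ID']
    return [403, {}, ['no_shibboleth_session']] # fail!(:no_shibboleth_session)
  end
  [200, {}, ["authenticated as #{env['eppn']}"]]
end

# Send one callback request through the stack configured with the given
# protected_path and return the response body.
def callback_result(protected_path)
  # Constructed session shaped like the dump in the issue (fake values).
  session = { '_rack_saml' => { 'saml_res.session' => { 'env' => {
    'Shib-Session-ID' => '_constructed-session-id',
    'Shib-Application-ID' => 'default',
    'eppn' => 'user@example.org' } } } }
  env = { 'PATH_INFO' => '/users/auth/shibboleth/callback',
          'rack.session' => session }
  app = FakeSamlMiddleware.new(CALLBACK_APP, protected_path: protected_path)
  _status, _headers, body = app.call(env)
  body.first
end
```

With protected_path set to /users/auth/shibboleth the callback request never passes through the attribute-exporting branch, so the guard fails; setting it to the callback path itself makes the same request succeed.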

You are correct of course.
I had already tried /users/auth/shibboleth/callback but I had not updated metadata at IdP accordingly (I did not notice it contained the URL and thought it was provided with every request), and so IdP posted back to the wrong URL, initiating a new authn-request again.

Now it is posting to the correct URL.

Thank you for your confirmation.
I just added the description of how to connect devise to README.