shibboleth - UW-Libraries/druw GitHub Wiki
Shibboleth: druw-sandbox
Useful docs
https://wiki.cac.washington.edu/pages/viewpage.action?pageId=53160691
https://github.com/toyokazu/omniauth-shibboleth
========== $INSTANCE/config/initializers/devise.rb
...
# ==> OmniAuth
# Add a new OmniAuth provider. Check the wiki for more information on setting
# up on your models and hooks.
# config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
config.omniauth :shibboleth, {
  :uid_field   => 'eppn',
  :info_fields => {
    :email => 'mail', :name => 'displayName'
  },
}
...
========== $INSTANCE/app/models/users.rb
...
## allow omniauth (including shibboleth) logins - this will create a local user based on an omniauth/shib login
## if they haven't logged in before
def self.from_omniauth(auth)
  # NB: auth.inspect writes the whole OmniAuth hash (eppn, mail, displayName and
  # any other released attributes) to the Rails log; trim this before production use
  Rails.logger.info "auth = #{auth.inspect}"
  # lookup is keyed on the mail attribute, not on the eppn configured as :uid_field
  where(email: auth.info.email).first_or_create do |user|
    user.email = auth.info.email
    user.password = Devise.friendly_token[0,20]
  end
end
...
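Added example, not code from the druw project: a Rails-free sketch of the from_omniauth flow above, keyed on the eppn that devise.rb declares as :uid_field rather than on the mail attribute, with an audit line that records only provider, uid and email. LocalUser, UserStore and the plain auth hash are constructed stand-ins for the ActiveRecord model, `where(...).first_or_create` and the OmniAuth auth hash.

```ruby
require 'securerandom'

# Local user record; stands in for the ActiveRecord User model (constructed).
class LocalUser
  attr_accessor :eppn, :email, :password
  def initialize(eppn); @eppn = eppn; end
end

# In-memory stand-in for `where(...).first_or_create` (constructed).
class UserStore
  attr_reader :users
  def initialize; @users = []; end

  # Find by eppn; otherwise build, yield for setup, and store.
  def first_or_create_by_eppn(eppn)
    found = @users.find { |u| u.eppn == eppn }
    return found if found
    user = LocalUser.new(eppn)
    yield user if block_given?
    @users << user
    user
  end
end

# Audit line naming only provider, uid and email. `auth.inspect` (used on the
# page) would also dump every other released attribute into the Rails log.
def audit_line(auth)
  "omniauth login provider=#{auth[:provider]} uid=#{auth[:uid]} " \
    "email=#{auth[:info][:email]}"
end

# Same shape as the page's from_omniauth, but keyed on the eppn uid so the
# local account follows the identity, not whatever mail value the IdP releases.
def from_omniauth(store, auth, log = [])
  log << audit_line(auth)
  store.first_or_create_by_eppn(auth[:uid]) do |user|
    user.email = auth[:info][:email]
    # Stand-in for Devise.friendly_token[0,20]: random, never shown to anyone.
    user.password = SecureRandom.urlsafe_base64(15)
  end
end

# Constructed auth hash shaped like omniauth-shibboleth output for the
# devise.rb settings above (uid_field 'eppn', info_fields mail/displayName).
def sample_auth(eppn, mail, name)
  { provider: 'shibboleth', uid: eppn, info: { email: mail, name: name } }
end
```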
========== /etc/shibboleth/attribute-map.xml
...
<!-- uwNetID -->
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uwnetid"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
<!-- gws_groups -->
<Attribute name="urn:mace:dir:attribute-def:isMemberOf" id="gws_groups"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="gws_groups"/>
...
========== /etc/httpd/conf.d/shib.conf
<Location /users/auth/shibboleth/callback>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  #require valid-user
  # Need to request 'SP (Service Provider) access' from UWIT for the specific UW Group
  # to the specific instance of Shibboleth. (You need to be an approved Shibboleth
  # something or another in order to make the request -- Ian, Mike, or email
  # [email protected])
  Require shib-attr gws_groups urn:mace:washington.edu:groups:uw_employee
</Location>
========== /etc/httpd/conf.d/hyrax.conf
# Location for /Shibboleth.sso must be within <VirtualHost *:443> in order for Shibboleth to work
<Location /Shibboleth.sso>
  AuthType None
  Require all granted
</Location>