- 10. 2007: Removed the requirement for email address, surname and given name
attributes on request of Markus Hagman
- 11. 2007: Integrated WAYF Service in Moodle
-- 12. 2008: Single Logout support added
+- 12. 2008: Shibboleth 2.x and Single Logout support added
Moodle Configuration with Dual login
-------------------------------------------------------------------------------
?>
--
+How to upgrade your Service Provider to 2.x
+-------------------------------------------------------------------------------
+
+In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact
+that in version 2.0 the default behaviour regarding attribute propagation
+changed.
+While the Service Provider 1.3.x published the Shibboleth attributes to the
+web server environment as HTTP Request headers, the Service Provider 2.x
+publishes attributes as environment variables, which increases the security for
+some platforms.
+However, this change has the effect that the attribute names change.
+E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'
+with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']
+or depending on your /etc/shibboleth/attribute-map.xml file just as
+$_SERVER['sn'].
+Because Moodle needs to know what Shibboleth attributes it shall map onto which
+Moodle user profile field, one has to make sure the mapping is updated as well
+after the Service Provider upgrade.
+
+********************************************************************************
+Because you risk locking yourself out of Moodle it is strongly
+recommended to use the following approach when upgrading the Service Provider:
+1. Enable manual authentication before the upgrade.
+2. Make sure that you have at least one manual account with administration
+ privileges working before upgrading your Service Provider to 2.x.
+3. After the SP upgrade, use this account to log into Moodle and adapt the
+ attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect
+ the changed attribute names.
+4. Test the login with a Shibboleth account
+5. If all is working, disable manual authentication again
+********************************************************************************
How to add logout support
--------------------------------------------------------------------------------
Channel="back"
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" />
+<!--
+If possible, you should use only the back channel logout once it is working.
+-->
+<!--
<Notify
Channel="front"
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" />
-
+-->
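Review bot: "In case your upgrade your Service Provider 1.3.x to 2.x" should read "In case you upgrade your Service Provider 1.3.x to 2.x". The sentence "publishes attributes as environment variables, which increases the security for some platforms" would be clearer if it said why: environment variables are set by the SP module inside the web server, whereas request headers originate from the client, so an application that reads attributes from headers depends entirely on the SP stripping client-supplied headers before the request reaches PHP. Steps 4 and 5 of the lock-out checklist are missing their full stops, and step 3 could repeat that the new names depend on the attribute-map.xml in use, as the paragraph above it already says. The commented-out front-channel <Notify> element together with "If possible, you should use only the back channel logout once it is working." is consistent with the changelog entry.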
--
-The restart the Shibboleth daemon and check the log file for errors. If there
-were no errors, you cat test the logout feature by accessing Moodle,
+Then restart the Shibboleth daemon and check the log file for errors. If there
+were no errors, you can test the logout feature by accessing Moodle,
authenticating via Shibboleth and the access the URL:
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard
Shibboleth installation). If everything worked well, you should see a Shibboleth
Single Logout is only supported with SAML2 and so far only with the Shibboleth
Service Provider 2.x.
As of December 2008, the Shibboleth Identity Provider 2.1.1 does not yet support
-Single Logout (SLO). Therefore, the logout feature doesn't make that much
-sense yet. One of the reasons why SLO isn't supported yet is because there aren't
- many applications yet that were adapted to support front and back channel
+Single Logout (SLO). Therefore, the single logout feature cannot be used yet.
+One of the reasons why SLO isn't supported yet is because there aren't many
+applications yet that were adapted to support front and back channel
logout. Hopefully, the Moodle logout helps to motivate the developers to
implement SLO :)
Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues for some
-background information.
+background information on this topic.
--------------------------------------------------------------------------------
In case of problems and questions with Shibboleth authentication, contact
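Review bot: the "cat" to "can" fix leaves a similar slip in the unchanged line "authenticating via Shibboleth and the access the URL:" (stray "the") in the same paragraph, which could be corrected in this change. The test URL "#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout" lacks the "https://" scheme that the <Notify> Location values above use; adding it keeps the instruction unambiguous. The rewritten "Therefore, the single logout feature cannot be used yet." is more precise than the old "doesn't make that much sense yet" and should stay.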
update_user_login_times();
// Don't show username on login page
- $SESSION->set_moodle_cookie('nobody');
+ set_moodle_cookie('nobody');
set_login_session_preferences();
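Review bot: replacing "$SESSION->set_moodle_cookie('nobody');" with the global "set_moodle_cookie('nobody');" is a change in which Moodle core API the plugin calls, so the minimum required Moodle version should be recorded (the changelog at the top of the README currently only mentions Shibboleth 2.x and Single Logout support); otherwise an install on a core that does not provide the global function fails at the point of login.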
// If we can find any (user independent) Shibboleth attributes but no user
// attributes we probably didn't receive any user attributes
- elseif (!empty($_SERVER['HTTP_SHIB_APPLICATION_ID'])) {
+ elseif (!empty($_SERVER['HTTP_SHIB_APPLICATION_ID']) || !empty($_SERVER['Shib-Application-ID'])) {
print_error('shib_no_attributes_error', 'auth' , '', '\''.$pluginconfig->user_attribute.'\', \''.$pluginconfig->field_map_firstname.'\', \''.$pluginconfig->field_map_lastname.'\' and \''.$pluginconfig->field_map_email.'\'');
} else {
print_error('shib_not_set_up_error', 'auth');
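Review bot: the widened condition "elseif (!empty($_SERVER['HTTP_SHIB_APPLICATION_ID']) || !empty($_SERVER['Shib-Application-ID']))" covers both the 1.3.x header form and the 2.x environment-variable form described in the README, and since the branch only chooses which error message to print, no trust is placed in the client-controllable HTTP_ variant. A short comment stating that HTTP_SHIB_APPLICATION_ID is the SP 1.3.x header name and Shib-Application-ID the SP 2.x environment variable name would make that intent explicit for the next reader; the print_error line that follows is also very long and would read better split across lines.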