- 02. 2006: Simplified authentication so that authorization works properly
Added instructions for IIS
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+
-
+- 03. 2007: Adapted authentication method to Moodle 1.8
Moodle Configuration with Dual login
-------------------------------------------------------------------------------
For IIS you have protect the auth/shibboleth directory directly in the
RequestMap of the Shibboleth configuration file (shibboleth.xml). See
- https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/xmlaccesscontrol?topic=XMLAccessControl
+
+ https://spaces.internet2.edu/display/SHIB/xmlaccesscontrol?topic=XMLAccessControl
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication
- Options' and select the 'Shibboleth' authentication method from the pop-up.
+ Options' and click on the the 'Shibboleth' settings.
3. Fill in the fields of the form. The fields 'Username', 'First name',
'Surname', etc should contain the name of the environment variables of the
lengths for each field in the user profile.
#############################################################################
-4. The large text field 'Instructions' must contain a link to the
- moodle/auth/shibboleth/index.php file which is protected by
- Shibboleth (see step 1) and causes the Shibboleth login procedure to start.
- You could also use HTML code in that field, e.g. to create your own
- Shibboleth login button.
+4. Save the changes for the 'Shibboleth settings'.
-5. Save the changes for the Shibboleth authentication method.
+5.a If you want Shibboleth as your only authentication method, set the
+ 'Alternate Login URL' in the 'Common settings' in
+ 'Administrations >> Users >> Authentication Options' to the the URL of the
+ file 'moodle/auth/shibboleth/index.php'. This will enforce Shibboleth login.
-Moodle Configuration with Shibboleth only login
--------------------------------------------------------------------------------
-If you want Shibboleth as your only authentication method, configure Moodle as
-described in the dual login section above and do the following steps:
+6.b If you want to use another authentication method together with Shibboleth,
+ in parallel, change the 'Instructions' in the 'Common settings' of the
+ 'Administrations >> Users >> Authentication Options' to contain a link to the
+ moodle/auth/shibboleth/index.php file which is protected by
+ Shibboleth (see step 1) and causes the Shibboleth login procedure to start.
+ You can also use HTML code in that field, e.g. to include an image as a
+ Shibboleth login button.
-4.a On the Moodle Shibboleth settings page, set the 'Alternate Login URL' to
- the URL of the file 'moodle/auth/shibboleth/index.php'
- This will enforce Shibboleth login.
+7. Save the changes for the 'Common settings'.
How the Shibboleth authentication works
--------------------------------------------------------------------------------
To get Shibboleth authenticated in Moodle a user basically must access the
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only
-authentication method (see 4.a), this happens automatically when a user wants to
+authentication method (see 5.a), this happens automatically when a user wants to
login in Moodle. Otherwise, the user has to click on the link on the login page
-you provided in step 4.
+you provided in step 5.b.
Moodle basically checks whether the Shibboleth attribute that you mapped
as the username is present. This attribute should only be present if a user is
<?php
/**
* @author Martin Dougiamas
+ * @author Lukas Haemmerle
* @license http://www.gnu.org/copyleft/gpl.html GNU Public License
* @package moodle multiauth
*
*
* Authentication using Shibboleth.
*
- * 10.2004 SHIBBOLETH Authentication functions v.0.1
- * 05.2005 Various extensions and fixes by Lukas Haemmerle
- * 10.2005 Added better error messags
- * 05.2006 Added better handling of mutli-valued attributes
* Distributed under GPL (c)Markus Hagman 2004-2006
*
+ * 10.2004 SHIBBOLETH Authentication functions v.0.1
+ * 05.2005 Various extensions and fixes by Lukas Haemmerle
+ * 10.2005 Added better error messags
+ * 05.2006 Added better handling of mutli-valued attributes
* 2006-08-28 File created, code imported from lib.php
* 2006-10-27 Upstream 1.7 changes merged in, added above credits from lib.php :-)
+ * 2007-03-09 Fixed authentication but may need some other changes
*/
if (!defined('MOODLE_INTERNAL')) {
* @return bool Authentication success or failure.
*/
function user_login($username, $password) {
+
// If we are in the shibboleth directory then we trust the server var
- if (!empty($_SERVER[$config->user_attribute])) {
- return ($_SERVER[$config->user_attribute] == $username);
+ if (!empty($_SERVER[$this->config->user_attribute])) {
+ return ($_SERVER[$this->config->user_attribute] == $username);
} else {
// If we are not, the user has used the manual login and the login name is
// unknown, so we return false.
}
}
+
+
+ /**
+ * Returns the user information for 'external' users. In this case the
+ * attributes provided by Shibboleth
+ *
+ * @return array $result Associative array of user data
+ */
function get_userinfo($username) {
// reads user information from shibboleth attributes and return it in array()
global $CFG;
// Check whether we have got all the essential attributes
if (
- empty($_SERVER[$config->user_attribute])
- || empty($_SERVER[$config->field_map_firstname])
- || empty($_SERVER[$config->field_map_lastname])
- || empty($_SERVER[$config->field_map_email])
+ empty($_SERVER[$this->config->user_attribute])
+ || empty($_SERVER[$this->config->field_map_firstname])
+ || empty($_SERVER[$this->config->field_map_lastname])
+ || empty($_SERVER[$this->config->field_map_email])
) {
- error(get_string( 'shib_not_all_attributes_error', 'auth' , "'".$config->user_attribute."' ('".$_SERVER[$config->user_attribute]."'), '".$config->field_map_firstname."' ('".$_SERVER[$config->field_map_firstname]."'), '".$config->field_map_lastname."' ('".$_SERVER[$config->field_map_lastname]."') and '".$config->field_map_email."' ('".$_SERVER[$config->field_map_email]."')"));
+ error(get_string( 'shib_not_all_attributes_error', 'auth' , "'".$this->config->user_attribute."' ('".$_SERVER[$this->config->user_attribute]."'), '".$this->config->field_map_firstname."' ('".$_SERVER[$this->config->field_map_firstname]."'), '".$this->config->field_map_lastname."' ('".$_SERVER[$this->config->field_map_lastname]."') and '".$this->config->field_map_email."' ('".$_SERVER[$this->config->field_map_email]."')"));
}
$attrmap = $this->get_attributes();
// Provide an API to modify the information to fit the Moodle internal
// data representation
if (
- $config->convert_data
- && $config->convert_data != ''
- && is_readable($config->convert_data)
+ $this->config->convert_data
+ && $this->config->convert_data != ''
+ && is_readable($this->config->convert_data)
) {
// Include a custom file outside the Moodle dir to
// modify the variable $moodleattributes
- include($config->convert_data);
+ include($this->config->convert_data);
}
return $result;
/**
* Processes and stores configuration data for this authentication plugin.
+ *
+ *
+ * @param object $config Configuration object
*/
function process_config($config) {
// set to defaults if undefined
set_config('auth_instructions', $config->auth_instructions, 'auth/shibboleth');
set_config('changepasswordurl', $config->changepasswordurl, 'auth/shibboleth');
+ // Check values and return false if something is wrong
+ if (!file_exists($config->convert_data) || !is_readable($config->convert_data)){
+ return false;
+ }
+
return true;
}
/**
* Cleans and returns first of potential many values (multi-valued attributes)
+ *
+ * @param string $string Possibly multi-valued attribute from Shibboleth
*/
function get_first_string($string) {
$list = split( ';', $string);
<td><?php print_string("auth_shib_username_description", "auth") ?></td>
</tr>
+<!--
+This is kind of obsolete because the login instructions are now centralized
+On the other hand it would be great for Shibboleth to have seperate login
+instructions
+-->
+<!--
<tr valign="top">
<td align="right"><?php print_string("instructions", "auth") ?>:</td>
<td>
</td>
<td>
<?php
-
+
print_string("auth_shib_instructions_help", "auth", htmlspecialchars($CFG->wwwroot.'/auth/shibboleth/index.php'));
helpbutton("text", get_string("helptext"));
?>
</td>
</tr>
+-->
<tr valign="top">
<td align="right"><?php print_string("auth_shib_convert_data", "auth") ?>:</td>
<td><?php print_string("auth_shib_convert_data_description", "auth") ?></td>
</tr>
+
<tr valign="top">
<td align="right"><?php print_string('auth_shib_changepasswordurl', 'auth') ?>: </td>
<td>
// Designed to be redirected from moodle/login/index.php
require('../../config.php');
- require('lib.php');
if (isloggedin() && $USER->username != 'guest') { // Nothing to do
if (isset($SESSION->wantsurl) and (strpos($SESSION->wantsurl, $CFG->wwwroot) === 0)) {
}
$pluginconfig = get_config('auth/shibboleth');
-
+ $shibbolethauth = get_auth_plugin('shibboleth');
+
// Check whether Shibboleth is configured properly
if (empty($pluginconfig->user_attribute)) {
error(get_string( 'shib_not_set_up_error', 'auth'));
/// Check if the user has actually submitted login data to us
- if ($user = authenticate_user_login($frm->username, $frm->password)) {
-
- // Let's get them all set up.
- $USER = $user;
-
- add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID, $USER->id, 0, $USER->id);
-
+ if ($shibbolethauth->user_login($frm->username, $frm->password)) {
+
+ $USER = authenticate_user_login($frm->username, $frm->password);
+
+ $USER->loggedin = true;
+ $USER->site = $CFG->wwwroot; // for added security, store the site in the
+
update_user_login_times();
set_moodle_cookie($USER->username);
set_login_session_preferences();
-
+
+ unset($SESSION->lang);
+ $SESSION->justloggedin = true;
+
+ add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID, $USER->id, 0, $USER->id);
+
if (user_not_fully_set_up($USER)) {
$urltogo = $CFG->wwwroot.'/user/edit.php?id='.$USER->id.'&course='.SITEID;
// We don't delete $SESSION->wantsurl yet, so we get there later
load_all_capabilities(); /// This is what lets the user do anything on the site :-)
redirect($urltogo);
+
+ exit;
+ }
+
+ else {
+ // For some weird reason the Shibboleth user couldn't be authenticated
}
}
projects / moodle.git / commitdiff