but refactored to become class methods, and tweaked to reference the plugin's instantiated
config to get at the settings, rather than the global $CFG variable.
-When creating new plugins you can either extend the abstract auth_plugin_base class
+When creating new plugins you can either extend the abstract auth_plugin_base class
(defined in lib/authlib.php) or create a new one and implement all methods from
auth_plugin_base.
$frm->password="guest";
return;
}
-
+
if ($this->config->multiauth) {
$authCAS = optional_param("authCAS", '', PARAM_RAW);
if ($authCAS=="NOCAS")
*/
function ldap_connect($binddn='',$bindpwd='') {
// Cache ldap connections (they are expensive to set up
- // and can drain the TCP/IP ressources on the server if we
+ // and can drain the TCP/IP ressources on the server if we
// are syncing a lot of users (as we try to open a new connection
// to get the user details). This is the least invasive way
// to reuse existing connections without greater code surgery.
if ($bindresult) {
// Set the connection counter so we can call PHP's ldap_close()
// when we call $this->ldap_close() for the last 'open' connection.
- $this->ldapconns = 1;
+ $this->ldapconns = 1;
$this->ldapconnection = $connresult;
return $connresult;
}
// find users in DB that aren't in ldap -- to be removed!
// this is still not as scalable (but how often do we mass delete?)
if (!empty($this->config->removeuser)) {
- $sql = "SELECT u.id, u.username, u.email, u.auth
+ $sql = "SELECT u.id, u.username, u.email, u.auth
FROM {user} u
LEFT JOIN {tmp_extuser} e ON (u.username = e.username AND u.mnethostid = ?)
WHERE u.auth='cas'
return $text;
}
}
-?>
+
$casauth = get_auth_plugin('cas');
$casauth->sync_users(true);
-?>
\ No newline at end of file
// set to defaults if undefined (CAS)
- if (!isset ($config->hostname))
+ if (!isset ($config->hostname))
$config->hostname = '';
- if (!isset ($config->port))
+ if (!isset ($config->port))
$config->port = '';
- if (!isset ($config->casversion))
+ if (!isset ($config->casversion))
$config->casversion = '';
- if (!isset ($config->baseuri))
+ if (!isset ($config->baseuri))
$config->baseuri = '';
- if (!isset ($config->language))
+ if (!isset ($config->language))
$config->language = '';
- if (!isset ($config->proxycas))
+ if (!isset ($config->proxycas))
$config->proxycas = '';
- if (!isset ($config->logoutcas))
+ if (!isset ($config->logoutcas))
$config->logoutcas = '';
<?PHP
-// version $Id$
-
// List of CAS langages.
// You can add langages in /CAS/langage.
"english" => "English",
"french" => "French");
-
-?>
$dbauth = get_auth_plugin('db');
$dbauth->sync_users(true);
-?>
\ No newline at end of file
function user_signup($user, $notify=true) {
global $CFG, $DB;
require_once($CFG->dirroot.'/user/profile/lib.php');
-
+
$user->password = hash_internal_user_password($user->password);
if (! ($user->id = $DB->insert_record('user', $user)) ) {
print_error('auth_emailnoinsert','auth_email');
}
-
+
/// Save any custom profile field information
profile_save_data($user);
*/
function process_config($config) {
// set to defaults if undefined
- if (!isset($config->recaptcha)) {
- $config->recaptcha = false;
+ if (!isset($config->recaptcha)) {
+ $config->recaptcha = false;
}
-
+
// save settings
set_config('recaptcha', $config->recaptcha, 'auth/email');
return true;
}
-
+
/**
* Returns whether or not the captcha element is enabled, and the admin settings fulfil its requirements.
* @return bool
}
-?>
+
echo $OUTPUT->select(html_select::make($yesno, 'recaptcha', $config->recaptcha, false));
?></td>
<td><?php print_string('auth_emailrecaptcha', 'auth_email') ?></td>
-</tr>
+</tr>
<?php
print_auth_lock_options('email', $user_fields, get_string('auth_fieldlocks_help', 'auth'), false, false);
// find users in DB that aren't in ldap -- to be removed!
// this is still not as scalable (but how often do we mass delete?)
if (!empty($this->config->removeuser)) {
- $sql = "SELECT u.id, u.username, u.email, u.auth
+ $sql = "SELECT u.id, u.username, u.email, u.auth
FROM {user} u
LEFT JOIN {tmp_extuser} e ON (u.username = e.username AND u.mnethostid = ?)
WHERE u.auth='ldap'
*/
function ldap_connect($binddn='',$bindpwd='') {
// Cache ldap connections (they are expensive to set up
- // and can drain the TCP/IP ressources on the server if we
+ // and can drain the TCP/IP ressources on the server if we
// are syncing a lot of users (as we try to open a new connection
// to get the user details). This is the least invasive way
// to reuse existing connections without greater code surgery.
if ($bindresult) {
// Set the connection counter so we can call PHP's ldap_close()
// when we call $this->ldap_close() for the last 'open' connection.
- $this->ldapconns = 1;
+ $this->ldapconns = 1;
$this->ldapconnection = $connresult;
return $connresult;
}
// HTTPS is potentially required
httpsrequired();
-
+
if (($_SERVER['REQUEST_METHOD'] === 'GET' // Only on initial GET of loginpage
|| ($_SERVER['REQUEST_METHOD'] === 'POST'
&& (get_referer() != strip_querystring(qualified_me()))))
redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_attempt.php');
}
}
-
+
// No NTLM SSO, Use the normal login page instead.
// If $SESSION->wantsurl is empty and we have a 'Referer:' header, the login
/**
* To be called from a page running under NTLM's
- * "Integrated Windows Authentication".
+ * "Integrated Windows Authentication".
*
- * If successful, it will set a special "cookie" (not an HTTP cookie!)
+ * If successful, it will set a special "cookie" (not an HTTP cookie!)
* in cache_flags under the "auth/ldap/ntlmsess" "plugin" and return true.
* The "cookie" will be picked up by ntlmsso_finish() to complete the
* process.
* On failure it will return false for the caller to display an appropriate
* error message (probably saying that Integrated Windows Auth isn't enabled!)
*
- * NOTE that this code will execute under the OS user credentials,
+ * NOTE that this code will execute under the OS user credentials,
* so we MUST avoid dealing with files -- such as session files.
* (The caller should define('NO_MOODLE_COOKIES', true) before including config.php)
*
}
/**
- * Find the session set by ntlmsso_magic(), validate it and
+ * Find the session set by ntlmsso_magic(), validate it and
* call authenticate_user_login() to authenticate the user through
* the auth machinery.
- *
+ *
* It is complemented by a similar check in user_login().
- *
- * If it succeeds, it never returns.
+ *
+ * If it succeeds, it never returns.
*
*/
function ntlmsso_finish() {
}
// Should never reach here.
return false;
- }
+ }
/**
* Sync roles for this user
}
-?>
+
$ldapauth = get_auth_plugin('ldap');
$ldapauth->sync_users(true);
-?>
+
{$config->forcechangepassword = 0; }
if (!isset($config->stdchangepassword))
{$config->stdchangepassword = 0; }
- if (!isset($config->passtype))
+ if (!isset($config->passtype))
{$config->passtype = 'plaintext';}
if (!isset($config->changepasswordurl))
{$config->changepasswordurl = ''; }
$PAGE->set_title("$site->fullname: $loginsite");
$PAGE->set_heading($site->fullname);
echo $OUTPUT->header();
- redirect($CFG->httpswwwroot . '/login/index.php?authldap_skipntlmsso=1',
+ redirect($CFG->httpswwwroot . '/login/index.php?authldap_skipntlmsso=1',
get_string('ntlmsso_failed','auth_ldap'), 3);
}
$sesskey = required_param('sesskey', PARAM_RAW);
$file = $CFG->dirroot . '/pix/spacer.gif';
-if ($authplugin->ntlmsso_magic($sesskey)
+if ($authplugin->ntlmsso_magic($sesskey)
&& file_exists($file)) {
if (!empty($authplugin->config->ntlmsso_ie_fastpath)) {
if (check_browser_version('MSIE')) {
redirect($CFG->wwwroot . '/auth/ldap/ntlmsso_finish.php');
}
- }
+ }
// Serve GIF
// Type
print_error('ntlmsso_iwamagicnotenabled','auth_ldap');
}
-?>
+
/**
* Confirm the new user as registered. This should normally not be used,
- * but it may be necessary if the user auth_method is changed to manual
+ * but it may be necessary if the user auth_method is changed to manual
* before the user is confirmed.
*/
- function user_confirm($username, $confirmsecret = null) {
+ function user_confirm($username, $confirmsecret = null) {
global $DB;
$user = get_complete_user_data('username', $username);
if (!empty($user)) {
if ($user->confirmed) {
return AUTH_CONFIRM_ALREADY;
- } else {
+ } else {
if (!$DB->set_field("user", "confirmed", 1, array("id"=>$user->id))) {
return AUTH_CONFIRM_FAIL;
}
}
-?>
+
-<?php // $Id$
+<?php
/**
* @author Martin Dougiamas
unset($logEntryObj->username);
$logEntryObj = $this->trim_logline($logEntryObj);
- $insertok = $DB->insert_record('mnet_log', $logEntryObj, false);
+ $insertok = $DB->insert_record('mnet_log', $logEntryObj, false);
if ($insertok) {
$MNET_REMOTE_CLIENT->last_log_id = $logEntryObj->remoteid;
}
-
-?>
}
redirect($CFG->wwwroot . $wantsurl);
-?>
+
attributes on request of Markus Hagman
- 11. 2007: Integrated WAYF Service in Moodle
- 12. 2008: Shibboleth 2.x and Single Logout support added
-- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth
+- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth
language files.
-- 3. 2009: Added various improvements and bug fixes reported by Ina Müller from
+- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from
university Tuebingen and Peter Ellis of University of Washington
- 4. 2009: Added another requirement for logout regarding the call back script
- 6. 2009: Changed handler URL when integrated Discovery Service is used
with something that fits your needs, e.g. 'require affiliation student'.
For IIS you have protect the auth/shibboleth directory directly in the
- RequestMap of the Shibboleth configuration file (shibboleth.xml or
- shibboleth2.xml).
-
+ RequestMap of the Shibboleth configuration file (shibboleth.xml or
+ shibboleth2.xml).
+
--
<Path name="moodle" requireSession="false" >
<Path name="auth/shibboleth/index.php" requireSession="true" >
...
</AccessControl>
</Path>
-</Path>
+</Path>
--
-
+
Also see:
https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapper and
https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl
-2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and
+2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and
click on the the 'Shibboleth' settings.
3. Fill in the fields of the form. The fields 'Username', 'First name',
#############################################################################
Shibboleth Attributes needed by Moodle:
For Moodle to work properly Shibboleth should at least provide the attribute
- that is used as username in Moodle. It has to be unique for all Shibboleth
+ that is used as username in Moodle. It has to be unique for all Shibboleth
Be aware that Moodle converts the username to lowercase. So, the overall
behaviour of the username will be case-insensitive.
- All attributes used for moodle must obey a certain length, otherwise Moodle
- cuts off the ends. Consult the Moodle documentation for further information
+ All attributes used for moodle must obey a certain length, otherwise Moodle
+ cuts off the ends. Consult the Moodle documentation for further information
on the maximum lengths for each field in the user profile.
#############################################################################
4.a If you want Shibboleth as your only authentication method with an external
- Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the
- 'Common settings' in 'Administrations >> Users >> Authentication Options'
- to the the URL of the file 'moodle/auth/shibboleth/index.php'.
+ Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the
+ 'Common settings' in 'Administrations >> Users >> Authentication Options'
+ to the the URL of the file 'moodle/auth/shibboleth/index.php'.
This will enforce Shibboleth login.
4.b If you want to use the Moodle integrated WAYF service, you have to activate it
- in the Moodle Shibboleth authentication settings by checking the
- 'Moodle WAYF Service' checkbox and providing a list of entity IDs in the
- 'Identity Providers' textarea together with a name and an optional
- SessionInitiator URL, which usually is an absolute or relative URL pointing
- to the same host. If no SessionInitiator URL is given, the default one
- '/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For
+ in the Moodle Shibboleth authentication settings by checking the
+ 'Moodle WAYF Service' checkbox and providing a list of entity IDs in the
+ 'Identity Providers' textarea together with a name and an optional
+ SessionInitiator URL, which usually is an absolute or relative URL pointing
+ to the same host. If no SessionInitiator URL is given, the default one
+ '/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.
Also see https://spaces.internet2.edu/display/SHIB/SessionInitiator
and https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator
Important Note: If you upgraded from a previous version of Moodle and now
want to use the integrated WAYF, you have to make sure that
- in step 1 only the index.php script in
- moodle/auth/shibboleth/ is protected but *not* the other
+ in step 1 only the index.php script in
+ moodle/auth/shibboleth/ is protected but *not* the other
scripts and especially not the login.php script.
-
+
If you were using the integrated WAYF alread with Shibboleth 1.3, it could
be that the integrated WAYF is not working anymore after you updated Moodle.
The reason is that the implicitly set default SessionInitiator changed in
5. Save the changes for the 'Shibboleth settings'.
- Important Note: If you went for 4.b (integrated WAYF service), saving the
+ Important Note: If you went for 4.b (integrated WAYF service), saving the
settings will overwrite the Moodle Alternate Login URL
using the Moodle web root URL.
6. If you want to use Shibboleth in addition to another authentication method
- not using the integrated WAYF service from 4.b, change the 'Instructions' in
+ not using the integrated WAYF service from 4.b, change the 'Instructions' in
'Administrations >> Users >> Manage authentication' to contain a link to the
moodle/auth/shibboleth/index.php file which is protected by
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.
authentication method (see 4.a), this happens automatically when a user selects
his home organization in the Moodle WAYF service or if the alternate login URL
is configured to be the protected /auth/shibboleth/index.php
-Otherwise, the user has to click on the link on the dual login page you
+Otherwise, the user has to click on the link on the dual login page you
provided in step 5.b.
Moodle basically checks whether the Shibboleth attribute that you mapped
Shibboleth dual login with custom login page
--------------------------------------------------------------------------------
You can create a dual login page that better fits your needs. For this
-to work, you have to set up the two authentication methods (e.g. 'Manual
+to work, you have to set up the two authentication methods (e.g. 'Manual
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual
login page. On that page you basically need a link to the Shibboleth-protected
page ('/auth/shibboleth/index.php') for the Shibboleth login and a
-form that sends 'username' and 'password' to moodle/login/index.php. Set this
+form that sends 'username' and 'password' to moodle/login/index.php. Set this
web page then als alternate login page.
Consult the Moodle documentation for further instructions and requirements.
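Review bot: The new side of the credits line now reads `Ina M�ller` where the old side had `Ina Müller`, so this whitespace cleanup also replaces a UTF-8 character in the README with a replacement character. The line should keep the original spelling, `- 3. 2009: Added various improvements and bug fixes reported by Ina Müller from`. The editor or tool used for the cleanup probably re-saved the file in a non-UTF-8 encoding, which is worth checking on the other non-ASCII text touched by this commit before it lands.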
if ($_SERVER[$this->config->field_map_address] != '')
{
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'
- // We want to split this up to get:
+ // We want to split this up to get:
// institution, street, zipcode, city and country
$address = $_SERVER[$this->config->field_map_address];
list($institution, $street, $zip_city) = split('\$', $address);
ereg(' (.+)',$zip_city, $regs);
$city = $regs[1];
-
+
ereg('(.+)-',$zip_city, $regs);
$country = $regs[1];
-
+
$result["address"] = $street;
$result["city"] = $city;
$result["country"] = $country;
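Review bot: The address parsing kept on the new side relies on `split()` and `ereg()` (the `list($institution, $street, $zip_city) = split('\$', $address);` line and the two `ereg(...)` calls after it), which are deprecated since PHP 5.3 and removed in PHP 7, so this code emits E_DEPRECATED on 5.3 and fails with an undefined-function error on later runtimes. The literal patterns map directly onto `explode('$', $address)`, `preg_match('/ (.+)/', $zip_city, $regs)` and `preg_match('/(.+)-/', $zip_city, $regs)`. The `$regs[1]` reads should also be guarded on the match result, since an address without the expected ` ` or `-` separator leaves `$regs` empty and raises an undefined-index notice; the enclosing function starts before this hunk. The same `split()` calls appear in the later hunk of this file, in `get_idp_list` (`split("\n", …)`, `split(',', …)`) and `generate_cookie_array` (`split(' ', …)`), and want `explode()` there as well.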
How to upgrade your Service Provider to 2.x
-------------------------------------------------------------------------------
-In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact
-that in version 2.0 the default behaviour regarding attribute propagation
+In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact
+that in version 2.0 the default behaviour regarding attribute propagation
changed.
While the Service Provider 1.3.x published the Shibboleth attributes to the
-web server environment as HTTP Request headers, the Service Provider 2.x
+web server environment as HTTP Request headers, the Service Provider 2.x
publishes attributes as environment variables, which increases the security for
some platforms.
However, this change has the effect that the attribute names change.
-E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'
+E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']
-or depending on your /etc/shibboleth/attribute-map.xml file just as
+or depending on your /etc/shibboleth/attribute-map.xml file just as
$_SERVER['sn'].
Because Moodle needs to know what Shibboleth attributes it shall map onto which
Moodle user profile field, one has to make sure the mapping is updated as well
after the Service Provider upgrade.
********************************************************************************
-Because you risk locking yourself out of Moodle it is strongly
+Because you risk locking yourself out of Moodle it is strongly
recommended to use the following approach when upgrading the Service Provider:
-1. Enable manual authentication before the upgrade.
-2. Make sure that you have at least one manual account with administration
+1. Enable manual authentication before the upgrade.
+2. Make sure that you have at least one manual account with administration
privileges working before upgrading your Service Provider to 2.x.
-3. After the SP upgrade, use this account to log into Moodle and adapt the
- attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect
+3. After the SP upgrade, use this account to log into Moodle and adapt the
+ attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect
the changed attribute names.
- You find the attribute names in the file /etc/shibboleth/attribute-map.xml
+ You find the attribute names in the file /etc/shibboleth/attribute-map.xml
listed as the 'id' value of an attribute definition.
4. If you are using the integrated WAYF, you may have to set the third parameter
of each entry to '/Shibboleth.sso/DS'
How to add logout support
--------------------------------------------------------------------------------
-In order make Moodle support Shibboleth logout, one has to make the Shibboleth
-Service Provider (SP) aware of the Moodle logout capability. Only then the SP
+In order make Moodle support Shibboleth logout, one has to make the Shibboleth
+Service Provider (SP) aware of the Moodle logout capability. Only then the SP
can trigger Moodle's front or back channel logout handler.
To make the SP aware of the Moodle logout, you have to add the following to the
just before the <MetadataProvider> element.
--
-<Notify
+<Notify
Channel="back"
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" />
--
-Then restart the Shibboleth daemon and check the log file for errors. If there
-were no errors, you can test the logout feature by accessing Moodle,
+Then restart the Shibboleth daemon and check the log file for errors. If there
+were no errors, you can test the logout feature by accessing Moodle,
authenticating via Shibboleth and the access the URL:
-#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard
+#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard
Shibboleth installation). If everything worked well, you should see a Shibboleth
-page saying that you were successfully logged out and if you go back to Moodle
+page saying that you were successfully logged out and if you go back to Moodle
you also should be logged out from Moodle.
Requirements:
Single Logout (SLO). Therefore, the single logout feature cannot be used yet
in a Shibboleth only setup but there may be other SAML2 products that could
be used as Identity Provider, e.g. SimpleSAML PHP.
-One of the reasons why SLO isn't supported yet is because there aren't many
-applications yet that were adapted to support front and back channel
-logout. Hopefully, the Moodle logout helps to motivate the developers to
+One of the reasons why SLO isn't supported yet is because there aren't many
+applications yet that were adapted to support front and back channel
+logout. Hopefully, the Moodle logout helps to motivate the developers to
implement SLO. On the other hand, the easiest and safest way to log out
still is to tell users to quit their web browsers :)
-Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues and
-https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator for some
+Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues and
+https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator for some
background information on this topic.
--------------------------------------------------------------------------------
}
}
}
-
+
// Set shibboleth session ID for logout
$SESSION->shibboleth_session_id = $sessionkey;
}
-
+
/**
* Returns the user information for 'external' users. In this case the
* attributes provided by Shibboleth
$search_attribs = array();
foreach ($attrmap as $key=>$value) {
- // Check if attribute is present
+ // Check if attribute is present
if (!isset($_SERVER[$value])){
$result[$key] = '';
continue;
return;
}
-
+
/**
* Hook for logout page
*
*/
function logoutpage_hook() {
global $redirect;
-
+
// Only do this if logout handler is defined
if (
- isset($this->config->logout_handler)
+ isset($this->config->logout_handler)
&& !empty($this->config->logout_handler)
){
// Check if there is an alternative logout return url defined
if (
- isset($this->config->logout_return_url)
+ isset($this->config->logout_return_url)
&& !empty($this->config->logout_return_url)
){
// Set temp_redirect to alternative return url
// Backup old redirect url
$temp_redirect = $redirect;
}
-
+
// Overwrite redirect in order to send user to Shibboleth logout page and let him return back
$redirect = $this->config->logout_handler.'?return='.urlencode($temp_redirect);
}
if (!isset ($config->convert_data)) {
$config->convert_data = '';
}
-
+
if (!isset($config->changepasswordurl)) {
$config->changepasswordurl = '';
}
-
+
if (!isset($config->login_name)) {
$config->login_name = 'Shibboleth Login';
}
-
+
// Clean idp list
if (isset($config->organization_selection) && !empty($config->organization_selection) && isset($config->alt_login) && $config->alt_login == 'on') {
$idp_list = get_idp_list($config->organization_selection);
$config->organization_selection .= $idp.', '.$value[0].', '.$value[1]."\n";
}
}
-
+
// save settings
set_config('user_attribute', $config->user_attribute, 'auth/shibboleth');
-
+
if (isset($config->organization_selection) && !empty($config->organization_selection)) {
set_config('organization_selection', $config->organization_selection, 'auth/shibboleth');
}
set_config('convert_data', $config->convert_data, 'auth/shibboleth');
set_config('auth_instructions', $config->auth_instructions, 'auth/shibboleth');
set_config('changepasswordurl', $config->changepasswordurl, 'auth/shibboleth');
-
+
// Overwrite alternative login URL if integrated WAYF is used
if (isset($config->alt_login) && $config->alt_login == 'on'){
set_config('alt_login', $config->alt_login, 'auth/shibboleth');
set_config('alternateloginurl', $CFG->wwwroot.'/auth/shibboleth/login.php');
} else {
// Check if integrated WAYF was enabled and is now turned off
- // If it was and only then, reset the Moodle alternate URL
+ // If it was and only then, reset the Moodle alternate URL
if ($this->config->alt_login == 'on'){
set_config('alt_login', 'off', 'auth/shibboleth');
set_config('alternateloginurl', '');
}
$config->alt_login = 'off';
}
-
+
// Check values and return false if something is wrong
// Patch Anyware Technologies (14/05/07)
if (($config->convert_data != '')&&(!file_exists($config->convert_data) || !is_readable($config->convert_data))){
return false;
}
-
+
// Check if there is at least one entry in the IdP list
if (isset($config->organization_selection) && empty($config->organization_selection) && isset($config->alt_login) && $config->alt_login == 'on'){
return false;
}
}
-
+
/**
* Sets the standard SAML domain cookie that is also used to preselect
* the right entry on the local wayf
$IDPArray = appendCookieValue($selectedIDP, $IDPArray);
setcookie ('_saml_idp', generate_cookie_value($IDPArray), time() + (100*24*3600));
}
-
+
/**
- * Prints the option elements for the select element of the drop down list
+ * Prints the option elements for the select element of the drop down list
*
*/
function print_idp_list(){
$config = get_config('auth/shibboleth');
-
+
$IdPs = get_idp_list($config->organization_selection);
if (isset($_COOKIE['_saml_idp'])){
$idp_cookie = generate_cookie_array($_COOKIE['_saml_idp']);
do {
$selectedIdP = array_pop($idp_cookie);
} while (!isset($IdPs[$selectedIdP]) && count($idp_cookie) > 0);
-
+
} else {
$selectedIdP = '-';
}
-
+
foreach($IdPs as $IdP => $data){
if ($IdP == $selectedIdP){
echo '<option value="'.$IdP.'" selected="selected">'.$data[0].'</option>';
}
}
}
-
-
+
+
/**
* Generate array of IdPs from Moodle Shibboleth settings
*
* @param string Text containing tuble/triple of IdP entityId, name and (optionally) session initiator
- * @return array Identifier of IdPs and their name/session initiator
+ * @return array Identifier of IdPs and their name/session initiator
*/
function get_idp_list($organization_selection) {
$idp_list = array();
-
+
$idp_raw_list = split("\n", $organization_selection);
-
+
foreach ($idp_raw_list as $idp_line){
$idp_data = split(',', $idp_line);
if (isset($idp_data[2]))
{
- $idp_list[trim($idp_data[0])] = array(trim($idp_data[1]),trim($idp_data[2]));
+ $idp_list[trim($idp_data[0])] = array(trim($idp_data[1]),trim($idp_data[2]));
}
elseif(isset($idp_data[1]))
{
$idp_list[trim($idp_data[0])] = array(trim($idp_data[1]));
}
}
-
+
return $idp_list;
}
-
+
/**
* Generates an array of IDPs using the cookie value
*
- * @param string Value of SAML domain cookie
- * @return array Identifiers of IdPs
+ * @param string Value of SAML domain cookie
+ * @return array Identifiers of IdPs
*/
function generate_cookie_array($value) {
-
+
// Decodes and splits cookie value
$CookieArray = split(' ', $value);
$CookieArray = array_map('base64_decode', $CookieArray);
-
+
return $CookieArray;
}
-
+
/**
* Generate the value that is stored in the cookie using the list of IDPs
*
- * @param array IdP identifiers
+ * @param array IdP identifiers
* @return string SAML domain cookie value
*/
function generate_cookie_value($CookieArray) {
-
+
// Merges cookie content and encodes it
$CookieArray = array_map('base64_encode', $CookieArray);
$value = implode(' ', $CookieArray);
return $value;
}
-
+
/**
* Append a value to the array of IDPs
*
* @param string IdP identifier
* @param array IdP identifiers
- * @return array IdP identifiers with appended IdP
+ * @return array IdP identifiers with appended IdP
*/
function appendCookieValue($value, $CookieArray) {
-
+
array_push($CookieArray, $value);
$CookieArray = array_reverse($CookieArray);
$CookieArray = array_unique($CookieArray);
$CookieArray = array_reverse($CookieArray);
-
+
return $CookieArray;
}
-?>
+
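Review bot: `print_idp_list` writes `$IdP` and `$data[0]` straight into the `<option>` markup without escaping (the `echo '<option value="'.$IdP.'" selected="selected">'...` line), whereas the login-name field in config.html goes through `htmlentities()`. The values come from the admin's Identity Providers textarea rather than from the request, so the exposure is limited, but an entity ID or display name containing `"` or `<` still breaks the select, and the inconsistency invites a future copy into a place that does take request data. Wrapping both in `htmlspecialchars()` keeps the output well-formed: `echo '<option value="'.htmlspecialchars($IdP).'" selected="selected">'.htmlspecialchars($data[0]).'</option>';`. The same applies to the config.html hunk, where `$config->logout_handler` and `$config->logout_return_url` are echoed raw into `value="…"` attributes, and to the index_form.html hunk, where `$config->login_name` is echoed raw inside the `<h2>`.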
<tr valign="top">
<td align="right"><?php print_string("auth_shib_integrated_wayf", "auth_shibboleth") ?>:</td>
<td>
- <input name="alt_login" type="checkbox" <?php
+ <input name="alt_login" type="checkbox" <?php
if ( isset($config->alt_login) and $config->alt_login == 'on' ){
echo 'checked="checked"';
}
<td align="right"><?php print_string("auth_shib_idp_list", "auth_shibboleth") ?>:</td>
<td>
<textarea name="organization_selection" rows="10" cols="30" style="overflow: auto; white-space: nowrap;"
-><?php
+><?php
if (!isset($config->organization_selection)){
echo 'urn:mace:organization1:providerID, Example Organization 1
https://another.idp-id.com/shibboleth, Other Example Organization, /Shibboleth.sso/DS/SWITCHaai
<tr valign="top">
<td align="right"><?php print_string("auth_shib_logout_url", "auth_shibboleth") ?>:</td>
<td>
- <input name="logout_handler" type="text" size="30" value="<?php
+ <input name="logout_handler" type="text" size="30" value="<?php
if ( isset($config->logout_handler) and !empty($config->logout_handler)){
echo $config->logout_handler;
}
<tr valign="top">
<td align="right"><?php print_string("auth_shib_logout_return_url", "auth_shibboleth") ?>:</td>
<td>
- <input name="logout_return_url" type="text" size="30" value="<?php
+ <input name="logout_return_url" type="text" size="30" value="<?php
if ( isset($config->logout_return_url) and !empty($config->logout_return_url)){
echo $config->logout_return_url;
}
<tr valign="top">
<td align="right"><?php print_string("auth_shib_auth_method", "auth_shibboleth") ?>:</td>
<td>
- <input name="login_name" type="text" size="30" value="<?php
+ <input name="login_name" type="text" size="30" value="<?php
if ( isset($config->login_name) and !empty($config->login_name)){
echo htmlentities($config->login_name);
} else {
}
redirect($urltogo);
-
+
}
$pluginconfig = get_config('auth/shibboleth');
$shibbolethauth = get_auth_plugin('shibboleth');
-
+
// Check whether Shibboleth is configured properly
if (empty($pluginconfig->user_attribute)) {
print_error('shib_not_set_up_error', 'auth');
/// Check if the user has actually submitted login data to us
if ($shibbolethauth->user_login($frm->username, $frm->password)) {
-
+
$USER = authenticate_user_login($frm->username, $frm->password);
-
+
$USER->loggedin = true;
- $USER->site = $CFG->wwwroot; // for added security, store the site in the
-
+ $USER->site = $CFG->wwwroot; // for added security, store the site in the
+
update_user_login_times();
-
+
// Don't show username on login page
set_moodle_cookie('nobody');
set_login_session_preferences();
-
+
unset($SESSION->lang);
$SESSION->justloggedin = true;
-
+
add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID, $USER->id, 0, $USER->id);
-
+
if (user_not_fully_set_up($USER)) {
$urltogo = $CFG->wwwroot.'/user/edit.php?id='.$USER->id.'&course='.SITEID;
// We don't delete $SESSION->wantsurl yet, so we get there later
load_all_capabilities(); /// This is what lets the user do anything on the site :-)
redirect($urltogo);
-
+
exit;
- }
-
+ }
+
else {
// For some weird reason the Shibboleth user couldn't be authenticated
}
print_error('shib_not_set_up_error', 'auth');
}
-?>
+
<div class="loginbox clearfix <?php echo $columns ?>">
<div class="loginpanel">
<!--<h2><?php print_string("returningtosite") ?></h2>-->
-
- <h2><?php
+
+ <h2><?php
if (isset($config->login_name) && !empty($config->login_name)){
echo $config->login_name;
} else {
<div class="guestsub">
<p><?php print_string("auth_shibboleth_select_organization", "auth_shibboleth"); ?></p>
<form action="login.php" method="post" id="guestlogin">
- <select name="idp">
+ <select name="idp">
<option value="-" ><?php print_string("auth_shibboleth_select_member", "auth_shibboleth"); ?></option>
<?php
print_idp_list();
</select><p><input type="submit" value="<?php print_string("select"); ?>" accesskey="s" /></p>
</form>
<p>
- <?php
+ <?php
print_string("auth_shibboleth_contact_administrator", "auth_shibboleth");
echo '<a href="mailto:'.get_admin()->email.'"> Moodle Administrator</a>.';
?>
<div class="signuppanel">
<h2><?php print_string("firsttime") ?></h2>
<div class="subcontent">
-<?php if (is_enabled_auth('none')) { // instructions override the rest for security reasons
+<?php if (is_enabled_auth('none')) { // instructions override the rest for security reasons
print_string("loginstepsnone");
} else if ($CFG->registerauth == 'email') {
if (!empty($CFG->auth_instructions)) {
require_once("../../config.php");
require_once($CFG->dirroot."/auth/shibboleth/auth.php");
-
+
//initialize variables
$errormsg = '';
$loginurl = (!empty($CFG->alternateloginurl)) ? $CFG->alternateloginurl : '';
- if (get_moodle_cookie() == '') {
+ if (get_moodle_cookie() == '') {
set_moodle_cookie('nobody'); // To help search for cookies
}
// Set SAML domain cookie
$config = get_config('auth/shibboleth');
-
+
$IdPs = get_idp_list($config->organization_selection);
if (isset($_POST['idp']) && isset($IdPs[$_POST['idp']])){
$selectedIdP = $_POST['idp'];
set_saml_cookie($selectedIdP);
-
+
// Redirect to SessionInitiator with entityID as argument
if (isset($IdPs[$selectedIdP][1]) && !empty($IdPs[$selectedIdP][1])){
// For Shibbolet 1.x Service Providers
$PAGE->set_heading($site->fullname);
$PAGE->set_focuscontrol('idp');
$PAGE->set_headingmenu('<div class="langmenu">'.$langmenu.'</div>');
-
+
echo $OUTPUT->header();
include("index_form.html");
echo $OUTPUT->footer();
-?>
+
-<?php // $Id$
+<?php
// Implements logout for Shibboleth authenticated users according to:
// - https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator
$protocol = 'http://';
if ( isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on'){
$protocol = 'https://';
-}
+}
// Front channel logout
if (
- isset($_GET['return'])
+ isset($_GET['return'])
&& isset($_GET['action'])
&& $_GET['action'] == 'logout'
){
-
+
// Logout out user from application
// E.g. destroy application session/cookie etc
require_logout();
-
+
// Finally, send user to the return URL
redirect($_GET['return']);
}
// Back channel logout
elseif (!empty($HTTP_RAW_POST_DATA)) {
-
+
// Requires PHP 5
-
-
+
+
// Set SOAP header
$server = new SoapServer($protocol.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'/LogoutNotification.wsdl');
-
-
+
+
$server->addFunction("LogoutNotification");
$server->handle();
-}
+}
// Return WSDL
else {
-
+
header('Content-Type: text/xml');
-
+
echo <<<WSDL
<?xml version ="1.0" encoding ="UTF-8" ?>
<definitions name="LogoutNotification"
<!--
This page either has to be called with the GET arguments 'action' and 'return' via
-a redirect from the Shibboleth Service Provider logout handler (front-channel
-logout) or via a SOAP request by a Shibboleth Service Provider (back-channel
+a redirect from the Shibboleth Service Provider logout handler (front-channel
+logout) or via a SOAP request by a Shibboleth Service Provider (back-channel
logout).
-Because neither of these two variants seems to be the case, the WSDL file for
+Because neither of these two variants seems to be the case, the WSDL file for
the web service is returned.
For more information see:
<schema targetNamespace="urn:mace:shibboleth:2.0:sp:notify"
xmlns="http://www.w3.org/2000/10/XMLSchema"
xmlns:notify="urn:mace:shibboleth:2.0:sp:notify">
-
+
<simpleType name="string">
<restriction base="string">
<minLength value="1"/>
</restriction>
</simpleType>
-
+
<element name="OK" type="notify:OKType"/>
<complexType name="OKType">
<sequence/>
</complexType>
-
+
</schema>
</types>
-
+
<message name="getLogoutNotificationRequest">
<part name="SessionID" type="notify:string" />
</message>
-
+
<message name="getLogoutNotificationResponse" >
<part name="OK"/>
</message>
-
+
<portType name="LogoutNotificationPortType">
<operation name="LogoutNotification">
<input message="getLogoutNotificationRequest"/>
<output message="getLogoutNotificationResponse"/>
</operation>
</portType>
-
+
<binding name="LogoutNotificationBinding" type="notify:LogoutNotificationPortType">
<soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="LogoutNotification">
<soap:operation soapAction="urn:xmethods-logout-notification#LogoutNotification"/>
</operation>
</binding>
-
+
<service name="LogoutNotificationService">
<port name="LogoutNotificationPort" binding="notify:LogoutNotificationBinding">
<soap:address location="{$protocol}{$_SERVER['HTTP_HOST']}{$_SERVER['PHP_SELF']}"/>
/******************************************************************************/
function LogoutNotification($SessionID){
-
+
global $CFG, $SESSION, $DB;
-
+
// Delete session of user using $SessionID
if(empty($CFG->dbsessions)) {
-
+
// File session
$dir = $CFG->dataroot .'/sessions';
if (is_dir($dir)) {
// Check if it is a file
if (is_file($dir.'/'.$file)){
$session_key = ereg_replace('sess_', '', $file);
-
+
// Read session file data
$data = file($dir.'/'.$file);
if (isset($data[0])){
$user_session = unserializesession($data[0]);
-
- // Check if we have found session that shall be deleted
+
+ // Check if we have found session that shall be deleted
if (isset($user_session['SESSION']) && isset($user_session['SESSION']->shibboleth_session_id)){
-
+
// If there is a match, delete file
if ($user_session['SESSION']->shibboleth_session_id == $SessionID){
// Delete session file
if (!empty($CFG->sessiontimeout)) {
$ADODB_SESS_LIFE = $CFG->sessiontimeout;
}
-
+
if ($user_session_data = $DB->get_records_sql('SELECT sesskey, sessdata FROM {sessions2} WHERE expiry > NOW()')) {
foreach ($user_session_data as $session_data) {
-
+
// Get user session
$user_session = adodb_unserialize( urldecode($session_data->sessdata) );
-
+
if (isset($user_session['SESSION']) && isset($user_session['SESSION']->shibboleth_session_id)){
-
+
// If there is a match, delete file
if ($user_session['SESSION']->shibboleth_session_id == $SessionID){
// Delete this session entry
}
}
}
-
+
// If now SoapFault was thrown the function will return OK as the SP assumes
-
+
}
/*****************************************************************************/
}
return( $variables );
}
-
-?>
/**
* Confirm the new user as registered. This should normally not be used,
- * but it may be necessary if the user auth_method is changed to manual
+ * but it may be necessary if the user auth_method is changed to manual
* before the user is confirmed.
*/
function user_confirm($username, $confirmsecret = null) {
- return AUTH_CONFIRM_ERROR;
+ return AUTH_CONFIRM_ERROR;
}
}