attributes on request of Markus Hagman
- 11. 2007: Integrated WAYF Service in Moodle
- 12. 2008: Shibboleth 2.x and Single Logout support added
+- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth
+ language files.
Moodle Configuration with Dual login
-------------------------------------------------------------------------------
For IIS you have protect the auth/shibboleth directory directly in the
RequestMap of the Shibboleth configuration file (shibboleth.xml). See
-
- https://spaces.internet2.edu/display/SHIB/xmlaccesscontrol?topic=XMLAccessControl
+ https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapper and
+ https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl
-2. As Moodle admin, go to the 'Administrations >> Users >> Authentication
- Options' and click on the the 'Shibboleth' settings.
+2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and
+ click on the the 'Shibboleth' settings.
3. Fill in the fields of the form. The fields 'Username', 'First name',
'Surname', etc. should contain the name of the environment variables of the
Shibboleth attributes that you want to map onto the corresponding Moodle
- variable (e.g. 'HTTP_SHIB_PERSON_SURNAME' for the person's last name, refer
+ variable (e.g. 'Shib-Person-surname' for the person's last name, refer
the Shibboleth documentation or the documentation of your Shibboleth
federation for information on which attributes are available).
Especially the 'Username' field is of great importance because
to the the URL of the file 'moodle/auth/shibboleth/index.php'.
This will enforce Shibboleth login.
-4.b If you want to use the Moodle internal WAYF service, you have to activate it
+4.b If you want to use the Moodle integrated WAYF service, you have to activate it
in the Moodle Shibboleth authentication settings by checking the
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the
'Identity Providers' textarea together with a name and an optional
SessionInitiator URL, which usually is an absolute or relative URL pointing
to the same host. If no SessionInitiator URL is given, the default one
- '/Shibboleth.sso' will be used.
+ '/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For
+ Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.
Also see https://spaces.internet2.edu/display/SHIB/SessionInitiator
+ and https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator
Important Note: If you upgraded from a previous version of Moodle and now
want to use the integrated WAYF, you have to make sure that
3. After the SP upgrade, use this account to log into Moodle and adapt the
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect
the changed attribute names.
-4. Test the login with a Shibboleth account
-5. If all is working, disable manual authentication again
+ You find the attribute names in the file /etc/shibboleth/attribute-map.xml
+ listed as the 'id' value of an attribute definition.
+4. If you are using the integrated WAYF, you may have to set the third parameter
+ of each entry to '/Shibboleth.sso/DS'
+5. Test the login with a Shibboleth account
+6. If all is working, disable manual authentication again
********************************************************************************
How to add logout support
logout. Hopefully, the Moodle logout helps to motivate the developers to
implement SLO :)
-Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues for some
+Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues and
+https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator for some
background information on this topic.
--------------------------------------------------------------------------------
return;
}
+
+ /**
+ * Hook for logout page
+ *
+ */
+ function logoutpage_hook() {
+ global $redirect;
+
+ // Only do this if logout handler is defined
+ if (
+ isset($this->config->logout_handler)
+ && !empty($this->config->logout_handler)
+ ){
+ // Backup old redirect url
+ $temp_redirect = $redirect;
+
+ // Overwrite redirect in order to send user to Shibboleth logout page and let him return back
+ $redirect = $this->config->logout_handler.'?return='.urlencode($temp_redirect);
+ }
+ }
+
+
/**
* Prints a form for configuring this authentication plugin.
if (isset($config->organization_selection) && !empty($config->organization_selection)) {
set_config('organization_selection', $config->organization_selection, 'auth/shibboleth');
}
+ set_config('logout_handler', $config->logout_handler, 'auth/shibboleth');
set_config('login_name', $config->login_name, 'auth/shibboleth');
set_config('convert_data', $config->convert_data, 'auth/shibboleth');
set_config('auth_instructions', $config->auth_instructions, 'auth/shibboleth');
set_config('changepasswordurl', $config->changepasswordurl, 'auth/shibboleth');
+ // Overwrite alternative login URL if integrated WAYF is used
if (isset($config->alt_login) && $config->alt_login == 'on'){
set_config('alt_login', $config->alt_login, 'auth/shibboleth');
set_config('alternateloginurl', $CFG->wwwroot.'/auth/shibboleth/login.php');
} else {
- set_config('alt_login', 'off', 'auth/shibboleth');
- set_config('alternateloginurl', '');
+ // Check if integrated WAYF was enabled and is now turned off
+ // If it was and only then, reset the Moodle alternate URL
+ if ($this->config->alt_login == 'on'){
+ set_config('alt_login', 'off', 'auth/shibboleth');
+ set_config('alternateloginurl', '');
+ }
$config->alt_login = 'off';
}
projects / moodle.git / commitdiff