From: exe-cutor Date: Mon, 8 Dec 2008 10:49:44 +0000 (+0000) Subject: Merged various fixes from 19 stable X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=2f5237edea8b81f3154438796ab3e38992eeb0e1;p=moodle.git Merged various fixes from 19 stable --- diff --git a/auth/shibboleth/README.txt b/auth/shibboleth/README.txt index 03b1d2bb9a..c071f79e6b 100644 --- a/auth/shibboleth/README.txt +++ b/auth/shibboleth/README.txt @@ -20,7 +20,7 @@ Changes: - 10. 2007: Removed the requirement for email address, surname and given name attributes on request of Markus Hagman - 11. 2007: Integrated WAYF Service in Moodle -- 12. 2008: Single Logout support added +- 12. 2008: Shibboleth 2.x and Single Logout support added Moodle Configuration with Dual login ------------------------------------------------------------------------------- 
@@ -200,6 +200,37 @@ Example file: ?> -- +How to upgrade your Service Provider to 2.x +------------------------------------------------------------------------------- + +In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact +that in version 2.0 the default behaviour regarding attribute propagation +changed. +While the Service Provider 1.3.x published the Shibboleth attributes to the +web server environment as HTTP Request headers, the Service Provider 2.x +publishes attributes as environment variables, which increases the security for +some platforms. +However, this change has the effect that the attribute names change. +E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME' +with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname'] +or depending on your /etc/shibboleth/attribute-map.xml file just as +$_SERVER['sn']. +Because Moodle needs to know what Shibboleth attributes it shall map onto which +Moodle user profile field, one has to make sure the mapping is updated as well +after the Service Provider upgrade. + +******************************************************************************** +Because you risk locking yourself out of Moodle it is strongly +recommended to use the following approach when upgrading the Service Provider: +1. Enable manual authentication before the upgrade. +2. Make sure that you have at least one manual account with administration + privileges working before upgrading your Service Provider to 2.x. +3. After the SP upgrade, use this account to log into Moodle and adapt the + attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect + the changed attribute names. +4. Test the login with a Shibboleth account +5. If all is working, disable manual authentication again +******************************************************************************** How to add logout support -------------------------------------------------------------------------------- 
@@ -217,14 +248,18 @@ just before the element. Channel="back" Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /> + + -- -The restart the Shibboleth daemon and check the log file for errors. If there -were no errors, you cat test the logout feature by accessing Moodle, +Then restart the Shibboleth daemon and check the log file for errors. If there +were no errors, you can test the logout feature by accessing Moodle, authenticating via Shibboleth and the access the URL: #YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard Shibboleth installation). If everything worked well, you should see a Shibboleth @@ -236,14 +271,14 @@ Limitations: Single Logout is only supported with SAML2 and so far only with the Shibboleth Service Provider 2.x. As of December 2008, the Shibboleth Identity Provider 2.1.1 does not yet support -Single Logout (SLO). Therefore, the logout feature doesn't make that much -sense yet. One of the reasons why SLO isn't supported yet is because there aren't - many applications yet that were adapted to support front and back channel +Single Logout (SLO). Therefore, the single logout feature cannot be used yet. +One of the reasons why SLO isn't supported yet is because there aren't many +applications yet that were adapted to support front and back channel logout. Hopefully, the Moodle logout helps to motivate the developers to implement SLO :) Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues for some -background information. +background information on this topic. -------------------------------------------------------------------------------- In case of problems and questions with Shibboleth authentication, contact diff --git a/auth/shibboleth/auth.php b/auth/shibboleth/auth.php index 6fe37a5490..f76067a70a 100644 --- a/auth/shibboleth/auth.php +++ b/auth/shibboleth/auth.php 
@@ -46,8 +46,8 @@ class auth_plugin_shibboleth extends auth_plugin_base { * Returns true if the username and password work and false if they are * wrong or don't exist. * - * @param string $username The username - * @param string $password The password + * @param string $username The username (with system magic quotes) + * @param string $password The password (with system magic quotes) * @return bool Authentication success or failure. */ function user_login($username, $password) { @@ -140,6 +140,7 @@ class auth_plugin_shibboleth extends auth_plugin_base { */ function get_attributes() { $configarray = (array) $this->config; + $moodleattributes = array(); foreach ($this->userfields as $field) { if (isset($configarray["field_map_$field"])) { diff --git a/auth/shibboleth/index.php b/auth/shibboleth/index.php index 90ba89a7b9..7961af7b3a 100644 --- a/auth/shibboleth/index.php +++ b/auth/shibboleth/index.php @@ -43,7 +43,7 @@ update_user_login_times(); // Don't show username on login page - $SESSION->set_moodle_cookie('nobody'); + set_moodle_cookie('nobody'); set_login_session_preferences(); @@ -87,7 +87,7 @@ // If we can find any (user independent) Shibboleth attributes but no user // attributes we probably didn't receive any user attributes - elseif (!empty($_SERVER['HTTP_SHIB_APPLICATION_ID'])) { + elseif (!empty($_SERVER['HTTP_SHIB_APPLICATION_ID']) || !empty($_SERVER['Shib-Application-ID'])) { print_error('shib_no_attributes_error', 'auth' , '', '\''.$pluginconfig->user_attribute.'\', \''.$pluginconfig->field_map_firstname.'\', \''.$pluginconfig->field_map_lastname.'\' and \''.$pluginconfig->field_map_email.'\''); } else { print_error('shib_not_set_up_error', 'auth'); diff --git a/auth/shibboleth/login.php b/auth/shibboleth/login.php index 7f7c032125..32c1478120 100644 --- a/auth/shibboleth/login.php +++ b/auth/shibboleth/login.php 
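Review bot: The new `elseif (!empty($_SERVER['HTTP_SHIB_APPLICATION_ID']) || !empty($_SERVER['Shib-Application-ID']))` condition in index.php mixes two different sources without saying so: `HTTP_*` entries in `$_SERVER` are derived from request headers (the SP 1.3 style this plugin originally relied on), while the `Shib-*` entry is what the README hunk describes as the SP 2.x environment-variable form. Since the branch only decides which of two `print_error` messages is shown, this is a diagnostic hint rather than evidence that the SP populated the request, and a comment should say that so nobody later reuses the check for an authentication decision: `// HTTP_SHIB_* keys are SP 1.3 request headers, Shib-* keys are SP 2.x environment variables; this only picks the diagnostic message, it does not prove the SP handled the request.` The fourth `print_error` argument is built from `$pluginconfig` values, which appear to be admin configuration rather than request data, so the string concatenation itself raises no new concern here. The enclosing `if`/`elseif` chain starts before this hunk.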
@@ -21,7 +21,7 @@ httpsrequired(); /// Define variables used in page if (!$site = get_site()) { - print_error("siteisnotdefined", 'debug'); + error("No site found!"); } if (empty($CFG->langmenu)) { @@ -38,8 +38,8 @@ httpsrequired(); $loginurl = (!empty($CFG->alternateloginurl)) ? $CFG->alternateloginurl : ''; - if ($SESSION->get_moodle_cookie() == '') { - $SESSION->set_moodle_cookie('nobody'); // To help search for cookies + if (get_moodle_cookie() == '') { + set_moodle_cookie('nobody'); // To help search for cookies } if (!empty($CFG->registerauth) or is_enabled_auth('none') or !empty($CFG->auth_instructions)) {
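Review bot: In the first login.php hunk the new side replaces `print_error("siteisnotdefined", 'debug')` with `error("No site found!")`, which turns a language-string key into a hard-coded, untranslatable English message. If this merge is meant to carry 1.9 fixes forward onto this branch, the older `error()` call looks like the wrong direction, and `print_error('siteisnotdefined', 'debug');` should be kept unless `error()` is deliberately the API in use here. The `$SESSION->get_moodle_cookie()`/`set_moodle_cookie()` to global-function changes in the next hunk and in index.php may be of the same nature, but which of the two APIs is current on this branch is not visible from the diff, so that part is only a question to confirm. The `if (!$site = get_site())` block is complete within the hunk; the rest of the page setup continues outside it.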