From: exe-cutor Date: Fri, 9 Oct 2009 11:10:58 +0000 (+0000) Subject: shibboleth authentication: MDL-18597 Merged over changes to HEAD X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=82909a9ae7dddc9d8b32ec105ef32ed6db6a1770;p=moodle.git shibboleth authentication: MDL-18597 Merged over changes to HEAD --- diff --git a/auth/shibboleth/README.txt b/auth/shibboleth/README.txt index 850b59d26e..1a39df4228 100644 --- a/auth/shibboleth/README.txt +++ b/auth/shibboleth/README.txt @@ -25,6 +25,9 @@ Changes: language files. - 3. 2009: Added various improvements and bug fixes reported by Ina Müller from university Tuebingen and Peter Ellis of University of Washington +- 4. 2009: Added another requirement for logout regarding the call back script +- 6. 2009: Changed handler URL when integrated Discovery Service is used +- 10. 2009: Fixed HTML entity preservation in Shibboleth settings Moodle Configuration with Dual login ------------------------------------------------------------------------------- @@ -33,11 +36,11 @@ Moodle Configuration with Dual login For Apache you have to define a rule like the following in the Apache config: -- - + AuthType shibboleth ShibRequireSession On require valid-user - + -- To restrict access to Moodle, replace the access rule 'require valid-user' @@ -106,6 +109,14 @@ Moodle Configuration with Dual login in step 1 only the index.php script in moodle/auth/shibboleth/ is protected but *not* the other scripts and especially not the login.php script. + + If you were using the integrated WAYF alread with Shibboleth 1.3, it could + be that the integrated WAYF is not working anymore after you updated Moodle. + The reason is that the implicitly set default SessionInitiator changed in + Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to + add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS + for Shibboleth 2.x. + 5. Save the changes for the 'Shibboleth settings'. 
@@ -257,7 +268,6 @@ recommended to use the following approach when upgrading the Service Provider: How to add logout support -------------------------------------------------------------------------------- - In order make Moodle support Shibboleth logout, one has to make the Shibboleth Service Provider (SP) aware of the Moodle logout capability. Only then the SP can trigger Moodle's front or back channel logout handler. @@ -270,15 +280,6 @@ just before the element. - - - -- Then restart the Shibboleth daemon and check the log file for errors. If there 
@@ -293,15 +294,35 @@ Requirements: - PHP needs the Soap Extension, which maybe must installed manually: More information is available here http://ch.php.net/soap - Logout only works with Shibboleth Service Provider 2.1 or higher +- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth! + In case all of Moodle is protected with Shibboleth, you have to add something + like this to your Apache configuration after all the other require rules + +-- + + AuthType shibboleth + ShibRequireSession Off + require shibboleth + +-- + When using IIS, the same can be achieved by something like: +-- + +-- + in the shibboleth2.xml RequestMap. + Limitations: Single Logout is only supported when SAML2 is used at the SP and the IdP. -As of December 2008, the Shibboleth Identity Provider 2.1.1 does not yet support -Single Logout (SLO). Therefore, the single logout feature cannot be used yet. +As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support +Single Logout (SLO). Therefore, the single logout feature cannot be used yet +in a Shibboleth only setup but there may be other SAML2 products that could +be used as Identity Provider, e.g. SimpleSAML PHP. One of the reasons why SLO isn't supported yet is because there aren't many applications yet that were adapted to support front and back channel logout. Hopefully, the Moodle logout helps to motivate the developers to -implement SLO :) +implement SLO. On the other hand, the easiest and safest way to log out +still is to tell users to quit their web browsers :) Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues and https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator for some diff --git a/auth/shibboleth/config.html b/auth/shibboleth/config.html index 46097f601c..0774427851 100755 --- a/auth/shibboleth/config.html +++ b/auth/shibboleth/config.html 
@@ -66,7 +66,7 @@ https://another.idp-id.com/shibboleth, Other Example Organization, /Shibboleth.sso/DS/SWITCHaai urn:mace:organization2:providerID, Example Organization 2, /Shibboleth.sso/WAYF/SWITCHaai'; } else { - echo $config->organization_selection; + echo htmlentities($config->organization_selection); } ?> @@ -110,7 +110,7 @@ urn:mace:organization2:providerID, Example Organization 2, /Shibboleth.sso/WAYF/
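Review bot: in the README hunk at line 106 (the integrated WAYF note), "alread" should read "already", and the instruction to "add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS for Shibboleth 2.x" should name what that third parameter is: the handler URL field of each line in the organization selection list in the Shibboleth settings (the format shown by the config.html context lines, e.g. `https://another.idp-id.com/shibboleth, Other Example Organization, /Shibboleth.sso/DS/SWITCHaai`). Without that, an administrator whose WAYF stopped working after the upgrade has to guess which setting the paragraph is talking about.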
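Review bot: in the README hunk at line 293, the new requirement that /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth (`ShibRequireSession Off`, `require shibboleth`) makes that handler reachable by any unauthenticated client, and the text does not say what then prevents an arbitrary request from terminating users' sessions. Add a sentence stating how the script tells a genuine Service Provider front-channel or SOAP back-channel logout call apart from anything else, and whether the Apache block or the IIS RequestMap entry should be narrowed further, for instance to requests originating from the SP host, so that administrators who "protect all of Moodle" understand the trust boundary they are opening. In the same hunk, the closing remark that "the easiest and safest way to log out still is to tell users to quit their web browsers" is only true of the browser-side cookies; the Moodle and IdP sessions stay valid on the server until their own timeout, so the README should pair that advice with a recommendation to keep session lifetimes short. Minor: the product name is written "simpleSAMLphp".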
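Review bot: in the config.html hunk at line 66, `echo htmlentities($config->organization_selection);` relies on the default charset of htmlentities(), which on the PHP 5.2/5.3 releases current for this commit is ISO-8859-1, so UTF-8 organisation names (the README's own changelog mentions an "Ina Müller") come back as mangled per-byte entities in the settings field. Pass the flags and charset explicitly, `echo htmlspecialchars($config->organization_selection, ENT_QUOTES, 'UTF-8');`, or use Moodle's `s()` output helper, which does this for you. Escaping this administrator-supplied value on output is the right change regardless, since the removed line `echo $config->organization_selection;` wrote it into the page unescaped. The second config.html hunk (`@@ -110,7 +110,7 @@`) is cut off in this view and cannot be reviewed here.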