From c49e414b79cba916e1bfa04749f0d0a7f25d5354 Mon Sep 17 00:00:00 2001 From: exe-cutor Date: Thu, 12 Mar 2009 15:11:39 +0000 Subject: [PATCH] Shibboleth authentication: Merging fix MDL-18538 and changes from MDL-18116 --- auth/shibboleth/README.txt | 29 +++++++++++++++++++---------- auth/shibboleth/auth.php | 32 ++++++++++++++++++++++++++++++-- auth/shibboleth/login.php | 3 ++- 3 files changed, 51 insertions(+), 13 deletions(-) diff --git a/auth/shibboleth/README.txt b/auth/shibboleth/README.txt index c071f79e6b..1a71fb6412 100644 --- a/auth/shibboleth/README.txt +++ b/auth/shibboleth/README.txt @@ -21,6 +21,8 @@ Changes: attributes on request of Markus Hagman - 11. 2007: Integrated WAYF Service in Moodle - 12. 2008: Shibboleth 2.x and Single Logout support added +- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth + language files. Moodle Configuration with Dual login ------------------------------------------------------------------------------- @@ -41,16 +43,16 @@ Moodle Configuration with Dual login For IIS you have protect the auth/shibboleth directory directly in the RequestMap of the Shibboleth configuration file (shibboleth.xml). See - - https://spaces.internet2.edu/display/SHIB/xmlaccesscontrol?topic=XMLAccessControl + https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapper and + https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl -2. As Moodle admin, go to the 'Administrations >> Users >> Authentication - Options' and click on the the 'Shibboleth' settings. +2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and + click on the the 'Shibboleth' settings. 3. Fill in the fields of the form. The fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto the corresponding Moodle - variable (e.g. 'HTTP_SHIB_PERSON_SURNAME' for the person's last name, refer + variable (e.g. 'Shib-Person-surname' for the person's last name, refer the Shibboleth documentation or the documentation of your Shibboleth federation for information on which attributes are available). Especially the 'Username' field is of great importance because @@ -73,14 +75,16 @@ Moodle Configuration with Dual login to the the URL of the file 'moodle/auth/shibboleth/index.php'. This will enforce Shibboleth login. -4.b If you want to use the Moodle internal WAYF service, you have to activate it +4.b If you want to use the Moodle integrated WAYF service, you have to activate it in the Moodle Shibboleth authentication settings by checking the 'Moodle WAYF Service' checkbox and providing a list of entity IDs in the 'Identity Providers' textarea together with a name and an optional SessionInitiator URL, which usually is an absolute or relative URL pointing to the same host. If no SessionInitiator URL is given, the default one - '/Shibboleth.sso' will be used. + '/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For + Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator. Also see https://spaces.internet2.edu/display/SHIB/SessionInitiator + and https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator Important Note: If you upgraded from a previous version of Moodle and now want to use the integrated WAYF, you have to make sure that @@ -228,8 +232,12 @@ recommended to use the following approach when upgrading the Service Provider: 3. After the SP upgrade, use this account to log into Moodle and adapt the attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect the changed attribute names. -4. Test the login with a Shibboleth account -5. If all is working, disable manual authentication again + You find the attribute names in the file /etc/shibboleth/attribute-map.xml + listed as the 'id' value of an attribute definition. +4. If you are using the integrated WAYF, you may have to set the third parameter + of each entry to '/Shibboleth.sso/DS' +5. Test the login with a Shibboleth account +6. If all is working, disable manual authentication again ******************************************************************************** How to add logout support @@ -277,7 +285,8 @@ applications yet that were adapted to support front and back channel logout. Hopefully, the Moodle logout helps to motivate the developers to implement SLO :) -Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues for some +Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues and +https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator for some background information on this topic. -------------------------------------------------------------------------------- diff --git a/auth/shibboleth/auth.php b/auth/shibboleth/auth.php index f76067a70a..764435849f 100644 --- a/auth/shibboleth/auth.php +++ b/auth/shibboleth/auth.php @@ -183,6 +183,28 @@ class auth_plugin_shibboleth extends auth_plugin_base { return; } + + /** + * Hook for logout page + * + */ + function logoutpage_hook() { + global $redirect; + + // Only do this if logout handler is defined + if ( + isset($this->config->logout_handler) + && !empty($this->config->logout_handler) + ){ + // Backup old redirect url + $temp_redirect = $redirect; + + // Overwrite redirect in order to send user to Shibboleth logout page and let him return back + $redirect = $this->config->logout_handler.'?return='.urlencode($temp_redirect); + } + } + + /** * Prints a form for configuring this authentication plugin. @@ -243,17 +265,23 @@ class auth_plugin_shibboleth extends auth_plugin_base { if (isset($config->organization_selection) && !empty($config->organization_selection)) { set_config('organization_selection', $config->organization_selection, 'auth/shibboleth'); } + set_config('logout_handler', $config->logout_handler, 'auth/shibboleth'); set_config('login_name', $config->login_name, 'auth/shibboleth'); set_config('convert_data', $config->convert_data, 'auth/shibboleth'); set_config('auth_instructions', $config->auth_instructions, 'auth/shibboleth'); set_config('changepasswordurl', $config->changepasswordurl, 'auth/shibboleth'); + // Overwrite alternative login URL if integrated WAYF is used if (isset($config->alt_login) && $config->alt_login == 'on'){ set_config('alt_login', $config->alt_login, 'auth/shibboleth'); set_config('alternateloginurl', $CFG->wwwroot.'/auth/shibboleth/login.php'); } else { - set_config('alt_login', 'off', 'auth/shibboleth'); - set_config('alternateloginurl', ''); + // Check if integrated WAYF was enabled and is now turned off + // If it was and only then, reset the Moodle alternate URL + if ($this->config->alt_login == 'on'){ + set_config('alt_login', 'off', 'auth/shibboleth'); + set_config('alternateloginurl', ''); + } $config->alt_login = 'off'; } diff --git a/auth/shibboleth/login.php b/auth/shibboleth/login.php index 951e6fec0c..88f3fc043d 100644 --- a/auth/shibboleth/login.php +++ b/auth/shibboleth/login.php @@ -1,6 +1,5 @@ dirroot."/auth/shibboleth/auth.php"); @@ -61,6 +60,8 @@ httpsrequired(); if (isset($IdPs[$selectedIdP][1]) && !empty($IdPs[$selectedIdP][1])){ header('Location: '.$IdPs[$selectedIdP][1].'?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php')); } else { + // TODO: This has to be changed to /Shibboleth.sso/DS?entityId= for + // Shibbolet 2.x sometime... header('Location: /Shibboleth.sso?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php')); } } elseif (isset($_POST['idp']) && !isset($IdPs[$_POST['idp']])) { -- 2.39.5