- Added support for Shibboleth data conversion API

- Shib auth now checks for the four essential variables
2025-01-17 21:49:15 +01:00 · 2005-05-13 15:10:40 +00:00 · 2005-05-13 15:10:40 +00:00 · 1b5ad83d2e
commit 1b5ad83d2e
parent 185b692b68
5 changed files with 101 additions and 20 deletions
--- a/auth/shibboleth/README.txt
+++ b/auth/shibboleth/README.txt
@ -97,7 +97,8 @@ You can use Shibboleth AND another authentication method (it was tested with
 manual login only). So if there are a few users that don't have a Shibboleth 
 login, you could create manual accounts for them and they could use the manual 
 login. For other authentication methods you first have to configure them and 
-then set Shibboleth as your authentication method. Users can log in only via one authentication method unless they have two accounts in Moodle.
+then set Shibboleth as your authentication method. Users can log in only via one 
+authentication method unless they have two accounts in Moodle.

 Shibboleth dual login with custom login page
 --------------------------------------------------------------------------------
@ -110,6 +111,57 @@ basically need a link to the Shibboleth-protected page
 form that sends 'username' and 'password' to moodle/login/index.php.
 Consult the Moodle documentation for further instructions and requirements.

+How to customize the way the Shibboleth user data is used in ILIAS
+--------------------------------------------------------------------------------
+Among the Shibboleth settings in Moodle there is a field that should contain a
+path to a php file that can be used as data manipulation API.
+You can use this if you want to further process the way your Shibboleth
+attributes are used in Moodle. 
+
+Example 1: Your Shibboleth federation uses an attribute that specifies the 
+           user's preferred language, but the content of this attribute is not
+           compatible with the Moodle data representation, e.g. the Shibboleth
+           attribute contains 'German' but Moodle needs a two letter value like 
+           'de'.
+Example 2: The country, city and street are provided in one Shibboleth attribute
+           and you want these values to be used in the Moodle user profile. So
+           You have to parse the corresponding attribute to fill the user fields.
+
+If you want to use this API you have to be a skilled PHP programmer. It is 
+strongly recommended that you take a look at the file 
+moodle/auth/shibboleth/lib.php, especially the function 'auth_get_userinfo' 
+where this API file is included. 
+The context of the API file is the same as within this login function. So you
+can directly edit the object $result.
+
+Example file:
+
+--
+<?PHP
+
+    // Set the zip code and the adress
+    if ($_SERVER[$CFG->auth_shib_user_address] != '')
+    {
+        // $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'
+        // We want to split this up to get: 
+        // institution, street, zipcode, city and country
+        $address = $_SERVER[$CFG->auth_shib_user_address];
+        list($institution, $street, $zip_city) = split('\$', $address);
+        
+        ereg(' (.+)',$zip_city, $regs);
+        $city = $regs[1];
+        
+        ereg('(.+)-',$zip_city, $regs);
+        $country = $regs[1];
+        
+        $result["address"] = $street;
+        $result["city"] = $city;
+        $result["country"] = $country;
+        $result["department"] = $institution;
+    }
+?>
+--
+
 Bugs
 --------------------------------------------------------------------------------
 The current implementation has not yet been extensively tested. So there may be
--- a/auth/shibboleth/config.html
+++ b/auth/shibboleth/config.html
@ -101,8 +101,10 @@ if (!isset($config->auth_user_lang_editlock)) {

 ?>
 <tr>
-    <td colspan="3" align="center">
-        <?php  print_string("auth_shib_settings", "auth") ?>
+    <td colspan="3" align="left">
+      <p>
+        <?php  print_string("auth_shib_username_description", "auth") ?>
+      </p>
    </td>
 </tr>
 <!--
@ -127,13 +129,13 @@ if (!isset($config->auth_user_lang_editlock)) {
    </td>
    <td></td>                                                                                                                                 </td>
 </tr>
-->  
+--> 
 <tr>
    <td align="right"><?php  print_string("username") ?>:</td>
    <td>
    <input name="shib_user_attribute" type="text" size="30" value="<?php echo $config->shib_user_attribute?>">
    </td>
-    <td><?php  print_string("auth_shib_username_description", "auth") ?></td>
+    <td></td>
    </td>
 </tr>

@ -398,3 +400,11 @@ if (!isset($config->auth_user_lang_editlock)) {
    <?php  helpbutton("text", get_string("helptext")) ?>
    </td>
 </tr>
+<tr>
+    <td align="right"><?php  print_string("auth_shib_convert_data", "auth") ?>:</td>
+    <td>
+    <input name="shib_convert_data" type="text" size="30" value="<?php echo $config->shib_convert_data?>">
+    </td>
+    <td><?php  print_string("auth_shib_convert_data_description", "auth") ?></td>
+    </td>
+</tr>
--- a/auth/shibboleth/index.php
+++ b/auth/shibboleth/index.php
@ -8,19 +8,12 @@
        redirect($CFG->wwwroot.'/index.php');
    }

-/// If shibboleth login is enforced, directly go to the authentication page
-
-	if ($CFG->auth == 'shibboleth' and !empty($CFG->auth_shib_only)) {
-        if (empty($CFG->shib_user_attribute)) {
-            error('Shibboleth authentication (\'shib_user_attribute\') is not set up correctly. You probably haven\'t yet configured the Shibboleth authentication. Please consult the README in moodle/auth/shibboleth for further instructions on how to set up Shibboleth authentication.');
-        }
-        if (empty($_SERVER[$CFG->shib_user_attribute])) {
-            error('Shibboleth authentication is not set up correctly (could not find $_SERVER[\''.$CFG->shib_user_attribute.'\']) or your moodle/auth/shibboleth/index.php is not protected by Shibboleth. Please consult the README in moodle/auth/shibboleth for further instructions on how to set up Shibboleth authentication.');
-        }
-	}
+    // Check whether Shibboleth is configured properly
+    if (empty($CFG->shib_user_attribute)) {
+        error('Shibboleth authentication (\'shib_user_attribute\') is not set up correctly. You probably haven\'t yet configured the Shibboleth authentication. Please consult the README in moodle/auth/shibboleth for further instructions on how to set up Shibboleth authentication.');
+    }

 /// If we can find the Shibboleth attribute, save it in session and return to main login page
-
    if (!empty($_SERVER[$CFG->shib_user_attribute])) {    // Shibboleth auto-login
        $frm->username = $_SERVER[$CFG->shib_user_attribute];
        $frm->password = substr(base64_encode($_SERVER[$CFG->shib_user_attribute]),0,8);
--- a/auth/shibboleth/lib.php
+++ b/auth/shibboleth/lib.php
@ -3,13 +3,13 @@
 //28.10.2004 SHIBBOLETH Authentication functions v.0.1
 //Distributed under GPL (c)Markus Hagman 2004-

-function auth_user_login ($username, $password) {
+function auth_user_login($username, $password) {
    global $CFG;

 /// If we are in the shibboleth directory then we trust the server var
    if (!empty($_SERVER[$CFG->shib_user_attribute])) {
        return ($_SERVER[$CFG->shib_user_attribute] == $username);
-    }
+    }    

 /// If we are not, then the server is probably set to not be Shibboleth-only
 /// and the user has used the normal login screen, so we redirect to the shibboleth
@ -24,6 +24,16 @@ function auth_get_userinfo($username) {
 // reads user information from shibboleth attributes and return it in array()
    global $CFG;

+    // Check whether we have got all the essential attributes
+    if (
+           empty($_SERVER[$CFG->shib_user_attribute])
+        || empty($_SERVER[$CFG->auth_shib_user_firstname])
+        || empty($_SERVER[$CFG->auth_shib_user_lastname])
+        || empty($_SERVER[$CFG->auth_shib_user_email])
+        ) {
+        error("Moodle needs certain Shibboleth attributes which are not present in your case. The attributes are: '".$CFG->shib_user_attribute."' ('".$_SERVER[$CFG->shib_user_attribute]."'), '".$CFG->auth_shib_user_firstname."' ('".$_SERVER[$CFG->auth_shib_user_firstname]."'), '".$CFG->auth_shib_user_lastname."' ('".$_SERVER[$CFG->auth_shib_user_lastname]."') and '".$CFG->auth_shib_user_email."' ('".$_SERVER[$CFG->auth_shib_user_email]."')<br>Please contact your Identity Service Provider.");
+    }
+
    $config = (array)$CFG;
    $attrmap = auth_shib_attributes();
   
@ -33,6 +43,20 @@ function auth_get_userinfo($username) {
    foreach ($attrmap as $key=>$value) {
        $result[$key]=utf8_decode($_SERVER[$value]);
    }
+    
+     // Provide an API to modify the information to fit the Moodle internal
+    // data representation
+    if (   
+          $config["shib_convert_data"] 
+          && $config["shib_convert_data"] != ''
+          && file_exists($config["shib_convert_data"])
+        ){
+        
+        // Include a custom file outside the Moodle dir to
+        // modify the variable $moodleattributes
+        include($config["shib_convert_data"]);
+    }
+    
    return $result;
 }

@ -52,6 +76,7 @@ function auth_shib_attributes (){
        }
    }
    $moodleattributes['username']=$config["shib_user_attribute"];
+    
 	return $moodleattributes;
 }
 ?>
--- a/lang/en/auth.php
+++ b/lang/en/auth.php
@ -101,15 +101,16 @@ $string['auth_pop3mailbox'] = 'Name of the mailbox to attempt a connection with.
 $string['auth_pop3port'] = 'Server port (110 is the most common, 995 is common for SSL)';
 $string['auth_pop3title'] = 'Use a POP3 server';
 $string['auth_pop3type'] = 'Server type. If your server uses certificate security, choose pop3cert.';
-$string['auth_shibbolethdescription'] = 'Using this method users are created and authenticated using <a href=\"http://shibboleth.internet2.edu/\" target=\"_blank\">Shibboleth</a>';
+$string['auth_shibbolethdescription'] = 'Using this method users are created and authenticated using <a href=\"http://shibboleth.internet2.edu/\" target=\"_blank\">Shibboleth</a>.<br>Be sure to read the <a href=\"../auth/shibboleth/README.txt\" target=\"_blank\">README</a> for Shibboleth on how to set up your Moodle with Shibboleth';
 $string['auth_shibbolethtitle'] = 'Shibboleth';
 $string['auth_shibboleth_login'] = 'Shibboleth Login';
 $string['auth_shibboleth_manual_login'] = 'Manual Login';
-$string['auth_shib_settings'] = 'Be sure to read the <a href=\"../auth/shibboleth/README.txt\" target=\"_blank\">README</a> file for Shibboleth on how to set up your Moodle with Shibboleth';
 $string['auth_shib_only'] = 'Shibboleth only';
 $string['auth_shib_only_description'] = 'Check this option if a Shibboleth authentication shall be enforced';
 $string['auth_shib_username_description'] = 'Name of the webserver Shibboleth environment variable that shall be used as Moodle username';
 $string['auth_shib_instructions'] = 'Use the <a href=\"$a\">Shibboleth login</a> to get access via Shibboleth, if your institution supports it.<br />Otherwise, use the normal login form shown here.';
+$string['auth_shib_convert_data'] = 'Data modification API';
+$string['auth_shib_convert_data_description'] = 'You can use this API to further modify the data provided by Shibboleth. Read the <a href=\"../auth/shibboleth/README.txt\" target=\"_blank\">README</a> for further instructions.';
 $string['auth_shib_instructions_help'] = 'Here you should provide custom instructions for your users to explain Shibboleth.  It will be shown on the login page in the instructions section.  It should include a link to a Shibboleth-protected resource that redirects users to \"<b>$a</b>\" so that Shibboleth users can login in Moodle.  If you leave it blank, then standard instructions will be used (not Shibboleth-specific)';
 $string['auth_updatelocal'] = 'Update local data';
 $string['auth_updatelocal_expl'] = '<p><b>Update local data:</b> If enabled, the field will be updated (from external auth) every time the user logs in or there is a user synchronization. Fields set to update locally should be locked.</p>';