- Added support for Shibboleth data conversion API

- Shib auth now checks for the four essential variables
2025-01-18 05:58:34 +01:00 · 2005-05-13 15:10:40 +00:00 · 2005-05-13 15:10:40 +00:00 · 1b5ad83d2e
commit 1b5ad83d2e
parent 185b692b68
5 changed files with 101 additions and 20 deletions
--- a/auth/shibboleth/README.txt
+++ b/auth/shibboleth/README.txt
@ -97,7 +97,8 @@ You can use Shibboleth AND another authentication method (it was tested with
 manual login only). So if there are a few users that don't have a Shibboleth 
 login, you could create manual accounts for them and they could use the manual 
 login. For other authentication methods you first have to configure them and 
-then set Shibboleth as your authentication method. Users can log in only via one authentication method unless they have two accounts in Moodle.
+then set Shibboleth as your authentication method. Users can log in only via one 
 authentication method unless they have two accounts in Moodle.
 Shibboleth dual login with custom login page
 --------------------------------------------------------------------------------
@ -110,6 +111,57 @@ basically need a link to the Shibboleth-protected page
 form that sends 'username' and 'password' to moodle/login/index.php.
 Consult the Moodle documentation for further instructions and requirements.
 How to customize the way the Shibboleth user data is used in ILIAS
 --------------------------------------------------------------------------------
 Among the Shibboleth settings in Moodle there is a field that should contain a
 path to a php file that can be used as data manipulation API.
 You can use this if you want to further process the way your Shibboleth
 attributes are used in Moodle. 
 Example 1: Your Shibboleth federation uses an attribute that specifies the 
           user's preferred language, but the content of this attribute is not
           compatible with the Moodle data representation, e.g. the Shibboleth
           attribute contains 'German' but Moodle needs a two letter value like 
           'de'.
 Example 2: The country, city and street are provided in one Shibboleth attribute
           and you want these values to be used in the Moodle user profile. So
           You have to parse the corresponding attribute to fill the user fields.
 If you want to use this API you have to be a skilled PHP programmer. It is 
 strongly recommended that you take a look at the file 
 moodle/auth/shibboleth/lib.php, especially the function 'auth_get_userinfo' 
 where this API file is included. 
 The context of the API file is the same as within this login function. So you
 can directly edit the object $result.
 Example file:
 --
 <?PHP
    // Set the zip code and the adress
    if ($_SERVER[$CFG->auth_shib_user_address] != '')
    {
        // $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'
        // We want to split this up to get: 
        // institution, street, zipcode, city and country
        $address = $_SERVER[$CFG->auth_shib_user_address];
        list($institution, $street, $zip_city) = split('\$', $address);
        ereg(' (.+)',$zip_city, $regs);
        $city = $regs[1];
        ereg('(.+)-',$zip_city, $regs);
        $country = $regs[1];
        $result["address"] = $street;
        $result["city"] = $city;
        $result["country"] = $country;
        $result["department"] = $institution;
    }
 ?>
 --
 Bugs
 --------------------------------------------------------------------------------
 The current implementation has not yet been extensively tested. So there may be
--- a/auth/shibboleth/config.html
+++ b/auth/shibboleth/config.html
@ -101,8 +101,10 @@ if (!isset($config->auth_user_lang_editlock)) {
 ?>
 <tr>
-    <td colspan="3" align="center">
+    <td colspan="3" align="left">
-        <?php  print_string("auth_shib_settings", "auth") ?>
+      <p>
        <?php  print_string("auth_shib_username_description", "auth") ?>
      </p>
    </td>
 </tr>
 <!--
@ -127,13 +129,13 @@ if (!isset($config->auth_user_lang_editlock)) {
    </td>
    <td></td>                                                                                                                                 </td>
 </tr>
-->  
+--> 
 <tr>
    <td align="right"><?php  print_string("username") ?>:</td>
    <td>
    <input name="shib_user_attribute" type="text" size="30" value="<?php echo $config->shib_user_attribute?>">
    </td>
-    <td><?php  print_string("auth_shib_username_description", "auth") ?></td>
+    <td></td>
    </td>
 </tr>
@ -398,3 +400,11 @@ if (!isset($config->auth_user_lang_editlock)) {
    <?php  helpbutton("text", get_string("helptext")) ?>
    </td>
 </tr>
 <tr>
    <td align="right"><?php  print_string("auth_shib_convert_data", "auth") ?>:</td>
    <td>
    <input name="shib_convert_data" type="text" size="30" value="<?php echo $config->shib_convert_data?>">
    </td>
    <td><?php  print_string("auth_shib_convert_data_description", "auth") ?></td>
    </td>
 </tr>
--- a/auth/shibboleth/index.php
+++ b/auth/shibboleth/index.php
@ -8,19 +8,12 @@
        redirect($CFG->wwwroot.'/index.php');
    }
-/// If shibboleth login is enforced, directly go to the authentication page
+    // Check whether Shibboleth is configured properly
-
+    if (empty($CFG->shib_user_attribute)) {
-	if ($CFG->auth == 'shibboleth' and !empty($CFG->auth_shib_only)) {
+        error('Shibboleth authentication (\'shib_user_attribute\') is not set up correctly. You probably haven\'t yet configured the Shibboleth authentication. Please consult the README in moodle/auth/shibboleth for further instructions on how to set up Shibboleth authentication.');
-        if (empty($CFG->shib_user_attribute)) {
+    }
            error('Shibboleth authentication (\'shib_user_attribute\') is not set up correctly. You probably haven\'t yet configured the Shibboleth authentication. Please consult the README in moodle/auth/shibboleth for further instructions on how to set up Shibboleth authentication.');
        }
        if (empty($_SERVER[$CFG->shib_user_attribute])) {
            error('Shibboleth authentication is not set up correctly (could not find $_SERVER[\''.$CFG->shib_user_attribute.'\']) or your moodle/auth/shibboleth/index.php is not protected by Shibboleth. Please consult the README in moodle/auth/shibboleth for further instructions on how to set up Shibboleth authentication.');
        }
 	}
 /// If we can find the Shibboleth attribute, save it in session and return to main login page
    if (!empty($_SERVER[$CFG->shib_user_attribute])) {    // Shibboleth auto-login
        $frm->username = $_SERVER[$CFG->shib_user_attribute];
        $frm->password = substr(base64_encode($_SERVER[$CFG->shib_user_attribute]),0,8);
--- a/auth/shibboleth/lib.php
+++ b/auth/shibboleth/lib.php
@ -3,13 +3,13 @@
 //28.10.2004 SHIBBOLETH Authentication functions v.0.1
 //Distributed under GPL (c)Markus Hagman 2004-
-function auth_user_login ($username, $password) {
+function auth_user_login($username, $password) {
    global $CFG;
 /// If we are in the shibboleth directory then we trust the server var
    if (!empty($_SERVER[$CFG->shib_user_attribute])) {
        return ($_SERVER[$CFG->shib_user_attribute] == $username);
-    }
+    }    
 /// If we are not, then the server is probably set to not be Shibboleth-only
 /// and the user has used the normal login screen, so we redirect to the shibboleth
@ -24,6 +24,16 @@ function auth_get_userinfo($username) {
 // reads user information from shibboleth attributes and return it in array()
    global $CFG;
    // Check whether we have got all the essential attributes
    if (
           empty($_SERVER[$CFG->shib_user_attribute])
        || empty($_SERVER[$CFG->auth_shib_user_firstname])
        || empty($_SERVER[$CFG->auth_shib_user_lastname])
        || empty($_SERVER[$CFG->auth_shib_user_email])
        ) {
        error("Moodle needs certain Shibboleth attributes which are not present in your case. The attributes are: '".$CFG->shib_user_attribute."' ('".$_SERVER[$CFG->shib_user_attribute]."'), '".$CFG->auth_shib_user_firstname."' ('".$_SERVER[$CFG->auth_shib_user_firstname]."'), '".$CFG->auth_shib_user_lastname."' ('".$_SERVER[$CFG->auth_shib_user_lastname]."') and '".$CFG->auth_shib_user_email."' ('".$_SERVER[$CFG->auth_shib_user_email]."')<br>Please contact your Identity Service Provider.");
    }
    $config = (array)$CFG;
    $attrmap = auth_shib_attributes();
@ -33,6 +43,20 @@ function auth_get_userinfo($username) {
    foreach ($attrmap as $key=>$value) {
        $result[$key]=utf8_decode($_SERVER[$value]);
    }
     // Provide an API to modify the information to fit the Moodle internal
    // data representation
    if (   
          $config["shib_convert_data"] 
          && $config["shib_convert_data"] != ''
          && file_exists($config["shib_convert_data"])
        ){
        // Include a custom file outside the Moodle dir to
        // modify the variable $moodleattributes
        include($config["shib_convert_data"]);
    }
    return $result;
 }
@ -52,6 +76,7 @@ function auth_shib_attributes (){
        }
    }
    $moodleattributes['username']=$config["shib_user_attribute"];
 	return $moodleattributes;
 }
 ?>
--- a/lang/en/auth.php
+++ b/lang/en/auth.php
@ -101,15 +101,16 @@ $string['auth_pop3mailbox'] = 'Name of the mailbox to attempt a connection with.
 $string['auth_pop3port'] = 'Server port (110 is the most common, 995 is common for SSL)';
 $string['auth_pop3title'] = 'Use a POP3 server';
 $string['auth_pop3type'] = 'Server type. If your server uses certificate security, choose pop3cert.';
-$string['auth_shibbolethdescription'] = 'Using this method users are created and authenticated using <a href=\"http://shibboleth.internet2.edu/\" target=\"_blank\">Shibboleth</a>';
+$string['auth_shibbolethdescription'] = 'Using this method users are created and authenticated using <a href=\"http://shibboleth.internet2.edu/\" target=\"_blank\">Shibboleth</a>.<br>Be sure to read the <a href=\"../auth/shibboleth/README.txt\" target=\"_blank\">README</a> for Shibboleth on how to set up your Moodle with Shibboleth';
 $string['auth_shibbolethtitle'] = 'Shibboleth';
 $string['auth_shibboleth_login'] = 'Shibboleth Login';
 $string['auth_shibboleth_manual_login'] = 'Manual Login';
 $string['auth_shib_settings'] = 'Be sure to read the <a href=\"../auth/shibboleth/README.txt\" target=\"_blank\">README</a> file for Shibboleth on how to set up your Moodle with Shibboleth';
 $string['auth_shib_only'] = 'Shibboleth only';
 $string['auth_shib_only_description'] = 'Check this option if a Shibboleth authentication shall be enforced';
 $string['auth_shib_username_description'] = 'Name of the webserver Shibboleth environment variable that shall be used as Moodle username';
 $string['auth_shib_instructions'] = 'Use the <a href=\"$a\">Shibboleth login</a> to get access via Shibboleth, if your institution supports it.<br />Otherwise, use the normal login form shown here.';
 $string['auth_shib_convert_data'] = 'Data modification API';
 $string['auth_shib_convert_data_description'] = 'You can use this API to further modify the data provided by Shibboleth. Read the <a href=\"../auth/shibboleth/README.txt\" target=\"_blank\">README</a> for further instructions.';
 $string['auth_shib_instructions_help'] = 'Here you should provide custom instructions for your users to explain Shibboleth.  It will be shown on the login page in the instructions section.  It should include a link to a Shibboleth-protected resource that redirects users to \"<b>$a</b>\" so that Shibboleth users can login in Moodle.  If you leave it blank, then standard instructions will be used (not Shibboleth-specific)';
 $string['auth_updatelocal'] = 'Update local data';
 $string['auth_updatelocal_expl'] = '<p><b>Update local data:</b> If enabled, the field will be updated (from external auth) every time the user logs in or there is a user synchronization. Fields set to update locally should be locked.</p>';