mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-01-18 05:58:34 +01:00
Code Issues Projects Releases Wiki Activity

- Added support for Shibboleth data conversion API

Browse Source 
- Shib auth now checks for the four essential variables
This commit is contained in:
exe-cutor 2005-05-13 15:10:40 +00:00
parent 185b692b68
commit 1b5ad83d2e
5 changed files with 101 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
auth/shibboleth/README.txt
View File

@ -97,7 +97,8 @@ You can use Shibboleth AND another authentication method (it was tested with
manual login only). So if there are a few users that don't have a Shibboleth
login, you could create manual accounts for them and they could use the manual
login. For other authentication methods you first have to configure them and
then set Shibboleth as your authentication method. Users can log in only via one authentication method unless they have two accounts in Moodle.
then set Shibboleth as your authentication method. Users can log in only via one
authentication method unless they have two accounts in Moodle.
Shibboleth dual login with custom login page
--------------------------------------------------------------------------------
@ -110,6 +111,57 @@ basically need a link to the Shibboleth-protected page
form that sends 'username' and 'password' to moodle/login/index.php.
Consult the Moodle documentation for further instructions and requirements.
How to customize the way the Shibboleth user data is used in ILIAS
--------------------------------------------------------------------------------
Among the Shibboleth settings in Moodle there is a field that should contain a
path to a php file that can be used as data manipulation API.
You can use this if you want to further process the way your Shibboleth
attributes are used in Moodle.
Example 1: Your Shibboleth federation uses an attribute that specifies the
user's preferred language, but the content of this attribute is not
compatible with the Moodle data representation, e.g. the Shibboleth
attribute contains 'German' but Moodle needs a two letter value like
'de'.
Example 2: The country, city and street are provided in one Shibboleth attribute
and you want these values to be used in the Moodle user profile. So
You have to parse the corresponding attribute to fill the user fields.
If you want to use this API you have to be a skilled PHP programmer. It is
strongly recommended that you take a look at the file
moodle/auth/shibboleth/lib.php, especially the function 'auth_get_userinfo'
where this API file is included.
The context of the API file is the same as within this login function. So you
can directly edit the object $result.
Example file:
--
<?PHP
// Set the zip code and the adress
if ($_SERVER[$CFG->auth_shib_user_address] != '')
{
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'
// We want to split this up to get:
// institution, street, zipcode, city and country
$address = $_SERVER[$CFG->auth_shib_user_address];
list($institution, $street, $zip_city) = split('\$', $address);
ereg(' (.+)',$zip_city, $regs);
$city = $regs[1];
ereg('(.+)-',$zip_city, $regs);
$country = $regs[1];
$result["address"] = $street;
$result["city"] = $city;
$result["country"] = $country;
$result["department"] = $institution;
}
?>
--
Bugs
--------------------------------------------------------------------------------
The current implementation has not yet been extensively tested. So there may be

16
auth/shibboleth/config.html
View File

@ -101,8 +101,10 @@ if (!isset($config->auth_user_lang_editlock)) {
?>
<tr>
<td colspan="3" align="center">
<?php print_string("auth_shib_settings", "auth") ?>
<td colspan="3" align="left">
<p>
<?php print_string("auth_shib_username_description", "auth") ?>
</p>
</td>
</tr>
<!--
@ -133,7 +135,7 @@ if (!isset($config->auth_user_lang_editlock)) {
<td>
<input name="shib_user_attribute" type="text" size="30" value="<?php echo $config->shib_user_attribute?>">
</td>
<td><?php print_string("auth_shib_username_description", "auth") ?></td>
<td></td>
</td>
</tr>
@ -398,3 +400,11 @@ if (!isset($config->auth_user_lang_editlock)) {
<?php helpbutton("text", get_string("helptext")) ?>
</td>
</tr>
<tr>
<td align="right"><?php print_string("auth_shib_convert_data", "auth") ?>:</td>
<td>
<input name="shib_convert_data" type="text" size="30" value="<?php echo $config->shib_convert_data?>">
</td>
<td><?php print_string("auth_shib_convert_data_description", "auth") ?></td>
</td>
</tr>

9
auth/shibboleth/index.php
View File

@ -8,19 +8,12 @@
redirect($CFG->wwwroot.'/index.php');
}
/// If shibboleth login is enforced, directly go to the authentication page
if ($CFG->auth == 'shibboleth' and !empty($CFG->auth_shib_only)) {
// Check whether Shibboleth is configured properly
if (empty($CFG->shib_user_attribute)) {
error('Shibboleth authentication (\'shib_user_attribute\') is not set up correctly. You probably haven\'t yet configured the Shibboleth authentication. Please consult the README in moodle/auth/shibboleth for further instructions on how to set up Shibboleth authentication.');
}
if (empty($_SERVER[$CFG->shib_user_attribute])) {
error('Shibboleth authentication is not set up correctly (could not find $_SERVER[\''.$CFG->shib_user_attribute.'\']) or your moodle/auth/shibboleth/index.php is not protected by Shibboleth. Please consult the README in moodle/auth/shibboleth for further instructions on how to set up Shibboleth authentication.');
}
}
/// If we can find the Shibboleth attribute, save it in session and return to main login page
if (!empty($_SERVER[$CFG->shib_user_attribute])) { // Shibboleth auto-login
$frm->username = $_SERVER[$CFG->shib_user_attribute];
$frm->password = substr(base64_encode($_SERVER[$CFG->shib_user_attribute]),0,8);

25
auth/shibboleth/lib.php
View File

@ -24,6 +24,16 @@ function auth_get_userinfo($username) {
// reads user information from shibboleth attributes and return it in array()
global $CFG;
// Check whether we have got all the essential attributes
if (
empty($_SERVER[$CFG->shib_user_attribute])
|| empty($_SERVER[$CFG->auth_shib_user_firstname])
|| empty($_SERVER[$CFG->auth_shib_user_lastname])
|| empty($_SERVER[$CFG->auth_shib_user_email])
) {
error("Moodle needs certain Shibboleth attributes which are not present in your case. The attributes are: '".$CFG->shib_user_attribute."' ('".$_SERVER[$CFG->shib_user_attribute]."'), '".$CFG->auth_shib_user_firstname."' ('".$_SERVER[$CFG->auth_shib_user_firstname]."'), '".$CFG->auth_shib_user_lastname."' ('".$_SERVER[$CFG->auth_shib_user_lastname]."') and '".$CFG->auth_shib_user_email."' ('".$_SERVER[$CFG->auth_shib_user_email]."')<br>Please contact your Identity Service Provider.");
}
$config = (array)$CFG;
$attrmap = auth_shib_attributes();
@ -33,6 +43,20 @@ function auth_get_userinfo($username) {
foreach ($attrmap as $key=>$value) {
$result[$key]=utf8_decode($_SERVER[$value]);
}
// Provide an API to modify the information to fit the Moodle internal
// data representation
if (
$config["shib_convert_data"]
&& $config["shib_convert_data"] != ''
&& file_exists($config["shib_convert_data"])
){
// Include a custom file outside the Moodle dir to
// modify the variable $moodleattributes
include($config["shib_convert_data"]);
}
return $result;
}
@ -52,6 +76,7 @@ function auth_shib_attributes (){
}
}
$moodleattributes['username']=$config["shib_user_attribute"];
return $moodleattributes;
}
?>

5
lang/en/auth.php
View File

@ -101,15 +101,16 @@ $string['auth_pop3mailbox'] = 'Name of the mailbox to attempt a connection with.
$string['auth_pop3port'] = 'Server port (110 is the most common, 995 is common for SSL)';
$string['auth_pop3title'] = 'Use a POP3 server';
$string['auth_pop3type'] = 'Server type. If your server uses certificate security, choose pop3cert.';
$string['auth_shibbolethdescription'] = 'Using this method users are created and authenticated using <a href=\"http://shibboleth.internet2.edu/\" target=\"_blank\">Shibboleth</a>';
$string['auth_shibbolethdescription'] = 'Using this method users are created and authenticated using <a href=\"http://shibboleth.internet2.edu/\" target=\"_blank\">Shibboleth</a>.<br>Be sure to read the <a href=\"../auth/shibboleth/README.txt\" target=\"_blank\">README</a> for Shibboleth on how to set up your Moodle with Shibboleth';
$string['auth_shibbolethtitle'] = 'Shibboleth';
$string['auth_shibboleth_login'] = 'Shibboleth Login';
$string['auth_shibboleth_manual_login'] = 'Manual Login';
$string['auth_shib_settings'] = 'Be sure to read the <a href=\"../auth/shibboleth/README.txt\" target=\"_blank\">README</a> file for Shibboleth on how to set up your Moodle with Shibboleth';
$string['auth_shib_only'] = 'Shibboleth only';
$string['auth_shib_only_description'] = 'Check this option if a Shibboleth authentication shall be enforced';
$string['auth_shib_username_description'] = 'Name of the webserver Shibboleth environment variable that shall be used as Moodle username';
$string['auth_shib_instructions'] = 'Use the <a href=\"$a\">Shibboleth login</a> to get access via Shibboleth, if your institution supports it.<br />Otherwise, use the normal login form shown here.';
$string['auth_shib_convert_data'] = 'Data modification API';
$string['auth_shib_convert_data_description'] = 'You can use this API to further modify the data provided by Shibboleth. Read the <a href=\"../auth/shibboleth/README.txt\" target=\"_blank\">README</a> for further instructions.';
$string['auth_shib_instructions_help'] = 'Here you should provide custom instructions for your users to explain Shibboleth. It will be shown on the login page in the instructions section. It should include a link to a Shibboleth-protected resource that redirects users to \"<b>$a</b>\" so that Shibboleth users can login in Moodle. If you leave it blank, then standard instructions will be used (not Shibboleth-specific)';
$string['auth_updatelocal'] = 'Update local data';
$string['auth_updatelocal_expl'] = '<p><b>Update local data:</b> If enabled, the field will be updated (from external auth) every time the user logs in or there is a user synchronization. Fields set to update locally should be locked.</p>';