Shibboleth authentication: Merging fix MDL-18538 and changes from MDL-18116
This commit is contained in:
parent
f24222e2a2
commit
c49e414b79
@ -21,6 +21,8 @@ Changes:
|
||||
attributes on request of Markus Hagman
|
||||
- 11. 2007: Integrated WAYF Service in Moodle
|
||||
- 12. 2008: Shibboleth 2.x and Single Logout support added
|
||||
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth
|
||||
language files.
|
||||
|
||||
Moodle Configuration with Dual login
|
||||
-------------------------------------------------------------------------------
|
||||
@ -41,16 +43,16 @@ Moodle Configuration with Dual login
|
||||
|
||||
For IIS you have protect the auth/shibboleth directory directly in the
|
||||
RequestMap of the Shibboleth configuration file (shibboleth.xml). See
|
||||
|
||||
https://spaces.internet2.edu/display/SHIB/xmlaccesscontrol?topic=XMLAccessControl
|
||||
https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapper and
|
||||
https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl
|
||||
|
||||
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication
|
||||
Options' and click on the the 'Shibboleth' settings.
|
||||
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and
|
||||
click on the the 'Shibboleth' settings.
|
||||
|
||||
3. Fill in the fields of the form. The fields 'Username', 'First name',
|
||||
'Surname', etc. should contain the name of the environment variables of the
|
||||
Shibboleth attributes that you want to map onto the corresponding Moodle
|
||||
variable (e.g. 'HTTP_SHIB_PERSON_SURNAME' for the person's last name, refer
|
||||
variable (e.g. 'Shib-Person-surname' for the person's last name, refer
|
||||
the Shibboleth documentation or the documentation of your Shibboleth
|
||||
federation for information on which attributes are available).
|
||||
Especially the 'Username' field is of great importance because
|
||||
@ -73,14 +75,16 @@ Moodle Configuration with Dual login
|
||||
to the the URL of the file 'moodle/auth/shibboleth/index.php'.
|
||||
This will enforce Shibboleth login.
|
||||
|
||||
4.b If you want to use the Moodle internal WAYF service, you have to activate it
|
||||
4.b If you want to use the Moodle integrated WAYF service, you have to activate it
|
||||
in the Moodle Shibboleth authentication settings by checking the
|
||||
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the
|
||||
'Identity Providers' textarea together with a name and an optional
|
||||
SessionInitiator URL, which usually is an absolute or relative URL pointing
|
||||
to the same host. If no SessionInitiator URL is given, the default one
|
||||
'/Shibboleth.sso' will be used.
|
||||
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For
|
||||
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.
|
||||
Also see https://spaces.internet2.edu/display/SHIB/SessionInitiator
|
||||
and https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator
|
||||
|
||||
Important Note: If you upgraded from a previous version of Moodle and now
|
||||
want to use the integrated WAYF, you have to make sure that
|
||||
@ -228,8 +232,12 @@ recommended to use the following approach when upgrading the Service Provider:
|
||||
3. After the SP upgrade, use this account to log into Moodle and adapt the
|
||||
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect
|
||||
the changed attribute names.
|
||||
4. Test the login with a Shibboleth account
|
||||
5. If all is working, disable manual authentication again
|
||||
You find the attribute names in the file /etc/shibboleth/attribute-map.xml
|
||||
listed as the 'id' value of an attribute definition.
|
||||
4. If you are using the integrated WAYF, you may have to set the third parameter
|
||||
of each entry to '/Shibboleth.sso/DS'
|
||||
5. Test the login with a Shibboleth account
|
||||
6. If all is working, disable manual authentication again
|
||||
********************************************************************************
|
||||
|
||||
How to add logout support
|
||||
@ -277,7 +285,8 @@ applications yet that were adapted to support front and back channel
|
||||
logout. Hopefully, the Moodle logout helps to motivate the developers to
|
||||
implement SLO :)
|
||||
|
||||
Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues for some
|
||||
Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues and
|
||||
https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator for some
|
||||
background information on this topic.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
@ -183,6 +183,28 @@ class auth_plugin_shibboleth extends auth_plugin_base {
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
/**
|
||||
* Hook for logout page
|
||||
*
|
||||
*/
|
||||
function logoutpage_hook() {
|
||||
global $redirect;
|
||||
|
||||
// Only do this if logout handler is defined
|
||||
if (
|
||||
isset($this->config->logout_handler)
|
||||
&& !empty($this->config->logout_handler)
|
||||
){
|
||||
// Backup old redirect url
|
||||
$temp_redirect = $redirect;
|
||||
|
||||
// Overwrite redirect in order to send user to Shibboleth logout page and let him return back
|
||||
$redirect = $this->config->logout_handler.'?return='.urlencode($temp_redirect);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Prints a form for configuring this authentication plugin.
|
||||
@ -243,17 +265,23 @@ class auth_plugin_shibboleth extends auth_plugin_base {
|
||||
if (isset($config->organization_selection) && !empty($config->organization_selection)) {
|
||||
set_config('organization_selection', $config->organization_selection, 'auth/shibboleth');
|
||||
}
|
||||
set_config('logout_handler', $config->logout_handler, 'auth/shibboleth');
|
||||
set_config('login_name', $config->login_name, 'auth/shibboleth');
|
||||
set_config('convert_data', $config->convert_data, 'auth/shibboleth');
|
||||
set_config('auth_instructions', $config->auth_instructions, 'auth/shibboleth');
|
||||
set_config('changepasswordurl', $config->changepasswordurl, 'auth/shibboleth');
|
||||
|
||||
// Overwrite alternative login URL if integrated WAYF is used
|
||||
if (isset($config->alt_login) && $config->alt_login == 'on'){
|
||||
set_config('alt_login', $config->alt_login, 'auth/shibboleth');
|
||||
set_config('alternateloginurl', $CFG->wwwroot.'/auth/shibboleth/login.php');
|
||||
} else {
|
||||
set_config('alt_login', 'off', 'auth/shibboleth');
|
||||
set_config('alternateloginurl', '');
|
||||
// Check if integrated WAYF was enabled and is now turned off
|
||||
// If it was and only then, reset the Moodle alternate URL
|
||||
if ($this->config->alt_login == 'on'){
|
||||
set_config('alt_login', 'off', 'auth/shibboleth');
|
||||
set_config('alternateloginurl', '');
|
||||
}
|
||||
$config->alt_login = 'off';
|
||||
}
|
||||
|
||||
|
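Review bot: `$redirect = $this->config->logout_handler.'?return='.urlencode($temp_redirect);` in logoutpage_hook assumes the configured logout handler carries no query string, so a handler value that already contains `?` produces a URL with two `?` and a `return` parameter the Shibboleth SP will not parse. Pick the separator first, `$separator = (strpos($this->config->logout_handler, '?') === false) ? '?' : '&';`, and then build `$redirect = $this->config->logout_handler.$separator.'return='.urlencode($temp_redirect);`. The guard `isset(...) && !empty(...)` is redundant because `empty()` already treats an unset property as empty, so `if (!empty($this->config->logout_handler)) {` says the same thing in one line. The docblock could also state that the hook rewrites the global `$redirect` so the logout page sends the browser to the admin-configured Shibboleth logout handler, which is expected to send the user back to the original redirect target.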
@ -1,6 +1,5 @@
|
||||
<?php // $Id$
|
||||
|
||||
|
||||
require_once("../../config.php");
|
||||
require_once($CFG->dirroot."/auth/shibboleth/auth.php");
|
||||
|
||||
@ -61,6 +60,8 @@ httpsrequired();
|
||||
if (isset($IdPs[$selectedIdP][1]) && !empty($IdPs[$selectedIdP][1])){
|
||||
header('Location: '.$IdPs[$selectedIdP][1].'?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
|
||||
} else {
|
||||
// TODO: This has to be changed to /Shibboleth.sso/DS?entityId= for
|
||||
// Shibbolet 2.x sometime...
|
||||
header('Location: /Shibboleth.sso?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
|
||||
}
|
||||
} elseif (isset($_POST['idp']) && !isset($IdPs[$_POST['idp']])) {
|
||||
|
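Review bot: The new TODO ending in `// Shibbolet 2.x sometime...` misspells Shibboleth and says less than the README hunk in this same commit, which already tells admins that `/Shibboleth.sso` only works for 1.3.x and that 2.x needs `/Shibboleth.sso/DS` as the IdP's SessionInitiator; the comment should point there, e.g. `// Default SessionInitiator, valid for Shibboleth 1.3.x only; for 2.x configure '/Shibboleth.sso/DS' as the IdP's SessionInitiator (see README).` Only `$selectedIdP` values that exist as keys in the admin-configured `$IdPs` list appear to reach the `header('Location: ...')` calls, judging from the `isset($IdPs[$_POST['idp']])` test on the elseif, which is the right design for a redirect built from request data, but that guard sits outside this hunk and is worth confirming. Neither header() call is followed by an `exit` inside the hunk, and the if/elseif chain continues past `} elseif (isset($_POST['idp']) ...`, so whether the script stops after emitting the redirect depends on code outside this hunk.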