
authentication: MDL-18116 Added Shibboleth logout handler URL, remove hard-coded strings to lang file, updated README

- Added a new setting logout_handler to the Shibboleth authentication settings
- Removed hard-coded strings in the configuration settings and replaced them with proper print_string expressions
- Added a logoutpage_hook function that (optionally) sends a user who clicks on the logout button to the Shibboleth logout handler after Moodle logout
- Updated README
1 parent ab478fe commit 08b51e7f13168cb7137e9787c9689d85052bb792 exe-cutor committed Feb 6, 2009
Showing with 71 additions and 21 deletions.
  1. +19 −10 auth/shibboleth/README.txt
  2. +23 −0 auth/shibboleth/auth.php
  3. +19 −9 auth/shibboleth/config.html
  4. +2 −1 auth/shibboleth/login.php
  5. +8 −1 lang/en_utf8/auth.php
29 auth/shibboleth/README.txt
@@ -21,6 +21,8 @@ Changes:
attributes on request of Markus Hagman
- 11. 2007: Integrated WAYF Service in Moodle
- 12. 2008: Shibboleth 2.x and Single Logout support added
+- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth
+ language files.
Moodle Configuration with Dual login
-------------------------------------------------------------------------------
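Review bot: the new changelog entry is dated "1. 2008" although it follows the "12. 2008" entry and this commit is dated Feb 2009; it should presumably read "1. 2009" (or "2. 2009") so the list stays chronological.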
@@ -41,16 +43,16 @@ Moodle Configuration with Dual login
For IIS you have protect the auth/shibboleth directory directly in the
RequestMap of the Shibboleth configuration file (shibboleth.xml). See
-
- https://spaces.internet2.edu/display/SHIB/xmlaccesscontrol?topic=XMLAccessControl
+ https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapper and
+ https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl
-2. As Moodle admin, go to the 'Administrations >> Users >> Authentication
- Options' and click on the the 'Shibboleth' settings.
+2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and
+ click on the the 'Shibboleth' settings.
3. Fill in the fields of the form. The fields 'Username', 'First name',
'Surname', etc. should contain the name of the environment variables of the
Shibboleth attributes that you want to map onto the corresponding Moodle
- variable (e.g. 'HTTP_SHIB_PERSON_SURNAME' for the person's last name, refer
+ variable (e.g. 'Shib-Person-surname' for the person's last name, refer
the Shibboleth documentation or the documentation of your Shibboleth
federation for information on which attributes are available).
Especially the 'Username' field is of great importance because
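Review bot: the duplicated word in "click on the the 'Shibboleth' settings" is carried over unchanged from the removed lines; since the sentence is being rewritten anyway, drop the second "the".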
@@ -73,14 +75,16 @@ Moodle Configuration with Dual login
to the the URL of the file 'moodle/auth/shibboleth/index.php'.
This will enforce Shibboleth login.
-4.b If you want to use the Moodle internal WAYF service, you have to activate it
+4.b If you want to use the Moodle integrated WAYF service, you have to activate it
in the Moodle Shibboleth authentication settings by checking the
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the
'Identity Providers' textarea together with a name and an optional
SessionInitiator URL, which usually is an absolute or relative URL pointing
to the same host. If no SessionInitiator URL is given, the default one
- '/Shibboleth.sso' will be used.
+ '/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For
+ Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.
Also see https://spaces.internet2.edu/display/SHIB/SessionInitiator
+ and https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator
Important Note: If you upgraded from a previous version of Moodle and now
want to use the integrated WAYF, you have to make sure that
@@ -228,8 +232,12 @@ recommended to use the following approach when upgrading the Service Provider:
3. After the SP upgrade, use this account to log into Moodle and adapt the
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect
the changed attribute names.
-4. Test the login with a Shibboleth account
-5. If all is working, disable manual authentication again
+ You find the attribute names in the file /etc/shibboleth/attribute-map.xml
+ listed as the 'id' value of an attribute definition.
+4. If you are using the integrated WAYF, you may have to set the third parameter
+ of each entry to '/Shibboleth.sso/DS'
+5. Test the login with a Shibboleth account
+6. If all is working, disable manual authentication again
********************************************************************************
How to add logout support
@@ -277,7 +285,8 @@ applications yet that were adapted to support front and back channel
logout. Hopefully, the Moodle logout helps to motivate the developers to
implement SLO :)
-Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues for some
+Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues and
+https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator for some
background information on this topic.
--------------------------------------------------------------------------------
23 auth/shibboleth/auth.php
@@ -183,6 +183,28 @@ function loginpage_hook() {
return;
}
+
+ /**
+ * Hook for logout page
+ *
+ */
+ function logoutpage_hook() {
+ global $redirect;
+
+ // Only do this if logout handler is defined
+ if (
+ isset($this->config->logout_handler)
+ && !empty($this->config->logout_handler)
+ ){
+ // Backup old redirect url
+ $temp_redirect = $redirect;
+
+ // Overwrite redirect in order to send user to Shibboleth logout page and let him return back
+ $redirect = $this->config->logout_handler.'?return='.urlencode($temp_redirect);
+ }
+ }
+
+
/**
* Prints a form for configuring this authentication plugin.
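Review bot: logoutpage_hook() builds the redirect as `$this->config->logout_handler.'?return='.urlencode($temp_redirect)`, which yields a malformed URL if an admin configures a handler that already carries a query string; either append with `?` or `&` depending on whether one is present, or state in the setting's help text that a bare path such as /Shibboleth.sso/Logout is expected. The `isset(...) && !empty(...)` test is redundant (empty() already covers the unset case), the `$temp_redirect` copy is unnecessary since the old value can be read directly in the expression, and the doc block should say that the hook relies on the global `$redirect` set by the caller and what it changes it to.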
@@ -243,6 +265,7 @@ function process_config($config) {
if (isset($config->organization_selection) && !empty($config->organization_selection)) {
set_config('organization_selection', $config->organization_selection, 'auth/shibboleth');
}
+ set_config('logout_handler', $config->logout_handler, 'auth/shibboleth');
set_config('login_name', $config->login_name, 'auth/shibboleth');
set_config('convert_data', $config->convert_data, 'auth/shibboleth');
set_config('auth_instructions', $config->auth_instructions, 'auth/shibboleth');
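Review bot: unlike the organization_selection line just above it, the new set_config() call stores `$config->logout_handler` without checking that the field was submitted (PHP notice when it is absent) and without any validation; because the saved value becomes a redirect target for every user who logs out, consider restricting it to a local path or URL before saving (e.g. clean_param() with PARAM_URL or PARAM_LOCALURL).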
28 auth/shibboleth/config.html
@@ -45,25 +45,25 @@
</tr>
<tr valign="top">
- <td align="right">Moodle WAYF Service:</td>
+ <td align="right"><?php print_string("auth_shib_integrated_wayf", "auth") ?>:</td>
<td>
<input name="alt_login" type="checkbox" <?php
if ( isset($config->alt_login) and $config->alt_login == 'on' ){
echo 'checked="checked"';
}
?> />
</td>
- <td>If you check this, Moodle will use its own WAYF service instead of the one configured for Shibboleth. Moodle will display a drop-down list on this alternative login page where the user has to select his Identity Provider.</td>
+ <td><?php print_string("auth_shib_integrated_wayf_description", "auth") ?></td>
</tr>
<tr valign="top">
- <td align="right">Identity Providers:</td>
+ <td align="right"><?php print_string("auth_shib_idp_list", "auth") ?>:</td>
<td>
<textarea name="organization_selection" rows="10" cols="30" style="overflow: auto; white-space: nowrap;"
><?php
if (!isset($config->organization_selection)){
echo 'urn:mace:organization1:providerID, Example Organization 1
-https://another.idp-id.com/shibboleth, Other Example Organization
+https://another.idp-id.com/shibboleth, Other Example Organization, /Shibboleth.sso/DS/SWITCHaai
urn:mace:organization2:providerID, Example Organization 2, /Shibboleth.sso/WAYF/SWITCHaai';
} else {
echo $config->organization_selection;
@@ -78,13 +78,23 @@
}
?>
</td>
- <td>Provide a list of Identity Provider entityIDs to let the user choose from on the login page.
-On each line there must be a comma-separated tuple for entityID of the IdP (see the Shibboleth metadata file) and Name of IdP as it shall be displayed in the drow-down list.
-As an optional third parameter you can add the location of a Shibboleth session initiator that shall be used in case your Moodle installation is part of a multi federation setup.</td>
+ <td><?php print_string("auth_shib_idp_list_description", "auth") ?></td>
</tr>
<tr valign="top">
- <td align="right">Authentication Method Name:</td>
+ <td align="right"><?php print_string("auth_shib_logout_url", "auth") ?>:</td>
+ <td>
+ <input name="logout_handler" type="text" size="30" value="<?php
+ if ( isset($config->logout_handler) and !empty($config->logout_handler)){
+ echo $config->logout_handler;
+ }
+ ?>" />
+ </td>
+ <td><?php print_string("auth_shib_logout_url_description", "auth") ?></td>
+</tr>
+
+<tr valign="top">
+ <td align="right"><?php print_string("auth_shib_auth_method", "auth") ?>:</td>
<td>
<input name="login_name" type="text" size="30" value="<?php
if ( isset($config->login_name) and !empty($config->login_name)){
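Review bot: the new logout_handler text input echoes `$config->logout_handler` straight into the value attribute without escaping, so a stored value containing a double quote breaks out of the attribute; wrap it in s() so the admin-entered string is HTML-escaped. The `isset(...) and !empty(...)` guard can also be reduced to `!empty(...)`.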
@@ -94,7 +104,7 @@
}
?>" />
</td>
- <td>Provide a name for the Shibboleth authentication method that is familiar to your users. This could be the name of your Shibboleth federation, e.g. "SWITCHaai Login" or "InCommon Login" and so on.</td>
+ <td><?php print_string("auth_shib_auth_method_description", "auth") ?></td>
</tr>
<tr valign="top">
3 auth/shibboleth/login.php
@@ -1,6 +1,5 @@
<?php // $Id$
-
require_once("../../config.php");
require_once($CFG->dirroot."/auth/shibboleth/auth.php");
@@ -61,6 +60,8 @@
if (isset($IdPs[$selectedIdP][1]) && !empty($IdPs[$selectedIdP][1])){
header('Location: '.$IdPs[$selectedIdP][1].'?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
} else {
+ // TODO: This has to be changed to /Shibboleth.sso/DS?entityId= for
+ // Shibbolet 2.x sometime...
header('Location: /Shibboleth.sso?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
}
} elseif (isset($_POST['idp']) && !isset($IdPs[$_POST['idp']])) {
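Review bot: typo "Shibbolet" in the new TODO comment. Since the README in this same commit documents that the '/Shibboleth.sso' fallback only works for Shibboleth 1.3.x and that 2.x deployments must supply '/Shibboleth.sso/DS' as the SessionInitiator, the comment should reference that (the fallback only applies to entries without a third parameter) so the TODO is not read as a pending silent change for already configured IdPs.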
9 lang/en_utf8/auth.php
@@ -346,10 +346,17 @@
$string['auth_shibboleth_select_member'] = 'I\'m a member of ...';
$string['auth_shibboleth_errormsg'] ='Please select the organization you are member of!';
$string['auth_shib_no_organizations_warning'] ='If you want to use the integrated WAYF service, you must provide a coma-separated list of Identity Provider entityIDs, their names and optionally a session initiator.';
-
$string['shib_not_set_up_error'] = 'Shibboleth authentication doesn\'t seem to be set up correctly because no Shibboleth environment variables are present for this page. Please consult the <a href=\"README.txt\">README</a> for further instructions on how to set up Shibboleth authentication or contact the webmaster of this Moodle installation.';
$string['shib_no_attributes_error'] = 'You seem to be Shibboleth authenticated but Moodle didn\'t receive any user attributes. Please check that your Identity Provider releases the necessary attributes ($a) to the Service Provider Moodle is running on or inform the webmaster of this server.';
$string['shib_not_all_attributes_error'] = 'Moodle needs certain Shibboleth attributes which are not present in your case. The attributes are: $a<br />Please contact the webmaster of this server or your Identity Provider.';
+$string['auth_shib_integrated_wayf'] = 'Moodle WAYF Service';
+$string['auth_shib_integrated_wayf_description'] = 'If you check this, Moodle will use its own WAYF service instead of the one configured for Shibboleth. Moodle will display a drop-down list on this alternative login page where the user has to select his Identity Provider.';
+$string['auth_shib_idp_list'] = 'Identity Providers';
+$string['auth_shib_idp_list_description'] = 'Provide a list of Identity Provider entityIDs to let the user choose from on the login page.<br>On each line there must be a comma-separated tuple for entityID of the IdP (see the Shibboleth metadata file) and Name of IdP as it shall be displayed in the drow-down list.<br>As an optional third parameter you can add the location of a Shibboleth session initiator that shall be used in case your Moodle installation is part of a multi federation setup.';
+$string['auth_shib_logout_url'] = 'Shibboleth Service Provider logout handler URL';
+$string['auth_shib_logout_url_description'] = 'Provide the URL to the Shibboleth Service Provider logout handler. This typically is <tt>/Shibboleth.sso/Logout</tt>';
+$string['auth_shib_auth_method'] = 'Authentication Method Name';
+$string['auth_shib_auth_method_description'] = 'Provide a name for the Shibboleth authentication method that is familiar to your users. This could be the name of your Shibboleth federation, e.g. <tt>SWITCHaai Login</tt> or <tt>InCommon Login</tt> or similar.';
$string['auth_updatelocal'] = 'Update local';
$string['auth_updatelocal_expl'] = '<p><b>Update local:</b> If enabled, the field will be updated (from external auth) every time the user logs in or there is a user synchronization. Fields set to update locally should be locked.</p>';
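Review bot: the moved description strings carry the typo "drow-down" over from config.html, and auth_shib_idp_list_description uses `<br>` while the neighbouring strings (e.g. shib_not_all_attributes_error) use `<br />`; fix the typo and use the XHTML form consistently. The new auth_shib_* strings are also placed after the shib_* error strings rather than beside the existing auth_shib_* entries above them; grouping them would make the file easier to scan.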
