Merging authentication changes back to head
exe-cutor committed Mar 9, 2007
1 parent 0e9d0c0 commit 3ea2876
Showing 4 changed files with 85 additions and 44 deletions.
37 changes: 19 additions & 18 deletions auth/shibboleth/README.txt
Expand Up @@ -15,7 +15,7 @@ Changes:
- 02. 2006: Simplified authentication so that authorization works properly
Added instructions for IIS
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+

- 03. 2007: Adapted authentication method to Moodle 1.8

Moodle Configuration with Dual login
-------------------------------------------------------------------------------
Expand All @@ -36,10 +36,11 @@ Moodle Configuration with Dual login

For IIS you have protect the auth/shibboleth directory directly in the
RequestMap of the Shibboleth configuration file (shibboleth.xml). See
https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/xmlaccesscontrol?topic=XMLAccessControl

https://spaces.internet2.edu/display/SHIB/xmlaccesscontrol?topic=XMLAccessControl

2. As Moodle admin, go to the 'Administrations >> Users >> Authentication
Options' and select the 'Shibboleth' authentication method from the pop-up.
Options' and click on the the 'Shibboleth' settings.

3. Fill in the fields of the form. The fields 'Username', 'First name',
'Surname', etc should contain the name of the environment variables of the
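Review bot: the rewritten step 2 line `Options' and click on the the 'Shibboleth' settings.` doubles "the"; drop one. The replacement link `https://spaces.internet2.edu/display/SHIB/xmlaccesscontrol?topic=XMLAccessControl` keeps the `?topic=XMLAccessControl` query string from the old ohio-state TWiki URL, which looks like a copy-over from the removed line; check that the Internet2 wiki page actually resolves with it.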
Expand All @@ -60,30 +61,30 @@ Moodle Configuration with Dual login
lengths for each field in the user profile.
#############################################################################

4. The large text field 'Instructions' must contain a link to the
moodle/auth/shibboleth/index.php file which is protected by
Shibboleth (see step 1) and causes the Shibboleth login procedure to start.
You could also use HTML code in that field, e.g. to create your own
Shibboleth login button.
4. Save the changes for the 'Shibboleth settings'.

5. Save the changes for the Shibboleth authentication method.
5.a If you want Shibboleth as your only authentication method, set the
'Alternate Login URL' in the 'Common settings' in
'Administrations >> Users >> Authentication Options' to the the URL of the
file 'moodle/auth/shibboleth/index.php'. This will enforce Shibboleth login.

Moodle Configuration with Shibboleth only login
-------------------------------------------------------------------------------
If you want Shibboleth as your only authentication method, configure Moodle as
described in the dual login section above and do the following steps:
6.b If you want to use another authentication method together with Shibboleth,
in parallel, change the 'Instructions' in the 'Common settings' of the
'Administrations >> Users >> Authentication Options' to contain a link to the
moodle/auth/shibboleth/index.php file which is protected by
Shibboleth (see step 1) and causes the Shibboleth login procedure to start.
You can also use HTML code in that field, e.g. to include an image as a
Shibboleth login button.

4.a On the Moodle Shibboleth settings page, set the 'Alternate Login URL' to
the URL of the file 'moodle/auth/shibboleth/index.php'
This will enforce Shibboleth login.
7. Save the changes for the 'Common settings'.

How the Shibboleth authentication works
--------------------------------------------------------------------------------
To get Shibboleth authenticated in Moodle a user basically must access the
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only
authentication method (see 4.a), this happens automatically when a user wants to
authentication method (see 5.a), this happens automatically when a user wants to
login in Moodle. Otherwise, the user has to click on the link on the login page
you provided in step 4.
you provided in step 5.b.

Moodle basically checks whether the Shibboleth attribute that you mapped
as the username is present. This attribute should only be present if a user is
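Review bot: the step numbering in this hunk no longer matches the cross-references below it: the parallel-login instructions are labelled `6.b If you want to use another authentication method together with Shibboleth,` but the explanatory section says `you provided in step 5.b.`, and there is no 6.a; either relabel 6.b as 5.b or fix the reference. The heading `Moodle Configuration with Shibboleth only login`, whose lead-in says to "do the following steps", now sits between 5.a (the Shibboleth-only case, which precedes it) and 6.b (the dual-login case, which follows it), so the section is misleading and should be removed or moved above 5.a. The line `'Administrations >> Users >> Authentication Options' to the the URL of the` also doubles "the".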
51 changes: 36 additions & 15 deletions auth/shibboleth/auth.php
@@ -1,21 +1,23 @@
<?php
/**
* @author Martin Dougiamas
* @author Lukas Haemmerle
* @license http://www.gnu.org/copyleft/gpl.html GNU Public License
* @package moodle multiauth
*
* Authentication Plugin: Shibboleth Authentication
*
* Authentication using Shibboleth.
*
* 10.2004 SHIBBOLETH Authentication functions v.0.1
* 05.2005 Various extensions and fixes by Lukas Haemmerle
* 10.2005 Added better error messags
* 05.2006 Added better handling of mutli-valued attributes
* Distributed under GPL (c)Markus Hagman 2004-2006
*
* 10.2004 SHIBBOLETH Authentication functions v.0.1
* 05.2005 Various extensions and fixes by Lukas Haemmerle
* 10.2005 Added better error messags
* 05.2006 Added better handling of mutli-valued attributes
* 2006-08-28 File created, code imported from lib.php
* 2006-10-27 Upstream 1.7 changes merged in, added above credits from lib.php :-)
* 2007-03-09 Fixed authentication but may need some other changes
*/

if (!defined('MOODLE_INTERNAL')) {
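Review bot: the credits block re-added here carries over two typos from the removed lines, `10.2005 Added better error messags` and `05.2006 Added better handling of mutli-valued attributes`; since these lines are being rewritten anyway, correct them to "messages" and "multi-valued".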
Expand Down Expand Up @@ -48,28 +50,37 @@ function auth_plugin_shibboleth() {
* @return bool Authentication success or failure.
*/
function user_login($username, $password) {

// If we are in the shibboleth directory then we trust the server var
if (!empty($_SERVER[$config->user_attribute])) {
return ($_SERVER[$config->user_attribute] == $username);
if (!empty($_SERVER[$this->config->user_attribute])) {
return ($_SERVER[$this->config->user_attribute] == $username);
} else {
// If we are not, the user has used the manual login and the login name is
// unknown, so we return false.
return false;
}
}



/**
* Returns the user information for 'external' users. In this case the
* attributes provided by Shibboleth
*
* @return array $result Associative array of user data
*/
function get_userinfo($username) {
// reads user information from shibboleth attributes and return it in array()
global $CFG;

// Check whether we have got all the essential attributes
if (
empty($_SERVER[$config->user_attribute])
|| empty($_SERVER[$config->field_map_firstname])
|| empty($_SERVER[$config->field_map_lastname])
|| empty($_SERVER[$config->field_map_email])
empty($_SERVER[$this->config->user_attribute])
|| empty($_SERVER[$this->config->field_map_firstname])
|| empty($_SERVER[$this->config->field_map_lastname])
|| empty($_SERVER[$this->config->field_map_email])
) {
error(get_string( 'shib_not_all_attributes_error', 'auth' , "'".$config->user_attribute."' ('".$_SERVER[$config->user_attribute]."'), '".$config->field_map_firstname."' ('".$_SERVER[$config->field_map_firstname]."'), '".$config->field_map_lastname."' ('".$_SERVER[$config->field_map_lastname]."') and '".$config->field_map_email."' ('".$_SERVER[$config->field_map_email]."')"));
error(get_string( 'shib_not_all_attributes_error', 'auth' , "'".$this->config->user_attribute."' ('".$_SERVER[$this->config->user_attribute]."'), '".$this->config->field_map_firstname."' ('".$_SERVER[$this->config->field_map_firstname]."'), '".$this->config->field_map_lastname."' ('".$_SERVER[$this->config->field_map_lastname]."') and '".$this->config->field_map_email."' ('".$_SERVER[$this->config->field_map_email]."')"));
}

$attrmap = $this->get_attributes();
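Review bot: `return ($_SERVER[$this->config->user_attribute] == $username);` compares the Shibboleth-supplied attribute to the submitted username with PHP's loose `==`, under which numeric-looking strings compare by value ("1e3" equals "1000"); use `===` so that only an identical username is accepted. The `$config` to `$this->config` change itself is the right fix: the bare `$config` was undefined inside these methods, so `empty($_SERVER[$config->user_attribute])` was always true and user_login() could never succeed. The error() call in get_userinfo() also interpolates the raw `$_SERVER` attribute values into the message; unless error() escapes its argument, pass them through htmlspecialchars() before building the string.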
Expand All @@ -84,14 +95,14 @@ function get_userinfo($username) {
// Provide an API to modify the information to fit the Moodle internal
// data representation
if (
$config->convert_data
&& $config->convert_data != ''
&& is_readable($config->convert_data)
$this->config->convert_data
&& $this->config->convert_data != ''
&& is_readable($this->config->convert_data)
) {

// Include a custom file outside the Moodle dir to
// modify the variable $moodleattributes
include($config->convert_data);
include($this->config->convert_data);
}

return $result;
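Review bot: the condition `$this->config->convert_data && $this->config->convert_data != ''` is redundant, since the first truthiness test already rejects the empty string; `!empty($this->config->convert_data) && is_readable($this->config->convert_data)` says the same thing. The comment above the include tells admins the custom file should `modify the variable $moodleattributes`, yet the function returns `$result`; align the comment with the variable the included file is actually expected to change, and state there that convert_data is executed as PHP with the application's full privileges, so the path must point to an admin-controlled file.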
Expand Down Expand Up @@ -151,6 +162,9 @@ function config_form($config, $err, $user_fields) {

/**
* Processes and stores configuration data for this authentication plugin.
*
*
* @param object $config Configuration object
*/
function process_config($config) {
// set to defaults if undefined
Expand All @@ -173,11 +187,18 @@ function process_config($config) {
set_config('auth_instructions', $config->auth_instructions, 'auth/shibboleth');
set_config('changepasswordurl', $config->changepasswordurl, 'auth/shibboleth');

// Check values and return false if something is wrong
if (!file_exists($config->convert_data) || !is_readable($config->convert_data)){
return false;
}

return true;
}

/**
* Cleans and returns first of potential many values (multi-valued attributes)
*
* @param string $string Possibly multi-valued attribute from Shibboleth
*/
function get_first_string($string) {
$list = split( ';', $string);
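Review bot: the new check `if (!file_exists($config->convert_data) || !is_readable($config->convert_data)){ return false; }` runs after every set_config() call, so an unusable path has already been persisted by the time false is returned; validate first and store only on success. It also makes convert_data mandatory: the setting is optional in get_userinfo(), but an empty value here makes file_exists('') fail and process_config() return false, so the settings form can no longer be saved without a conversion file. Skip the check when the value is empty.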
10 changes: 9 additions & 1 deletion auth/shibboleth/config.html
Expand Up @@ -27,20 +27,27 @@
<td><?php print_string("auth_shib_username_description", "auth") ?></td>
</tr>

<!--
This is kind of obsolete because the login instructions are now centralized
On the other hand it would be great for Shibboleth to have seperate login
instructions
-->
<!--
<tr valign="top">
<td align="right"><?php print_string("instructions", "auth") ?>:</td>
<td>
<textarea name="auth_instructions" cols="30" rows="10" wrap="virtual"><?php p($config->auth_instructions) ?></textarea>
</td>
<td>
<?php

print_string("auth_shib_instructions_help", "auth", htmlspecialchars($CFG->wwwroot.'/auth/shibboleth/index.php'));
helpbutton("text", get_string("helptext"));
?>
</td>
</tr>
-->

<tr valign="top">
<td align="right"><?php print_string("auth_shib_convert_data", "auth") ?>:</td>
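Review bot: wrapping the instructions row in an HTML comment does not stop the PHP inside it from executing, so `<textarea name="auth_instructions" cols="30" rows="10" wrap="virtual"><?php p($config->auth_instructions) ?></textarea>` and the print_string()/helpbutton() calls still run and their output is emitted into the page source inside the comment. If the row is obsolete, delete it or enclose the block in a PHP block comment so it is never processed. Also "seperate" in the explanatory comment should be "separate".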
Expand All @@ -59,6 +66,7 @@
<td><?php print_string("auth_shib_convert_data_description", "auth") ?></td>
</tr>


<tr valign="top">
<td align="right"><?php print_string('auth_shib_changepasswordurl', 'auth') ?>: </td>
<td>
31 changes: 21 additions & 10 deletions auth/shibboleth/index.php
Expand Up @@ -2,7 +2,6 @@
// Designed to be redirected from moodle/login/index.php

require('../../config.php');
require('lib.php');

if (isloggedin() && $USER->username != 'guest') { // Nothing to do
if (isset($SESSION->wantsurl) and (strpos($SESSION->wantsurl, $CFG->wwwroot) === 0)) {
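Review bot: dropping `require('lib.php');` is fine only if every helper this page still calls is now provided by core or by the plugin class obtained from get_auth_plugin('shibboleth'); confirm that nothing further down in index.php (the part not shown here) still references a function from lib.php.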
Expand All @@ -18,7 +17,8 @@
}

$pluginconfig = get_config('auth/shibboleth');

$shibbolethauth = get_auth_plugin('shibboleth');

// Check whether Shibboleth is configured properly
if (empty($pluginconfig->user_attribute)) {
error(get_string( 'shib_not_set_up_error', 'auth'));
Expand All @@ -33,17 +33,22 @@

/// Check if the user has actually submitted login data to us

if ($user = authenticate_user_login($frm->username, $frm->password)) {

// Let's get them all set up.
$USER = $user;

add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID, $USER->id, 0, $USER->id);

if ($shibbolethauth->user_login($frm->username, $frm->password)) {
$USER = authenticate_user_login($frm->username, $frm->password);

$USER->loggedin = true;
$USER->site = $CFG->wwwroot; // for added security, store the site in the
update_user_login_times();
set_moodle_cookie($USER->username);
set_login_session_preferences();


unset($SESSION->lang);
$SESSION->justloggedin = true;

add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID, $USER->id, 0, $USER->id);

if (user_not_fully_set_up($USER)) {
$urltogo = $CFG->wwwroot.'/user/edit.php?id='.$USER->id.'&amp;course='.SITEID;
// We don't delete $SESSION->wantsurl yet, so we get there later
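Review bot: the return value of authenticate_user_login() is no longer checked. The removed code gated the session setup on `if ($user = authenticate_user_login($frm->username, $frm->password)) {`, whereas the new `$USER = authenticate_user_login($frm->username, $frm->password);` runs unconditionally once user_login() has matched the attribute; if authenticate_user_login() returns false (user record could not be created, account deleted or not permitted), `$USER->loggedin = true;`, set_moodle_cookie() and later load_all_capabilities() operate on a non-object and the page proceeds as if a login had happened. Keep the result check, either by nesting the session setup inside `if ($USER = authenticate_user_login(...))` as before or by calling error() when it returns false.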
Expand All @@ -67,6 +72,12 @@
load_all_capabilities(); /// This is what lets the user do anything on the site :-)

redirect($urltogo);

exit;
}

else {
// For some weird reason the Shibboleth user couldn't be authenticated
}
}

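Review bot: the new `else { // For some weird reason the Shibboleth user couldn't be authenticated }` branch is empty, so a failed user_login() falls through silently with no message to the user and no log entry. Report the failure with error() and a dedicated language string, and record the attempt so operators can spot attribute mismatches between the SP and the configured user_attribute. Stylistically, the blank line between the closing `}` and `else` should go.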
