
MDL-18597 Merging from STABLE

1 parent 1f46501 commit ad9f023c64b6df6cae232b6cfeb87a85931ca838 exe-cutor committed Mar 18, 2009
Showing with 218 additions and 164 deletions.
  1. +23 −5 auth/shibboleth/README.txt
  2. +12 −2 auth/shibboleth/auth.php
  3. +31 −9 auth/shibboleth/config.html
  4. +3 −3 auth/shibboleth/login.php
  5. +149 −145 auth/shibboleth/logout.php
@@ -2,8 +2,8 @@ Shibboleth Authentication for Moodle
-------------------------------------------------------------------------------
Requirements:
-- Shibboleth target 1.1 or later. See documentation for your Shibboleth
- federation on how to set up Shibboleth.
+- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.
+ See documentation for your Shibboleth federation on how to set up Shibboleth.
Changes:
- 11. 2004: Created by Markus Hagman
@@ -23,6 +23,8 @@ Changes:
- 12. 2008: Shibboleth 2.x and Single Logout support added
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth
language files.
+- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from
+ university Tuebingen and Peter Ellis of University of Washington
Moodle Configuration with Dual login
-------------------------------------------------------------------------------
@@ -42,7 +44,20 @@ Moodle Configuration with Dual login
with something that fits your needs, e.g. 'require affiliation student'.
For IIS you have protect the auth/shibboleth directory directly in the
- RequestMap of the Shibboleth configuration file (shibboleth.xml). See
+ RequestMap of the Shibboleth configuration file (shibboleth.xml or
+ shibboleth2.xml).
+
+--
+<Path name="moodle" requireSession="false" >
+ <Path name="auth/shibboleth/index.php" requireSession="true" >
+ <AccessControl>
+ ...
+ </AccessControl>
+ </Path>
+</Path>
+--
+
+ Also see:
https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapper and
https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl
@@ -274,10 +289,13 @@ Shibboleth installation). If everything worked well, you should see a Shibboleth
page saying that you were successfully logged out and if you go back to Moodle
you also should be logged out from Moodle.
+Requirements:
+- PHP needs the Soap Extension, which maybe must installed manually:
+ More information is available here http://ch.php.net/soap
+- Logout only works with Shibboleth Service Provider 2.1 or higher
Limitations:
-Single Logout is only supported with SAML2 and so far only with the Shibboleth
-Service Provider 2.x.
+Single Logout is only supported when SAML2 is used at the SP and the IdP.
As of December 2008, the Shibboleth Identity Provider 2.1.1 does not yet support
Single Logout (SLO). Therefore, the single logout feature cannot be used yet.
One of the reasons why SLO isn't supported yet is because there aren't many
@@ -196,8 +196,17 @@ function logoutpage_hook() {
isset($this->config->logout_handler)
&& !empty($this->config->logout_handler)
){
- // Backup old redirect url
- $temp_redirect = $redirect;
+ // Check if there is an alternative logout return url defined
+ if (
+ isset($this->config->logout_return_url)
+ && !empty($this->config->logout_return_url)
+ ){
+ // Set temp_redirect to alternative return url
+ $temp_redirect = $this->config->logout_return_url;
+ } else {
+ // Backup old redirect url
+ $temp_redirect = $redirect;
+ }
// Overwrite redirect in order to send user to Shibboleth logout page and let him return back
$redirect = $this->config->logout_handler.'?return='.urlencode($temp_redirect);
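Review bot: The new `isset(...) && !empty(...)` test on `logout_return_url` is redundant, because `empty()` already returns true for an unset property, and the comment `// Backup old redirect url` no longer describes what `$temp_redirect` holds in both branches. The selection can be written as `$temp_redirect = !empty($this->config->logout_return_url) ? $this->config->logout_return_url : $redirect;`. The chosen value is still passed through `urlencode()` before it is appended to the handler URL, so the `return` parameter stays correctly encoded whichever source it comes from. logoutpage_hook() starts and ends outside this hunk.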
@@ -266,6 +275,7 @@ function process_config($config) {
set_config('organization_selection', $config->organization_selection, 'auth/shibboleth');
}
set_config('logout_handler', $config->logout_handler, 'auth/shibboleth');
+ set_config('logout_return_url', $config->logout_return_url, 'auth/shibboleth');
set_config('login_name', $config->login_name, 'auth/shibboleth');
set_config('convert_data', $config->convert_data, 'auth/shibboleth');
set_config('auth_instructions', $config->auth_instructions, 'auth/shibboleth');
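Review bot: `logout_return_url` is stored exactly as submitted, and logoutpage_hook() later hands it to the Shibboleth logout handler as the post-logout destination, so a malformed or unintended value only shows up when users log out. Consider normalising it on save, e.g. `set_config('logout_return_url', clean_param($config->logout_return_url, PARAM_URL), 'auth/shibboleth');`, and treating `logout_handler` the same way. The start of process_config() is outside this hunk, so it is not visible whether the new property is given a default before use; if it is not, add `if (!isset($config->logout_return_url)) { $config->logout_return_url = ''; }` to avoid a notice when the field is missing from the submitted form.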
@@ -45,25 +45,25 @@
</tr>
<tr valign="top">
- <td align="right">Moodle WAYF Service:</td>
+ <td align="right"><?php print_string("auth_shib_integrated_wayf", "auth") ?>:</td>
<td>
<input name="alt_login" type="checkbox" <?php
if ( isset($config->alt_login) and $config->alt_login == 'on' ){
echo 'checked="checked"';
}
?> />
</td>
- <td>If you check this, Moodle will use its own WAYF service instead of the one configured for Shibboleth. Moodle will display a drop-down list on this alternative login page where the user has to select his Identity Provider.</td>
+ <td><?php print_string("auth_shib_integrated_wayf_description", "auth") ?></td>
</tr>
<tr valign="top">
- <td align="right">Identity Providers:</td>
+ <td align="right"><?php print_string("auth_shib_idp_list", "auth") ?>:</td>
<td>
<textarea name="organization_selection" rows="10" cols="30" style="overflow: auto; white-space: nowrap;"
><?php
if (!isset($config->organization_selection)){
echo 'urn:mace:organization1:providerID, Example Organization 1
-https://another.idp-id.com/shibboleth, Other Example Organization
+https://another.idp-id.com/shibboleth, Other Example Organization, /Shibboleth.sso/DS/SWITCHaai
urn:mace:organization2:providerID, Example Organization 2, /Shibboleth.sso/WAYF/SWITCHaai';
} else {
echo $config->organization_selection;
@@ -78,13 +78,35 @@
}
?>
</td>
- <td>Provide a list of Identity Provider entityIDs to let the user choose from on the login page.
-On each line there must be a comma-separated tuple for entityID of the IdP (see the Shibboleth metadata file) and Name of IdP as it shall be displayed in the drow-down list.
-As an optional third parameter you can add the location of a Shibboleth session initiator that shall be used in case your Moodle installation is part of a multi federation setup.</td>
+ <td><?php print_string("auth_shib_idp_list_description", "auth") ?></td>
</tr>
<tr valign="top">
- <td align="right">Authentication Method Name:</td>
+ <td align="right"><?php print_string("auth_shib_logout_url", "auth") ?>:</td>
+ <td>
+ <input name="logout_handler" type="text" size="30" value="<?php
+ if ( isset($config->logout_handler) and !empty($config->logout_handler)){
+ echo $config->logout_handler;
+ }
+ ?>" />
+ </td>
+ <td><?php print_string("auth_shib_logout_url_description", "auth") ?></td>
+</tr>
+
+<tr valign="top">
+ <td align="right"><?php print_string("auth_shib_logout_return_url", "auth") ?>:</td>
+ <td>
+ <input name="logout_return_url" type="text" size="30" value="<?php
+ if ( isset($config->logout_return_url) and !empty($config->logout_return_url)){
+ echo $config->logout_return_url;
+ }
+ ?>" />
+ </td>
+ <td><?php print_string("auth_shib_logout_return_url_description", "auth") ?></td>
+</tr>
+
+<tr valign="top">
+ <td align="right"><?php print_string("auth_shib_auth_method", "auth") ?>:</td>
<td>
<input name="login_name" type="text" size="30" value="<?php
if ( isset($config->login_name) and !empty($config->login_name)){
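Review bot: Both new text inputs write the stored setting straight into a double-quoted `value` attribute (`echo $config->logout_handler;` and `echo $config->logout_return_url;`), so a value containing `"` or `<` breaks out of the attribute and is rendered as markup on the admin settings page. Escape on output, e.g. `echo s($config->logout_return_url);` (Moodle's wrapper around htmlspecialchars()), and likewise for `logout_handler`. The `echo $config->organization_selection;` inside the textarea in the previous config.html hunk is unescaped in the same way. The `login_name` input that begins at the end of this hunk continues outside it, so its output handling is not visible here.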
@@ -94,7 +116,7 @@
}
?>" />
</td>
- <td>Provide a name for the Shibboleth authentication method that is familiar to your users. This could be the name of your Shibboleth federation, e.g. "SWITCHaai Login" or "InCommon Login" and so on.</td>
+ <td><?php print_string("auth_shib_auth_method_description", "auth") ?></td>
</tr>
<tr valign="top">
@@ -9,7 +9,7 @@
/// Check for timed out sessions
if (!empty($SESSION->has_timed_out)) {
$session_has_timed_out = true;
- unset($SESSION->has_timed_out);
+ $SESSION->has_timed_out = false;
} else {
$session_has_timed_out = false;
}
@@ -20,7 +20,7 @@
/// Define variables used in page
if (!$site = get_site()) {
- print_error('nosite');
+ error("No site found!");
}
if (empty($CFG->langmenu)) {
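Review bot: Replacing `print_error('nosite')` with `error("No site found!")` swaps a language-string lookup for a hard-coded English message, which looks like a side effect of merging from STABLE rather than an intended change. If the target branch still provides `print_error()` and the `nosite` string, keep `print_error('nosite');` so the message remains translatable and consistent with the rest of the login pages. The surrounding script continues outside this hunk.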
@@ -37,7 +37,7 @@
$loginurl = (!empty($CFG->alternateloginurl)) ? $CFG->alternateloginurl : '';
- if (get_moodle_cookie() == '') {
+ if (get_moodle_cookie() == '') {
set_moodle_cookie('nobody'); // To help search for cookies
}