Added Upgrade instructions for Shibboleth 2.x

Corrected some typos for logout section
1 parent 8f12dde commit b926e3dde5dc0289e054cddbe80bc1e961d02916 exe-cutor committed Dec 8, 2008
Showing with 43 additions and 8 deletions.
  1. +43 −8 auth/shibboleth/README.txt
@@ -20,7 +20,7 @@ Changes:
- 10. 2007: Removed the requirement for email address, surname and given name
attributes on request of Markus Hagman
- 11. 2007: Integrated WAYF Service in Moodle
-- 12. 2008: Single Logout support added
+- 12. 2008: Shibboleth 2.x and Single Logout support added
Moodle Configuration with Dual login
-------------------------------------------------------------------------------
@@ -200,6 +200,37 @@ Example file:
?>
--
+How to upgrade your Service Provider to 2.x
+-------------------------------------------------------------------------------
+
+In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact
+that in version 2.0 the default behaviour regarding attribute propagation
+changed.
+While the Service Provider 1.3.x published the Shibboleth attributes to the
+web server environment as HTTP Request headers, the Service Provider 2.x
+publishes attributes as environment variables, which increases the security for
+some platforms.
+However, this change has the effect that the attribute names change.
+E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'
+with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']
+or depending on your /etc/shibboleth/attribute-map.xml file just as
+$_SERVER['sn'].
+Because Moodle needs to know what Shibboleth attributes it shall map onto which
+Moodle user profile field, one has to make sure the mapping is updated as well
+after the Service Provider upgrade.
+
+********************************************************************************
+Because you risk locking yourself out of Moodle it is strongly
+recommended to use the following approach when upgrading the Service Provider:
+1. Enable manual authentication before the upgrade.
+2. Make sure that you have at least one manual account with administration
+ privileges working before upgrading your Service Provider to 2.x.
+3. After the SP upgrade, use this account to log into Moodle and adapt the
+ attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect
+ the changed attribute names.
+4. Test the login with a Shibboleth account
+5. If all is working, disable manual authentication again
+********************************************************************************
How to add logout support
--------------------------------------------------------------------------------
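Review bot: steps 1 and 5 of the boxed lock-out procedure tell the administrator to enable and later disable manual authentication but never say where that is done, while step 3 does name its settings page ('Site Administration -> Users -> Shibboleth'); give the corresponding setting for steps 1 and 5 too, since an administrator who cannot find it is exactly the one who ends up locked out. Two smaller points in the same hunk: 'In case your upgrade your Service Provider 1.3.x to 2.x' should read 'In case you upgrade your Service Provider from 1.3.x to 2.x', and the sentence that publishing attributes as environment variables instead of HTTP request headers 'increases the security for some platforms' asserts a security benefit without stating the reason, which would help the reader judge whether the header-based names still need to be accepted anywhere.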
@@ -217,14 +248,18 @@ just before the <MetadataProvider> element.
Channel="back"
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" />
+<!--
+If possible, you should use only the back channel logout once it is working.
+-->
+<!--
<Notify
Channel="front"
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" />
-
+-->
--
-The restart the Shibboleth daemon and check the log file for errors. If there
-were no errors, you cat test the logout feature by accessing Moodle,
+Then restart the Shibboleth daemon and check the log file for errors. If there
+were no errors, you can test the logout feature by accessing Moodle,
authenticating via Shibboleth and the access the URL:
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard
Shibboleth installation). If everything worked well, you should see a Shibboleth
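Review bot: the added comment 'If possible, you should use only the back channel logout once it is working' gives the reader no way to decide when to drop the front-channel <Notify>: it says neither why the back channel is preferred nor how to tell it is working. State the reason and what to check (for example the absence of errors in the Shibboleth daemon log after calling logout.php, which the following paragraph already asks the reader to inspect). The unchanged context line 'authenticating via Shibboleth and the access the URL:' still carries a typo ('and then access the URL:') that this typo-fixing hunk could have corrected.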
@@ -236,14 +271,14 @@ Limitations:
Single Logout is only supported with SAML2 and so far only with the Shibboleth
Service Provider 2.x.
As of December 2008, the Shibboleth Identity Provider 2.1.1 does not yet support
-Single Logout (SLO). Therefore, the logout feature doesn't make that much
-sense yet. One of the reasons why SLO isn't supported yet is because there aren't
- many applications yet that were adapted to support front and back channel
+Single Logout (SLO). Therefore, the single logout feature cannot be used yet.
+One of the reasons why SLO isn't supported yet is because there aren't many
+applications yet that were adapted to support front and back channel
logout. Hopefully, the Moodle logout helps to motivate the developers to
implement SLO :)
Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues for some
-background information.
+background information on this topic.
--------------------------------------------------------------------------------
In case of problems and questions with Shibboleth authentication, contact
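Review bot: 'the single logout feature cannot be used yet' now sits in tension with the 'How to add logout support' section above, which walks the reader through configuring the <Notify> elements and testing logout via /Shibboleth.sso/Logout. If the limitation is that IdP-initiated Single Logout is unsupported while SP-initiated logout (the SP notifying Moodle's logout.php) does work, say so explicitly; as written, a reader cannot tell whether following the earlier section has any effect.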
