Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Shibboleth authentication: Merging fix MDL-18538 and changes from MDL…

  • Loading branch information...
commit c49e414b79cba916e1bfa04749f0d0a7f25d5354 1 parent f24222e
exe-cutor authored
29 auth/shibboleth/README.txt
@@ -21,6 +21,8 @@ Changes:
attributes on request of Markus Hagman
- 11. 2007: Integrated WAYF Service in Moodle
- 12. 2008: Shibboleth 2.x and Single Logout support added
+- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth
+ language files.
Moodle Configuration with Dual login
@@ -41,16 +43,16 @@ Moodle Configuration with Dual login
For IIS you have protect the auth/shibboleth directory directly in the
RequestMap of the Shibboleth configuration file (shibboleth.xml). See
+ and
-2. As Moodle admin, go to the 'Administrations >> Users >> Authentication
- Options' and click on the the 'Shibboleth' settings.
+2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and
+ click on the the 'Shibboleth' settings.
3. Fill in the fields of the form. The fields 'Username', 'First name',
'Surname', etc. should contain the name of the environment variables of the
Shibboleth attributes that you want to map onto the corresponding Moodle
- variable (e.g. 'HTTP_SHIB_PERSON_SURNAME' for the person's last name, refer
+ variable (e.g. 'Shib-Person-surname' for the person's last name, refer
the Shibboleth documentation or the documentation of your Shibboleth
federation for information on which attributes are available).
Especially the 'Username' field is of great importance because
@@ -73,14 +75,16 @@ Moodle Configuration with Dual login
to the the URL of the file 'moodle/auth/shibboleth/index.php'.
This will enforce Shibboleth login.
-4.b If you want to use the Moodle internal WAYF service, you have to activate it
+4.b If you want to use the Moodle integrated WAYF service, you have to activate it
in the Moodle Shibboleth authentication settings by checking the
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the
'Identity Providers' textarea together with a name and an optional
SessionInitiator URL, which usually is an absolute or relative URL pointing
to the same host. If no SessionInitiator URL is given, the default one
- '/Shibboleth.sso' will be used.
+ '/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For
+ Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.
Also see
+ and
Important Note: If you upgraded from a previous version of Moodle and now
want to use the integrated WAYF, you have to make sure that
@@ -228,8 +232,12 @@ recommended to use the following approach when upgrading the Service Provider:
3. After the SP upgrade, use this account to log into Moodle and adapt the
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect
the changed attribute names.
-4. Test the login with a Shibboleth account
-5. If all is working, disable manual authentication again
+ You find the attribute names in the file /etc/shibboleth/attribute-map.xml
+ listed as the 'id' value of an attribute definition.
+4. If you are using the integrated WAYF, you may have to set the third parameter
+ of each entry to '/Shibboleth.sso/DS'
+5. Test the login with a Shibboleth account
+6. If all is working, disable manual authentication again
How to add logout support
@@ -277,7 +285,8 @@ applications yet that were adapted to support front and back channel
logout. Hopefully, the Moodle logout helps to motivate the developers to
implement SLO :)
-Also see for some
+Also see and
+ for some
background information on this topic.
32 auth/shibboleth/auth.php
@@ -183,6 +183,28 @@ function loginpage_hook() {
+ /**
+ * Hook for logout page
+ *
+ */
+ function logoutpage_hook() {
+ global $redirect;
+ // Only do this if logout handler is defined
+ if (
+ isset($this->config->logout_handler)
+ && !empty($this->config->logout_handler)
+ ){
+ // Backup old redirect url
+ $temp_redirect = $redirect;
+ // Overwrite redirect in order to send user to Shibboleth logout page and let him return back
+ $redirect = $this->config->logout_handler.'?return='.urlencode($temp_redirect);
+ }
+ }
* Prints a form for configuring this authentication plugin.
@@ -243,17 +265,23 @@ function process_config($config) {
if (isset($config->organization_selection) && !empty($config->organization_selection)) {
set_config('organization_selection', $config->organization_selection, 'auth/shibboleth');
+ set_config('logout_handler', $config->logout_handler, 'auth/shibboleth');
set_config('login_name', $config->login_name, 'auth/shibboleth');
set_config('convert_data', $config->convert_data, 'auth/shibboleth');
set_config('auth_instructions', $config->auth_instructions, 'auth/shibboleth');
set_config('changepasswordurl', $config->changepasswordurl, 'auth/shibboleth');
+ // Overwrite alternative login URL if integrated WAYF is used
if (isset($config->alt_login) && $config->alt_login == 'on'){
set_config('alt_login', $config->alt_login, 'auth/shibboleth');
set_config('alternateloginurl', $CFG->wwwroot.'/auth/shibboleth/login.php');
} else {
- set_config('alt_login', 'off', 'auth/shibboleth');
- set_config('alternateloginurl', '');
+ // Check if integrated WAYF was enabled and is now turned off
+ // If it was and only then, reset the Moodle alternate URL
+ if ($this->config->alt_login == 'on'){
+ set_config('alt_login', 'off', 'auth/shibboleth');
+ set_config('alternateloginurl', '');
+ }
$config->alt_login = 'off';
3  auth/shibboleth/login.php
@@ -1,6 +1,5 @@
<?php // $Id$
@@ -61,6 +60,8 @@
if (isset($IdPs[$selectedIdP][1]) && !empty($IdPs[$selectedIdP][1])){
header('Location: '.$IdPs[$selectedIdP][1].'?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
} else {
+ // TODO: This has to be changed to /Shibboleth.sso/DS?entityId= for
+ // Shibbolet 2.x sometime...
header('Location: /Shibboleth.sso?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
} elseif (isset($_POST['idp']) && !isset($IdPs[$_POST['idp']])) {
Please sign in to comment.
Something went wrong with that request. Please try again.