Shibboleth authentication: Merging fix MDL-18538 and changes from MDL…

…-18116

auth/shibboleth/README.txt

@@ -21,6 +21,8 @@ Changes:
             attributes on request of Markus Hagman
 - 11. 2007: Integrated WAYF Service in Moodle
 - 12. 2008: Shibboleth 2.x and Single Logout support added
+- 1.  2008: Added logout hook and moved Shibboleth config strings to utf8 auth 
+            language files.
 
 Moodle Configuration with Dual login
 -------------------------------------------------------------------------------
@@ -41,16 +43,16 @@ Moodle Configuration with Dual login
 
    For IIS you have protect the auth/shibboleth directory directly in the
    RequestMap of the Shibboleth configuration file (shibboleth.xml). See
-
-   https://spaces.internet2.edu/display/SHIB/xmlaccesscontrol?topic=XMLAccessControl
+   https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapper and
+   https://spaces.internet2.edu/display/SHIB2/NativeSPAccessControl
 
-2. As Moodle admin, go to the 'Administrations >> Users >> Authentication
-   Options' and click on the the 'Shibboleth' settings.
+2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and 
+   click on the the 'Shibboleth' settings.
 
 3. Fill in the fields of the form. The fields 'Username', 'First name',
    'Surname', etc. should contain the name of the environment variables of the
    Shibboleth attributes that you want to map onto the corresponding Moodle
-   variable (e.g. 'HTTP_SHIB_PERSON_SURNAME' for the person's last name, refer
+   variable (e.g. 'Shib-Person-surname' for the person's last name, refer
    the Shibboleth documentation or the documentation of your Shibboleth
    federation for information on which attributes are available).
    Especially the 'Username' field is of great importance because
@@ -73,14 +75,16 @@ Moodle Configuration with Dual login
      to the the URL of the file 'moodle/auth/shibboleth/index.php'. 
      This will enforce Shibboleth login.
 
-4.b If you want to use the Moodle internal WAYF service, you have to activate it
+4.b If you want to use the Moodle integrated WAYF service, you have to activate it
     in the Moodle Shibboleth authentication settings by checking the 
     'Moodle WAYF Service' checkbox and providing a list of entity IDs in the 
     'Identity Providers' textarea together with a name and an optional 
     SessionInitiator URL, which usually is an absolute or relative URL pointing 
     to the same host. If no SessionInitiator URL is given, the default one 
-    '/Shibboleth.sso' will be used.
+    '/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For 
+    Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.
     Also see https://spaces.internet2.edu/display/SHIB/SessionInitiator
+    and https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator
 
     Important Note: If you upgraded from a previous version of Moodle and now
                     want to use the integrated WAYF, you have to make sure that
@@ -228,8 +232,12 @@ recommended to use the following approach when upgrading the Service Provider:
 3. After the SP upgrade, use this account to log into Moodle and adapt the 
    attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect 
    the changed attribute names.
-4. Test the login with a Shibboleth account
-5. If all is working, disable manual authentication again
+   You find the attribute names in the file /etc/shibboleth/attribute-map.xml 
+   listed as the 'id' value of an attribute definition.
+4. If you are using the integrated WAYF, you may have to set the third parameter
+   of each entry to '/Shibboleth.sso/DS'
+5. Test the login with a Shibboleth account
+6. If all is working, disable manual authentication again
 ********************************************************************************
 
 How to add logout support
@@ -277,7 +285,8 @@ applications yet that were adapted to support front and back channel
 logout. Hopefully, the Moodle logout helps to motivate the developers to 
 implement SLO :)
 
-Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues for some 
+Also see https://spaces.internet2.edu/display/SHIB2/SLOIssues and 
+https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator for some 
 background information on this topic.
 
 --------------------------------------------------------------------------------

auth/shibboleth/auth.php

@@ -183,6 +183,28 @@ function loginpage_hook() {
 
         return;
     }
+
+     /**
+     * Hook for logout page
+     *
+     */
+    function logoutpage_hook() {
+        global $redirect;
+
+        // Only do this if logout handler is defined
+        if (
+              isset($this->config->logout_handler) 
+              && !empty($this->config->logout_handler)
+           ){
+            // Backup old redirect url
+            $temp_redirect = $redirect;
+
+            // Overwrite redirect in order to send user to Shibboleth logout page and let him return back
+            $redirect = $this->config->logout_handler.'?return='.urlencode($temp_redirect);
+        }
+    }
+
+
 
     /**
      * Prints a form for configuring this authentication plugin.
@@ -243,17 +265,23 @@ function process_config($config) {
         if (isset($config->organization_selection) && !empty($config->organization_selection)) {
             set_config('organization_selection',    $config->organization_selection,    'auth/shibboleth');
         }
+        set_config('logout_handler',    $config->logout_handler,    'auth/shibboleth');
         set_config('login_name',    $config->login_name,    'auth/shibboleth');
         set_config('convert_data',      $config->convert_data,      'auth/shibboleth');
         set_config('auth_instructions', $config->auth_instructions, 'auth/shibboleth');
         set_config('changepasswordurl', $config->changepasswordurl, 'auth/shibboleth');
 
+        // Overwrite alternative login URL if integrated WAYF is used
         if (isset($config->alt_login) && $config->alt_login == 'on'){
             set_config('alt_login',    $config->alt_login,    'auth/shibboleth');
             set_config('alternateloginurl', $CFG->wwwroot.'/auth/shibboleth/login.php');
         } else {
-            set_config('alt_login',    'off',    'auth/shibboleth');
-            set_config('alternateloginurl', '');
+            // Check if integrated WAYF was enabled and is now turned off
+            // If it was and only then, reset the Moodle alternate URL 
+            if ($this->config->alt_login == 'on'){
+                set_config('alt_login',    'off',    'auth/shibboleth');
+                set_config('alternateloginurl', '');
+            }
             $config->alt_login = 'off';
         }
 

auth/shibboleth/login.php

@@ -1,6 +1,5 @@
 <?php // $Id$
 
-
     require_once("../../config.php");
     require_once($CFG->dirroot."/auth/shibboleth/auth.php");
 
@@ -61,6 +60,8 @@
         if (isset($IdPs[$selectedIdP][1]) && !empty($IdPs[$selectedIdP][1])){
             header('Location: '.$IdPs[$selectedIdP][1].'?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
         } else {
+            // TODO: This has to be changed to /Shibboleth.sso/DS?entityId= for 
+            // Shibbolet 2.x sometime...
             header('Location: /Shibboleth.sso?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
         }
     } elseif (isset($_POST['idp']) && !isset($IdPs[$_POST['idp']]))  {