Shibboleth Authentication

Lukas Haemmerle
Shibboleth Authentication

I (and increasingly more people around the world) am very interested in the Shibboleth authentication method, which is why I started looking for a solution to fully integrate Shibboleth authentication into Moodle. A while after I started, I noticed that Markus Hagman had already done a Shibboleth authentication method for Moodle. The thing is, though, that the README.txt in moodle/auth/shibboleth/ doesn't cover all the points needed to use Shibboleth authentication, or maybe I just haven't found all the details yet. But let me first explain what it's all about and what would be interesting for us:

To give you a small overview of Shibboleth, see http://shibboleth.internet2.edu/ or http://www.switch.ch/aai/ for a case study (that's our Shibboleth federation). Basically, Shibboleth provides an authentication method for web-based applications. Users have to authenticate themselves once with one single username and password (in our case the users are mostly students from different universities all around Switzerland), and when they are authenticated they can use different services from other universities, libraries and content providers in general without having to authenticate again (e.g. they could jump from one Moodle site to another without re-authenticating). This has various advantages for the users and the content providers, mainly concerning user management and security. But that's just the very, very short introduction.

What probably quite a lot of universities in a Shibboleth federation (a group of schools or universities that use Shibboleth) want is a dual login, using the manual authentication method (as it is known in Moodle) and Shibboleth. This could look like this:

I didn't change the source code or anything, I just edited three string values in the moodlelib strings. I guess the manual part is self-explanatory, but what happens if a user clicks on that AAI button (AAI stands for Authentication and Authorisation Infrastructure and is the name we are using in our Shibboleth federation)? Well, if a user clicks on that button the following should happen:

1. Redirect to a Shibboleth-protected directory as described in moodle/auth/shibboleth/README.txt
2. If the user is already Shibboleth-authenticated (this implies that the Apache server can provide the user's Shibboleth attributes, e.g. HTTP_SHIB_SWISSEP_UNIQUEID in our case), go to 3; else the user is (automatically) redirected to a Shibboleth page where the login name and password have to be provided. Then the user is automatically redirected to this page again, with the difference that the user is now authenticated.
3. If this user already has a user record, set up his session. Else his user record first has to be (automatically) created.

This all works perfectly right now; the only problem is that the Moodle code has to be extended a bit. Of course every admin who uses Shibboleth could do that himself, but we think it would be a better solution to include the code in the official Moodle distribution. The code is generally usable and not adapted to our specific Shibboleth implementation.

The changes that would be necessary to extend the moodle code and file structure are (most of this is already described in moodle/auth/shibboleth/README.txt):

1. A new directory has to be created, e.g. moodle/auth/shibboleth/login (alternatively the moodle/auth/shibboleth directory itself could be used for that)
2. Within that directory there has to be a .htaccess file with:

## Shibboleth authentication required
AuthType shibboleth
ShibRequireSession On
require valid-user
# Adapt the require statement to your needs

Furthermore there has to be an index.php file within that directory with the following content:

<?php
header("Location: ../../login/");
?>

3. The moodle/login/index.php file has to be extended by:

if (!empty($CFG->shib_user_attribute) && !empty($_SERVER[$CFG->shib_user_attribute])) {
    // Shibboleth has authenticated the user: take the username from the attribute
    $frm->username = $_SERVER[$CFG->shib_user_attribute];
    $frm->password = substr(base64_encode($_SERVER[$CFG->shib_user_attribute]), 0, 8);
}

after every "$frm = data_submitted();" line. What the code actually does is "fill" the form data with the shib_user_attribute that is used in moodle/auth/shibboleth/lib.php:auth_user_login($username, $password) to check if this user is authenticated. The password line is not really necessary, but may be useful if an admin decides to convert a Shibboleth user account into a manual one (the password could also be something constant, since it is not possible for a Shibboleth user to use the manual login).

4. In the moodle/login directory there should be a .htaccess file with the following content (the statements have to be commented out by default because they may cause problems on Moodle instances on web servers that don't have Shibboleth installed):

## Shibboleth lazy session
#AuthType shibboleth
#ShibRequireSession Off
#require shibboleth

5. On the login page there has to be a link to the moodle/auth/shibboleth/login directory (this can be done manually by the Moodle admin by modifying the moodlelib strings).

That's about it. This is just a suggestion, and I think that this solution may be useful to provide complete Shibboleth support for Moodle. I am also willing to contribute this (and more commented) code and extend the README if that is wished. But I thought I'd first ask around in this forum whether this is appreciated.

Cheers
Lukas
 
Martin Langhoff - Sailing
Re: Shibboleth Authentication

Have you contacted Markus? Can you post here a diff with your proposed changes to auth/shibboleth?
 
Lukas Haemmerle
Re: Shibboleth Authentication

Yes, I sent Markus an email last week and he just answered today. So we will probably discuss the changes first before I/we provide a patch.
 
test
Re: Shibboleth Authentication

Yep, my bad!

I had forgotten to include the modifications that have to be made in the login/index.php file. I've put up an updated README.txt which has the modifications needed for login/index.php.

login/index.php
--

Add code after line 31:

    if (!empty($_SERVER[$CFG->shib_user_attribute])) {
        /// Log in automatically if the user has been Shibboleth-authenticated
        $frm = new stdClass;
        $frm->username = $_SERVER[$CFG->shib_user_attribute];
        $frm->password = "guest";
    } else {
        $frm = data_submitted();
    }

--

We are heading the same way, Lukas. You're right that it's not necessary to protect the whole Moodle directory with Shibboleth. It's enough to add protection to the moodle/login directory.

We also discussed prefilling the user information fields when a new user enters Moodle through Shibboleth. These fields should get disabled when their values are found in the Shibboleth attributes.

So you think I should make that auth/shibboleth/login dir and add the lines needed to the .htaccess and index.php files?

Cheers,

Markus

 
Lukas Haemmerle
Re: Shibboleth Authentication

Why not just insert the code and the files into the Moodle source tree directly and thereby save the Moodle admins some work? The modification shouldn't change anything for non-Shibboleth Moodle installations but should bring some advantages when it comes to installation and configuration of Moodle.

@Martin: Is there anything that speaks against this modification (see Markus' post above) of login/index.php and my proposed changes?

The prefilling of user information fields already happens in the current 1.5 dev version, so nothing to change here.

Directory structure:
I definitely would propose to put the .htaccess file with the lazy session in auth/shibboleth/, hence using this directory as your proposed "proxy" that requires a Shibboleth session.

The easiest way would probably be to create an index.php file in auth/shibboleth/ with the content:

<?php
require_once("../../config.php");
header("Location: ".$CFG->wwwroot."/login/");
exit;
?>

That's easier because the admin doesn't have to change anything in this file.

@Markus: By the way, what I have been wondering all the time while studying your code/README is what you use the WAYF URL and the logout URL for? Especially the logout URL interests me, because we have some problems in our Shibboleth federation with a total logout. Does your (Markus') federation have a single sign-out (logout) mechanism, so that a Shibboleth user is really logged out of all applications and has to single sign on again after that?
 
Martin Dougiamas
Re: Shibboleth Authentication

Basically if you guys can come up with a way that involves the least amount of changes for the existing Moodle scripts as possible (so that auth/shibboleth is as self-contained as possible) then I'd be happy to make what changes we have to in the main scripts.

One approach we've taken for the new CAS SSO module in 1.5 is to modify login/index.php to call auth/cas/login.php instead, and login/logout.php to call auth/cas/logout.php instead.  Would this help for Shibboleth too?  Then you would have complete control over login and logout when Shibboleth is active.
 
Lukas Haemmerle
Re: Shibboleth Authentication

Most of the things needed to use Shibboleth authentication were already done by Markus for the 1.5 development version. They work perfectly, but to make it easier for Moodle admins to use Shibboleth authentication, some additional changes would be useful:

If Markus agrees with that, I would suggest the following changes:

file: moodle/login/index.php

diff
--
66c66,73
<    } else {
---
>      }  elseif ($_SERVER[$CFG->shib_user_attribute]) {
>        // Shibboleth login
>                      // Log in automatically if user is shibboleth authenticated
>                      $frm->username = $_SERVER[$CFG->shib_user_attribute];
>                      // Set a random password that consists of the first 8 letters of the base 64 encoded user ID
>                      // This password is never used unless the user account is converted to manual
>                      $frm->password = substr(base64_encode($_SERVER[$CFG->shib_user_attribute]),0,8);
>        } else {
--
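Review bot: the comment on the `$frm->password` line calls the value random, but `substr(base64_encode(...), 0, 8)` is a deterministic function of the user ID, so anyone who knows the username can reproduce the password; if the account is ever converted to manual, as the next comment anticipates, that password is guessable from public information. Generate it from a real random source instead and correct the comment. Separately, `elseif ($_SERVER[$CFG->shib_user_attribute])` reads an undefined index on every request that is not Shibboleth-protected, which raises a PHP notice; `!empty($_SERVER[$CFG->shib_user_attribute])` is the quieter check and also covers an unset `$CFG->shib_user_attribute`.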


new file:  moodle/auth/shibboleth/index.php
--
<?php
require_once("../../config.php");
header("Location: ".$CFG->wwwroot."/login/");
exit;
?>
--

new file: moodle/auth/shibboleth/.htaccess
--
# Requires a Shibboleth session
# Be sure to read moodle/auth/shibboleth/README.txt for further instructions
AuthType shibboleth
ShibRequireSession On

# Add your own access rules
require valid-user
--

new file: moodle/login/.htaccess
--
# Uncomment the following lines to use Shibboleth authentication
# Be sure to read moodle/auth/shibboleth/README.txt for further instructions
#AuthType shibboleth
#ShibRequireSession Off
#require shibboleth
--

file: README.txt
See attached file

Additionally it would be very useful if an admin could lock some user profile fields to prevent Shibboleth users from modifying them. But for this to work, the bug http://moodle.org/bugs/bug.php?op=show&bugid=2722&pos=0 should be fixed.
 
Lukas Haemmerle
Re: Shibboleth Authentication

Concerning the recommended changes:
Shall I send you (or the other Martin) an email with all the above-mentioned changes, or shall I post them in this topic in a collected form again?
 
Martin Langhoff - Sailing
Re: Shibboleth Authentication

Post a unified diff.
 
Lukas Haemmerle
Re: Shibboleth Authentication

OK then, here we go.

Made the patch with cvs diff -u

There is also a directory called 'new-files' included which contains the moodle directory structure. There are three new files that should be placed at the corresponding places.

There is only one file change for the non-shibboleth files of moodle. This change is in moodle/login/index.php
 
Martin Dougiamas
Re: Shibboleth Authentication

I'm looking at this now.
 
Martin Dougiamas
Re: Shibboleth Authentication

I really don't want to have the .htaccess file in the login directory.

Firstly it means the admin has to keep editing that file every time they upgrade, and secondly, I've seen more than one webhost that threw up errors when it encountered ANY .htaccess file (even empty ones) so I don't want to risk the breakage.

Can we make login/index.php redirect to auth/shibboleth/login/index.php when shibboleth is active, and have everything in there?

If no system environment variables are found in that shibboleth login script it could set some session variable (to prevent a loop) and redirect back to the main login script.
 
Lukas Haemmerle
Re: Shibboleth Authentication

Mhhh, I understand your concerns.

The system environment variables provided by Shibboleth are only available when there is this .htaccess file in moodle/login/, therefore such a check is not possible.

One of the problems you mentioned could be solved like this:
we rename the .htaccess file to something like 'disabled.htaccess' and instruct the admins in the README to rename the file when they need it. That way the web servers don't "throw up", but as you said, there still would be that problem with the upgrade.

Your suggestion should be possible. We could extend the auth/shibboleth/index.php in such a way that it sets up the user's Moodle session if the user was successfully authenticated over Shibboleth... I'll look at this on Monday.

Have a nice weekend.
 
Lukas Haemmerle
Re: Shibboleth Authentication

I reviewed the alternatives again today. As I understood, the solution has to be:

a. easy to upgrade
b. as self contained as possible
c. with minimal changes to moodle code

I think that extending the auth/shibboleth/login/index.php to do login/index.php's job is of no use, because login/index.php doesn't have to be modified that much.

How about if we don't use .htaccess files at all and instead instruct the moodle administrator in the README to define the shibboleth access rules in the apache config file (they would have to edit the .htaccess files as well if they were used). These rules generally don't change, so the admin has to define them once. That way the three requirements above would be fulfilled.

We basically would use the patch I submitted but omit the .htaccess file(s) in the login directory and change the README with instructions for the admins on how to change their apache.conf.
 
Lukas Haemmerle
Re: Shibboleth Authentication

I made another patch where everything concerning Shibboleth authentication is in /auth/shibboleth. The only change to moodle/login/index.php now is a

if ($CFG->auth == 'shibboleth') {
    require($CFG->dirroot.'/auth/shibboleth/login.php');
}

- No .htaccess files needed
- Also extended the language strings of lang/en/auth.php for Shibboleth.
- README is updated

Just replace the whole auth/shibboleth/ directory.
 
Martin Dougiamas
Re: Shibboleth Authentication

OK, I've had a good look at all this ... I didn't like all the duplication going on with a whole new Shibboleth login page, so I've refactored some of the stuff from the old login page and rewritten the Shibboleth plugin quite a bit to use the logic I prefer.

The flow is like this:

1. When Shibboleth is main authentication method
  • User goes to normal login page
  • Moodle redirects immediately to auth/shibboleth/index.php
  • index.php checks environment and authenticates user (or not)
  • If they are logged in, it sends them on their way, otherwise they get sent to the normal login page (which won't redirect this time).

2. When only some users in the database are marked as Shibboleth
  • User goes to normal login page
  • User logs in normally
  • Moodle detects their account is Shibboleth, so they get redirected to auth/shibboleth/index.php
  • index.php checks environment and authenticates user (or not)
  • If they are logged in, it sends them on their way, otherwise they get sent to the normal login page again.

All of this is untested under Shibboleth but please try the current 1.5 CVS and see how it goes.  Lukas, if you need CVS write access to this directory to keep working on it please let me know!  Thanks!
 
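The redirect-and-check logic described in the two flows above (and in Lukas's three-step outline at the start of the thread), as an added example that is neither Moodle's code nor any poster's. It models $_SERVER, the user table and the session as plain arrays so that it runs without Apache or a Shibboleth SP; apart from HTTP_SHIB_SWISSEP_UNIQUEID, the attribute names, the field map, the shib_auto_create switch and the wwwroot are assumptions. Two points raised in the thread are made explicit: when no Shibboleth attributes are present the handler sets a session flag, so the login page shows the normal form instead of redirecting again, and only accounts whose auth method is shibboleth are logged in through the attribute.

```php
<?php
// Added example (not Moodle's code, nor any poster's): the decision logic of
// auth/shibboleth/index.php as described in the thread (attribute check, account
// lookup or creation, loop prevention), written over explicit inputs so that it
// runs without Apache or a Shibboleth SP.

// Constructed configuration. shib_user_attribute is the name used in the thread;
// the other attribute names, the field map, shib_auto_create and wwwroot are assumptions.
$CFG = array(
    'auth'                => 'shibboleth',                 // Shibboleth is the main method (flow 1)
    'shib_user_attribute' => 'HTTP_SHIB_SWISSEP_UNIQUEID',
    'shib_field_map'      => array(                         // Moodle field => $_SERVER key
        'firstname' => 'HTTP_SHIB_INETORGPERSON_GIVENNAME',
        'lastname'  => 'HTTP_SHIB_PERSON_SURNAME',
        'email'     => 'HTTP_SHIB_INETORGPERSON_MAIL',
    ),
    'shib_auto_create'    => true,                          // create the account on first login
    'wwwroot'             => 'https://moodle.example.org',  // placeholder
);

// login/index.php: when Shibboleth is the main method, redirect to the handler once.
// The session flag is what prevents the redirect loop discussed in the thread.
function login_page_redirect(array $cfg, array $session) {
    if ($cfg['auth'] === 'shibboleth' && empty($session['shib_failed'])) {
        return $cfg['wwwroot'] . '/auth/shibboleth/index.php';
    }
    return null;   // show the normal login form
}

// auth/shibboleth/index.php. $server stands for $_SERVER, $users for the user table.
// Returns array('status' => ...) plus the user record on success.
function shib_handle_login(array $server, array $cfg, array &$users, array &$session) {
    $attr = isset($cfg['shib_user_attribute']) ? $cfg['shib_user_attribute'] : '';

    // Failure mode from the thread: the handler is reached but the web server did not
    // protect it, so the SP exported nothing and the configured attribute is absent.
    if ($attr === '' || !isset($server[$attr]) || $server[$attr] === '') {
        $session['shib_failed'] = true;   // next visit to the login page shows the form
        return array('status' => 'no_environment');
    }
    $username = strtolower(trim($server[$attr]));

    if (!isset($users[$username])) {
        if (empty($cfg['shib_auto_create'])) {
            $session['shib_failed'] = true;
            return array('status' => 'invalid_account');   // cf. shib_invalid_account_error
        }
        // First login: build the record from the released attributes.
        $user = array('username' => $username, 'auth' => 'shibboleth');
        foreach ($cfg['shib_field_map'] as $field => $key) {
            $user[$field] = isset($server[$key]) ? $server[$key] : '';
        }
        $users[$username] = $user;
    }

    // Only Shibboleth accounts are logged in here: an existing manual (or LDAP, CAS, ...)
    // account with the same username is not taken over by a released attribute.
    if ($users[$username]['auth'] !== 'shibboleth') {
        $session['shib_failed'] = true;
        return array('status' => 'wrong_auth_method');
    }

    unset($session['shib_failed']);
    $session['username'] = $username;
    return array('status' => 'ok', 'user' => $users[$username]);
}

// --- constructed walk-through ----------------------------------------------------
function expect($cond, $what) {
    if (!$cond) { fwrite(STDERR, "FAILED: $what\n"); exit(1); }
}
$users   = array();
$session = array();

// 1. Handler reached without SP-exported attributes: reported, and no redirect loop.
$r = shib_handle_login(array('REQUEST_URI' => '/auth/shibboleth/index.php'), $CFG, $users, $session);
expect($r['status'] === 'no_environment', 'missing attribute is reported');
expect(login_page_redirect($CFG, $session) === null, 'login page does not redirect again');

// 2. Fresh browser with a Shibboleth session: account auto-created and logged in.
$session = array();
expect(login_page_redirect($CFG, $session) !== null, 'login page redirects to the handler');
$server = array(                                               // constructed attribute set
    'HTTP_SHIB_SWISSEP_UNIQUEID'        => 'Jane.Doe@example.org',
    'HTTP_SHIB_INETORGPERSON_GIVENNAME' => 'Jane',
    'HTTP_SHIB_PERSON_SURNAME'          => 'Doe',
    'HTTP_SHIB_INETORGPERSON_MAIL'      => 'jane.doe@example.org',
);
$r = shib_handle_login($server, $CFG, $users, $session);
expect($r['status'] === 'ok' && $users['jane.doe@example.org']['lastname'] === 'Doe', 'first login creates the account');

// 3. A pre-existing manual account with the same username stays untouched.
$users['bob'] = array('username' => 'bob', 'auth' => 'manual');
$r = shib_handle_login(array('HTTP_SHIB_SWISSEP_UNIQUEID' => 'bob'), $CFG, $users, $session);
expect($r['status'] === 'wrong_auth_method', 'manual account is not logged in via Shibboleth');
echo "all checks passed\n";
```

Run it with `php` on the command line; it prints "all checks passed". The second flow from the post above (a Shibboleth account on a site whose main method is something else) reuses the same handler: the only difference is who sends the user to it.
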
Lukas Haemmerle
Re: Shibboleth Authentication

First of all, thank you for having a look at this.

I downloaded the latest dev version with your changes and then first executed the moodle/admin/ update process. This worked perfectly with my Shibboleth admin user, which is a good sign. So the changes you made work perfectly for Shibboleth as the main authentication method.

Flow 1:
In general the changes you made are OK, but the README has to be adapted because right now it doesn't work "out of the box" just by configuring Moodle properly.
This is because there is some information missing in the README. E.g. the web server admin HAS to protect the moodle/auth/shibboleth dir (or at least the index.php file within that dir) to start the whole Shibboleth authentication process. Without that, the users cannot get Shibboleth-authenticated. I guess you deleted this step for some reason...
Furthermore, for other non-Shibboleth users to log in, the web server admin has to do some additional work (either set up a dual login page or modify some text strings). For that, of course, the admin has to change the login link, which also should be mentioned in the README.

Flow 2:
I didn't understand what exactly you wanted to describe in points 2 and 3. If the user logged in "normally" (I assume you mean using a login name and a password and e.g. the manual authentication method), why does he have to get redirected to auth/shibboleth/index.php and get Shibboleth-authenticated, when he already provided login and password for a manual Moodle account?

CVS write access would be nice. That way I could update the README file myself. My mail address is haemmerle@switch.ch
 
Martin Dougiamas
Re: Shibboleth Authentication

1) There is a .htaccess file in cvs:/moodle/auth/shibboleth ... I assumed the contents of this would be standard for every site ... is that not true?

2) What I described was for a Shibboleth user on a site that is not predominantly Shibboleth. For example, most people use LDAP, but you have a few Shibboleth users.

For CVS access email me your sourceforge username (more details here: http://moodle.org/doc/?frame=cvs.html)
 
Lukas Haemmerle
Re: Shibboleth Authentication

1. No, as far as I can see there isn't a .htaccess file in auth/shibboleth/ (neither in viewcvs nor when I make a cvs checkout or update). This file is rather essential, so it really should be added.

Btw, I also found a small bug in auth/shibboleth/config.html: line 396 (4th line from the bottom) should be '<?php print_string("auth_shib_instructions_help","auth", htmlspecialchars($CFG->wwwroot.'/auth/shibboleth/index.php')) ?>'
 
Lukas Haemmerle
Re: Shibboleth Authentication

Oh yeah, btw, I forgot to mention something. There IS something that you maybe should change in moodle/auth/shibboleth/lib.php

In function auth_get_userinfo($username) it is probably better to write:

$result[$key]=utf8_decode($_SERVER[$value]);

instead of

$result[$key]=$_SERVER[$value];

At least in German we have names with umlauts ä ö ü, and they have to be converted with utf8_decode to get properly displayed.
 
Lukas Haemmerle
Re: Shibboleth Authentication

I updated moodle/auth/shibboleth/config.html. Cleaned the code a bit and added options to lock the user fields and auto-update them (I basically copied these from ldap/config.html). That would be useful too.
 
Martin Langhoff - Sailing
Re: Shibboleth Authentication

How much of LDAP are you using? The CAS module has an interesting approach to reusing LDAP after the SSO has happened.

(Thanks Romuald for the heads up!)
 
Lukas Haemmerle
Re: Shibboleth Authentication

Just the HTML elements that are used to set the locking or auto-updating feature of certain user fields. No PHP code so far.
 
Michael Goncharenko
Shibboleth Authorization?

Hello,

What about Shibboleth authorization support in Moodle?
Does it work? And how is it realized? How do I grant access to a course for "shibbolized" students?

 
Lukas Haemmerle
Re: Shibboleth Authorization?

Moodle should support Shibboleth authentication since 1.5. So far I haven't got much feedback, although I know that people seem to be using it. So, I suppose it works. Automatic enrolment of Shib users is not supported at the moment, so users just log in via Shibboleth (the first time, their account is automatically created) and then have to enrol in courses the usual way.

See the Shibboleth Auth Readme for more information.
 
Michael Goncharenko
Re: Shibboleth Authorization?

If I had a single Moodle installed, I wouldn't even need Shibboleth.
I am interested not only in SSO, but in centralized course access administration.

 
Colin McQueen
Re: Shibboleth Authorization?

As I understand it, a content provider may well have SSO for all their systems, but Shibboleth goes beyond that. In UK schools the idea is that there is a single username/password pair for ALL UK school children, and that gets them into any content from any learning content provider that they are subscribed to (either personally, via school, local authority, regional broadband consortium or DfES). Of course only if the content provider is "shibbolised". The next stage would be the authorisation, so that if they are in, say, year 11 they are authorised to get the learning content that year 11s are subscribed to. If they are a teacher, not a student, they get the teacher privileges with regard to the learning content.

Becta are in the process of procuring the WAYF service for UK schools. The roll out is due for Sept 2006. See Becta Shibboleth pages for the overview and download the pdf for the uk schools shibboleth roadmap.

This fits in with the Learning Platform standards and procurement drive from DfES via Becta, which Miles Berry is helping to keep in touch with for Moodle. Log in to the SchoolForge Moodle Repository to see his response.

In my view, I am hoping that eventually, when a teacher or pupil logs in to their network (whether Active Directory or whatever) at school, the authentication has happened for any of their learning content, so they don't have to log in again for any content from providers that shibbolise. Huge problems with achieving this, I know, but it's a goal. Time in school is at a premium, and there is so much wasted time in dealing with authentication and authorisation problems. The next step is to get the e-Portfolio for learners transferable once standards are in place.

HTH
 
romuald lorthioir
Re: Shibboleth Authorization?

Hi,

Just to say that we actually use the CAS module for all 4 universities of Bretagne (France) for internal use. Now we want to use Shib to build a common Moodle instance for about 80000 students. We have an identity provider in each university. We have a Shib federation. So ....

But we have a problem. We have tested the Shib module for authentication and it's working like we need. The problem is enrolment in courses. As it's said in this thread, the Shib module just does the authentication job. So we are working on an API to get a Shib attribute like SHIBBOLET_COURSES. This attribute will be a list of Moodle course codes. It will be passed with the authentication and built by each university from their internal information system.

Perhaps we need a little help to do this; if we are satisfied by our API, we'll commit it to the Moodle community. If someone has done this before, I'm interested.

Just another thing: you can give just one extra code for a Moodle course. If it were possible to give more than one, it could help us a lot!!!! (Martin)

Cheers,

Romuald

 
Lukas Haemmerle
Re: Shibboleth Authorization?

As far as I know nobody has done something like this. When we asked some e-learning administrators in Switzerland if they would appreciate something like this, they told us that they would prefer their current solution. This solution basically consists of the course password that is given to all students who are allowed to access the course... But of course it would be nice if there was a Shibboleth auto-enrolment.

The solution in my opinion should be as general as possible. Remember that most Shibboleth Federations use their own attribute specifications and they differ in quite some points when it comes to attributes naming and value ranges (see InCommon Attribute Specs, HAKA Attribute Specs, SWITCHaai Attribute Specs, ...).

So, if you use an attribute for course enrolment, I probably would use the multivalued eduPersonEntitlement (OID: 1.3.6.1.4.1.5923.1.1.1.7), which is used in almost all federations as far as I know. This attribute is either a URN or a URL.
 
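Two details from this thread that a Moodle-side implementation has to get right, as an added example that is neither Moodle's code nor any poster's: the character encoding of attribute values (Lukas's utf8_decode remark earlier in the thread) and a multi-valued attribute such as eduPersonEntitlement carrying course codes (Romuald's and Lukas's posts above). The Shibboleth SP joins multiple values with ';' and escapes a literal semicolon inside a value as '\;'; the URN prefix urn:mace:example.org:course: and all sample values are constructed, and the common-lib-terms entitlement stands in for any unrelated value a federation might also release.

```php
<?php
// Added example (not Moodle's code, nor any poster's): normalising the raw strings a
// Shibboleth SP exports into $_SERVER. Covers the two points raised in the thread:
// the encoding of names (the utf8_decode post) and a multi-valued attribute such as
// eduPersonEntitlement carrying course codes.

// Decode one single-valued attribute for storage.
// $siteIsUtf8 = false models a Moodle 1.5 site with a Latin-1 database, the case in which
// the thread proposes utf8_decode(). mb_convert_encoding() does the same conversion;
// utf8_decode()/utf8_encode() are deprecated since PHP 8.2.
// Returns array(value, lossy); lossy is true when a character had no Latin-1 form and was
// replaced by '?', which is worth logging rather than storing silently.
function shib_decode_value($raw, $siteIsUtf8) {
    // The SP hands over UTF-8. Bytes that are not valid UTF-8 are treated as Latin-1
    // that was already decoded once, and are never decoded a second time.
    $isUtf8 = mb_check_encoding($raw, 'UTF-8');
    if ($siteIsUtf8) {
        return array($isUtf8 ? $raw : mb_convert_encoding($raw, 'UTF-8', 'ISO-8859-1'), false);
    }
    if (!$isUtf8) {
        return array($raw, false);
    }
    $latin1 = mb_convert_encoding($raw, 'ISO-8859-1', 'UTF-8');
    // Round-tripping detects characters that did not survive the conversion.
    $lossy = (mb_convert_encoding($latin1, 'UTF-8', 'ISO-8859-1') !== $raw);
    return array($latin1, $lossy);
}

// Split a multi-valued attribute as the Shibboleth SP exports it: values joined with ';',
// a literal semicolon inside a value escaped as '\;'.
function shib_split_multivalue($raw) {
    $values  = array();
    $current = '';
    $len = strlen($raw);
    for ($i = 0; $i < $len; $i++) {
        if ($raw[$i] === '\\' && $i + 1 < $len && $raw[$i + 1] === ';') {
            $current .= ';';   // escaped separator: part of the value
            $i++;
        } elseif ($raw[$i] === ';') {
            $values[] = $current;
            $current  = '';
        } else {
            $current .= $raw[$i];
        }
    }
    $values[] = $current;
    return array_values(array_filter($values, 'strlen'));   // drop empty values
}

// Map eduPersonEntitlement values to course codes. Only values under an agreed URN prefix
// are accepted, so an unrelated entitlement can never enrol anyone; the prefix passed in
// below is constructed, a federation would define its own.
function shib_courses_from_entitlement(array $values, $prefix) {
    $courses = array();
    foreach ($values as $v) {
        if (strncmp($v, $prefix, strlen($prefix)) !== 0) {
            continue;
        }
        $code = substr($v, strlen($prefix));
        // The code is looked up in the database later; keep it to a plain character set.
        if (preg_match('/^[A-Za-z0-9._-]+$/', $code)) {
            $courses[] = $code;
        }
    }
    return array_values(array_unique($courses));
}

// --- constructed walk-through ----------------------------------------------------
function expect($cond, $what) {
    if (!$cond) { fwrite(STDERR, "FAILED: $what\n"); exit(1); }
}
list($name, $lossy) = shib_decode_value("J\xC3\xBCrgen M\xC3\xBCller", false);   // UTF-8 "Jürgen Müller"
expect($name === "J\xFCrgen M\xFCller" && !$lossy, 'umlauts decode to Latin-1');
list($name, $lossy) = shib_decode_value("Zo\xC3\xAB \xC5\x81ukasz", false);     // Ł has no Latin-1 form
expect($lossy, 'lossy conversion is flagged');
list($name, $lossy) = shib_decode_value("M\xFCller", true);                     // already Latin-1 bytes
expect($name === "M\xC3\xBCller", 'stray Latin-1 is re-encoded, not mangled');

$raw = 'urn:mace:example.org:course:MATH101;urn:mace:example.org:course:PHYS\;2;'
     . 'urn:mace:dir:entitlement:common-lib-terms';
$values = shib_split_multivalue($raw);
expect(count($values) === 3 && $values[1] === 'urn:mace:example.org:course:PHYS;2', 'escaped separator kept');
expect(shib_courses_from_entitlement($values, 'urn:mace:example.org:course:') === array('MATH101'),
       'only well-formed codes under the agreed prefix map to courses');
echo "all checks passed\n";
```

The prefix check is the important part for the enrolment idea: a value is an entitlement only because the federation says so, so a course mapping should accept nothing outside the namespace agreed with the identity providers.
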
Richard Treves
Re: Shibboleth Authorization?

Lukas,

Now I feel like an idiot. I've been wondering when Shibboleth was coming to Moodle; the only trouble was I've been searching for it spelt with one b.

As a non-developer I have only a tentative understanding of this thread, so please bear with me. I would like to direct students using BB to Moodle pages in a way that is seamless for them but would allow me to track their use of elements of Moodle. Can Shibboleth be used to register them into Moodle without a separate login? What would I need to do to achieve this?

Thanks

Rich
 
Lukas Haemmerle
Re: Shibboleth Authorization?

There are definitely two b's. Just for my understanding, BB = Blackboard?

Yes, you can use Shibboleth to register users automatically in Moodle. They won't need another username and password besides the one they use to authenticate at their Identity Provider.

When you set a link to a course page or something else in Moodle that requires a user to authenticate, a not yet logged-in user will be redirected to the Moodle login page. There, he can choose whether to log in manually (using Moodle's own user management) or to log in via Shibboleth. Alternatively, you can also configure Moodle to automatically log in all users via Shibboleth. In that case, they won't see the log in screen but will be sent to the Identity Provider directly.

Either way, a first time Moodle user who wants to log in via Shibboleth is redirected to his Identity Provider, where he has to authenticate. After being redirected back to Moodle, the user's Shibboleth attributes are used by Moodle to create the user's account, to log the user in and to finally redirect the user to the page he originally requested.

In your case, if the users already were logged in via Shibboleth on Blackboard, they won't have to authenticate again at their Identity Provider, so the whole process indeed is quite seamless.

You basically need a web server with Moodle and Shibboleth installed. And of course your users somewhere need to have an account on a Shibboleth Identity Provider. The Identity Provider must provide for each user at least the attributes: email address, given name, surname and some kind of unique identifier within the Shibboleth federation (the email address could be used for that as well).
All you then should have to do is to configure Moodle for Shibboleth. Have a look at the Moodle Shibboleth README, which can be found in moodle/auth/shibboleth.
 
Richard Treves
Re: Shibboleth Authorization?

Lukas,

Yup, BB = Blackboard
Thanks for that, I will see if I can do something practical with that.

Rich
 
amélie poitout
Re: Shibboleth Authentication

Hi everybody,

I'm new to this forum so I'm not sure I'm posting in the right thread.

I've set up a Shibboleth Service Provider which is retrieving attributes and credentials through an Identity Provider, and I think all is working fine as I can't see any errors in the logs...

My problem is that I want to use Shibboleth with Moodle and it doesn't work... I must have made a mistake but I can't see where. I've been through the README.txt and:
    - put the <location> .... </location> part in Apache,
    - filled the .htaccess file,
    - configured the attributes in Moodle.

What happens:
    - I click on the Shibboleth authentication link in Moodle,
    - I'm redirected to the page where I log in for Shibboleth to do the authentication,
    - I've got the message saying "Shibboleth authentication request..."
    - I'm redirected to the login page without being identified.

But shibboleth logs are saying among many lines :

- SP side :
"2006-06-02 09:00:10 INFO Shibboleth-TRANSACTION : Successful attribute query for session (ID: _8f6e739ba4ca94a24944a4d473b51bd7)"

- IdP side :
"2006-06-02 08:59:45,468 Authentication assertion issued to provider (https://dhcp15.rech18.emn.fr/shibboleth) on behalf of principal (apoitout). Name Identifier: (_a3a79996b2f1cf1a9fdebc35e3cebc25). Name Identifier Format: (urn:mace:shibboleth:1.0:nameIdentifier).
2006-06-02 08:59:46,037 Attribute assertion issued to provider (https://dhcp15.rech18.emn.fr/shibboleth) on behalf of principal (apoitout)."


Any ideas?

Thanks,

Amélie.
 
Lukas Haemmerle
Re: Shibboleth Authentication

Hi Amélie

Could you please tell me which version of Moodle you are using? Are you sure that you get any attributes? (Do you have another protected web page to verify that? E.g. a protected web page with <? print_r($_SERVER) ?> should give you some personal Shibboleth attributes.)

If you are using Moodle 1.6 Beta, you should at least get an error message if Shibboleth is not configured properly.
For Moodle 1.5 you have to make sure that the .htaccess file really is processed by Apache, because this is not the default behaviour of Apache. You have to set AllowOverride to 'all' or 'AuthConfig, Limit, Options' for the directory that contains this .htaccess file.
 
amélie poitout
Re: Shibboleth Authentication

Well, as I said on Friday, it should be my mistake, and it was: I misconfigured the mapping between the HTTP attributes sent by Shibboleth and the Moodle attributes, so it didn't produce any error message.

Thanks for your help, I realised my mistake thanks to the <? print_r($_SERVER) ?> script.

 
Daniel Nelson
Re: Shibboleth Authentication

Moodle Version:2.3.3+ on Linux/Apache/Oracle/PHP

This sounds similar to the problems I'm having.

I've got Apache set up as per the README.

I've got the attribute-map.xml set up to extract the username ("uid" on the Shib side).

<? print_r($_SERVER) ?> returns

[uid] => dwn

I've got the field in the shibboleth gui configuration under Administration->Plugins->Authentication->Shibboleth set to uid.

My username in Moodle is: dwn 

Yet I'm getting:

You seem to be Shibboleth authenticated but Moodle has no valid account for your username. Your account may not exist or it may have been suspended.

More information about this error

Debug info: 
Error code: shib_invalid_account_error
Stack trace:
  • line 467 of /lib/setuplib.php: moodle_exception thrown
  • line 88 of /auth/shibboleth/index.php: call to print_error()

I can't figure out why it isn't working.

Anyone got any ideas?

 
Filippo Carnevali
Re: Shibboleth Authentication

Hi,

Is this guide to be considered up to date for a Shibboleth setup in Moodle 2.7?

I'm stuck. I'm correctly redirected back to my platform and I get this error message:

"Shibboleth authentication doesn't seem to be set up correctly because no Shibboleth environment variables are present for this page."

Which "environment variable" am I missing?
(I did fill in the form in Admin > Plugins > Auth > Shibb with username, name, surname, etc.)

Any clues about how to get on with the deployment?

Filippo
 
Dave Perry
Re: Shibboleth Authentication

This might seem an obvious question, but have you configured the SP on the moodle server to deal with the appropriate attributes (attribute-map.xml) and on the IdP end told it to release these attributes from that user's network profile?

I have it working if you need a reference (happy to post certain parts of our config).

 
Filippo Carnevali
Re: Shibboleth Authentication

That would be fantastic.

I'm learning my way into Shibboleth and I could have missed a step!

Thank you very much!

Filippo Carnevali
Re: Shibboleth Authentication

On the Moodle server, where can I locate the XML file so I can check with the server administrator?

 
Dave Perry
Re: Shibboleth Authentication

On a usual system it's in:

C:\opt\shibboleth-sp\etc\shibboleth

EDIT - the above is for Windows.
On linux, look in /opt/shibboleth-sp/etc/shibboleth

 
Filippo Carnevali
Re: Shibboleth Authentication

About the attribute-map.xml and the config files, do you prefer to share them via email, private message or here on the forum?

Let me know which course of action fits your need.

F.

 
Filippo Carnevali
Re: Shibboleth Authentication

Hi to everyone,

In the end, the problem was caused by a series of small (aka stupid) things.

The Moodle platform's HTTPS needed to be fully configured, as well as its parameters in the config file.

In the Shibboleth file (Moodle-side), the correct Shibboleth version line needed to be commented/uncommented.

The strings inside the Shibboleth configuration panel in Moodle needed to be changed (they were actually too long).

I hope I'll have time to write down a Shibboleth+Moodle introduction to help out others like me who don't have much experience with SSO systems. Maybe I'll post it here to get a technical and an English review from you guys.

I just hope I have time in the near future.

Thanks again to everyone.

F.

 