I (and increasingly more people around the world) am very interested in the Shibboleth authentication method why I started finding a solution to fully integrate Shibboleth authentication into Moodle. A while after I started I noticed that Markus Hagman already had done a Shibboleth authentication method for Moodle. The thing is though that the README.txt in moodle/auth/shibboleth/ doesn't cover all the points needed to use Shibboleth authentication or may be I just havent found yet all the details 
But let me explain first, what it's all about and would be interesting for us:
To give you a small overview about Shibboleth see http://shibboleth.internet2.edu/ or http://www.switch.ch/aai/ for a case study (thats our Shibboleth federation). Basically Shibboleth provides an authentication method for web-based applications. Users have to authenticate themselves once with one single username and password (in our case the users are mostly students from different universities all around Switzerland) and when they are authenticated they can use different services from other universities, libraries, content-providers in general without having to authenticate again (e.g. they could jump from one moodle site to another without re authenticating). This has various advantages for the users and the content-providers mainly concerning user management and security. But thats just the very very short introduction
What probably quite a lot of universities in a Shibboleth federation (group of schools or universities that use Shibboleth) want is the case of a dual-login, using the manual authentication method (as it is known in Moodle) and Shibboleth. This could look like this:
I didnt change the sourcecode or something, just edited three string values from moodlelib strings. I guess the manual part is self-explaining, but what happens if a user clicks on that AAI button (AAI stands for Authentication and Authorisation Infrastructure and is the name we are using in our Shibboleth federation)? Well, if a user clicks on that button the following should happen:
1. Redirect to a Shibboleth protected directory as it is described in moodle/auth/Shibboleth/README.txt
2. If user already is Shibboleth authenticated (this implies that the Apache server can provide the users Shibboleth attributes, e.g. HTTP_SHIB_SWISSEP_UNIQUEID in our case) go to 3. else the user is (automatically) redirected to a Shibboleth page where the login name and password have to be provided. Then the user automatically is redirected again to this page with the difference that the user is authenticated now.
3. If this user already has a user record, set up his session. Else his user record first has to be (automatically) created.
This all perfectly works right now, the only problem is that the Moodle code has to be extended a bit. Of course every admin who uses Shibboleth could do that by himself but we think that it would be a better solution to include the code into the official Moodle distribution. The code is generally usuable and not adapted to our specific Shibboleth implementation.
The changes that would be necessary to extend the moodle code and file structure are (most of this is already described in moodle/auth/shibboleth/README.txt):
1. A new directory has to be created, e.g. moodle/auth/shibboleth/login (alternatively the moodle/auth/shibboleth directory could be used for that itself)
2. within that directory there has to be a .htaccess file with
## Shibboleth authentication required
AuthType shibboleth
ShibRequireSession On
require valid-user
# Adapt the require statement to your needs
Furthermore there has to be an index.php file within that directory with the following content:
<?php
header("Location: ../../login/");
?>
3. The moodle/login/index.php file has to be extended by:
if ($CFG->shib_user_attribute && $_SERVER[$CFG->shib_user_attribute]) {
$frm->username = $_SERVER[$CFG->shib_user_attribute];
$frm->password = substr(base64_encode($_SERVER[$CFG->shib_user_attribute]),0,8);
}
after every "$frm = data_submitted();" line. What the code actually does is to "fill" the form data with the shib_user_attribute that is used in moodle/auth/shibboleth/lib.php:auth_user_login($username, $password) to check if this user is authenticated. The password line is not really necessary, but may be useful if an admin decides to convert a shibboleth user account into a manual one (the password could also be something constant since it is not possible that a shibboleth user can use the manual login).
4. In the moodle/login directory there should be a .htaccess file with the following content (the statements have to be commented out per default because they may cause problems on moodle instances on webservers that don't have Shibboleth installed):
## Shibboleth lazy session
#AuthType shibboleth
#ShibRequireSession Off
#require shibboleth
5. On the login page there has to be a link to the moodle/auth/sibboleth/login directory (can be done manually by the moodle admin modifying the moodlelib strings).
Thats about it. This is just a suggestion and I think that this solution may be useful to provide complete Shibboleth support for Moodle. I am also willing to contribute this (and more commented) code and extend the README it that is wished. But I thought that I first ask around in this forum if this is appreciated.
Cheers
Lukas
To give you a small overview about Shibboleth see http://shibboleth.internet2.edu/ or http://www.switch.ch/aai/ for a case study (thats our Shibboleth federation). Basically Shibboleth provides an authentication method for web-based applications. Users have to authenticate themselves once with one single username and password (in our case the users are mostly students from different universities all around Switzerland) and when they are authenticated they can use different services from other universities, libraries, content-providers in general without having to authenticate again (e.g. they could jump from one moodle site to another without re authenticating). This has various advantages for the users and the content-providers mainly concerning user management and security. But thats just the very very short introduction
What probably quite a lot of universities in a Shibboleth federation (group of schools or universities that use Shibboleth) want is the case of a dual-login, using the manual authentication method (as it is known in Moodle) and Shibboleth. This could look like this:
I didnt change the sourcecode or something, just edited three string values from moodlelib strings. I guess the manual part is self-explaining, but what happens if a user clicks on that AAI button (AAI stands for Authentication and Authorisation Infrastructure and is the name we are using in our Shibboleth federation)? Well, if a user clicks on that button the following should happen:
1. Redirect to a Shibboleth protected directory as it is described in moodle/auth/Shibboleth/README.txt
2. If user already is Shibboleth authenticated (this implies that the Apache server can provide the users Shibboleth attributes, e.g. HTTP_SHIB_SWISSEP_UNIQUEID in our case) go to 3. else the user is (automatically) redirected to a Shibboleth page where the login name and password have to be provided. Then the user automatically is redirected again to this page with the difference that the user is authenticated now.
3. If this user already has a user record, set up his session. Else his user record first has to be (automatically) created.
This all perfectly works right now, the only problem is that the Moodle code has to be extended a bit. Of course every admin who uses Shibboleth could do that by himself but we think that it would be a better solution to include the code into the official Moodle distribution. The code is generally usuable and not adapted to our specific Shibboleth implementation.
The changes that would be necessary to extend the moodle code and file structure are (most of this is already described in moodle/auth/shibboleth/README.txt):
1. A new directory has to be created, e.g. moodle/auth/shibboleth/login (alternatively the moodle/auth/shibboleth directory could be used for that itself)
2. within that directory there has to be a .htaccess file with
## Shibboleth authentication required
AuthType shibboleth
ShibRequireSession On
require valid-user
# Adapt the require statement to your needs
Furthermore there has to be an index.php file within that directory with the following content:
<?php
header("Location: ../../login/");
?>
3. The moodle/login/index.php file has to be extended by:
if ($CFG->shib_user_attribute && $_SERVER[$CFG->shib_user_attribute]) {
$frm->username = $_SERVER[$CFG->shib_user_attribute];
$frm->password = substr(base64_encode($_SERVER[$CFG->shib_user_attribute]),0,8);
}
after every "$frm = data_submitted();" line. What the code actually does is to "fill" the form data with the shib_user_attribute that is used in moodle/auth/shibboleth/lib.php:auth_user_login($username, $password) to check if this user is authenticated. The password line is not really necessary, but may be useful if an admin decides to convert a shibboleth user account into a manual one (the password could also be something constant since it is not possible that a shibboleth user can use the manual login).
4. In the moodle/login directory there should be a .htaccess file with the following content (the statements have to be commented out per default because they may cause problems on moodle instances on webservers that don't have Shibboleth installed):
## Shibboleth lazy session
#AuthType shibboleth
#ShibRequireSession Off
#require shibboleth
5. On the login page there has to be a link to the moodle/auth/sibboleth/login directory (can be done manually by the moodle admin modifying the moodlelib strings).
Thats about it. This is just a suggestion and I think that this solution may be useful to provide complete Shibboleth support for Moodle. I am also willing to contribute this (and more commented) code and extend the README it that is wished. But I thought that I first ask around in this forum if this is appreciated.
Cheers
Lukas
).
