Changes between Version 1 and Version 2 of MoodleShib
- Timestamp:
- 03/12/13 10:30:39 (11 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
MoodleShib
v1 v2 1 Shibboleth Authentication for Moodle (from the README.txt file in Moodle distribution) 2 ------------------------------------------------------------------------------- 1 == [[https://iam.alaska.edu/|IAM]] / [[https://iam.alaska.edu/projects|Projects]] / [[https://iam.alaska.edu/shib|Shibboleth]] / [[ServiceCandidates|Service Candidates]] / Moodle == 2 3 Shibboleth Authentication for Moodle 4 (from the README.txt file in Moodle distribution) 5 --------------------------------------------------------------------------- 3 6 4 7 Requirements: … … 24 27 - 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth 25 28 language files. 26 - 3. 2009: Added various improvements and bug fixes reported by Ina M �ller from29 - 3. 2009: Added various improvements and bug fixes reported by Ina Moller from 27 30 university Tuebingen and Peter Ellis of University of Washington 28 31 - 4. 2009: Added another requirement for logout regarding the call back script … … 36 39 For Apache you have to define a rule like the following in the Apache config: 37 40 38 -- 41 39 42 40 43 {{{ … … 46 49 }}} 47 50 48 -- 51 49 52 50 53 To restrict access to Moodle, replace the access rule 'require valid-user' … … 52 55 53 56 For IIS you have protect the auth/shibboleth directory directly in the 54 RequestMap of the Shibboleth configuration file (shibboleth.xml or57 !RequestMap of the Shibboleth configuration file (shibboleth.xml or 55 58 shibboleth2.xml). 56 59 57 -- 60 58 61 59 62 {{{ … … 67 70 }}} 68 71 69 -- 72 70 73 71 74 Also see: … … 96 99 ############################################################################# 97 100 98 4.a If you want Shibboleth as your only authentication method with an external 99 Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the 100 'Common settings' in 'Administrations >> Users >> Authentication Options' 101 to the the URL of the file 'moodle/auth/shibboleth/index.php'. 102 This will enforce Shibboleth login. 103 104 4.b If you want to use the Moodle integrated WAYF service, you have to activate it 105 in the Moodle Shibboleth authentication settings by checking the 106 'Moodle WAYF Service' checkbox and providing a list of entity IDs in the 107 'Identity Providers' textarea together with a name and an optional 108 !SessionInitiator URL, which usually is an absolute or relative URL pointing 109 to the same host. If no !SessionInitiator URL is given, the default one 110 '/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For 111 Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a !SessionInitiator. 112 Also see https://spaces.internet2.edu/display/SHIB/SessionInitiator 113 and https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator 101 4.a If you want Shibboleth as your only authentication method with an external Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the 'Common settings' in 'Administrations >> Users >> Authentication Options' to the the URL of the file 'moodle/auth/shibboleth/index.php'. This will enforce Shibboleth login. 102 103 4.b If you want to use the Moodle integrated WAYF service, you have to activate it in the Moodle Shibboleth authentication settings by checking the 'Moodle WAYF Service' checkbox and providing a list of entity IDs in the 'Identity Providers' textarea together with a name and an optional !SessionInitiator URL, which usually is an absolute or relative URL pointing to the same host. If no !SessionInitiator URL is given, the default one '/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a !SessionInitiator. Also see https://spaces.internet2.edu/display/SHIB/SessionInitiator and https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator 114 104 115 105 Important Note: If you upgraded from a previous version of Moodle and now want to use the integrated WAYF, you have to make sure that in step 1 only the index.php script in moodle/auth/shibboleth/ is protected but *not* the other scripts and especially not the login.php script. … … 127 117 Important Note: If you went for 4.b (integrated WAYF service), saving the settings will overwrite the Moodle Alternate Login URL using the Moodle web root URL. 128 118 129 6. If you want to use Shibboleth in addition to another authentication method 130 not using the integrated WAYF service from 4.b, change the 'Instructions' in 131 'Administrations >> Users >> Manage authentication' to contain a link to the 132 moodle/auth/shibboleth/index.php file which is protected by 133 Shibboleth (see step 1.) and causes the Shibboleth login procedure to start. 134 You can also use HTML code in that field, e.g. to include an image as a 135 Shibboleth login button. 119 6. If you want to use Shibboleth in addition to another authentication method not using the integrated WAYF service from 4.b, change the 'Instructions' in 'Administrations >> Users >> Manage authentication' to contain a link to the moodle/auth/shibboleth/index.php file which is protected by Shibboleth (see step 1.) and causes the Shibboleth login procedure to start. You can also use HTML code in that field, e.g. to include an image as a Shibboleth login button. 136 120 137 121 Note: As of now you cannot use dual login together with the integrated WAYF service provided by Moodle (4.b). … … 139 123 7. Save the authentication changes. 140 124 141 How the Shibboleth authentication works 142 -------------------------------------------------------------------------------- 125 == How the Shibboleth authentication works == 126 143 127 To get Shibboleth authenticated in Moodle a user basically must access the 144 128 Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only … … 168 152 authentication method unless they have two accounts in Moodle. 169 153 170 Shibboleth dual login with custom login page 171 -------------------------------------------------------------------------------- 154 == Shibboleth dual login with custom login page == 155 172 156 You can create a dual login page that better fits your needs. For this 173 157 to work, you have to set up the two authentication methods (e.g. 'Manual … … 179 163 Consult the Moodle documentation for further instructions and requirements. 180 164 181 How to customize the way the Shibboleth user data is used in Moodle 182 -------------------------------------------------------------------------------- 165 == How to customize the way the Shibboleth user data is used in Moodle == 166 183 167 Among the Shibboleth settings in Moodle there is a field that should contain a 184 168 path to a php file that can be used as data manipulation hook. … … 268 252 ******************************************************************************** 269 253 270 How to add logout support 271 -------------------------------------------------------------------------------- 254 == How to add logout support == 255 256 272 257 In order make Moodle support Shibboleth logout, one has to make the Shibboleth 273 258 Service Provider (SP) aware of the Moodle logout capability. Only then the SP … … 279 264 {{{ 280 265 <MetadataProvider> 281 }}} 282 element. 283 284 -- 266 }}} 267 element. 268 285 269 286 270 {{{ … … 288 272 Channel="back" 289 273 Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /> 290 -- 274 291 275 }}} 292 276 … … 308 292 like this to your Apache configuration after all the other require rules 309 293 310 -- 294 311 295 312 296 {{{ … … 318 302 }}} 319 303 320 -- 304 321 305 When using IIS, the same can be achieved by something like: 322 -- 306 {{{ 323 307 <Path name="auth/shibboleth/logout.php" requireSession="false" > 324 -- 308 }}} 325 309 in the shibboleth2.xml RequestMap. 326 310
