Changes between Version 1 and Version 2 of MoodleShib


Ignore:
Timestamp:
03/12/13 10:30:39 (7 years ago)
Author:
dabantz@…
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • MoodleShib

    v1 v2  
    1 Shibboleth Authentication for Moodle (from the README.txt file in Moodle distribution) 
    2 ------------------------------------------------------------------------------- 
     1== [[https://iam.alaska.edu/|IAM]] / [[https://iam.alaska.edu/projects|Projects]] / [[https://iam.alaska.edu/shib|Shibboleth]] / [[ServiceCandidates|Service Candidates]] / Moodle == 
     2 
     3Shibboleth Authentication for Moodle  
     4(from the README.txt file in Moodle distribution) 
     5--------------------------------------------------------------------------- 
    36 
    47Requirements: 
     
    2427- 1.  2008: Added logout hook and moved Shibboleth config strings to utf8 auth 
    2528            language files. 
    26 - 3.  2009: Added various improvements and bug fixes reported by Ina Mller from 
     29- 3.  2009: Added various improvements and bug fixes reported by Ina Moller from 
    2730            university Tuebingen and Peter Ellis of University of Washington 
    2831- 4.  2009: Added another requirement for logout regarding the call back script 
     
    3639   For Apache you have to define a rule like the following in the Apache config: 
    3740 
    38 -- 
     41 
    3942 
    4043{{{ 
     
    4649}}} 
    4750 
    48 -- 
     51 
    4952 
    5053   To restrict access to Moodle, replace the access rule 'require valid-user' 
     
    5255 
    5356   For IIS you have protect the auth/shibboleth directory directly in the 
    54    RequestMap of the Shibboleth configuration file (shibboleth.xml or 
     57   !RequestMap of the Shibboleth configuration file (shibboleth.xml or 
    5558   shibboleth2.xml). 
    5659 
    57 -- 
     60 
    5861 
    5962{{{ 
     
    6770}}} 
    6871 
    69 -- 
     72 
    7073 
    7174   Also see: 
     
    9699   ############################################################################# 
    97100 
    98 4.a  If you want Shibboleth as your only authentication method with an external 
    99      Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the 
    100      'Common settings' in 'Administrations >> Users >> Authentication Options' 
    101      to the the URL of the file 'moodle/auth/shibboleth/index.php'. 
    102      This will enforce Shibboleth login. 
    103  
    104 4.b If you want to use the Moodle integrated WAYF service, you have to activate it 
    105    in the Moodle Shibboleth authentication settings by checking the 
    106     'Moodle WAYF Service' checkbox and providing a list of entity IDs in the 
    107     'Identity Providers' textarea together with a name and an optional 
    108     !SessionInitiator URL, which usually is an absolute or relative URL pointing 
    109     to the same host. If no !SessionInitiator URL is given, the default one 
    110     '/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For 
    111     Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a !SessionInitiator. 
    112     Also see https://spaces.internet2.edu/display/SHIB/SessionInitiator 
    113     and https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator 
     1014.a  If you want Shibboleth as your only authentication method with an external Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the 'Common settings' in 'Administrations >> Users >> Authentication Options' to the the URL of the file 'moodle/auth/shibboleth/index.php'. This will enforce Shibboleth login. 
     102 
     1034.b If you want to use the Moodle integrated WAYF service, you have to activate it in the Moodle Shibboleth authentication settings by checking the 'Moodle WAYF Service' checkbox and providing a list of entity IDs in the 'Identity Providers' textarea together with a name and an optional !SessionInitiator URL, which usually is an absolute or relative URL pointing to the same host. If no !SessionInitiator URL is given, the default one '/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a !SessionInitiator.  Also see https://spaces.internet2.edu/display/SHIB/SessionInitiator and https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator 
    114104 
    115105    Important Note: If you upgraded from a previous version of Moodle and now want to use the integrated WAYF, you have to make sure that in step 1 only the index.php script in moodle/auth/shibboleth/ is protected but *not* the other scripts and especially not the login.php script. 
     
    127117    Important Note: If you went for 4.b (integrated WAYF service), saving the settings will overwrite the Moodle Alternate Login URL using the Moodle web root URL. 
    128118 
    129 6.  If you want to use Shibboleth in addition to another authentication method 
    130     not using the integrated WAYF service from 4.b, change the 'Instructions' in 
    131     'Administrations >> Users >> Manage authentication' to contain a link to the 
    132      moodle/auth/shibboleth/index.php file which is protected by 
    133      Shibboleth (see step 1.) and causes the Shibboleth login procedure to start. 
    134      You can also use HTML code in that field, e.g. to include an image as a 
    135      Shibboleth login button. 
     1196.  If you want to use Shibboleth in addition to another authentication method not using the integrated WAYF service from 4.b, change the 'Instructions' in 'Administrations >> Users >> Manage authentication' to contain a link to the moodle/auth/shibboleth/index.php file which is protected by Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.  You can also use HTML code in that field, e.g. to include an image as a Shibboleth login button. 
    136120 
    137121  Note: As of now you cannot use dual login together with the integrated WAYF service provided by Moodle (4.b). 
     
    1391237. Save the authentication changes. 
    140124 
    141 How the Shibboleth authentication works 
    142 -------------------------------------------------------------------------------- 
     125== How the Shibboleth authentication works == 
     126 
    143127To get Shibboleth authenticated in Moodle a user basically must access the 
    144128Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only 
     
    168152authentication method unless they have two accounts in Moodle. 
    169153 
    170 Shibboleth dual login with custom login page 
    171 -------------------------------------------------------------------------------- 
     154== Shibboleth dual login with custom login page == 
     155 
    172156You can create a dual login page that better fits your needs. For this 
    173157to work, you have to set up the two authentication methods (e.g. 'Manual 
     
    179163Consult the Moodle documentation for further instructions and requirements. 
    180164 
    181 How to customize the way the Shibboleth user data is used in Moodle 
    182 -------------------------------------------------------------------------------- 
     165== How to customize the way the Shibboleth user data is used in Moodle == 
     166 
    183167Among the Shibboleth settings in Moodle there is a field that should contain a 
    184168path to a php file that can be used as data manipulation hook. 
     
    268252******************************************************************************** 
    269253 
    270 How to add logout support 
    271 -------------------------------------------------------------------------------- 
     254== How to add logout support == 
     255 
     256 
    272257In order make Moodle support Shibboleth logout, one has to make the Shibboleth 
    273258Service Provider (SP) aware of the Moodle logout capability. Only then the SP 
     
    279264{{{ 
    280265<MetadataProvider> 
    281 }}} 
    282  element. 
    283  
    284 -- 
     266}}}  
     267element. 
     268 
    285269 
    286270{{{ 
     
    288272    Channel="back" 
    289273    Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /> 
    290 -- 
     274 
    291275}}} 
    292276 
     
    308292  like this to your Apache configuration after all the other require rules 
    309293 
    310 -- 
     294 
    311295 
    312296{{{ 
     
    318302}}} 
    319303 
    320 -- 
     304 
    321305  When using IIS, the same can be achieved by something like: 
    322 -- 
     306{{{ 
    323307<Path name="auth/shibboleth/logout.php" requireSession="false" > 
    324 -- 
     308}}} 
    325309  in the shibboleth2.xml RequestMap. 
    326310