13 November 2009, 11:45

For many good reasons, we have decided to use shibboleth to integrate all services as Moodle etc ...

So, I would like to know if some body is already working on a shibboleth auth plugins? 

thanks in advance,

Hélène

13 November 2009, 15:36

Hi Hélène:

I'm not using it up to this date, but I've read the shibboleth web page and, I promise, I'll try it. It sounds very interesting and useful. Sincerely. Fred

15 November 2009, 18:28

Hi - someone filed a bug on the tracker a coupe of weeks ago about a problem with the length of our username column when using some kind of SAML2/shibboleth/kerberos SSO thing, that person is writing a plugin so maybe support will be available soon.

Found the bug:  https://eduforge.org/tracker/index.php?func=detail&aid=3424&group_id=176&atid=739

15 November 2009, 19:58

That would be me. I'm working on a Shibboleth Authentication plugin based on the SimpleSAMLPHP  Authentication plugin by  Piers Harding <[email protected]>.Thanks Piers.

BTW there is little difference between the Internet2 Shibboleth 2.x  SAML Service Provider and the SimpleSAMLPHP SAML Service Provider except for the Shibboleth SP supporting more SAML profiles and IMHO is easier to integrate into an some applications. And while I've used SSP for a number of federated sites I myself am happier using the Shiiboleth. Hey its one of those religion thangs.

Once I'm finished smooth over the cracks I'll put it up somewhere; perhaps of the Mahara plugin wiki site.

03 December 2010, 17:07

I know I'm a year late coming to this, but what did you do about deep-linking?  

For example, if you are not logged in and go to a URL like http://mahara.example.com/user/view.php?id=123, you get a login prompt that is incompatible with Shibboleth.  

This is different than the prompt generated on the home page, which can be overridden in your theme with templates/sideblocks/login.tpl.  

Instead, in the deep-linking case, the login prompt is generated by the JavaScript function show_login_form() in js/mahara.js.  

I'm not sure what the best way to override that is.  Maybe I have exceptionally weak Google Fu and jet-lag today.

06 December 2010, 12:23

Oops.  My boneheaded mistake.  It appears to be in theme/{THEME}/templates/login.tpl, so that's the place to modify it.  Ignore me.

08 December 2010, 18:02

Since Rich (see below) found the template file to change, I have another question about deep linking... Do you know how to tell SimpleSAMLphp that the user should be returned to the deep link page after authentication?

For instance, if you send the user to /auth/saml for authentication, the user is just sent to the Mahara home page after authentication, but the user originally wanted to go to /user/view.php?id=123. Is there a way to tell /auth/saml that the user needs to go to /user/view.php?id=123 after authentication?

Thanks!

09 December 2010, 10:57

Hi Lucas -

the auth/saml plugin does need an improvement to remember the original target URL when a user is forced around the login loop (eg. user goes to /user/view.php?id=123 ->redirected to /auth/saml/ -> some how knows to get back to /user/view.php?id=123 again...).

This has been done in Moodle with the wantsurl parameter, and something similar would work here (when I get enough tuits to make the change).

Cheers,

Piers Harding.

09 December 2010, 19:02

I just submitted a patch to index.php that I believe implements this behavior.  A couple of notes:

1) I don't grok what's going on with the SESSION stuff...closing the session to let SAML do its thing, then opening the session again...so I just wrote directly to the $_SESSION array rather than using the abstraction.  You may want to refactor that part, unless what I did happens to make sense in the context.

2)  I suppose there should be a config option to force redirecting to a front page and forbid deep-linking?  Not sure.

The patch can be found at https://bugs.launchpad.net/mahara/+bug/688395.