Questions on getting Xerte Toolkits installed on your server and questions about authentication and user logins.

TOPIC: Does Xerte Online Toolkit work with shibboleth?

Does Xerte Online Toolkit work with shibboleth? 6 years 5 months ago #2837

  • fgeng (Topic Author), Fresh Boarder, Posts: 1, Thank you received: 0
I am new to these forums...

Finally we have got our local installation of Xerte Online Toolkit. Could anyone help me to configure our local Xerte to work with Shibboleth?

Many thanks in advance!

Fawei


Last edit: by fgeng.

Does Xerte Online Toolkit work with shibboleth? 6 years 4 months ago #2922

  • jayaich, Expert Boarder, Posts: 82, Thank you received: 5
We have just installed the 3.0 beta version of Xerte - rather than the 2.1 version - partly because it includes some code for working with Shibboleth. I'll be taking a look at that in a couple of days' time. I can already see that it suggests using the php-saml package, which we have installed but not configured yet. I'll let you know if we get it working.

John.


Does Xerte Online Toolkit work with shibboleth? 6 years 4 months ago #2942

  • jjs, Platinum Boarder, Posts: 383, Thank you received: 66
Thanks John, we'll all be keen to hear how you get on with setting up Shibboleth auth. Perhaps you could even put together a step-by-step for others as you are doing it? I'm sure others would be interested in seeing the process, even out of curiosity; I know I would...


Does Xerte Online Toolkit work with shibboleth? 6 years 3 months ago #2975

  • jayaich, Expert Boarder, Posts: 82, Thank you received: 5
Sorry for the delay in replying. I've been trying to work to a deadline, and some things have got a bit left behind.

The good news is that we have been running XOT with Shibboleth for a couple of weeks now with no problems.

There is bad news though. The docs suggest using the 'php-saml' software. We installed this and configured it as best we could, but we always received an encryption error from the IdP. I spent some time looking at this, but didn't really get anywhere.

So, instead, we decided to use the Shibboleth consortium software from shibboleth.net/. We have used this software on other servers with no problems, and since we are running CentOS on the XOT server we can just download the RPM and install that.

Installation of the software also creates the SP metadata (I think. We changed ours a couple of times using a script which is provided to recreate the metadata. If it isn't created automatically, then just run the 'metagen.sh' script). It also installs an Apache module/config file used for talking between Shibboleth and Apache. The Shibboleth software does require configuration in that the SP metadata needs to be configured into the IdP, and the IdP metadata into the SP (which basically just involves copying a file from one server to the other). The SP config file (/etc/shibboleth/shibboleth2.xml) needs to be configured in that it needs to be told where the IdP is located, what attributes to expect and what the SP entityID is. The 'attribute-map.xml' file may also need to be modified depending on what attributes you are going to use.

On the IdP side, this needs to be configured to recognise the SP entityID, and release whatever attributes are required. (We release a few attributes by default, but in this case the unscoped-affiliation is the one we mainly want.)

It might all sound a bit complicated, but to be honest once you've set up the SP and reconfigured the IdP a couple of times it becomes quite easy. (We use the same shibboleth.net software on our IdP as well.)

Once it's all set up, then start the 'shibd' process on the XOT server. The installation docs on shibboleth.net will give you some info about how to test that the IdP and SP are talking to each other. Running 'lynx https://localhost/Shibboleth.sso/Status' from a console on the server itself will give you a quick idea if they are talking to each other. If you get some gibberish output, then it's working. If you get some sort of error, or no output, then it's not working.

The SP software provides log files in two directories. The shibd output is in '/var/log/shibboleth', and this will show you the attributes being received in the transaction log. (The attribute values are not shown.) Other errors may appear in the '/var/log/shibboleth-www' directory.

The Apache shibboleth module, by default, sets up a '/secure' directory which requires shibboleth authentication. So for testing just create the 'secure' directory in your web server document root, and drop in there a simple PHP file containing a call to 'phpinfo()'. Using a browser, access the file and you should be prompted by your IdP for login credentials. The phpinfo call should dump a load of PHP info in the browser, and near the bottom should be the $_SERVER variables. Amongst them you should see the Shibboleth attributes you have requested. So for example, "$_SERVER", "$_SERVER" etc. So far so good, you now have Shibboleth, Apache and PHP all talking.

The last part is now to get XOT to call Shibboleth when the 'Login' button is clicked, and to use the variables to check whether the user is allowed to log in or not. This requires writing a shortish PHP script, which I based on the 'Saml2.php' script. I called this file 'Shibboleth.php'. This goes into the 'library/Xerte/Authentication' directory under your web server document root. I see no way round writing the script, since what attributes a site wants to use could be anything, so it will at least require modifying any provided script, just as with the current 'Saml2.php' script. That is, I don't think Xerte can automate this part of the installation process because it will vary from site to site. Secondly, the 'auth_config.php' file must be changed to use the 'Shibboleth' login method (that is what we called it, but others can obviously call it whatever they want; the name must match the filename used above). Finally, the 'login_library.php' file must be changed to recognise the Shibboleth method, and the 'index.php' file to cater for the Logout button. I'll attach (hopefully) copies of the changes made.

When the login button is clicked the user is taken to the URL '/Shibboleth.sso/Login?target=xxx'. and for the Logout button the location is '/Shibboleth.sso/Logout?return=xxx'. In both cases the 'xxx' is the URL of the XOT server (xerte_toolkits_site->site_url). So there is no need for any extra code to handle replies to or from the SP or IdP (the shibd process does all that). It also means that when the Logout button is clicked, the user is returned to the Login page (because index.php sees them as not logged in).

In our case we have made some other changes for Shibboleth. All users must be presented with the login page initially. That is, it does not automatically log them in immediately. The user must click on the login button (whether they get prompted for their userid/password of course depends on whether they have used Shibboleth SSO to log in to some other service first). Secondly, the userid and password boxes have been removed since they are not required. It may only confuse the user to enter their credentials and then click the login button (and sort of defeats SSO). Finally, the 'Logout' button logs them out of XOT but also out of the current Shibboleth session, and returns them to the XOT login page. So any other SSO session (to some other service) will still work, but to enter XOT again they must again click on the Login button (obviously they won't be prompted for a userid/password if the IdP still recognises their credentials as valid). Other sites may or may not want to do the same. As such the Xerte developers may or may not want to include all or any of the changes we have made (or even make some of them configurable via the management interface?).

Since Shibboleth is provided as an authentication method with Apache, you can setup various locations/directories so that only authenticated users can access them. The USER-FILES, print and editor directories seem like good ones to use. The Apache authentication configuration is set up the same as was provided for the '/secure' directory. So before being able to do anything of any use, users must be authenticated.


That's it really. Again, it might seem complicated, but in fact there were only a few changes required to the XOT code, and all the IdP/SP traffic is handled by the shibd process.


Does Xerte Online Toolkit work with shibboleth? 6 years 3 months ago #2976

  • jayaich, Expert Boarder, Posts: 82, Thank you received: 5
Hmm, no attachments. Let's try that again...


Does Xerte Online Toolkit work with shibboleth? 6 years 3 months ago #2977

  • jayaich, Expert Boarder, Posts: 82, Thank you received: 5
Well, that didn't work. So here are the 3 patch diffs, and the Shibboleth.php file:
--- auth_config.php.orig        2015-07-29 23:17:22.000000000 +0100
+++ auth_config.php     2015-08-05 14:09:17.850485225 +0100
@@ -27,11 +27,12 @@
  * See code in library/Xerte/Authentication/*.php - where each file should match up to the value used below.
  */
 
-$xerte_toolkits_site->authentication_method = 'Guest';
+//$xerte_toolkits_site->authentication_method = 'Guest';
 //$xerte_toolkits_site->authentication_method = 'Ldap';
 //$xerte_toolkits_site->authentication_method = 'Db';
 //$xerte_toolkits_site->authentication_method = 'Static';
 //$xerte_toolkits_site->authentication_method = "Moodle";
+$xerte_toolkits_site->authentication_method = "Shibboleth";
 
 //restrict moodle guest access
 //comment out the following if you want the Moodle guest account to have authoring access
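Review bot: the new `authentication_method` value has to match the file name `library/Xerte/Authentication/Shibboleth.php` exactly, since the header comment in this hunk says each value maps to a file of that name, so keep the case as `Shibboleth` in both places; it would also read more consistently as `'Shibboleth'` in single quotes, like the commented-out `'Ldap'`, `'Db'` and `'Static'` lines above it, rather than copying the `"Moodle"` style.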




--- index.php.orig      2015-07-29 23:17:23.000000000 +0100
+++ index.php   2015-08-05 14:15:46.209359969 +0100
@@ -188,8 +188,12 @@
                 echo $_SESSION['toolkits_firstname'] . " " . $_SESSION['toolkits_surname']; ?>
                <div style="display: inline-block"><?php display_language_selectionform("general"); ?></div>
                <button title="<?PHP echo INDEX_BUTTON_LOGOUT; ?>" type="button" class="xerte_button_c_no_width"
-                        onclick="javascript:logout(<?php echo($xerte_toolkits_site->authentication_method == "Saml2" ? "true" : "false"); ?>)">
-                    <i class="fa fa-sign-out xerte-icon"></i><?PHP echo INDEX_BUTTON_LOGOUT; ?>
+                        <?php if ($xerte_toolkits_site->authentication_method == "Shibboleth" || $xerte_toolkits_site->authentication_method == "Saml2") { ?>
+                            onclick="javascript:logout(true)">
+                        <?php } else { ?>
+                            onclick="javascript:logout(false)">
+                        <?php } ?>
+                        <i class="fa fa-sign-out xerte-icon"></i><?PHP echo INDEX_BUTTON_LOGOUT; ?>
                 </button>
             </div>
             <div style="clear:both;"></div>
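Review bot: the `<button` start tag is now left open across three PHP branches that differ only in the literal `true`/`false` passed to `logout()`, which is easy to break on a later edit; keep the original single line and widen the test instead, e.g. `onclick="javascript:logout(<?php echo in_array($xerte_toolkits_site->authentication_method, array("Shibboleth", "Saml2")) ? "true" : "false"; ?>)">`. The re-indented `<i class="fa fa-sign-out ...">` line changes nothing and can be dropped from the patch.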






--- login_library.php.orig      2015-07-29 23:17:24.000000000 +0100
+++ login_library.php   2015-08-05 14:32:58.518954692 +0100
@@ -164,9 +164,14 @@
                               <?PHP echo INDEX_LOGIN; ?>
                             </p>
                             <div>
-
-                                <form method="post" enctype="application/x-www-form-urlencoded" ><p><?php echo INDEX_USERNAME; ?> <input type="text" size="20" maxlength="100" name="login" id="login_box"/></p><p><?PHP echo INDEX_PASSWORD; ?><input type="password" size="20" maxlength="100" name="password" /></p><p style="clear:left; width:95%; padding-bottom:15px;"><button type="submit" class="xerte_button"  style="float:right"><i class="fa fa-sign-in"></i> <?php echo INDEX_BUTTON_LOGIN; ?></button></p></form>
-                                <script>   document.getElementById("login_box").focus();      </script>
+                                <?php /* Shibboleth only shows the login button */
+                                    if ($xerte_toolkits_site->authentication_method == "Shibboleth") { ?>
+                                        <button type="button" onClick="window.location.href='<?php echo "/Shibboleth.sso/Login?target=" . $xerte_toolkits_site->site_url; ?>'" class="xerte_button" style="float:right"><i class="fa fa-sign-in"></i> <?php echo INDEX_BUTTON_LOGIN; ?></button>
+                                    <?php } else { ?>
+                                        <form method="post" enctype="application/x-www-form-urlencoded" ><p><?php echo INDEX_USERNAME; ?> <input type="text" size="20" maxlength="100" name="login" id="login_box"/></p><p><?PHP echo INDEX_PASSWORD; ?><input type="password" size="20" maxlength="100" name="password" /></p><p style="clear:left; width:95%; padding-bottom:15px;"><button type="submit" class="xerte_button"  style="float:right"><i class="fa fa-sign-in"></i> <?php echo INDEX_BUTTON_LOGIN; ?></button></p></form>
+                                        <script>   document.getElementById("login_box").focus();      </script>
+                                    <?php }
+                                ?>
                               <?php
                               if (!empty($messages)) {
                                 echo "<ul class='error'>";
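Review bot: `$xerte_toolkits_site->site_url` is written into the `target=` query value, and into a single-quoted JavaScript string inside an HTML attribute, without any encoding; a site_url containing `&`, `#`, `?` or `'` would either be truncated by the SP's handler or break the `onClick` handler. Use `"/Shibboleth.sso/Login?target=" . rawurlencode($xerte_toolkits_site->site_url)` and pass the resulting attribute value through `htmlspecialchars()`. Minor: `onClick` should be lower-case `onclick` to match the rest of the file.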
@@ -255,14 +260,20 @@
         </div>
         <div class="mainbody_holder">
             <div style="margin:0 7px 4px 0"><?php display_language_selectionform("");?></div>
-            <form method="post" enctype="application/x-www-form-urlencoded" >
-                <p style="margin:4px"><?php echo INDEX_USERNAME; ?>:
-                <input class="xerte_input_box" type="text" size="20" maxlength="100" name="login" id="login_box"/></p>
-                <p style="margin:4px"><?PHP echo INDEX_PASSWORD; ?>:
-                <input class="xerte_input_box" type="password" size="20" maxlength="100" name="password" /></p>
-                <button type="submit" class="xerte_button_c" style="margin:0 3px 0 0"><i class="fa fa-sign-in"></i> <?php echo INDEX_BUTTON_LOGIN; ?></button>
-            </form>
-            <script>document.getElementById("login_box").focus();      </script>
+            <?php /* Shibboleth only shows the login button */
+                if ($xerte_toolkits_site->authentication_method == "Shibboleth") { ?>
+                    <button type="button" onClick="window.location.href='<?php echo "/Shibboleth.sso/Login?target=" . $xerte_toolkits_site->site_url; ?>'" class="xerte_button_c" style="margin:0 3px 0 0"><i class="fa fa-sign-in" style="vertical-align:middle"></i> <?php echo INDEX_BUTTON_LOGIN; ?></button>
+                <?php } else { ?>
+                    <form method="post" enctype="application/x-www-form-urlencoded" >
+                        <p style="margin:4px"><?php echo INDEX_USERNAME; ?>:
+                        <input class="xerte_input_box" type="text" size="20" maxlength="100" name="login" id="login_box"/></p>
+                        <p style="margin:4px"><?PHP echo INDEX_PASSWORD; ?>:
+                        <input class="xerte_input_box" type="password" size="20" maxlength="100" name="password" /></p>
+                        <button type="submit" class="xerte_button_c" style="margin:0 3px 0 0"><i class="fa fa-sign-in"></i> <?php echo INDEX_BUTTON_LOGIN; ?></button>
+                    </form>
+                    <script>document.getElementById("login_box").focus();      </script>
+                <?php }
+            ?>
         </div>
     </div>
     <div style="clear:both;"></div>
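Review bot: this hunk repeats the Shibboleth button and the username/password form from the first hunk almost verbatim (only the CSS classes differ), so the two login pages will drift apart on the next change; move the `/Shibboleth.sso/Login` button into one small helper that takes the button class as a parameter and is called from both places. The `target=` value here is again built from `$xerte_toolkits_site->site_url` without encoding; wrap it in `rawurlencode()` inside that helper so it is fixed once.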




The Shibboleth.php file:
<?php

/**
 * Shibboleth authentication method for XOT.
 *
 * All of the SAML traffic is handled by shibd/mod_shib; by the time this class
 * runs, the SP has already authenticated the user and exported the released
 * attributes (uid, givenName, surname, unscoped-affiliation) into $_SERVER.
 */
class Xerte_Authentication_Shibboleth extends Xerte_Authentication_Abstract
{
    private $_record = array();

    public function getUsername() {
        return isset($this->_record['username']) ? $this->_record['username'] : null;
    }

    public function getFirstname() {
        return isset($this->_record['firstname']) ? $this->_record['firstname'] : null;
    }

    public function getSurname() {
        return isset($this->_record['surname']) ? $this->_record['surname'] : null;
    }

    public function check() {
        /* Nothing to verify locally: the SP and IdP are configured outside XOT. */
        return true;
    }

    public function login($username, $password) {
        /* Not called for this method (there is no username/password form); kept
         * so the interface is complete. Accepts anyone with a 'member' affiliation. */
        return isset($_SERVER['unscoped-affiliation'])
            && strpos($_SERVER['unscoped-affiliation'], 'member') !== false;
    }

    public function needsLogin() {
        /* Only users whose unscoped-affiliation includes 'staff' are logged in.
         * mod_shib joins multiple values with ';', e.g. "staff;member". */
        if (!isset($_SERVER['unscoped-affiliation'])
            || strpos($_SERVER['unscoped-affiliation'], 'staff') === false) {
            return true;
        }

        /* Refuse the login when any attribute XOT needs was not released. */
        foreach (array('uid', 'givenName', 'surname') as $attr) {
            if (empty($_SERVER[$attr])) {
                return true;
            }
        }

        $this->_record['username']  = $_SERVER['uid'];
        $this->_record['firstname'] = $_SERVER['givenName'];
        $this->_record['surname']   = $_SERVER['surname'];

        return false;
    }

    public function hasLogout() {
        return true;
    }

    public function logout() {
        if (isset($_SESSION['toolkits_logon_id'])) {
            /* Clear the XOT session, then end the SP session and return to the
             * XOT login page (index.php then sees the user as not logged in). */
            $_SESSION = array();
            session_destroy();

            header("Location: /Shibboleth.sso/Logout?return="
                . rawurlencode($this->xerte_toolkits_site->site_url));
            exit;
        }

        return true;
    }
}

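The post above (#2975) describes trusting the attributes that mod_shib exports into $_SERVER, and the Shibboleth.php posted here tests `unscoped-affiliation` with a substring match and reads `uid`, `givenName` and `surname` without checking that they were released. The following is an added example, written for this thread and not code from the Xerte project or from the poster, of how a site could read those attributes more defensively. It assumes the Shibboleth SP's default behaviour of joining multi-valued attributes with ';' (escaping an embedded semicolon as '\;') and of exporting `Shib-Session-ID` and `Shib-Identity-Provider` for an authenticated request; the function names and the sample attribute values are illustrative and not taken from any real IdP.

```php
<?php
// Added example (not from the Xerte project or the posts above). Helpers that
// a Shibboleth.php-style class could call instead of reading $_SERVER directly.
// Assumption: the SP uses its default ';' separator for multi-valued attributes
// and exports Shib-Session-ID / Shib-Identity-Provider for every SP session.

/* True only if mod_shib actually established a session for this request. Checking
 * this before trusting any attribute avoids treating a request that reached PHP
 * through a location not protected by "AuthType shibboleth" as authenticated. */
function shib_session_established(array $server)
{
    return !empty($server['Shib-Session-ID']) && !empty($server['Shib-Identity-Provider']);
}

/* Split a multi-valued attribute on the SP's ';' separator. The SP escapes a
 * literal semicolon inside a value as '\;', so only unescaped ones split. */
function shib_attribute_values(array $server, $name)
{
    if (!isset($server[$name]) || $server[$name] === '') {
        return array();
    }
    $parts  = preg_split('/(?<!\\\\);/', $server[$name]);
    $values = array();
    foreach ($parts as $part) {
        $part = trim(str_replace('\\;', ';', $part));
        if ($part !== '') {
            $values[] = $part;
        }
    }
    return $values;
}

/* Exact match against the individual values rather than a substring test on the
 * joined string, so 'staff' has to be a whole affiliation value. */
function shib_has_affiliation(array $server, $wanted)
{
    return shib_session_established($server)
        && in_array($wanted, shib_attribute_values($server, 'unscoped-affiliation'), true);
}

/* The record XOT needs (username/firstname/surname), or null when the user is
 * not entitled or the IdP did not release every attribute required. */
function shib_user_record(array $server, $requiredAffiliation = 'staff')
{
    if (!shib_has_affiliation($server, $requiredAffiliation)) {
        return null;
    }
    foreach (array('uid', 'givenName', 'surname') as $attr) {
        if (empty($server[$attr])) {
            return null;
        }
    }
    return array(
        'username'  => $server['uid'],
        'firstname' => $server['givenName'],
        'surname'   => $server['surname'],
    );
}

/* SP handler URLs with the return location encoded as a query value, so a
 * site_url containing '&', '?' or '#' survives the round trip through the SP. */
function shib_login_url($siteUrl)
{
    return '/Shibboleth.sso/Login?target=' . rawurlencode($siteUrl);
}

function shib_logout_url($siteUrl)
{
    return '/Shibboleth.sso/Logout?return=' . rawurlencode($siteUrl);
}

// Constructed sample environment standing in for what mod_shib would export for
// a staff member; the values are made up for this example.
$sample = array(
    'Shib-Session-ID'        => '_a1b2c3d4e5',
    'Shib-Identity-Provider' => 'https://idp.example.ac.uk/idp/shibboleth',
    'unscoped-affiliation'   => 'staff;member',
    'uid'                    => 'jsmith',
    'givenName'              => 'John',
    'surname'                => 'Smith',
);

$staff = shib_user_record($sample);
printf("staff member logged in as: %s\n", $staff === null ? '(refused)' : $staff['username']);

// Same attributes but no SP session: refused even though 'staff' is present.
$noSession = $sample;
unset($noSession['Shib-Session-ID']);
printf("without SP session: %s\n", shib_user_record($noSession) === null ? 'refused' : 'accepted');

// A student who is also a 'member' but not 'staff' is sent back to the login page.
$student = $sample;
$student['unscoped-affiliation'] = 'student;member';
printf("student: %s\n", shib_user_record($student) === null ? 'refused' : 'accepted');

printf("login url:  %s\n", shib_login_url('https://xot.example.ac.uk/?lang=en'));
printf("logout url: %s\n", shib_logout_url('https://xot.example.ac.uk/'));
```

Running the script with `php` prints the three decisions and the two encoded handler URLs. In a real deployment only the protected locations (the `/secure` test directory in the post, or the XOT paths later placed behind `AuthType shibboleth`) receive these variables, which is why the session check comes first.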

Copyright © 2021 The Xerte Project.