2 // This file is part of Moodle - http://moodle.org/
4 // Moodle is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
9 // Moodle is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
14 // You should have received a copy of the GNU General Public License
15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>.
18 * Authentication Plugin: Shibboleth Authentication
19 * Authentication using Shibboleth.
21 * Distributed under GPL (c)Markus Hagman 2004-2006
23 * @package auth_shibboleth
24 * @author Martin Dougiamas
25 * @author Lukas Haemmerle
26 * @license http://www.gnu.org/copyleft/gpl.html GNU Public License
29 defined('MOODLE_INTERNAL') ||
die();
31 require_once($CFG->libdir
.'/authlib.php');
34 * Shibboleth authentication plugin.
36 class auth_plugin_shibboleth
extends auth_plugin_base
{
41 public function __construct() {
42 $this->authtype
= 'shibboleth';
43 $this->config
= get_config('auth_shibboleth');
47 * Old syntax of class constructor. Deprecated in PHP7.
49 * @deprecated since Moodle 3.1
51 public function auth_plugin_shibboleth() {
52 debugging('Use of class name as constructor is deprecated', DEBUG_DEVELOPER
);
57 * Returns true if the username and password work and false if they are
58 * wrong or don't exist.
60 * @param string $username The username (with system magic quotes)
61 * @param string $password The password (with system magic quotes)
62 * @return bool Authentication success or failure.
64 function user_login($username, $password) {
67 // If we are in the shibboleth directory then we trust the server var
68 if (!empty($_SERVER[$this->config
->user_attribute
])) {
69 // Associate Shibboleth session with user for SLO preparation
71 if (isset($_SERVER['Shib-Session-ID'])){
72 // This is only available for Shibboleth 2.x SPs
73 $sessionkey = $_SERVER['Shib-Session-ID'];
75 // Try to find out using the user's cookie
76 foreach ($_COOKIE as $name => $value){
77 if (preg_match('/_shibsession_/i', $name)){
83 // Set shibboleth session ID for logout
84 $SESSION->shibboleth_session_id
= $sessionkey;
86 return (strtolower($_SERVER[$this->config
->user_attribute
]) == strtolower($username));
88 // If we are not, the user has used the manual login and the login name is
89 // unknown, so we return false.
97 * Returns the user information for 'external' users. In this case the
98 * attributes provided by Shibboleth
100 * @return array $result Associative array of user data
102 function get_userinfo($username) {
103 // reads user information from shibboleth attributes and return it in array()
106 // Check whether we have got all the essential attributes
107 if ( empty($_SERVER[$this->config
->user_attribute
]) ) {
108 print_error( 'shib_not_all_attributes_error', 'auth_shibboleth' , '', "'".$this->config
->user_attribute
."' ('".$_SERVER[$this->config
->user_attribute
]."'), '".$this->config
->field_map_firstname
."' ('".$_SERVER[$this->config
->field_map_firstname
]."'), '".$this->config
->field_map_lastname
."' ('".$_SERVER[$this->config
->field_map_lastname
]."') and '".$this->config
->field_map_email
."' ('".$_SERVER[$this->config
->field_map_email
]."')");
111 $attrmap = $this->get_attributes();
114 $search_attribs = array();
116 foreach ($attrmap as $key=>$value) {
117 // Check if attribute is present
118 if (!isset($_SERVER[$value])){
123 // Make usename lowercase
124 if ($key == 'username'){
125 $result[$key] = strtolower($this->get_first_string($_SERVER[$value]));
127 $result[$key] = $this->get_first_string($_SERVER[$value]);
131 // Provide an API to modify the information to fit the Moodle internal
132 // data representation
134 $this->config
->convert_data
135 && $this->config
->convert_data
!= ''
136 && is_readable($this->config
->convert_data
)
139 // Include a custom file outside the Moodle dir to
140 // modify the variable $moodleattributes
141 include($this->config
->convert_data
);
148 * Returns array containg attribute mappings between Moodle and Shibboleth.
152 function get_attributes() {
153 $configarray = (array) $this->config
;
155 $moodleattributes = array();
156 $userfields = array_merge($this->userfields
, $this->get_custom_user_profile_fields());
157 foreach ($userfields as $field) {
158 if (isset($configarray["field_map_$field"])) {
159 $moodleattributes[$field] = $configarray["field_map_$field"];
162 $moodleattributes['username'] = $configarray["user_attribute"];
164 return $moodleattributes;
167 function prevent_local_passwords() {
172 * Returns true if this authentication plugin is 'internal'.
176 function is_internal() {
181 * Whether shibboleth users can change their password or not.
183 * Shibboleth auth requires password to be changed on shibboleth server directly.
184 * So it is required to have password change url set.
186 * @return bool true if there's a password url or false otherwise.
188 function can_change_password() {
189 if (!empty($this->config
->changepasswordurl
)) {
197 * Get password change url.
199 * @return moodle_url|null Returns URL to change password or null otherwise.
201 function change_password_url() {
202 if (!empty($this->config
->changepasswordurl
)) {
203 return new moodle_url($this->config
->changepasswordurl
);
210 * Hook for login page
213 function loginpage_hook() {
214 global $SESSION, $CFG;
216 // Prevent username from being shown on login page after logout
217 $CFG->nolastloggedin
= true;
223 * Hook for logout page
226 function logoutpage_hook() {
227 global $SESSION, $redirect;
229 // Only do this if logout handler is defined, and if the user is actually logged in via Shibboleth
230 $logouthandlervalid = isset($this->config
->logout_handler
) && !empty($this->config
->logout_handler
);
231 if (isset($SESSION->shibboleth_session_id
) && $logouthandlervalid ) {
232 // Check if there is an alternative logout return url defined
233 if (isset($this->config
->logout_return_url
) && !empty($this->config
->logout_return_url
)) {
234 // Set temp_redirect to alternative return url
235 $temp_redirect = $this->config
->logout_return_url
;
237 // Backup old redirect url
238 $temp_redirect = $redirect;
241 // Overwrite redirect in order to send user to Shibboleth logout page and let him return back
242 $redirecturl = new moodle_url($this->config
->logout_handler
, array('return' => $temp_redirect));
243 $redirect = $redirecturl->out();
248 * Cleans and returns first of potential many values (multi-valued attributes)
250 * @param string $string Possibly multi-valued attribute from Shibboleth
252 function get_first_string($string) {
253 $list = explode( ';', $string);
254 $clean_string = rtrim($list[0]);
256 return $clean_string;
260 * Test if settings are correct, print info to output.
262 public function test_settings() {
265 if (!isset($this->config
->user_attribute
) ||
empty($this->config
->user_attribute
)) {
266 echo $OUTPUT->notification(get_string("shib_not_set_up_error", "auth_shibboleth",
267 (new moodle_url('/auth/shibboleth/README.txt'))->out()), 'notifyproblem');
270 if ($this->config
->convert_data
and $this->config
->convert_data
!= '' and !is_readable($this->config
->convert_data
)) {
271 echo $OUTPUT->notification(get_string("auth_shib_convert_data_warning", "auth_shibboleth"), 'notifyproblem');
274 if (isset($this->config
->organization_selection
) && empty($this->config
->organization_selection
) &&
275 isset($this->config
->alt_login
) && $this->config
->alt_login
== 'on') {
277 echo $OUTPUT->notification(get_string("auth_shib_no_organizations_warning", "auth_shibboleth"), 'notifyproblem');
283 * Return a list of identity providers to display on the login page.
285 * @param string $wantsurl The requested URL.
286 * @return array List of arrays with keys url, iconurl and name.
288 public function loginpage_idp_list($wantsurl) {
289 $config = get_config('auth_shibboleth');
292 // Before displaying the button check that Shibboleth is set-up correctly.
293 if (empty($config->user_attribute
)) {
297 $url = new moodle_url('/auth/shibboleth/index.php');
299 if ($config->auth_logo
) {
300 $iconurl = moodle_url
::make_pluginfile_url(
301 context_system
::instance()->id
,
311 $result[] = ['url' => $url, 'iconurl' => $iconurl, 'name' => $config->login_name
];
318 * Sets the standard SAML domain cookie that is also used to preselect
319 * the right entry on the local way
321 * @param string $selectedIDP IDP identifier
323 function set_saml_cookie($selectedIDP) {
324 if (isset($_COOKIE['_saml_idp']))
326 $IDPArray = generate_cookie_array($_COOKIE['_saml_idp']);
332 $IDPArray = appendCookieValue($selectedIDP, $IDPArray);
333 setcookie ('_saml_idp', generate_cookie_value($IDPArray), time() +
(100*24*3600));
337 * Generate array of IdPs from Moodle Shibboleth settings
339 * @param string Text containing tuble/triple of IdP entityId, name and (optionally) session initiator
340 * @return array Identifier of IdPs and their name/session initiator
342 function get_idp_list($organization_selection) {
345 $idp_raw_list = explode("\n", $organization_selection);
347 foreach ($idp_raw_list as $idp_line){
348 $idp_data = explode(',', $idp_line);
349 if (isset($idp_data[2]))
351 $idp_list[trim($idp_data[0])] = array(trim($idp_data[1]),trim($idp_data[2]));
353 elseif(isset($idp_data[1]))
355 $idp_list[trim($idp_data[0])] = array(trim($idp_data[1]));
363 * Generates an array of IDPs using the cookie value
365 * @param string Value of SAML domain cookie
366 * @return array Identifiers of IdPs
368 function generate_cookie_array($value) {
370 // Decodes and splits cookie value
371 $CookieArray = explode(' ', $value);
372 $CookieArray = array_map('base64_decode', $CookieArray);
378 * Generate the value that is stored in the cookie using the list of IDPs
380 * @param array IdP identifiers
381 * @return string SAML domain cookie value
383 function generate_cookie_value($CookieArray) {
385 // Merges cookie content and encodes it
386 $CookieArray = array_map('base64_encode', $CookieArray);
387 $value = implode(' ', $CookieArray);
392 * Append a value to the array of IDPs
394 * @param string IdP identifier
395 * @param array IdP identifiers
396 * @return array IdP identifiers with appended IdP
398 function appendCookieValue($value, $CookieArray) {
400 array_push($CookieArray, $value);
401 $CookieArray = array_reverse($CookieArray);
402 $CookieArray = array_unique($CookieArray);
403 $CookieArray = array_reverse($CookieArray);