diff --git a/config/vufind/config.ini b/config/vufind/config.ini
index 80cac1f7688db979899bde3a35c3488769873041..23f5fde9509f39e41e70809040dea1b46fbb21e9 100644
--- a/config/vufind/config.ini
+++ b/config/vufind/config.ini
@@ -435,32 +435,29 @@ database = mysql://root@localhost/vufind
;port = 6002
; Shibboleth is optional. This section only needs to exist if the
-; Authentication Method is set to Shibboleth.
+; Authentication Method is set to Shibboleth. Be sure to set up authorization
+; logic in the permissions.ini file to filter users by Shibboleth attributes.
;[Shibboleth]
-
+; Server param with the identity provider entityID if a Shibboleth session exists.
+; If omitted, Shib-Identity-Provider is used.
+;idpserverparam = Shib-Identity-Provider
; Optional: you may set attribute names and values to be used as a filter;
; users will only be logged into VuFind if they match these filters.
;userattribute_1 = entitlement
;userattribute_value_1 = urn:mace:dir:entitlement:common-lib-terms
;userattribute_2 = unscoped-affiliation
;userattribute_value_2 = member
-
; Required: the attribute Shibboleth uses to uniquely identify users.
;username = persistent-id
-
; Required: Shibboleth login URL.
;login = https://shib.myuniversity.edu/Shibboleth.sso/Login
-
; Optional: Shibboleth logout URL.
;logout = https://shib.myuniversity.edu/Shibboleth.sso/Logout
-
; Optional: URL to forward to after Shibboleth login (if omitted,
; defaultLoggedInModule from [Site] section will be used).
-;target = http://shib.myuniversity.edu/vufind/MyResearch/Home
-
-; Optional: provider_id parameter to pass along to Shibboleth login.
+;target = https://shib.myuniversity.edu/vufind/MyResearch/Home
+; Optional: provider_id (entityId) parameter to pass along to Shibboleth login.
;provider_id = https://idp.example.edu/shibboleth-idp
-
; Some or all of the following entries may be uncommented to map Shibboleth
; attributes to user database columns:
;cat_username = HTTP_ALEPH_ID
diff --git a/module/VuFind/src/VuFind/Auth/Shibboleth.php b/module/VuFind/src/VuFind/Auth/Shibboleth.php
index d8308b14016b48141e2759eb9e4376f4bcf2d4df..6dc42679278179d664874db7303fb9981ebb6bcc 100644
--- a/module/VuFind/src/VuFind/Auth/Shibboleth.php
+++ b/module/VuFind/src/VuFind/Auth/Shibboleth.php
@@ -4,7 +4,7 @@
*
* PHP version 5
*
- * Copyright (C) Villanova University 2010.
+ * Copyright (C) Villanova University 2014.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2,
@@ -22,6 +22,8 @@
* @category VuFind2
* @package Authentication
* @author Franck Borel <franck.borel@gbv.de>
+ * @author Jochen Lienhard <lienhard@ub.uni-freiburg.de>
+ * @author Bernd Oberknapp <bo@ub.uni-freiburg.de>
* @author Demian Katz <demian.katz@villanova.edu>
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License
* @link http://www.vufind.org Main Page
@@ -35,12 +37,16 @@ use VuFind\Exception\Auth as AuthException;
* @category VuFind2
* @package Authentication
* @author Franck Borel <franck.borel@gbv.de>
+ * @author Jochen Lienhard <lienhard@ub.uni-freiburg.de>
+ * @author Bernd Oberknapp <bo@ub.uni-freiburg.de>
* @author Demian Katz <demian.katz@villanova.edu>
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License
* @link http://www.vufind.org Main Page
*/
class Shibboleth extends AbstractBase
{
+ const DEFAULT_IDPSERVERPARAM = 'Shib-Identity-Provider';
+
/**
* Validate configuration parameters. This is a support method for getConfig(),
* so the configuration MUST be accessed using $this->config; do not call
@@ -59,6 +65,7 @@ class Shibboleth extends AbstractBase
);
}
+ // Throw an exception if no login endpoint is available.
if (!isset($shib->login)) {
throw new AuthException(
'Shibboleth login configuration parameter is not set.'
@@ -151,7 +158,7 @@ class Shibboleth extends AbstractBase
// proxies others
if (isset($config->Shibboleth->provider_id)) {
- $sessionInitiator = $sessionInitiator . '&providerId=' .
+ $sessionInitiator = $sessionInitiator . '&entityID=' .
urlencode($config->Shibboleth->provider_id);
}
@@ -230,4 +237,4 @@ class Shibboleth extends AbstractBase
return $sortedUserAttributes;
}
-}
+}
\ No newline at end of file
diff --git a/module/VuFind/src/VuFind/Role/PermissionProvider/Factory.php b/module/VuFind/src/VuFind/Role/PermissionProvider/Factory.php
index f2f1ee84249e311c752a03e36f3413160ff0010d..8251bfa1ca90f54e9dac23662de87da6f1756a81 100644
--- a/module/VuFind/src/VuFind/Role/PermissionProvider/Factory.php
+++ b/module/VuFind/src/VuFind/Role/PermissionProvider/Factory.php
@@ -86,7 +86,10 @@ class Factory
*/
public static function getShibboleth(ServiceManager $sm)
{
- return new Shibboleth($sm->getServiceLocator()->get('Request'));
+ return new Shibboleth(
+ $sm->getServiceLocator()->get('Request'),
+ $sm->getServiceLocator()->get('VuFind\Config')->get('config')
+ );
}
/**
diff --git a/module/VuFind/src/VuFind/Role/PermissionProvider/Shibboleth.php b/module/VuFind/src/VuFind/Role/PermissionProvider/Shibboleth.php
index efbb30997fb4e0dc418863c09e18745a7a7c41ee..b366bec2535a35aa8c7eb035a8d3d27e8fa34540 100644
--- a/module/VuFind/src/VuFind/Role/PermissionProvider/Shibboleth.php
+++ b/module/VuFind/src/VuFind/Role/PermissionProvider/Shibboleth.php
@@ -29,6 +29,8 @@
*/
namespace VuFind\Role\PermissionProvider;
use Zend\Http\PhpEnvironment\Request;
+use VuFind\Auth\Shibboleth as ShibbolethAuth;
+use VuFind\Role\PermissionProvider\ServerParam;
/**
* Shibboleth permission provider for VuFind.
@@ -50,16 +52,28 @@ class Shibboleth extends ServerParam
*/
protected $request;
+ /**
+ * Server param with the identity provider entityID
+ *
+ * @var string
+ */
+ protected $idpServerParam;
+
/**
* Constructor
*
- * @param Request $request Request object
+ * @param Request $request Request object
+ * @param \Zend\Config\Config $config VuFind configuration
*/
- public function __construct(Request $request)
+ public function __construct(Request $request, $config)
{
parent::__construct($request);
- $this->aliases = ['idpentityid' => 'Shib-Identity-Provider'];
+ $this->idpServerParam = isset($config->Shibboleth->idpserverparam)
+ ? $config->Shibboleth->idpserverparam
+ : ShibbolethAuth::DEFAULT_IDPSERVERPARAM;
+
+ $this->aliases = ['idpentityid' => $this->idpServerParam];
$this->serverParamDelimiter = ';';
$this->serverParamEscape = '\\';
}
@@ -74,7 +88,8 @@ class Shibboleth extends ServerParam
*/
public function getPermissions($options)
{
- if ($this->request->getServer()->get('Shib-Identity-Provider') === null) {
+ $this->debug('getPermissions: idpServerParam = ' . $this->idpServerParam);
+ if ($this->request->getServer()->get($this->idpServerParam) === null) {
$this->logWarning('getPermissions: Shibboleth server params missing');
return [];
diff --git a/module/VuFind/tests/unit-tests/src/VuFindTest/Role/PermissionProvider/ShibbolethTest.php b/module/VuFind/tests/unit-tests/src/VuFindTest/Role/PermissionProvider/ShibbolethTest.php
index af72ab2bd80581bb4371c5e5ba9c138504bebab0..337015ea295c4423e50287348705bbd1e01ececb 100644
--- a/module/VuFind/tests/unit-tests/src/VuFindTest/Role/PermissionProvider/ShibbolethTest.php
+++ b/module/VuFind/tests/unit-tests/src/VuFindTest/Role/PermissionProvider/ShibbolethTest.php
@@ -91,14 +91,16 @@ class ShibbolethTest extends \VuFindTest\Unit\TestCase
* @param array $headers Request headers
* @param mixed $options options as from configuration
* @param array $expectedResult expected result returned by getPermissions
+ * @param array $config VuFind configuration options
*
* @return void
*/
- protected function checkShibboleth($headers, $options, $expectedResult)
- {
+ protected function checkShibboleth($headers, $options, $expectedResult,
+ $config = []
+ ) {
$request = new \Zend\Http\PhpEnvironment\Request();
$request->setServer(new \Zend\Stdlib\Parameters($headers));
- $shibboleth = new Shibboleth($request);
+ $shibboleth = new Shibboleth($request, new \Zend\Config\Config($config));
$result = $shibboleth->getPermissions($options);
$this->assertEquals($result, $expectedResult);
}