Changes

Drupal Shibboleth module

1,923 bytes added, 25 February 2013, 15:33
No edit summary
Drupal '''shib_auth''' module enables [http://shibboleth.internet2.edu Shibboleth] authentication for [http://drupal.org Drupal CMS].
{{STOP|This document is written for module version 3.3-x. Please consult the [[#Change log]] for the revisions of this document for the previous releases.}}
{{STOP|For documentation about the more recent 4.x version, please read [[DrupalShibbolethReadmeDev]].}}
{{STOP|The following documentation assumes that
* You [https://wiki.shibboleth.net/confluence/display/SHIB2/FlowsAndConfig understand how Shibboleth works]
* You have [https://wiki.shibboleth.net/confluence/display/SHIB2/Installation successfully installed and configured Shibboleth SP] on your host running Drupal.
}}
== Installation ==
# Download module source for your Drupal version from the [http://drupal.org/project/shib_auth project page].
# Enable module at '''<code>Administer -> Site building -> Modules</code>'''
=== Compatibility ===
The module is being developed for Drupal 6.x. We have stopped backporting new features to the 5.x branch, and Drupal 7 is not supported as long as it isn't the stable branch. If you want to contribute to development or porting, please contact '''aai _AT_ niif _DOT_ hu'''!
Older versions of Drupal are not supported. Both Shibboleth 1.3 and Shibboleth 2.x are supported, although some features might require Shibboleth 2.x. {{ATTENTION_EN|When used along with the Userprotect module (which is recommended anyway), there was a [http://drupal.org/node/305989 bug], which [http://drupal.org/node/306912 turned out to be] a [http://drupal.org/node/165642 Drupal core bug]. The bug was fixed in Drupal 5.10 and 6.4, so '''only versions above 5.10 and 6.4 are supported'''.}}
=== Upgrading module ===
There is no upgrade procedure. If you are upgrading from the same major version, you only need to overwrite the module files within your <code>modules/shib_auth</code> directory, then run <code>update.php</code>.
== Configuration ==
=== Configuring Shibboleth ===
You should be familiar with protecting resources with Shibboleth before using this module. (See the [https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPProtectContent Shibboleth Wiki].) Please check that Shibboleth authentication is working for that location and that all the necessary attributes are exported to the headers. You can enable [[Drupal Shibboleth module#DEBUG mode | DEBUG mode]] to dump the whole '''$_SERVER''' array. If you can see the Shibboleth attributes there, you're fine.
In Shibboleth there are two modes for protecting resources:
* '''"Strict" Sessions''' (normal sessions): users can only access Drupal content if they have a valid Shibboleth session. In this case, no anonymous access can be granted (not even read-only) and you cannot use any auxiliary authentication methods.
{{STOP|If you decide to use lazy sessions and you don't want your users to be able to log in with a password, [[#Disallowing password change|you have to disable changing passwords]].}}
==== Example Shibboleth configuration ====
===== Using custom e-mail address =====
* ''Require and use only Shibboleth-provided e-mail address'' (default on): with this option set, the Drupal e-mail address is rewritten with the Shibboleth-provided one on each login. This means that your users can only use the e-mail address which the IdP provides. '''The IdP is required to send the e-mail address attribute, otherwise the user gets a fatal error.'''
* ''Ask for missing e-mail address'' (default off): lets the user modify her own e-mail address by editing her Drupal account. If the IdP provides an e-mail address, then that value will be the default; otherwise the user is asked to specify her e-mail address.
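As an added example (not code from the shib_auth module), the following PHP sketches how the two options above interact with the attributes the SP exports into <code>$_SERVER</code>, including the failure mode where the IdP sends no e-mail attribute. The attribute names (<code>mail</code>, <code>Shib-Session-ID</code>, <code>Shib-Identity-Provider</code>) and the sample array are assumptions.

```php
<?php
// Added example, not code from the shib_auth module: how the two e-mail options
// above interact with the attributes the SP exports into $_SERVER. The attribute
// names ('mail', 'Shib-Session-ID', 'Shib-Identity-Provider') are assumptions
// (attribute-map.xml decides the real ones). Prefer $_SERVER environment variables
// over HTTP_* headers: request headers can be forged by the client unless the SP strips them.

// Constructed sample of what the SP exports after a login; 'mail' is absent on purpose.
const SAMPLE_SERVER = [
    'Shib-Session-ID'        => '_constructed-session-id',
    'Shib-Identity-Provider' => 'https://idp.example.org/idp/shibboleth',
    'eppn'                   => 'alice@example.org',
];

// True only when the SP has established a Shibboleth session for this request.
function shib_session_present(array $server): bool {
    return !empty($server['Shib-Session-ID']) && !empty($server['Shib-Identity-Provider']);
}

// First syntactically valid value of the (possibly ';'-separated) mail attribute, or ''.
function shib_first_mail(array $server): string {
    foreach (explode(';', $server['mail'] ?? '') as $candidate) {
        $candidate = trim($candidate);
        if (filter_var($candidate, FILTER_VALIDATE_EMAIL) !== false) {
            return $candidate;
        }
    }
    return '';
}

// Decide what happens to the account's e-mail on login. Returns [status, mail]:
// 'use' writes $mail to the account, 'ask' prompts the user, 'fatal' refuses the login.
function shib_resolve_mail(array $server, bool $requireIdpMail, bool $askForMissing, string $currentMail): array {
    if (!shib_session_present($server)) {
        return ['fatal', ''];                      // no SP session: nothing to trust
    }
    $idpMail = shib_first_mail($server);
    if ($requireIdpMail) {
        // "Require and use only Shibboleth-provided e-mail address": the IdP value
        // overwrites the Drupal value on every login; a missing attribute is fatal.
        return $idpMail === '' ? ['fatal', ''] : ['use', $idpMail];
    }
    if ($idpMail !== '') {
        return ['use', $idpMail];                  // IdP value becomes the default
    }
    // Residual case (assumption): with "Ask for missing" off, the account keeps its address.
    return $askForMissing ? ['ask', $currentMail] : ['use', $currentMail];
}

var_dump(shib_resolve_mail(SAMPLE_SERVER, true, false, 'old@example.org'));
var_dump(shib_resolve_mail(SAMPLE_SERVER, false, true, 'old@example.org'));
```

With the sample array the first call refuses the login (required attribute missing) and the second falls through to asking the user, which is the difference between the two options.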
=== Logging out ===
Enable the option "''Destroy Drupal session when the Shibboleth session expires''" if you want to force the logout of users without a valid Shibboleth session. (This only applies to lazy sessions; otherwise you always have a Shibboleth session.)
{{INFO_EN|Keep in mind if you leave this option off:
* if the Shibboleth session is lost, all the Shibboleth-derived attributes disappear, therefore the user probably loses the [[#Automatic role assignment|assigned Shibboleth roles]]
** on the other hand, the roles assigned to the ''Drupal account of the user'' persist as long as the Drupal session is valid
* the Shibboleth session might get lost if you use a clustered SP without a central session cache}}
==== URL to redirect to after logout ====
Define the URL here to which the user is redirected after logout. The URL can be absolute or relative to the server base URL; relative paths are automatically prefixed with the site base URL.
==== SAML2 Logout ====
At the moment, the Shibboleth2 SP supports SAML2 logout while the Shibboleth2 IdP does not. As a consequence (with a standard Shibboleth2 installation), you will get a Shibboleth error message on logout, like this:
<pre>
Global Logout
Status of Global Logout: Identity provider does not support SAML 2 Single Logout protocol.
</pre>
You can avoid this message by commenting out the SAML2 global logout initiator from the <code>/Logout</code> handler in <code>/etc/shibboleth/shibboleth2.xml</code>:
<source lang="xml">
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
    <!-- The following line should be commented out to make Drupal logout work,
         as long as your IdPs do not support SAML2 logout -->
    <!--LogoutInitiator type="SAML2" template="bindingTemplate.html"/-->
    <LogoutInitiator type="Local"/>
</LogoutInitiator>
</source>
=== Automatic role assignment ===
It's possible to assign roles to users based on their Shibboleth attributes.
Additional roles can be assigned statically to the user (as an individual) by the administrator, as usual.
{{ATTENTION_EN|Dynamic roles are not visible on the role administration page and on the user page. These roles are evaluated dynamically and are not saved to the database.}}
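As an added illustration (not the module's own code or rule format), the following PHP evaluates roles from Shibboleth attributes at request time, as the section above describes: nothing is written to the database, and multi-valued attributes are split on <code>;</code> before matching. The rule structure, the attribute names and the sample values are hypothetical.

```php
<?php
// Added example, not code from the shib_auth module: evaluating dynamic roles from
// Shibboleth attributes at request time (the result is never written to the database).
// The rule structure and the attribute names ('affiliation', 'entitlement') are
// hypothetical; the module's own rule format is not reproduced here.

// Constructed sample of the attributes the SP exports; Shibboleth SP joins
// multi-valued attributes with ';', so they must be split before matching.
const SAMPLE_ATTRIBUTES = [
    'eppn'        => 'bob@example.org',
    'affiliation' => 'member@example.org;staff@example.org',
    'entitlement' => 'urn:mace:dir:entitlement:common-lib-terms',
];

// Hypothetical rules: each maps a regex on one attribute's values to a Drupal role.
const SAMPLE_RULES = [
    ['attribute' => 'affiliation', 'pattern' => '/^staff@example\.org$/',       'role' => 'staff'],
    ['attribute' => 'affiliation', 'pattern' => '/^student@example\.org$/',     'role' => 'student'],
    ['attribute' => 'entitlement', 'pattern' => '/^urn:mace:dir:entitlement:/', 'role' => 'library user'],
];

// Split one exported attribute into its individual values; a missing attribute yields [].
function shib_attribute_values(array $server, string $name): array {
    if (!isset($server[$name]) || $server[$name] === '') {
        return [];
    }
    return array_values(array_filter(array_map('trim', explode(';', $server[$name])), 'strlen'));
}

// Roles earned for this request only. Patterns are anchored per value, so a value
// such as 'staff@example.org.other.test' does not satisfy the 'staff' rule.
function shib_dynamic_roles(array $server, array $rules): array {
    $roles = [];
    foreach ($rules as $rule) {
        foreach (shib_attribute_values($server, $rule['attribute']) as $value) {
            if (preg_match($rule['pattern'], $value) === 1) {
                $roles[$rule['role']] = true;
                break;                          // one matching value per rule is enough
            }
        }
    }
    return array_keys($roles);
}

// Effective roles = roles stored on the account (static) + dynamic ones, merged per request.
function effective_roles(array $staticRoles, array $server, array $rules): array {
    return array_values(array_unique(array_merge($staticRoles, shib_dynamic_roles($server, $rules))));
}

print_r(effective_roles(['authenticated user'], SAMPLE_ATTRIBUTES, SAMPLE_RULES));
```

Because the dynamic part is recomputed from the current attributes on every request, it disappears together with the Shibboleth session, which is the behaviour the "Logging out" section warns about.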
== Using module ==
== Change log ==
=== Version 3.2 -> 3.3 ===
The module update problem was fixed. From now on, run <code>update.php</code> after every update.<br>
[https://wiki.aai.niif.hu/index.php?title=Drupal_Shibboleth_module&oldid=1290 Previous version]
=== Version 3.1 -> 3.2 ===
The module now works with caching, but requires disabling and re-enabling.<br>
[https://wiki.aai.niif.hu/index.php?title=Drupal_Shibboleth_module&oldid=1004 Previous version]
=== Version 3.0 -> 3.1 ===
If you need documentation for 3.0, please [https://wiki.aai.niif.hu/index.php?title=Drupal_Shibboleth_module&oldid=906 use the previous version of the documentation]
[[Category: AAI]] [[Category: Drupal]] [[Category: Shibboleth SP]][[Category: HOWTO]][[Category: English]]
