Changes

Drupal Shibboleth module

2,125 bytes added, 30 April 2009, 11:52
update for module version 3.1
== Configuration ==
=== Configuring Shibboleth ===
You should be familiar with protecting resources with Shibboleth before using this module. (See [https://spaces.internet2.edu/display/SHIB2/NativeSPProtectContent Shibboleth Wiki]) Please check that Shibboleth authentication is working for that location and all the necessary attributes are exported to the headers. You can enable [[Drupal Shibboleth module#DEBUG mode | DEBUG mode]] to dump the whole '''$_SERVER''' array. If you can see Shibboleth attributes there, you're fine.
In Shibboleth there are two modes for protecting resources:
Shibboleth 1.3 always uses headers, therefore the <code>ShibUseHeaders</code> directive is invalid with Shibboleth 1.3.}}
 
=== DEBUG mode ===
If you enable DEBUG mode on the module configuration interface, you can dump the whole '''$_SERVER''' array. This shows you all the available attributes and helps you diagnose possible Shibboleth attribute problems.
:: <small>Keep in mind that some users might have a specific attribute while others don't.</small>
 
==== Debug path prefix ====
Leave it empty if you want to display debug information on every page. For example, use <code>user/</code> to display DEBUG messages on paths <code>user/*</code>.
 
Adding a prefix is useful if you want to enable debugging on an online Drupal installation without littering every page with the debugging information. It can be set to a non-existent node as well; in this case, the information will be displayed over the built-in 404 page.
=== Setting Shibboleth parameters for the module ===
* protocol scheme (<code>http://</code> or <code>https://</code>)
* host name
* Shibboleth handler URL (usually: <code>/Shibboleth.sso</code>)
* 'location' part of the SessionInitiator definition
* '''HTTPS''' or '''HTTP''' for ''scheme'', depending on whether you are using SSL or not
* '''/Login''' for ''WAYF location''
 
==== Attribute settings ====
Specify here the '''$_SERVER''' headers to look up the user's username and e-mail address. Please check '''DEBUG''' mode to look for the available headers. If you cannot find the desired attribute, then something is wrong with your IdP-SP attribute release flow.
:: <small>It is possible that some users have a specific attribute while others don't. Such is life. Check your Shibboleth settings.</small>
Both fields can have the same value, if you wish.
===== Using custom e-mail address =====
* ''Use only Shibboleth-provided e-mail address'' (default on): if this option is checked, the Drupal e-mail address is rewritten with the Shibboleth-provided one. This means that your users can only use the e-mail address the IdP provides. '''When this option is on, a missing e-mail address results in a fatal error.'''
* ''Ask for missing e-mail address'' (default off): by unchecking the option above and checking this, you instruct the module to ask the user for the missing e-mail address if the IdP does not provide one.
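
The attribute lookup and the two e-mail options described above, as an added PHP example (not the module's own code). The function name, the option keys, the <code>HTTP_EPPN</code>/<code>HTTP_MAIL</code> header names and the behaviour when the first option is off and an address is already stored are assumptions.

```php
<?php
// Added illustration, not the Drupal Shibboleth module's code. Function name,
// option keys and header names are hypothetical.
function resolve_shib_identity(array $server, array $cfg, ?string $drupalMail = null): array
{
    // Read one variable; Shibboleth joins multiple values with ';', keep the first.
    $get = function (string $key) use ($server): ?string {
        $first = explode(';', (string) ($server[$key] ?? ''))[0];
        $first = trim($first);
        return $first === '' ? null : $first;
    };

    $name = $get($cfg['username_var']);
    if ($name === null) {
        throw new RuntimeException("Username attribute {$cfg['username_var']} was not released");
    }

    $mail = $get($cfg['email_var']);
    if ($mail !== null && filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        $mail = null; // choice made in this example: a malformed value counts as missing
    }

    // "Use only Shibboleth-provided e-mail address" (default on)
    if ($cfg['strict_email'] ?? true) {
        if ($mail === null) {
            throw new RuntimeException('E-mail attribute missing: fatal when the option is on');
        }
        return ['name' => $name, 'mail' => $mail, 'action' => 'overwrite'];
    }
    // "Ask for missing e-mail address" (default off)
    if ($mail === null && $drupalMail === null && ($cfg['ask_email'] ?? false)) {
        return ['name' => $name, 'mail' => null, 'action' => 'ask_user'];
    }
    // Assumption: when the first option is off, an address already stored in Drupal is kept.
    return ['name' => $name, 'mail' => $drupalMail ?? $mail, 'action' => 'keep'];
}

// Constructed sample: the IdP released a username attribute but no e-mail.
$server = ['HTTP_EPPN' => 'alice@example.org'];
$cfg = ['username_var' => 'HTTP_EPPN', 'email_var' => 'HTTP_MAIL',
        'strict_email' => false, 'ask_email' => true];
print_r(resolve_shib_identity($server, $cfg));
```

Both <code>username_var</code> and <code>email_var</code> may name the same variable, matching the note that both fields can have the same value.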
 
=== Logging out ===
==== Session expiry ====
Enable the option "''Destroy Drupal session when the Shibboleth session expires''" if you want to force the logout of users who do not have a valid Shibboleth session. (This only applies to lazy sessions; otherwise you always have a Shibboleth session.)
 
{{INFO_EN|;There are a couple of concerns you should keep in mind:
* if the Shibboleth session is lost, all the Shibboleth-derived attributes disappear, therefore the user probably loses her roles
* Shibboleth session might get lost if you use a clustered SP without a central session cache}}
==== URL to redirect to after logout ====
Define the URL to which the user should be redirected after logout. The URL can be absolute or relative to the server base URL. Relative paths are automatically extended with the site base URL.
=== Automatic role assignment ===
It's possible to assign roles to users based on their Shibboleth attributes.
