Drupal Shibboleth module

From: KIFÜ Wiki
You are viewing an older revision of this page, as it was after the edit by Bajnokk(AT)niif.hu on 3 September 2008 at 09:27. (Administering Drupal with strict sessions: moving content to other paragraph)

The Drupal shib_auth module enables Shibboleth authentication for the Drupal CMS.

Installation


Compatibility

The module is being developed for Drupal 6.x. We try to backport new features to 5.x from time to time, though this may take several weeks. If you can help with backporting, please contact aai _AT_ niif _DOT_ hu!

Older versions of Drupal are not supported, nor is Drupal 7 as long as it is not the stable branch.

Upgrading module

There is no upgrade procedure (yet). Please uninstall the module before upgrading. It is reported that sometimes disabling the module and removing its directory is not enough.

Configuration

Configuring Shibboleth

You should be familiar with protecting resources with Shibboleth before using this module. (See Shibboleth Wiki) Please check that Shibboleth authentication is working for that location and all the necessary attributes are exported to the headers. You can enable DEBUG mode to dump the whole $_SERVER array. If you can see Shibboleth attributes there, you're fine.
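
An added example (not part of the shib_auth module or of the original page): instead of dumping the whole $_SERVER array, this PHP helper reports only whether a Shibboleth session and the expected attributes are visible, and under which key. The function names and the attribute ids `eppn` and `mail` are assumptions; `Shib-Session-ID` is the session variable set by Shibboleth SP 2.x, and the `REDIRECT_` prefix is what Apache adds after an internal mod_rewrite redirect.

```php
<?php
// Added example, not shib_auth code. Reports only Shibboleth-related
// entries of a $_SERVER-style array instead of dumping all of it.

/**
 * Look up $name as a plain variable, as a mod_rewrite "REDIRECT_" variable,
 * or as a request header ("HTTP_" + upper-cased name, "-" becomes "_").
 * Returns array(key, value) or NULL.
 */
function shib_lookup(array $server, $name) {
  $header = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
  foreach (array($name, 'REDIRECT_' . $name, $header) as $key) {
    if (isset($server[$key]) && $server[$key] !== '') {
      return array($key, $server[$key]);
    }
  }
  return NULL;
}

/**
 * Returns array('session' => bool, 'found' => array, 'missing' => array).
 */
function shib_check(array $server, array $expected) {
  $report = array('session' => FALSE, 'found' => array(), 'missing' => array());
  $report['session'] = shib_lookup($server, 'Shib-Session-ID') !== NULL;
  foreach ($expected as $name) {
    $hit = shib_lookup($server, $name);
    if ($hit === NULL) {
      $report['missing'][] = $name;
    }
    else {
      // Record the key it was found under, not the attribute value.
      $report['found'][$name] = $hit[0];
    }
  }
  return $report;
}

// Constructed sample input; on a real page pass $_SERVER instead.
$sample = array(
  'REQUEST_URI' => '/location_of/your_Drupal/installation/',
  'Shib-Session-ID' => '_constructed_session_id',
  'REDIRECT_eppn' => 'user@example.org',
);
// 'eppn' and 'mail' are assumed attribute ids; use the ones your
// attribute map actually defines.
print_r(shib_check($sample, array('eppn', 'mail')));
```

With lazy sessions, `session` is expected to be false for anonymous visitors and true only after the user has gone through the SessionInitiator.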

In Shibboleth there are two modes for protecting resources:

  • Lazy Sessions: a session is only initiated if an application redirects the user to the SessionInitiator URL. In this module, this is done by clicking the "Login with Shibboleth" link. Anonymous access is possible.
    Detailed description of lazy sessions in Hungarian.
  • "Strict" Sessions (normal sessions): users can only access Drupal content if they have a valid Shibboleth session. In this case, no anonymous access can be granted (not even read-only).

Example Shibboleth configuration

Note: this example uses lazy sessions. Configuration for Shibboleth 1.3 is quite similar.

/etc/shibboleth/shibboleth2.xml snippet:

<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="your.host.name">
      <Path name="location_of">
        <Path name="your_Drupal">
          <Path name="installation" authType="shibboleth" requireSession="false" />
        </Path>
      </Path>
    </Host>
  </RequestMap>
</RequestMapper>


Apache config file snippet (e.g. /etc/apache2/sites-enabled/your.host.name, or you can even use .htaccess without the <Location> tags):

<Location /location_of/your_Drupal/installation>
  AuthType Shibboleth
  ShibRequireSession Off
  require shibboleth
</Location>


Setting Shibboleth parameters for the module

Automatic role assignment

Change log