[shib_auth] can someone please provide some input to this problem?
Tommy Peterson
Tommy.Peterson at xpandcorp.com
Thu Jun 9 02:24:09 CEST 2011
Brent and Scott from the Shibboleth user forum helped me figure this out. I wanted to pass it on.
As you recall, I wanted subsections of my Drupal site to force Shibboleth authentication. I could not force the user to authenticate up front when they land on the site, as there is "free content".
But I could only get <Location /Drupal> to work with shib_auth. It asked the user to login via Shibboleth's login form and then they were redirected to the front page logged in. (I authenticate the user with the Drupal database on the back via Shibboleth.)
But again that wasn't the requirement.
The requirement was if the user was on the site and clicked on a few tabs or links . . . they had to log in to Drupal via Shibboleth to set up SSO with embedded Moodle.
The Shibboleth guys suggested:
<Location /drupal>
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    require shibboleth
</Location>
<Location /drupal/cma/history>
    ShibRequestSetting requireSession 1
</Location>
Where /Drupal/cma/history was one of the clean urls of the site that needed to be locked down for authentication before viewing.
This worked. The user doesn't have to log in when they hit /Drupal but they do have to log in when they hit /Drupal/cma/history.
Just in case anyone else needed this . . .
Tommy
-----Original Message-----
From: shib_auth-bounces at listserv.niif.hu [mailto:shib_auth-bounces at listserv.niif.hu] On Behalf Of Kristof Bajnok
Sent: Monday, June 06, 2011 3:07 PM
To: shib_auth at listserv.niif.hu
Subject: Re: [shib_auth] can someone please provide some input to this problem?
On 2011. June 6. 20:46:55 Tommy Peterson wrote:
> OK. Can you give me a simple case of how people are ensuring authentication
> for certain sections of their Drupal sites? That might help me understand
> this better.
Unfortunately I don't know. Usually the content does not show up until the
user is authenticated. Or if they try to access it by bookmarking it, they get
an error message.
> I am an expert at PHP and I have already started looking at the module code
> itself to see where I can modify it. I have to have this done this
> week--actually last week. And given Apache/Shibboleth/shib_auth all seem
> to work I think we are pretty much there. I mean the Shibboleth log in
> page is thrown up. They are authenticated against the IDP. They are
> redirected to the page. They are just not logged in as the "sign-in" link
> still appears.
You should maintain a list of nodes for which automatic redirects are to be
performed. There is a function that constructs the URL where the user should
be redirected, so use that. You should understand the logic at the beginning
of shib_auth_init, and do the redirect there. However, I'm not sure how to do
an HTTP 302 redirect properly at Drupal init hook, ask the Drupal devs if you
can't manage that.
Please be sympathetic that I can't really support this kind of development. If
I could, I would do it myself.
Kristof
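Added example, not part of the original thread or of the shib_auth or Shibboleth code: a small Python model of how the two `<Location>` sections in the message above combine, for checking which URL paths end up forcing a Shibboleth session. It assumes plain (non-regex) `<Location>` sections, Apache's documented behaviour of merging matching sections in file order with later ones overriding earlier ones, and `1` or `true` as the enabling values for `requireSession`; the function names are illustrative.

```python
import re
# The two sections from the message above, embedded as sample input.
SAMPLE_CONF = """\
<Location /drupal>
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    require shibboleth
</Location>
<Location /drupal/cma/history>
    ShibRequestSetting requireSession 1
</Location>
"""

def parse_locations(conf):
    """Return [(location, settings)] in file order; handles plain <Location> only."""
    sections, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.fullmatch(r"<Location\s+(\S+)>", line)
        if opened:
            current = (opened.group(1), {})
        elif line == "</Location>" and current:
            sections.append(current)
            current = None
        elif current and line and not line.startswith("#"):
            name, *args = line.split()  # directive names are case-insensitive
            if name.lower() == "shibrequestsetting" and len(args) == 2:
                current[1][args[0]] = args[1]
            elif name.lower() == "authtype" and args:
                current[1]["authtype"] = args[0].lower()
    return sections

def location_matches(location, url_path):
    """Exact path or path-segment prefix; URL paths compare case-sensitively."""
    root = location if location.endswith("/") else location + "/"
    return url_path == location or url_path.startswith(root)

def effective_settings(conf, url_path):
    """Merge every matching section in file order; later sections win."""
    merged = {}
    for location, settings in parse_locations(conf):
        if location_matches(location, url_path):
            merged.update(settings)
    return merged

def forces_login(conf, url_path):
    """True when the merged settings demand a Shibboleth session up front."""
    s = effective_settings(conf, url_path)
    return s.get("authtype") == "shibboleth" and s.get("requireSession") in ("1", "true")
```

Two results from this model are worth confirming on a real server: a request path that differs in case from the `<Location>` argument matches neither section, and placing the more specific section before the general one leaves it with `requireSession 0`.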