Monday, July 30, 2012

Shibboleth SP part 2 (Typo3 Configuration)

Integrating Shibboleth login with Typo3

Extension installation

  • Go to extension manager and install Shibboleth Authentication (shibboleth_auth) extension. The extension is not automatically loaded, you must set the extension configuration first.
  • For frontend login, this extension can automatically import user information from Shibboleth IdP but not for backend login.
  • This extension will not propagate to another authentication mechanism (eg. LDAP or typo3 login) if the user is not found in the Shibboleth IdP but can be enabled with other authentication mechanism as long as in different function (eg. Shibboleth handles the frontend login and LDAP handles the backend login)
  • In this example, we only configure Shibboleth for frontend login.

Extension configuration

  • Open the extension configuration and check Frontend and Auto Import to enable frontend login and import user information from Shibboleth.
In the Others section:
  • Define the storage Pid. This value is based on the folder id where we store the Frontend Users.
  • Define the attribute name from the Shibboleth.

Customize the extension


  • We need to customize this extension to automatically parse additional attribute and to prevent this extension removes the user's group membership that we assign manually.
  1. Edit file typo3conf/ext/shibboleth_auth/ext_conf_template.txt to add additional configuration field, add the following code in the end of the file:
    # cat=basic; type=string; label=Shibboleth Additional Attribute: Example: first_name=givenname,last_name=sn
    additionalAttr = first_name=givenname,last_name=sn
    
    # cat=basic; type=string; label=Shibboleth defaultGroup: If no group retrieved, this group will be assigned
    defaultGroup = Guest
  2. Edit file typo3conf/ext/shibboleth_auth/sv1/class.tx_shibbolethauth_sv1.php
  • Inside updateFEUser() function :
a. Add the following code after $where variable to keep user's group membership and then update group membership using Shibboleth data if not a member yet.
// update existing feusergroup with group from Shibboleth
$where2 = " AND deleted = 0";
$dbres2 = $GLOBALS['TYPO3_DB']->exec_SELECTquery('usergroup',$this->authInfo['db_user']['table'],$where.$where2);
if ($row2 = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres2)) {
   $currentGroups = $row2['usergroup'];
}
if ($dbres2) $GLOBALS['TYPO3_DB']->sql_free_result($dbres2);
$currentGroupsA = explode(',', $currentGroups);
$retGroupsA = explode(',', $this->getFEUserGroups());
foreach ($retGroupsA as $rg) {
  $isExist = 0;
  foreach ($currentGroupsA as $cg) {
    if ($rg == $cg) $isExist = 1;
  }
  if (!$isExist) $currentGroupsA[] = $rg;
}
$newGroups = implode(',', $currentGroupsA);
// end of update feusergroup
b. Change this line:
'usergroup' => $this->getFEUserGroups(),
into
'usergroup' => $newGroups,
c. After $user variable add the following code to parse additional attribute from additionalAttr config:
// parse additional attrb
if ($this->extConf['additionalAttr'] != null){
   $additionalAttr = explode(',',$this->extConf['additionalAttr']);
 foreach ($additionalAttr as $attr) {
  $attrbCont = explode('=', $attr);
  $user[$attrbCont[0]] = $this->getServerVar($attrbCont[1]);
 }
}
// end of parse
  • Inside getFEUserGroups() function :
a. Change the following code to define the default group from defaultGroup config:
if (empty($eduPersonAffiliation)) $eduPersonAffiliation = 'member';
into
if (empty($eduPersonAffiliation)) $eduPersonAffiliation = $this->extConf['defaultGroup'];
b. Add the following code to grep only cn value from group attribute that was retrieved by Shibboleth, after array_walk and before foreach:
array_walk($affiliation, create_function('&$v,$k', 'preg_match("@^(?:cn=)?([^,]+)@i", $v, $matches);$v=$matches[1];'));

.htaccess configuration

  • Create or edit .htaccess in the root folder of typo3 installation and add the following configuration:
    • In Typo3, Shibboleth should run in lazy mode. Below is the configuration:
    ### Shib auth ###
    AuthType Shibboleth
    ShibRequireSession Off
    Require Shibboleth
    
    • To make the Shibboleth SP handler not interpreted by RealUrl extension in typo3, add the following rule inside the <IfModule mod_rewrite.c> or in the .htaccess :
    RewriteRule ^(Shibboleth.*)/ - [L]
    RewriteRule ^(shibboleth-sp)/ - [L]
    

    Activate the Frontend login handler

    • Create new content element in Login page
      • Select General Plugin
      • In the Plugin Tab, select Shibboleth Login
    After this, you should be able to login using Shibboleth in the frontend.

    << Shibboleth SP part 1 (Installation) | Shibboleth SP part 3 (Moodle & Wordpress Configuration) >>

    No comments: