
Allow WAYFless URLs with Shibboleth authentication

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.3.1
    • Fix Version/s: 2.4
    • Component/s: Authentication
    • Labels:
    • Testing Instructions:

      This patch requires a Moodle environment with a working Shibboleth configuration. It assumes that you're using the internal WAYF and have the alternative login URL set up.

      1. Create a course in Moodle. Make a note of the direct link to the course.
      2. Logout. Make sure you aren't authenticated to the Moodle instance and that your session is completely closed.
      3. Craft a direct link to your Moodle instance which incorporates the entityID and the direct link to the course from the first step. This could be http://your-moodle-instance/alt/index.php?entityID=entityURI&target=FullURLToCourse
      4. Point your browser to that link.

      If you're already authenticated to your Shibboleth provider you should go directly to the course. If not, you'll be taken directly to the IDP page. Either way you don't visit the WAYF page.

    • Affected Branches:
      MOODLE_23_STABLE
    • Fixed Branches:
      MOODLE_24_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-35153-master
    • Rank:
      43785

      Description

      We have an environment with multiple Moodle instances under Shibboleth authentication. We'd like to create "WAYFless" URLs (see https://spaces.internet2.edu/display/inclibrary/Best+Practices) in the format http://resource-provider-site/session-initiator-url?entityID=IDENTITY-PROVIDER-ENTITYID&target=RESOURCE-LOCATION. auth/shibboleth/index.php seems like it should handle this, but $SESSION->wantsurl isn't getting set and there doesn't seem to be a way for it to get set. One way I see of solving this is to add a check for a 'target' parameter and set wantsurl based on that, if present.

        Issue Links

          Activity

          Charles Fulton created issue -
          Charles Fulton added a comment -

          This fix is working for us at Lafayette but may not represent best practices.

          Charles Fulton made changes -
          Field Original Value New Value
          Pull Master Diff URL https://github.com/mackensen/moodle/compare/MDL-35153-master
          Pull Master Branch MDL-35153-master
          Pull from Repository https://github.com/mackensen/moodle
          Labels patch shibboleth
          Assignee Petr Škoda (skodak) [ skodak ] Charles Fulton [ cfulton ]
          Charles Fulton made changes -
          Status Open [ 1 ] Waiting for peer review [ 10012 ]
          Michael de Raadt made changes -
          Fix Version/s STABLE backlog [ 10463 ]
          Labels patch shibboleth patch triaged
          Dan Poltawski made changes -
          Original Estimate 0 minutes [ 0 ]
          Remaining Estimate 0 minutes [ 0 ]
          Status Waiting for peer review [ 10012 ] Peer review in progress [ 10013 ]
          Peer reviewer poltawski
          Dan Poltawski added a comment -

          Hmm. First a disclaimer - I only know about Shibboleth from a theory POV, I do not have it set up, though I've been reading about it for about 5 years!

          1. It doesn't seem right to me to use $SESSION->wantsurl, this is supposed to be for Moodle's internals.
            1. E.g. If a student clicks on a forum link on an email, they get redirected to the login screen, wantsurl is set and then after login they go back to a forum post
            2. In this solution, the IDP url will be used instead at the login time, so if they need to signin they will not be redirected to the right place
            3. So, this should be something specific to the auth plugin, rather than using the wantsurl mechanics
          2. Is this 'WAYFless' idea part of the standard? Seems like the link is related to a specific library product? It'd be good to hear from more Shibboleth users about this. (I have no clue)
          Charles Fulton added a comment -

          Hi Dan,

          Let me try to explain in greater detail what I'm trying to accomplish, with the caveat that while we're running Shib in production I'm by no means an expert on the subject. First, "WAYFLess URL" is less a term of art and more shorthand to explain desired behavior. We want to be able to deep link into a Moodle instance where we already know the institutional identity of the requester.

          Our specific use case is that we have a Drupal-based portal which brings in a person's course listing via webservices. They're authenticated to that instance with CAS. We want them to access their Moodle-instance directly with a single-click. We can't, because we're doing federated logins so they have to choose their identity provider if they haven't specifically created a Moodle session yet. With the WAYFLess URL, we're passing the desired Moodle resource as the target so that the IDP will send it back as a parameter to Moodle. Ideally you get this sequence:

          1. User clicks on link which includes the IDP (entityID) and the desired course in Moodle (target) as parameters. This link points to the Shibboleth login passthrough.
          2. User is redirected to the chosen identity provider (without this patch, they would land on the IDP selector page).
          3. At the IDP, if the user is already authenticated then they're redirected to Moodle automatically (if not, they login).
          4. Moodle logs them in and directs them to the passed target, if set.

          Ultimately wantsurl is still an internal link but it's arriving in a different way.

          Hope this helps,

          Charles

          Benjamin Ellis added a comment -

          Quick question, have you read the UKAFM Best Practice: WAYFless Access to Resources at http://www.ukfederation.org.uk/library/uploads/Documents/WAYFlessGuidance.pdf

          Charles Fulton added a comment -

          @benjamin, I'm on the run this morning but a quick answer is yes. It was that document which suggested the current solution. Note that I'm not proposing Moodle generate these URLs, just that it knows what to do with them.

          Dan Poltawski added a comment -

          Oh, so I misunderstood that target is in fact a moodle url.

          So, if I understand correctly, the target parameter really should be a PARAM_LOCALURL in order to avoid an open redirect vulnerability (https://www.owasp.org/index.php/Open_redirect).

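The check Dan is asking for, as an added stand-alone example (not Moodle's own code, and not the PARAM_LOCALURL implementation itself): it accepts a `target` only when it points back into the site, and is run over constructed values to show which ones an open-redirect guard has to reject. The `$wwwroot` value and the function names are assumptions; PHP 7.4 or later is assumed.

```php
<?php
// Added example, not Moodle's code. Mirrors the intent of Moodle's PARAM_LOCALURL
// for the WAYFless "target" parameter. In Moodle the site root is $CFG->wwwroot;
// here it is passed in as $wwwroot (constructed value below).
declare(strict_types=1);

/**
 * Return $target unchanged if it points into this site, otherwise null.
 * Accepted: site-relative paths ("/course/view.php?id=2") and absolute URLs whose
 * scheme, host and port match $wwwroot. Everything else is rejected, including
 * protocol-relative URLs ("//other.host/...") and non-http schemes.
 */
function local_target(string $target, string $wwwroot): ?string {
    if ($target === '' || preg_match('/[\r\n]/', $target)) {
        return null;                                  // empty or header-injection material
    }
    if ($target[0] === '/') {
        // Site-relative: a second "/" or "\" would make browsers treat it as a host.
        $second = $target[1] ?? '';
        return ($second === '/' || $second === '\\') ? null : $target;
    }
    $site = parse_url($wwwroot);
    $url  = parse_url($target);
    if ($url === false || $site === false || !isset($url['scheme'], $url['host'])) {
        return null;                                  // "javascript:", "data:", bare words, ...
    }
    if (isset($url['user']) || isset($url['pass'])) {
        return null;                                  // "https://site.example@other.host/" trick
    }
    $same = strcasecmp($url['scheme'], $site['scheme']) === 0
         && strcasecmp($url['host'], $site['host']) === 0
         && ($url['port'] ?? null) === ($site['port'] ?? null);
    return $same ? $target : null;
}

/** Where to send the user after the Shibboleth login: the local target, else the front page. */
function wantsurl_from_target(?string $target, string $wwwroot): string {
    $local = ($target === null) ? null : local_target($target, $wwwroot);
    return $local ?? $wwwroot;
}

// Constructed inputs: two legitimate course links and four that must not be followed.
$wwwroot = 'https://moodle.example.edu';
$cases = [
    'https://moodle.example.edu/course/view.php?id=2',  // accepted
    '/course/view.php?id=2',                            // accepted (site-relative)
    'https://attacker.example/phish',                   // rejected: foreign host
    '//attacker.example/phish',                         // rejected: protocol-relative
    'https://moodle.example.edu@attacker.example/',     // rejected: userinfo, foreign host
    'javascript:alert(1)',                              // rejected: no host
];
foreach ($cases as $c) {
    printf("%-52s => %s\n", $c, wantsurl_from_target($c, $wwwroot));
}
```

In Moodle itself the equivalent is reading the parameter with `optional_param('target', '', PARAM_LOCALURL)` rather than `PARAM_RAW`, so that a non-local value is cleaned to an empty string before it ever reaches a redirect.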
          Charles Fulton added a comment -

          Dan, yes, that makes sense to me. I've rebased and amended.

          Dan Poltawski added a comment -

          Thanks Charles, submitting this for integration.

          This is going to be an interesting one to test as we do not currently have a shib setup for this at HQ. If someone in the community is able to test then will be useful.

          Dan Poltawski made changes -
          Status Peer review in progress [ 10013 ] Waiting for integration review [ 10010 ]
          Eloy Lafuente (stronk7) added a comment -

          The main moodle.git repository has just been updated with latest weekly modifications. You may wish to rebase your PULL branches to simplify history and avoid any possible merge conflicts. This would also make integrator's life easier next week.

          TIA and ciao

          Eloy Lafuente (stronk7) made changes -
          Currently in integration Yes [ 10041 ]
          Eloy Lafuente (stronk7) made changes -
          Status Waiting for integration review [ 10010 ] Integration review in progress [ 10004 ]
          Integrator stronk7
          Eloy Lafuente (stronk7) added a comment -

          Integrated (master only), thanks!

          Eloy Lafuente (stronk7) made changes -
          Status Integration review in progress [ 10004 ] Waiting for testing [ 10005 ]
          Fix Version/s 2.4 [ 12255 ]
          Fix Version/s STABLE backlog [ 10463 ]
          Tim Barker made changes -
          Status Waiting for testing [ 10005 ] Testing in progress [ 10011 ]
          Tester timb
          Tim Barker added a comment -

          There are no testing instructions on this issue. May we have some please?

          Tim Barker made changes -
          Status Testing in progress [ 10011 ] Problem during testing [ 10007 ]
          Charles Fulton added a comment -

          Instructions added.

          Charles Fulton made changes -
          Testing Instructions (set; the text is identical to the Testing Instructions section above)
          Eloy Lafuente (stronk7) added a comment -

          Sorry for skipping the missing instructions. Sending back to testing.

          Eloy Lafuente (stronk7) made changes -
          Status Problem during testing [ 10007 ] Waiting for testing [ 10005 ]
          Dan Poltawski added a comment -

          About this, we're going to be in a tricky testing situation as, as far as I know we still don't have a shib setup...

          Tim Barker added a comment -

          If that is the case then I'm not sure how to proceed with this.

          Tim Barker made changes -
          Status Waiting for testing [ 10005 ] Testing in progress [ 10011 ]
          Tim Barker added a comment -

          Dan P and I have spoken about this. We cannot test this today because setting up the test environment would take too long.

          Charles is happy with his fix to the bug that he reported, it's been through the usual integration checks and regression testing is being performed today.

          Tim Barker made changes -
          Status Testing in progress [ 10011 ] Tested [ 10006 ]
          Eloy Lafuente (stronk7) added a comment -

          Cheating The Process, eh?

          hahaha, joking!

          Ciao

          Dan Poltawski added a comment -

          Congratulations, you've done it!

          Thanks, this change is now in the latest weekly release!

          Join the crowds of people tomorrow from 8am and download this Moodle release from your local apple store!

          Dan Poltawski made changes -
          Status Tested [ 10006 ] Closed [ 6 ]
          Resolution Fixed [ 1 ]
          Currently in integration Yes [ 10041 ]
          Integration date 20/Sep/12
          Charles Fulton made changes -
          Link This issue caused a regression MDL-37020 [ MDL-37020 ]
          Charles Fulton made changes -
          Link This issue caused a regression MDL-41598 [ MDL-41598 ]
