
Allow WAYFless URLs with Shibboleth authentication

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.3.1
    • Fix Version/s: 2.4
    • Component/s: Authentication
    • Labels:
    • Testing Instructions:

      This patch requires a Moodle environment with a working Shibboleth configuration. It assumes that you're using the internal WAYF and have the alternative login URL set up.

      1. Create a course in Moodle. Make a note of the direct link to the course.
      2. Logout. Make sure you aren't authenticated to the Moodle instance and that your session is completely closed.
      3. Craft a direct link to your Moodle instance which incorporates the entityID and the direct link to the course from the first step. This could be http://your-moodle-instance/alt/index.php?entityID=entityURI&target=FullURLToCourse
      4. Point your browser to that link.

      If you're already authenticated to your Shibboleth provider you should go directly to the course. If not, you'll be taken directly to the IDP page. Either way you don't visit the WAYF page.

    • Affected Branches:
      MOODLE_23_STABLE
    • Fixed Branches:
      MOODLE_24_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-35153-master

      Description

      We have an environment with multiple Moodle instances under Shibboleth authentication. We'd like to create "WAYFless" URLs (see https://spaces.internet2.edu/display/inclibrary/Best+Practices) in the format http://resource-provider-site/session-initiator-url?entityID=IDENTITY-PROVIDER-ENTITYID&target=RESOURCE-LOCATION. auth/shibboleth/index.php seems like it should handle this, but $SESSION->wantsurl isn't getting set and there doesn't seem to be a way for it to get set. One way I see of solving this is to add a check for a 'target' parameter and set wantsurl based on that, if present.

            Activity

            cfulton Charles Fulton created issue -
            cfulton Charles Fulton added a comment -

            This fix is working for us at Lafayette but may not represent best practices.

            cfulton Charles Fulton made changes -
            Field Original Value New Value
            Pull Master Diff URL https://github.com/mackensen/moodle/compare/MDL-35153-master
            Pull Master Branch MDL-35153-master
            Pull from Repository https://github.com/mackensen/moodle
            Labels patch shibboleth
            Assignee Petr Škoda (skodak) [ skodak ] Charles Fulton [ cfulton ]
            cfulton Charles Fulton made changes -
            Status Open [ 1 ] Waiting for peer review [ 10012 ]
            salvetore Michael de Raadt made changes -
            Fix Version/s STABLE backlog [ 10463 ]
            Labels patch shibboleth patch triaged
            poltawski Dan Poltawski made changes -
            Original Estimate 0 minutes [ 0 ]
            Remaining Estimate 0 minutes [ 0 ]
            Status Waiting for peer review [ 10012 ] Peer review in progress [ 10013 ]
            Peer reviewer poltawski
            poltawski Dan Poltawski added a comment -

            Hmm. First a disclaimer - I only know about Shibboleth from a theory POV, I do not have it set up, though I've been reading about it for about 5 years!

            1. It doesn't seem right to me to use $SESSION->wantsurl, this is supposed to be for Moodle's internals.
              1. E.g. If a student clicks on a forum link on an email, they get redirected to the login screen, wantsurl is set and then after login they go back to a forum post
              2. In this solution, the IDP url will be used instead at the login time, so if they need to signin they will not be redirected to the right place
              3. So, this should be something specific to the auth plugin, rather than using the wantsurl mechanics
            2. Is this 'WAYFless' idea part of the standard? Seems like the link is related to a specific library product? It'd be good to hear from more Shibboleth users about this. (I have no clue)
            cfulton Charles Fulton added a comment -

            Hi Dan,

            Let me try to explain in greater detail what I'm trying to accomplish, with the caveat that while we're running Shib in production I'm by no means an expert on the subject. First, "WAYFLess URL" is less a term of art and more shorthand to explain desired behavior. We want to be able to deep link into a Moodle instance where we already know the institutional identity of the requester.

            Our specific use case is that we have a Drupal-based portal which brings in a person's course listing via web services. They're authenticated to that instance with CAS. We want them to access their Moodle instance directly with a single click. We can't, because we're doing federated logins, so they have to choose their identity provider if they haven't specifically created a Moodle session yet. With the WAYFless URL, we're passing the desired Moodle resource as the target so that the IDP will send it back as a parameter to Moodle. Ideally you get this sequence:

            1. User clicks on link which includes the IDP (entityID) and the desired course in Moodle (target) as parameters. This link points to the Shibboleth login passthrough.
            2. User is redirected to the chosen identity provider (without this patch, they would land on the IDP selector page).
            3. At the IDP, if the user is already authenticated then they're redirected to Moodle automatically (if not, they login).
            4. Moodle logs them in and directs them to the passed target, if set.

            Ultimately wantsurl is still an internal link but it's arriving in a different way.

            Hope this helps,

            Charles

            bencellis Benjamin Ellis added a comment -

            Quick question, have you read the UKAFM Best Practice: WAYFless Access to Resources at http://www.ukfederation.org.uk/library/uploads/Documents/WAYFlessGuidance.pdf

            cfulton Charles Fulton added a comment -

            @benjamin, I'm on the run this morning but a quick answer is yes. It was that document which suggested the current solution. Note that I'm not proposing Moodle generate these URLs, just that it knows what to do with them.

            poltawski Dan Poltawski added a comment -

            Oh, so I misunderstood that target is in fact a Moodle URL.

            So, if I understand correctly, the target parameter really should be a PARAM_LOCALURL in order to avoid an open redirect vulnerability (https://www.owasp.org/index.php/Open_redirect).

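            The open-redirect concern raised above, as an added example that is not code from this issue or from Moodle: a self-contained PHP check in the spirit of PARAM_LOCALURL (Moodle's real validation lives in clean_param(), which this does not reproduce) that accepts a target only when it is a site-relative path or a URL under the site's own wwwroot before it is used as a post-login destination. The wwwroot value and the sample targets are constructed.

```php
<?php
// Added example, not Moodle's own code: a stand-alone "is this URL on our site?"
// check in the spirit of PARAM_LOCALURL, run over constructed sample targets.
// $wwwroot stands in for the site's configured base URL (an assumption).

function is_local_target(string $target, string $wwwroot): bool {
    $target = trim($target);
    if ($target === '') {
        return false;
    }
    // Site-relative path: a single leading "/" is fine, but "//host" and "/\host"
    // are treated by browsers as protocol-relative URLs pointing at another host.
    if ($target[0] === '/') {
        return !in_array(substr($target, 0, 2), ['//', '/\\'], true);
    }
    // Absolute URL: it must be wwwroot itself or wwwroot followed by "/", "?" or "#";
    // a bare prefix test would let "https://moodle.example.org.attacker.example" through.
    $root = rtrim($wwwroot, '/');
    if (strncasecmp($target, $root, strlen($root)) !== 0) {
        return false;
    }
    $rest = substr($target, strlen($root));
    return $rest === '' || in_array($rest[0], ['/', '?', '#'], true);
}

// Decide where to send the user after login: the target if it is local,
// otherwise a fallback on this site (constructed policy, not Moodle's).
function wantsurl_from_target(?string $target, string $wwwroot, string $fallback): string {
    return ($target !== null && is_local_target($target, $wwwroot)) ? $target : $fallback;
}

// Constructed sample inputs for a site whose wwwroot is https://moodle.example.org.
$wwwroot = 'https://moodle.example.org';
$samples = [
    'https://moodle.example.org/course/view.php?id=2',           // local: accept
    '/course/view.php?id=2',                                     // relative: accept
    'https://moodle.example.org.attacker.example/login',         // host prefix trick: reject
    '//attacker.example/',                                       // protocol-relative: reject
    'https://attacker.example/?to=https://moodle.example.org',   // other host: reject
];
foreach ($samples as $s) {
    printf("%-62s %s\n", $s, is_local_target($s, $wwwroot) ? 'accept' : 'reject');
}
// A rejected target falls back to the site front page instead of leaving the site.
echo wantsurl_from_target($samples[2], $wwwroot, $wwwroot . '/'), "\n";
```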
            cfulton Charles Fulton added a comment -

            Dan, yes, that makes sense to me. I've rebased and amended.

            poltawski Dan Poltawski added a comment -

            Thanks Charles, submitting this for integration.

            This is going to be an interesting one to test as we do not currently have a shib setup for this at HQ. If someone in the community is able to test then it will be useful.

            poltawski Dan Poltawski made changes -
            Status Peer review in progress [ 10013 ] Waiting for integration review [ 10010 ]
            stronk7 Eloy Lafuente (stronk7) added a comment -

            The main moodle.git repository has just been updated with latest weekly modifications. You may wish to rebase your PULL branches to simplify history and avoid any possible merge conflicts. This would also make integrator's life easier next week.

            TIA and ciao

            stronk7 Eloy Lafuente (stronk7) made changes -
            Currently in integration Yes [ 10041 ]
            stronk7 Eloy Lafuente (stronk7) made changes -
            Status Waiting for integration review [ 10010 ] Integration review in progress [ 10004 ]
            Integrator stronk7
            stronk7 Eloy Lafuente (stronk7) added a comment -

            Integrated (master only), thanks!

            stronk7 Eloy Lafuente (stronk7) made changes -
            Status Integration review in progress [ 10004 ] Waiting for testing [ 10005 ]
            Fix Version/s 2.4 [ 12255 ]
            Fix Version/s STABLE backlog [ 10463 ]
            timb Tim Barker made changes -
            Status Waiting for testing [ 10005 ] Testing in progress [ 10011 ]
            Tester timb
            timb Tim Barker added a comment -

            There are no testing instructions on this issue. May we have some please?

            timb Tim Barker made changes -
            Status Testing in progress [ 10011 ] Problem during testing [ 10007 ]
            cfulton Charles Fulton added a comment -

            Instructions added.

            cfulton Charles Fulton made changes -
            Testing Instructions (added; same text as in the Testing Instructions field under Details above)
            stronk7 Eloy Lafuente (stronk7) added a comment -

            Sorry for skipping the missing instructions. Sending back to testing.

            stronk7 Eloy Lafuente (stronk7) made changes -
            Status Problem during testing [ 10007 ] Waiting for testing [ 10005 ]
            poltawski Dan Poltawski added a comment -

            About this, we're going to be in a tricky testing situation as, as far as I know we still don't have a shib setup...

            timb Tim Barker added a comment -

            If that is the case then I'm not sure how to proceed with this.

            timb Tim Barker made changes -
            Status Waiting for testing [ 10005 ] Testing in progress [ 10011 ]
            timb Tim Barker added a comment -

            Dan P and I have spoken about this. We cannot test this today because setting up the test environment would take too long.

            Charles is happy with his fix to the bug that he reported, it's been through the usual integration checks and regression testing is being performed today.

            timb Tim Barker made changes -
            Status Testing in progress [ 10011 ] Tested [ 10006 ]
            stronk7 Eloy Lafuente (stronk7) added a comment -

            Cheating The Process, eh?

            hahaha, joking!

            Ciao

            poltawski Dan Poltawski added a comment -

            Congratulations, you've done it!

            Thanks, this change is now in the latest weekly release!

            Join the crowds of people tomorrow from 8am and download this Moodle release from your local apple store!

            poltawski Dan Poltawski made changes -
            Status Tested [ 10006 ] Closed [ 6 ]
            Resolution Fixed [ 1 ]
            Currently in integration Yes [ 10041 ]
            Integration date 20/Sep/12
            cfulton Charles Fulton made changes -
            Link This issue caused a regression MDL-37020 [ MDL-37020 ]
            cfulton Charles Fulton made changes -
            Link This issue caused a regression MDL-41598 [ MDL-41598 ]

              Dates

              • Fix Release Date: 3/Dec/12