ILIAS  Release_3_10_x_branch Revision 61812
ShibAuth Class Reference

Class Shibboleth.


Public Member Functions

 ShibAuth ($authParams, $updateUserData=false)
 Constructor.
 getAuth ()
 Checks if the current user is authenticated yet.
 setIdle ($time, $add=false)
 Set the maximum idle time.
 setExpire ($time, $add=false)
 Set the maximum expire time.
 checkAuth ()
 Checks if there is a session with valid auth information.
 start ()
 Start new auth session.
 login ()
 Login function.
 setAuth ($username)
 Register variable in a session telling that the user has logged in successfully.
 logout ()
 Logout function.
 getUsername ()
 Get the username.
 getStatus ()
 Get the current status.
_importGlobalVariable ($variable)
 Import variables from special namespaces.
 generateLogin ()
 Automatically generates the username/screenname of a Shibboleth user or returns the user's already existing username.
 getFirstString ($string)
 Cleans and returns first of potential many values (multi-valued attributes)
 toAscii ($string)
 Replaces any non-ASCII character by its linguistically most logical substitution.

Data Fields

 $username
 $_sessionName = '_authsession'
 $status = ''
 $expire = 0
 $idle = 0
 $idled = false

Detailed Description

Class Shibboleth.

This class provides basic functionality for Shibboleth authentication

Definition at line 39 of file class.ilShibboleth.php.

Member Function Documentation

& ShibAuth::_importGlobalVariable (   $variable)

Import variables from special namespaces.

private

Parameters
string  Type of variable (server, session, post)
Returns
array

Definition at line 500 of file class.ilShibboleth.php.

References $_COOKIE, $_GET, $_SESSION, and $GLOBALS.

Referenced by checkAuth(), getAuth(), getUsername(), login(), logout(), and setAuth().

{
    $var = null;
    switch (strtolower($variable)) {
        case 'server' :
            if (isset($_SERVER)) {
                $var = &$_SERVER;
            } else {
                $var = &$GLOBALS['HTTP_SERVER_VARS'];
            }
            break;
        case 'session' :
            if (isset($_SESSION)) {
                $var = &$_SESSION;
            } else {
                $var = &$GLOBALS['HTTP_SESSION_VARS'];
            }
            break;
        case 'post' :
            if (isset($_POST)) {
                $var = &$_POST;
            } else {
                $var = &$GLOBALS['HTTP_POST_VARS'];
            }
            break;
        case 'cookie' :
            if (isset($_COOKIE)) {
                $var = &$_COOKIE;
            } else {
                $var = &$GLOBALS['HTTP_COOKIE_VARS'];
            }
            break;
        case 'get' :
            if (isset($_GET)) {
                $var = &$_GET;
            } else {
                $var = &$GLOBALS['HTTP_GET_VARS'];
            }
            break;
        default:
            break;
    }
    return $var;
}


ShibAuth::checkAuth ( )

Checks if there is a session with valid auth information.

private

Returns
boolean Whether or not the user is authenticated.

Definition at line 166 of file class.ilShibboleth.php.

References _importGlobalVariable(), AUTH_EXPIRED, AUTH_IDLED, and logout().

Referenced by start().

{
    $session = &$this->_importGlobalVariable('session');
    if (isset($session[$this->_sessionName])) {
        // Check if authentication session is expired
        if ($this->expire > 0 &&
            isset($session[$this->_sessionName]['timestamp']) &&
            ($session[$this->_sessionName]['timestamp'] + $this->expire) < time()) {
            $this->logout();
            $this->expired = true;
            $this->status = AUTH_EXPIRED;
            return false;
        }
        // Check if maximum idle time is reached
        if ($this->idle > 0 &&
            isset($session[$this->_sessionName]['idle']) &&
            ($session[$this->_sessionName]['idle'] + $this->idle) < time()) {
            $this->logout();
            $this->idled = true;
            $this->status = AUTH_IDLED;
            return false;
        }
        if (isset($session[$this->_sessionName]['registered']) &&
            isset($session[$this->_sessionName]['username']) &&
            $session[$this->_sessionName]['registered'] == true &&
            $session[$this->_sessionName]['username'] != '') {
            Auth::updateIdle();
            return true;
        }
    }
    return false;
}


ShibAuth::generateLogin ( )

Automatically generates the username/screenname of a Shibboleth user or returns the user's already existing username.

private

Returns
String Generated username

Definition at line 561 of file class.ilShibboleth.php.

References ilObjUser\_checkExternalAuthAccount(), ilUtil\generatePasswords(), getFirstString(), ilObjUser\getUserIdByLogin(), and toAscii().

Referenced by login().

{
    global $ilias, $ilDB;
    $shibID = $_SERVER[$ilias->getSetting('shib_login')];
    $lastname = $this->getFirstString($_SERVER[$ilias->getSetting('shib_lastname')]);
    $firstname = $this->getFirstString($_SERVER[$ilias->getSetting('shib_firstname')]);
    if (trim($shibID) == "")
    {
        return;
    }
    //***********************************************//
    // For backwards compatibility with previous versions
    // We use the passwd field as mapping attribute for Shibboleth users
    // because they don't need a password
    $ilias->db->query("UPDATE usr_data SET auth_mode='shibboleth', passwd=".$ilDB->quote(md5(end(ilUtil::generatePasswords(1)))).", ext_account=".$ilDB->quote($shibID)." WHERE passwd=".$ilDB->quote($shibID));
    //***********************************************//
    // Let's see if user already is registered
    $local_user = ilObjUser::_checkExternalAuthAccount("shibboleth", $shibID);
    if ($local_user)
    {
        return $local_user;
    }
    // User doesn't seem to exist yet
    // Generate new username
    // This can be overruled by the data conversion API but you have
    // to do it yourself in that case
    // Generate the username out of the first character of firstname and the
    // first word in lastname (adding the second one if the login is too short,
    // avoiding meaningless last names like 'von' or 'd' and eliminating
    // non-ASCII-characters, spaces, dashes etc.
    $ln_arr = preg_split("/[ '-;]/", $lastname);
    $login = substr($this->toAscii($firstname), 0, 1) . "." . $this->toAscii($ln_arr[0]);
    // Only append the second word if there is one (avoids an undefined index notice)
    if (strlen($login) < 6 && isset($ln_arr[1])) $login .= $this->toAscii($ln_arr[1]);
    $prefix = strtolower($login);
    // If the user name didn't contain any ASCII characters, assign the
    // name 'shibboleth' followed by a number, starting with 1.
    // Note: toAscii() strips everything but letters and hyphens, so a name
    // without ASCII letters leaves only the "." separator; test for that
    // rather than for an empty string (the listing's strlen() == 0 never matched).
    if (trim($prefix, '.') == '') {
        $prefix = 'shibboleth';
        $number = 1;
    }
    else
    {
        // Try if the login name is not already taken
        // (condition restored from the References list above, which names
        // ilObjUser::getUserIdByLogin(); the generated listing dropped this line)
        if (!ilObjUser::getUserIdByLogin($prefix))
        {
            return $prefix;
        }
        // If the login name is in use, append a number, starting with 2.
        $number = 2;
    }
    // Append a number, if the username is already taken
    while (ilObjUser::getUserIdByLogin($prefix.$number))
    {
        $number++;
    }
    return $prefix.$number;
}


ShibAuth::getAuth ( )

Checks if the current user is authenticated yet.

public

Returns
boolean true if user is authenticated

Definition at line 112 of file class.ilShibboleth.php.

References _importGlobalVariable().

{
    $session = &$this->_importGlobalVariable('session');
    if (!empty($session) &&
        (isset($session[$this->_sessionName]['registered']) &&
        $session[$this->_sessionName]['registered'] === true))
    {
        return true;
    } else {
        return false;
    }
}


ShibAuth::getFirstString (   $string)

Cleans and returns first of potential many values (multi-valued attributes)

private

Parameters
string  A Shibboleth attribute or other string
Returns
string First value of attribute

Definition at line 638 of file class.ilShibboleth.php.

Referenced by generateLogin(), and login().

{
    // Multi-valued Shibboleth attributes are delimited by ';'; keep the first value.
    // explode() replaces the deprecated POSIX-regex split() used in the listing.
    $list = explode(';', $string);
    $clean_string = rtrim($list[0]);
    return $clean_string;
}


ShibAuth::getStatus ( )

Get the current status.

public

Returns
string

Definition at line 487 of file class.ilShibboleth.php.

References $status.

{
    // The listing returned the undefined local $status; the status lives in the object.
    return $this->status;
}
ShibAuth::getUsername ( )

Get the username.

public

Returns
string

Definition at line 472 of file class.ilShibboleth.php.

References $_sessionName, and _importGlobalVariable().

{
    $session = &$this->_importGlobalVariable('session');
    if (!isset($session[$this->_sessionName]['username'])) {
        return '';
    }
    return $session[$this->_sessionName]['username'];
}


ShibAuth::login ( )

Login function.

private

Returns
void

Definition at line 230 of file class.ilShibboleth.php.

References $_GET, $_sessionName, $username, _importGlobalVariable(), AUTH_WRONG_LOGIN, generateLogin(), ilUtil\generatePasswords(), getFirstString(), ilObjUser\getUserIdByLogin(), IL_PASSWD_MD5, ilUtil\redirect(), and setAuth().

{
    global $ilias, $rbacadmin;
    if (!empty($_SERVER[$ilias->getSetting('shib_login')]))
    {
        // Store user's Shibboleth sessionID for logout
        $session = &$this->_importGlobalVariable('session');
        $session[$this->_sessionName]['shibboleth_session_id'] = $_SERVER['Shib-Session-ID'];
        // Get loginname of user, new login name is generated if user is new
        // (assignment restored from the References list above, which names
        // generateLogin() and $username; the generated listing dropped this line)
        $username = $this->generateLogin();
        // Authorize this user
        $this->setAuth($username);
        $userObj = new ilObjUser();
        // Check whether this account exists already, if not create it
        // (condition restored from the References list, which names ilObjUser::getUserIdByLogin())
        if (!ilObjUser::getUserIdByLogin($username))
        {
            $newUser["firstname"] = $this->getFirstString($_SERVER[$ilias->getSetting('shib_firstname')]);
            $newUser["lastname"] = $this->getFirstString($_SERVER[$ilias->getSetting('shib_lastname')]);
            $newUser["login"] = $username;
            // Password must be random to prevent users from manually logging in using the login data of Shibboleth users
            $newUser["passwd"] = md5(end(ilUtil::generatePasswords(1)));
            $newUser["passwd_type"] = IL_PASSWD_MD5;
            if (
                $ilias->getSetting('shib_update_gender')
                && ($_SERVER[$ilias->getSetting('shib_gender')] == 'm'
                    || $_SERVER[$ilias->getSetting('shib_gender')] == 'f')
            )
            {
                $newUser["gender"] = $_SERVER[$ilias->getSetting('shib_gender')];
            }
            // Save mapping between ILIAS user and Shibboleth uniqueID
            $newUser["ext_account"] = $_SERVER[$ilias->getSetting('shib_login')];
            // other data
            $newUser["title"] = $_SERVER[$ilias->getSetting('shib_title')];
            $newUser["institution"] = $_SERVER[$ilias->getSetting('shib_institution')];
            $newUser["department"] = $_SERVER[$ilias->getSetting('shib_department')];
            $newUser["street"] = $_SERVER[$ilias->getSetting('shib_street')];
            $newUser["city"] = $_SERVER[$ilias->getSetting('shib_city')];
            $newUser["zipcode"] = $_SERVER[$ilias->getSetting('shib_zipcode')];
            $newUser["country"] = $_SERVER[$ilias->getSetting('shib_country')];
            $newUser["phone_office"] = $this->getFirstString($_SERVER[$ilias->getSetting('shib_phone_office')]);
            $newUser["phone_home"] = $this->getFirstString($_SERVER[$ilias->getSetting('shib_phone_home')]);
            $newUser["phone_mobile"] = $this->getFirstString($_SERVER[$ilias->getSetting('shib_phone_mobile')]);
            $newUser["fax"] = $this->getFirstString($_SERVER[$ilias->getSetting('shib_fax')]);
            $newUser["matriculation"] = $_SERVER[$ilias->getSetting('shib_matriculation')];
            $newUser["email"] = $this->getFirstString($_SERVER[$ilias->getSetting('shib_email')]);
            $newUser["hobby"] = $_SERVER[$ilias->getSetting('shib_hobby')];
            $newUser["auth_mode"] = "shibboleth";
            // system data
            $userObj->assignData($newUser);
            $userObj->setTitle($userObj->getFullname());
            $userObj->setDescription($userObj->getEmail());
            $userObj->setLanguage($this->getFirstString($_SERVER[$ilias->getSetting('shib_language')]));
            // Time limit
            $userObj->setTimeLimitOwner(7);
            $userObj->setTimeLimitUnlimited(1);
            $userObj->setTimeLimitFrom(time());
            $userObj->setTimeLimitUntil(time());
            // Modify user data before creating the user
            // Include custom code that can be used to further modify
            // certain Shibboleth user attributes
            if ( $ilias->getSetting('shib_data_conv')
                && $ilias->getSetting('shib_data_conv') != ''
                && is_readable($ilias->getSetting('shib_data_conv'))
            )
            {
                include($ilias->getSetting('shib_data_conv'));
            }
            // Create user in DB
            $userObj->create();
            $userObj->setActive(1, 6);
            $userObj->updateOwner();
            // insert user data in table user_data
            $userObj->saveAsNew();
            // store acceptance of user agreement
            //$userObj->writeAccepted();
            // setup user preferences
            $userObj->writePrefs();
            // set role entries
            $rbacadmin->assignUser($ilias->getSetting('shib_user_default_role'), $userObj->getId(), true);
            unset($userObj);
        }
        else
        {
            // Update user account
            $userObj->checkUserId();
            $userObj->read();
            if (
                $ilias->getSetting('shib_update_gender')
                && ($_SERVER[$ilias->getSetting('shib_gender')] == 'm'
                    || $_SERVER[$ilias->getSetting('shib_gender')] == 'f')
            )
                $userObj->setGender($_SERVER[$ilias->getSetting('shib_gender')]);
            if ($ilias->getSetting('shib_update_title'))
                $userObj->setTitle($_SERVER[$ilias->getSetting('shib_title')]);
            $userObj->setFirstname($this->getFirstString($_SERVER[$ilias->getSetting('shib_firstname')]));
            $userObj->setLastname($this->getFirstString($_SERVER[$ilias->getSetting('shib_lastname')]));
            $userObj->setFullname();
            if ($ilias->getSetting('shib_update_institution'))
                $userObj->setInstitution($_SERVER[$ilias->getSetting('shib_institution')]);
            if ($ilias->getSetting('shib_update_department'))
                $userObj->setDepartment($_SERVER[$ilias->getSetting('shib_department')]);
            if ($ilias->getSetting('shib_update_street'))
                $userObj->setStreet($_SERVER[$ilias->getSetting('shib_street')]);
            if ($ilias->getSetting('shib_update_city'))
                $userObj->setCity($_SERVER[$ilias->getSetting('shib_city')]);
            if ($ilias->getSetting('shib_update_zipcode'))
                $userObj->setZipcode($_SERVER[$ilias->getSetting('shib_zipcode')]);
            if ($ilias->getSetting('shib_update_country'))
                $userObj->setCountry($_SERVER[$ilias->getSetting('shib_country')]);
            if ($ilias->getSetting('shib_update_phone_office'))
                $userObj->setPhoneOffice($this->getFirstString($_SERVER[$ilias->getSetting('shib_phone_office')]));
            if ($ilias->getSetting('shib_update_phone_home'))
                $userObj->setPhoneHome($this->getFirstString($_SERVER[$ilias->getSetting('shib_phone_home')]));
            if ($ilias->getSetting('shib_update_phone_mobile'))
                $userObj->setPhoneMobile($this->getFirstString($_SERVER[$ilias->getSetting('shib_phone_mobile')]));
            if ($ilias->getSetting('shib_update_fax'))
                $userObj->setFax($_SERVER[$ilias->getSetting('shib_fax')]);
            if ($ilias->getSetting('shib_update_matriculation'))
                $userObj->setMatriculation($_SERVER[$ilias->getSetting('shib_matriculation')]);
            if ($ilias->getSetting('shib_update_email'))
                $userObj->setEmail($this->getFirstString($_SERVER[$ilias->getSetting('shib_email')]));
            if ($ilias->getSetting('shib_update_hobby'))
                $userObj->setHobby($_SERVER[$ilias->getSetting('shib_hobby')]);
            if ($ilias->getSetting('shib_update_language'))
                $userObj->setLanguage($_SERVER[$ilias->getSetting('shib_language')]);
            // Include custom code that can be used to further modify
            // certain Shibboleth user attributes
            if ( $ilias->getSetting('shib_data_conv')
                && $ilias->getSetting('shib_data_conv') != ''
                && is_readable($ilias->getSetting('shib_data_conv'))
            )
            {
                include($ilias->getSetting('shib_data_conv'));
            }
            $userObj->update();
        }
        // we are authenticated: redirect, if possible
        if ($_GET["target"] != "")
        {
            ilUtil::redirect("goto.php?target=".$_GET["target"]."&client_id=".CLIENT_ID);
        }
    }
    else
    {
        // This should never occur unless Shibboleth is not configured properly
        $this->status = AUTH_WRONG_LOGIN;
    }
}


ShibAuth::logout ( )

Logout function.

This function clears any auth tokens in the currently active session and executes the logout callback function, if any

public

Returns
void

Definition at line 451 of file class.ilShibboleth.php.

References $_SESSION, $_sessionName, and _importGlobalVariable().

Referenced by checkAuth().

{
    $session = &$this->_importGlobalVariable('session');
    $this->username = '';
    $session[$this->_sessionName] = array();
    if (isset($_SESSION)) {
        unset($session[$this->_sessionName]);
    } else {
        session_unregister($this->_sessionName);
    }
}


ShibAuth::setAuth (   $username)

Register variable in a session telling that the user has logged in successfully.

public

Parameters
string  Username
Returns
void

Definition at line 420 of file class.ilShibboleth.php.

References $_SESSION, $_sessionName, $username, and _importGlobalVariable().

Referenced by login().

{
    $session = &$this->_importGlobalVariable('session');
    if (!isset($session[$this->_sessionName]) && !isset($_SESSION)) {
        session_register($this->_sessionName);
    }
    if (!isset($session[$this->_sessionName]) || !is_array($session[$this->_sessionName])) {
        $session[$this->_sessionName] = array();
    }
    if (!isset($session[$this->_sessionName]['data'])) {
        $session[$this->_sessionName]['data'] = array();
    }
    $session[$this->_sessionName]['registered'] = true;
    $session[$this->_sessionName]['username'] = $username;
    $session[$this->_sessionName]['timestamp'] = time();
    $session[$this->_sessionName]['idle'] = time();
}


ShibAuth::setExpire (   $time,
  $add = false 
)

Set the maximum expire time.

public

Parameters
integer  time in seconds
bool  add time to current expire time or not
Returns
void

Definition at line 151 of file class.ilShibboleth.php.

{
    if ($add) {
        $this->expire += $time;
    } else {
        $this->expire = $time;
    }
}
ShibAuth::setIdle (   $time,
  $add = false 
)

Set the maximum idle time.

public

Parameters
integer  time in seconds
bool  add time to current idle time or not
Returns
void

Definition at line 133 of file class.ilShibboleth.php.

{
    if ($add) {
        $this->idle += $time;
    } else {
        $this->idle = $time;
    }
}
ShibAuth::ShibAuth (   $authParams,
  $updateUserData = false 
)

Constructor.

public

Definition at line 96 of file class.ilShibboleth.php.

{
    $this->updateUserData = $updateUserData;
    if (!empty($authParams['sessionName'])) {
        $this->_sessionName = $authParams['sessionName'];
        unset($authParams['sessionName']);
    }
}
ShibAuth::start ( )

Start new auth session.

public

Returns
void

Definition at line 215 of file class.ilShibboleth.php.

References checkAuth().

{
    @session_start();
    if (!$this->checkAuth()) {
        //$this->login();
    }
}


ShibAuth::toAscii (   $string)

Replaces any non-ASCII character by its linguistically most logical substitution.

private

Parameters
string  A Shibboleth attribute or other string
Returns
string ASCII version of attribute

Definition at line 654 of file class.ilShibboleth.php.

References UtfNormal\toNFKD().

Referenced by generateLogin().

{
    require_once('include/Unicode/UtfNormal.php');
    // Normalize to NFKD.
    // This separates letters from combining marks.
    // See http://unicode.org/reports/tr15
    $string = UtfNormal::toNFKD($string);
    // Replace german usages of diaeresis by appending an e
    $string = preg_replace('/([aouAOU])\\xcc\\x88/', '\\1e', $string);
    // Replace the combined ae character by separated a and e
    $string = preg_replace('/\\xc3\\x86/', 'AE', $string);
    $string = preg_replace('/\\xc3\\xa6/', 'ae', $string);
    // Replace the combined thorn character by th
    $string = preg_replace('/\\xc3\\x9e/', 'TH', $string);
    $string = preg_replace('/\\xc3\\xbe/', 'th', $string);
    // Replace the letter eth by d
    $string = preg_replace('/\\xc3\\x90/', 'D', $string);
    $string = preg_replace('/\\xc4\\x91/', 'd', $string);
    $string = preg_replace('/\\xc4\\x90/', 'D', $string);
    // Replace the combined ss character
    $string = preg_replace('/\\xc3\\x9f/', 'ss', $string);
    // Get rid of everything except the characters a to z and the hyphen
    $string = preg_replace('/[^a-zA-Z\-]/i', '', $string);
    return $string;
}


Field Documentation

ShibAuth::$_sessionName = '_authsession'

Definition at line 53 of file class.ilShibboleth.php.

Referenced by getUsername(), login(), logout(), and setAuth().

ShibAuth::$expire = 0

Definition at line 70 of file class.ilShibboleth.php.

ShibAuth::$idle = 0

Definition at line 82 of file class.ilShibboleth.php.

ShibAuth::$idled = false

Definition at line 90 of file class.ilShibboleth.php.

ShibAuth::$status = ''

Definition at line 60 of file class.ilShibboleth.php.

Referenced by getStatus().

ShibAuth::$username

Definition at line 46 of file class.ilShibboleth.php.

Referenced by login(), and setAuth().

The documentation for this class was generated from the following file: