ILIAS  Release_4_0_x_branch Revision 61816
 All Data Structures Namespaces Files Functions Variables Groups Pages
Public Member Functions | Data Fields
ShibAuth Class Reference
Services/AuthShibboleth

Class Shibboleth. More...

+ Inheritance diagram for ShibAuth:
+ Collaboration diagram for ShibAuth:

Public Member Functions

 ShibAuth ($authParams, $updateUserData=false)
 Constructor public.
 supportsRedirects ()
 Returns true, if the current auth mode allows redirection to e.g to loginScreen, public section...
 setIdle ($time, $add=false)
 Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa public.
 setExpire ($time, $add=false)
 Set the maximum expire time.
 login ()
 Login function.
 logout ()
 Logout function.
 generateLogin ()
 Automatically generates the username/screenname of a Shibboleth user or returns the user's already existing username.
 getFirstString ($string)
 Cleans and returns first of potential many values (multi-valued attributes)
 toAscii ($string)
 Replaces any non-ASCII character by its linguistically most logical substitution.
- Public Member Functions inherited from Auth
 Auth ($storageDriver, $options= '', $loginFunction= '', $showLogin=true)
 Constructor.
applyAuthOptions (&$options)
 Set the Auth options.
 _loadStorage ()
 Load Storage Driver if not already loaded.
 assignData ()
 Assign data from login form to internal values.
 start ()
 Start new auth session.
 setSessionName ($name= 'session')
 Set name of the session to a customized value.
 setShowLogin ($showLogin=true)
 Should the login form be displayed if neccessary?
 setAllowLogin ($allowLogin=true)
 Should the login form be displayed if neccessary?
 setCheckAuthCallback ($checkAuthCallback)
 Register a callback function to be called whenever the validity of the login is checked The function will receive two parameters, the username and a reference to the auth object.
 setLoginCallback ($loginCallback)
 Register a callback function to be called on user login.
 setFailedLoginCallback ($loginFailedCallback)
 Register a callback function to be called on failed user login.
 setLogoutCallback ($logoutCallback)
 Register a callback function to be called on user logout.
 setAuthData ($name, $value, $overwrite=true)
 Register additional information that is to be stored in the session.
 getAuthData ($name=null)
 Get additional information that is stored in the session.
 setAuth ($username)
 Register variable in a session telling that the user has logged in successfully.
 setAdvancedSecurity ($flag=true)
 Enables advanced security checks.
 checkAuth ()
 Checks if there is a session with valid auth information.
 getAuth ()
 Has the user been authenticated?
 updateIdle ()
 Update the idletime.
 getUsername ()
 Get the username.
 getStatus ()
 Get the current status.
 getPostUsernameField ()
 Gets the post varible used for the username.
 getPostPasswordField ()
 Gets the post varible used for the username.
 sessionValidThru ()
 Returns the time up to the session is valid.
 listUsers ()
 List all users that are currently available in the storage container.
 addUser ($username, $password, $additional= '')
 Add user to the storage container.
 removeUser ($username)
 Remove user from the storage container.
 changePassword ($username, $password)
 Change password for user in the storage container.
 log ($message, $level=AUTH_LOG_DEBUG)
 Log a message from the Auth system.
 _loadLogger ()
 Load Log object if not already loaded.
 attachLogObserver (&$observer)
 Attach an Observer to the Auth Log Source.
 _isAdvancedSecurityEnabled ($feature=null)
 Is advanced security enabled?
- Public Member Functions inherited from ilAuthBase
 supportRedirects ()
 Returns true, if the current auth mode allows redirects to e.g the login screen, public section ...
 getContainer ()
 Get container object.

Data Fields

 $username
 $_sessionName = '_authsession'
 $status = ''
 $expire = 0
 $idle = 0
 $idled = false
- Data Fields inherited from Auth
 $expire = 0
 $expired = false
 $idle = 0
 $idled = false
 $storage = ''
 $loginFunction = ''
 $showLogin = true
 $allowLogin = true
 $status = ''
 $username = ''
 $password = ''
 $checkAuthCallback = ''
 $loginCallback = ''
 $loginFailedCallback = ''
 $logoutCallback = ''
 $_sessionName = '_authsession'
 $version = "@version@"
 $advancedsecurity = false
 $_postUsername = 'username'
 $_postPassword = 'password'
 $session
 $server
 $post
 $cookie
 $authdata
 $authChecks = 0
 $logger = null
 $enableLogging = false
 $regenerateSessionId = false

Additional Inherited Members

- Static Public Member Functions inherited from Auth
_factory ($driver, $options= '')
 Return a storage driver based on $driver and $options.
 staticCheckAuth ($options=null)
 Statically checks if there is a session with valid auth information.
- Protected Member Functions inherited from ilAuthBase
 initAuth ()
 Init auth object Enable logging, set callbacks...
 loginObserver ($a_username, $a_auth)
 Called after successful login.
 failedLoginObserver ($a_username, $a_auth)
 Called after failed login.
 checkAuthObserver ($a_username, $a_auth)
 Called after each check auth request.
 logoutObserver ($a_username, $a_auth)
 Called after logout.
- Protected Attributes inherited from ilAuthBase
 $sub_status = null

Detailed Description

Class Shibboleth.

This class provides basic functionality for Shibboleth authentication

Definition at line 37 of file class.ilShibboleth.php.

Member Function Documentation

ShibAuth::generateLogin ( )

Automatically generates the username/screenname of a Shibboleth user or returns the user's already existing username.

private

Returns
String Generated username

Definition at line 379 of file class.ilShibboleth.php.

References $ilDB, $login, ilObjUser\_checkExternalAuthAccount(), ilUtil\generatePasswords(), getFirstString(), ilObjUser\getUserIdByLogin(), and toAscii().

Referenced by login().

{
global $ilias, $ilDB;
$shibID = $_SERVER[$ilias->getSetting('shib_login')];
$lastname = $this->getFirstString($_SERVER[$ilias->getSetting('shib_lastname')]);
$firstname = $this->getFirstString($_SERVER[$ilias->getSetting('shib_firstname')]);
if (trim($shibID) == "")
{
return;
}
//***********************************************//
// For backwards compatibility with previous versions
// We use the passwd field as mapping attribute for Shibboleth users
// because they don't need a password
$ilias->db->query("UPDATE usr_data SET auth_mode='shibboleth', passwd=".$ilDB->quote(md5(end(ilUtil::generatePasswords(1)))).", ext_account=".$ilDB->quote($shibID)." WHERE passwd=".$ilDB->quote($shibID));
//***********************************************//
// Let's see if user already is registered
$local_user = ilObjUser::_checkExternalAuthAccount("shibboleth", $shibID);
if ($local_user)
{
return $local_user;
}
// User doesn't seem to exist yet
// Generate new username
// This can be overruled by the data conversion API but you have
// to do it yourself in that case
// Generate the username out of the first character of firstname and the
// first word in lastname (adding the second one if the login is too short,
// avoiding meaningless last names like 'von' or 'd' and eliminating
// non-ASCII-characters, spaces, dashes etc.
$ln_arr=preg_split("/[ '-;]/", $lastname);
$login=substr($this->toAscii($firstname),0,1) . "." . $this->toAscii($ln_arr[0]);
if (strlen($login) < 6) $login .= $this->toAscii($ln_arr[1]);
$prefix = strtolower($login);
// If the user name didn't contain any ASCII characters, assign the
// name 'shibboleth' followed by a number, starting with 1.
if (strlen($prefix) == 0) {
$prefix = 'shibboleth';
$number = 1;
}
else
{
// Try if the login name is not already taken
if (!ilObjUser::getUserIdByLogin($prefix))
{
return $prefix;
}
// If the login name is in use, append a number, starting with 2.
$number = 2;
}
// Append a number, if the username is already taken
while (ilObjUser::getUserIdByLogin($prefix.$number))
{
$number++;
}
return $prefix.$number;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

ShibAuth::getFirstString (   $string)

Cleans and returns first of potential many values (multi-valued attributes)

private

Parameters
stringA Shibboleth attribute or other string
Returns
string First value of attribute

Definition at line 456 of file class.ilShibboleth.php.

Referenced by generateLogin(), and login().

{
$list = split( ';', $string);
$clean_string = rtrim($list[0]);
return $clean_string;
}

+ Here is the caller graph for this function:

ShibAuth::login ( )

Login function.

private

Returns
void

Reimplemented from Auth.

Definition at line 166 of file class.ilShibboleth.php.

References $_GET, $username, AUTH_WRONG_LOGIN, ilShibbolethRoleAssignmentRules\doAssignments(), generateLogin(), ilUtil\generatePasswords(), getFirstString(), ilObjUser\getUserIdByLogin(), IL_PASSWD_MD5, ilUtil\redirect(), Auth\setAuth(), and ilShibbolethRoleAssignmentRules\updateAssignments().

{
global $ilias, $rbacadmin;
if (!empty($_SERVER[$ilias->getSetting('shib_login')]))
{
// Store user's Shibboleth sessionID for logout
$this->session['shibboleth_session_id'] = $_SERVER['Shib-Session-ID'];
// Get loginname of user, new login name is generated if user is new
$username = $this->generateLogin();
// Authorize this user
$this->setAuth($username);
$userObj = new ilObjUser();
// Check wether this account exists already, if not create it
if (!ilObjUser::getUserIdByLogin($username))
{
$newUser["firstname"] = $this->getFirstString($_SERVER[$ilias->getSetting('shib_firstname')]);
$newUser["lastname"] = $this->getFirstString($_SERVER[$ilias->getSetting('shib_lastname')]);
$newUser["login"] = $username;
// Password must be random to prevent users from manually log in using the login data from Shibboleth users
$newUser["passwd"] = md5(end(ilUtil::generatePasswords(1)));
$newUser["passwd_type"] = IL_PASSWD_MD5;
if (
$ilias->getSetting('shib_update_gender')
&& ($_SERVER[$ilias->getSetting('shib_gender')] == 'm'
|| $_SERVER[$ilias->getSetting('shib_gender')] =='f')
)
{
$newUser["gender"] = $_SERVER[$ilias->getSetting('shib_gender')];
}
// Save mapping between ILIAS user and Shibboleth uniqueID
$newUser["ext_account"] = $_SERVER[$ilias->getSetting('shib_login')];
// other data
$newUser["title"] = $_SERVER[$ilias->getSetting('shib_title')];
$newUser["institution"] = $_SERVER[$ilias->getSetting('shib_institution')];
$newUser["department"] = $_SERVER[$ilias->getSetting('shib_department')];
$newUser["street"] = $_SERVER[$ilias->getSetting('shib_street')];
$newUser["city"] = $_SERVER[$ilias->getSetting('shib_city')];
$newUser["zipcode"] = $_SERVER[$ilias->getSetting('shib_zipcode')];
$newUser["country"] = $_SERVER[$ilias->getSetting('shib_country')];
$newUser["phone_office"] = $this->getFirstString($_SERVER[$ilias->getSetting('shib_phone_office')]);
$newUser["phone_home"] = $this->getFirstString($_SERVER[$ilias->getSetting('shib_phone_home')]);
$newUser["phone_mobile"] = $this->getFirstString($_SERVER[$ilias->getSetting('shib_phone_mobile')]);
$newUser["fax"] = $this->getFirstString($_SERVER[$ilias->getSetting('shib_fax')]);
$newUser["matriculation"] = $_SERVER[$ilias->getSetting('shib_matriculation')];
$newUser["email"] = $this->getFirstString($_SERVER[$ilias->getSetting('shib_email')]);
$newUser["hobby"] = $_SERVER[$ilias->getSetting('shib_hobby')];
$newUser["auth_mode"] = "shibboleth";
// system data
$userObj->assignData($newUser);
$userObj->setTitle($userObj->getFullname());
$userObj->setDescription($userObj->getEmail());
$userObj->setLanguage($this->getFirstString($_SERVER[$ilias->getSetting('shib_language')]));
// Time limit
$userObj->setTimeLimitOwner(7);
$userObj->setTimeLimitUnlimited(1);
$userObj->setTimeLimitFrom(time());
$userObj->setTimeLimitUntil(time());
// Modify user data before creating the user
// Include custom code that can be used to further modify
// certain Shibboleth user attributes
if ( $ilias->getSetting('shib_data_conv')
&& $ilias->getSetting('shib_data_conv') != ''
&& is_readable($ilias->getSetting('shib_data_conv'))
)
{
include($ilias->getSetting('shib_data_conv'));
}
// Create use in DB
$userObj->create();
$userObj->setActive(1, 6);
$userObj->updateOwner();
//insert user data in table user_data
$userObj->saveAsNew();
// store acceptance of user agreement
//$userObj->writeAccepted();
// setup user preferences
$userObj->writePrefs();
//set role entries
#$rbacadmin->assignUser($ilias->getSetting('shib_user_default_role'), $userObj->getId(),true);
// New role assignment
include_once './Services/AuthShibboleth/classes/class.ilShibbolethRoleAssignmentRules.php';
ilShibbolethRoleAssignmentRules::doAssignments($userObj->getId(),$_SERVER);
unset($userObj);
// Authorize this user
$this->setAuth($username);
}
else
{
// Update user account
$uid = $userObj->checkUserId();
$userObj->setId($uid);
$userObj->read($uid);
if (
$ilias->getSetting('shib_update_gender')
&& ($_SERVER[$ilias->getSetting('shib_gender')] == 'm'
|| $_SERVER[$ilias->getSetting('shib_gender')] =='f')
)
$userObj->setGender($_SERVER[$ilias->getSetting('shib_gender')]);
if ($ilias->getSetting('shib_update_title'))
$userObj->setTitle($_SERVER[$ilias->getSetting('shib_title')]);
$userObj->setFirstname($this->getFirstString($_SERVER[$ilias->getSetting('shib_firstname')]));
$userObj->setLastname($this->getFirstString($_SERVER[$ilias->getSetting('shib_lastname')]));
$userObj->setFullname();
if ($ilias->getSetting('shib_update_institution'))
$userObj->setInstitution($_SERVER[$ilias->getSetting('shib_institution')]);
if ($ilias->getSetting('shib_update_department'))
$userObj->setDepartment($_SERVER[$ilias->getSetting('shib_department')]);
if ($ilias->getSetting('shib_update_street'))
$userObj->setStreet($_SERVER[$ilias->getSetting('shib_street')]);
if ($ilias->getSetting('shib_update_city'))
$userObj->setCity($_SERVER[$ilias->getSetting('shib_city')]);
if ($ilias->getSetting('shib_update_zipcode'))
$userObj->setZipcode($_SERVER[$ilias->getSetting('shib_zipcode')]);
if ($ilias->getSetting('shib_update_country'))
$userObj->setCountry($_SERVER[$ilias->getSetting('shib_country')]);
if ($ilias->getSetting('shib_update_phone_office'))
$userObj->setPhoneOffice($this->getFirstString($_SERVER[$ilias->getSetting('shib_phone_office')]));
if ($ilias->getSetting('shib_update_phone_home'))
$userObj->setPhoneHome($this->getFirstString($_SERVER[$ilias->getSetting('shib_phone_home')]));
if ($ilias->getSetting('shib_update_phone_mobile'))
$userObj->setPhoneMobile($this->getFirstString($_SERVER[$ilias->getSetting('shib_phone_mobile')]));
if ($ilias->getSetting('shib_update_fax'))
$userObj->setFax($_SERVER[$ilias->getSetting('shib_fax')]);
if ($ilias->getSetting('shib_update_matriculation'))
$userObj->setMatriculation($_SERVER[$ilias->getSetting('shib_matriculation')]);
if ($ilias->getSetting('shib_update_email'))
$userObj->setEmail($this->getFirstString($_SERVER[$ilias->getSetting('shib_email')]));
if ($ilias->getSetting('shib_update_hobby'))
$userObj->setHobby($_SERVER[$ilias->getSetting('shib_hobby')]);
if ($ilias->getSetting('shib_update_language'))
$userObj->setLanguage($_SERVER[$ilias->getSetting('shib_language')]);
// Include custom code that can be used to further modify
// certain Shibboleth user attributes
if ( $ilias->getSetting('shib_data_conv')
&& $ilias->getSetting('shib_data_conv') != ''
&& is_readable($ilias->getSetting('shib_data_conv'))
)
{
include($ilias->getSetting('shib_data_conv'));
}
$userObj->update();
// Update role assignments
include_once './Services/AuthShibboleth/classes/class.ilShibbolethRoleAssignmentRules.php';
ilShibbolethRoleAssignmentRules::updateAssignments($userObj->getId(),$_SERVER);
}
// we are authenticated: redirect, if possible
if ($_GET["target"] != "")
{
ilUtil::redirect("goto.php?target=".$_GET["target"]."&client_id=".CLIENT_ID);
}
}
else
{
// This should never occur unless Shibboleth is not configured properly
$this->status = AUTH_WRONG_LOGIN;
}
}

+ Here is the call graph for this function:

ShibAuth::logout ( )

Logout function.

This function clears any auth tokens in the currently active session and executes the logout callback function, if any

public

Returns
void

Reimplemented from Auth.

Definition at line 366 of file class.ilShibboleth.php.

{
parent::logout();
}
ShibAuth::setExpire (   $time,
  $add = false 
)

Set the maximum expire time.

public

Parameters
integertime in seconds
booladd time to current expire time or not
Returns
void

Reimplemented from Auth.

Definition at line 150 of file class.ilShibboleth.php.

{
if ($add) {
$this->expire += $time;
} else {
$this->expire = $time;
}
}
ShibAuth::setIdle (   $time,
  $add = false 
)

Deletes a role and deletes entries in object_data, rbac_pa, rbac_templates, rbac_ua, rbac_fa public.

Parameters
integerobj_id of role (role_id)
integerref_id of role folder (ref_id)
Returns
boolean true on success

Reimplemented from Auth.

Definition at line 132 of file class.ilShibboleth.php.

{
if ($add) {
$this->idle += $time;
} else {
$this->idle = $time;
}
}
ShibAuth::ShibAuth (   $authParams,
  $updateUserData = false 
)

Constructor public.

Definition at line 94 of file class.ilShibboleth.php.

References Auth\Auth(), and Auth\setSessionName().

{
if ($authParams["sessionName"] != "") {
parent::Auth("", array("sessionName" => $authParams["sessionName"]));
}
else {
parent::Auth("");
}
$this->updateUserData = $updateUserData;
if (!empty($authParams['sessionName'])) {
$this->setSessionName($authParams['sessionName']);
unset($authParams['sessionName']);
}
}

+ Here is the call graph for this function:

ShibAuth::supportsRedirects ( )

Returns true, if the current auth mode allows redirection to e.g to loginScreen, public section...

Returns

Definition at line 118 of file class.ilShibboleth.php.

{
return true;
}
ShibAuth::toAscii (   $string)

Replaces any non-ASCII character by its linguistically most logical substitution.

private

Parameters
stringA Shibboleth attribute or other string
Returns
string ascii-version of attribute

Definition at line 472 of file class.ilShibboleth.php.

References UtfNormal\toNFKD().

Referenced by generateLogin().

{
require_once('include/Unicode/UtfNormal.php');
// Normalize to NFKD.
// This separates letters from combining marks.
// See http://unicode.org/reports/tr15
$string = UtfNormal::toNFKD($string);
// Replace german usages of diaeresis by appending an e
$string = preg_replace('/([aouAOU])\\xcc\\x88/','\\1e', $string);
// Replace the combined ae character by separated a and e
$string = preg_replace('/\\xc3\\x86/','AE', $string);
$string = preg_replace('/\\xc3\\xa6/','ae', $string);
// Replace the combined thorn character by th
$string = preg_replace('/\\xc3\\x9e/','TH', $string);
$string = preg_replace('/\\xc3\\xbe/','th', $string);
// Replace the letter eth by d
$string = preg_replace('/\\xc3\\x90/','D', $string);
$string = preg_replace('/\\xc4\\x91/','d', $string);
$string = preg_replace('/\\xc4\\x90/','D', $string);
// Replace the combined ss character
$string = preg_replace('/\\xc3\\x9f/','ss', $string);
// Get rid of everything except the characters a to z and the hyphen
$string = preg_replace('/[^a-zA-Z\-]/i','', $string);
return $string;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Field Documentation

ShibAuth::$_sessionName = '_authsession'

Definition at line 51 of file class.ilShibboleth.php.

ShibAuth::$expire = 0

Definition at line 68 of file class.ilShibboleth.php.

ShibAuth::$idle = 0

Definition at line 80 of file class.ilShibboleth.php.

ShibAuth::$idled = false

Definition at line 88 of file class.ilShibboleth.php.

ShibAuth::$status = ''

Definition at line 58 of file class.ilShibboleth.php.

ShibAuth::$username

Definition at line 44 of file class.ilShibboleth.php.

Referenced by login().

The documentation for this class was generated from the following file: