Fix (and completely revamp) the Shibboleth authentication module. (hotfix of #2611) #2612
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This updates the Shibboleth authentication module to fit into the new
scheme of the general webwork2 authentication process. The module is
set up to work just like all of the other up to date webwork2
authentication modules.
It has its own configuration file (conf/authen_shibboleth.conf.dist)
that should be used instead of adding a buch of variables to
localOverrides.conf. The include statement in localOverrides.conf
should be uncommented, and the dist file copied and modified.
Furthermore, relatively complete instructions on how to use the
authentication module are in the comments in the configuration file.
The variables in the configuration file are all the same as before,
except that there is one new one. That is the
`$shibboleth{bypass_query}`. Previously "bypassShib" was hard coded for
this purpose. Now that can be configured. If that variable is not set
(and for those using this module before it wouldn't be), then the bypass
parameter will not work. So this is the only real change from before.
The issues that were causing webwork2's session not to work have been
fixed. This means that proctored test access will work again.
The library browser, pg problem editor, and everything else that uses
the rpc endpoints will work correctly. There simply is nothing special
that the authentication module needs to do here, and most importantly it
needs to not do anything special (like reverting to the base
authentication module). The rpc enpoints now use the usual
authentication methods, and that does work with mod_shib.
Don't worry. The module is still strict and has warnings enabled. All modules that derive from `Mojo::Base` are. I forgot to remove these when changing to that, and those cause warnings since Mojo::Base disables the warnings for using signatures.
Currently the parameter works to sign in, but if you try to do anything after signing in, then you are redirected to sign in to the Shibboleth identity provider. To prevent that the parameter needs to be considered a persistent authentication parameter.
drgrice1
force-pushed
the
shibboleth-rework-hotfix
branch
from
9bbd118 to
975a9da
Compare
Alex-Jordan
approved these changes
Nov 13, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This updates the Shibboleth authentication module to fit into the new scheme of the general webwork2 authentication process. The module is set up to work just like all of the other up to date webwork2 authentication modules.
It has its own configuration file (conf/authen_shibboleth.conf.dist) that should be used instead of adding a buch of variables to localOverrides.conf. The include statement in localOverrides.conf should be uncommented, and the dist file copied and modified. Furthermore, relatively complete instructions on how to use the authentication module are in the comments in the configuration file.
The variables in the configuration file are all the same as before, except that there is one new one. That is the
$shibboleth{bypass_query}. Previously "bypassShib" was hard coded for this purpose. Now that can be configured. If that variable is not set (and for those using this module before it wouldn't be), then the bypass parameter will not work. So this is the only real change from before.The issues that were causing webwork2's session not to work have been fixed. This means that proctored test access will work again.
The library browser, pg problem editor, and everything else that uses the rpc endpoints will work correctly. There simply is nothing special that the authentication module needs to do here, and most importantly it needs to not do anything special (like reverting to the base authentication module). The rpc enpoints now use the usual authentication methods, and that does work with mod_shib.