Shibboleth
Localización: Enlace hacia configuraciones en Configuraciones > Administración del sitio > Plugins > Autenticación > Gestionar autenticación
Con este método puede conectarse a un servidor Shibboleth para comprobar y crear nuevas cuentas.
Shibboleth es un proyecto Middleware Initiative de Internet2 que ha creado una arquitectura e implementación de código abierto para la autentificación basada en identidad federada e infraestructura basada en SAML. La intendidad federada permite información sobre los usuarios en un dominio de seguridad para facilitarla a otras organizaciones en federaciones comunes. Esto permite una única identificación multi-plataforma y elimina la necesidad a los administradores de mantener usuarios y contraseñas. Los proveedores de identidad (IdP's) proporcionan información de usuario, mientras que los proveedores de servicios (SP's) usan esta información y dan acceso a contenido seguro
Extraído de Wikipedia, the free encyclopedia
Configuración de Moodle para usar Shibboleth
El archivo README.TXT dentro de la carpeta auth/shibboleth de su distribución Moodle contiene las instrucciones para configuración.
Sibboleth en el Reino Unido (de la Gran Bretaña)
En el UK Becta y JISCtiene un plan para implementar escuelas, FE y federaciones HE usando Shibboleth para dar identificación única. Eso significa que centros educativos en el UK que usen Moodle deberían ser capaces de identificar a sus usuarios vía Shibboleth si sus organizaciones educativas se unen al la Federación de Gestión de accesos de Reino Unido (UK Access Management Federation) y la identidad de sus usuarios la almacena el proveedor de identidad que LA/RBC (Consorcio Regional de Bandaancha) use. Para escuelas de Autoridades Locales (LA) esto probablemente significa contactar con su autoridad local o RCB
Nota: Pendiente de Traducir. ¡Anímese a traducir esta página!. ( y otras páginas pendientes)
Shibboleth en Suiza
en Suiza la SWITCH Foundation tiene un ingreso universal bajo edu-ID para todos los que viven en Suiza. Cubre 160 instituciones y 900,000 usuarios.
Una configuración de muestra
Nota: Pendiente de Traducir. ¡Anímese a traducir esta página!. ( y otras páginas pendientes)
Notación
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE could be /var/www/html/moodle in your server.
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.
Prerequisitos
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.
- You are running the web server Apache2.
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.
Pasos que debe seguir
1. Install the Shibboleth module for Apache2
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:
# apt install libapache2-mod-shib --no-install-recommends
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.
2. Download federation metadata signing certificate
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem
3. Configure the Shibboleth service provider
Edit the /etc/shibboleth/shibboleth2.xml file as described below.
3.1 Change the ApplicationDefaults tag to your domain
<ApplicationDefaults entityID="https://DOMAIN/shibboleth" REMOTE_USER="eppn subject-id pairwise-id persistent-id" cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!
3.2 Set the discovery server
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"> SAML2 </SSO>
3.3 Set the MetadataProvider
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200">
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /> </MetadataProvider>
3.4 Set the names of the key and certificate files
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /> <CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" />
We will generate those lms-*.pem files in step 3.6.
3.5 Add a ApplicationOverride section (Note: Not necessay, dg 28 Aug 2024)
Add the following ApplicationOverride section just before the ApplicationDefaults section:
<ApplicationOverride id="wp" entityID="https://wp.YOUR-DOMAIN/shibboleth"> <CredentialResolver type="File" use="signing" key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/> <CredentialResolver type="File" use="encryption" key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/> </ApplicationOverride>
3.6 Create SP metadata credentials for both sites:
/usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth /usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth
4. Start the shibboleth service
4.1 Test the configuration first:
# shibd -t /etc/shibboleth/shibboleth2.xml
4.2 (Re)start the Shibd and Apache2:
# systemctl start shibd # systemctl restart apache2
5. Enable Shibboleth on the Apache virtual host
5.1 To enable shibboleth login on the web application add the certificate files and protect the /PATH/TO/MOODLE/auth/shibboleth/index.php by Shibboleth. They are in a /etc/apache2/sites-available/SOMETHING.conf file. Here is the format:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName DOMAIN ServerAdmin YOU@DOMAIN DocumentRoot /PATH/TO/MOODLE
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key
<Location /moodle> # just comment out # ShibRequestSetting applicationId mdl </Location>
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php> AuthType shibboleth # just comment out the next line and add the two lines below that # ShibRequestSetting applicationId mdl ShibRequireSession On require valid-user </Directory> </VirtualHost>
</IfModule>
5.2 Activate Shibd and reload Apache
# a2enmod shib # systemctl reload apache2.service
6. Register the SP with the federation
We have now set up Shibboleth SP for Moodle. It has to be registered with the federation so that its WAYF go to the discovery Service to point different IDP's.
6.1 Download the metadata of the application
You can get them by visiting the URL https://DOMAIN/Shibboleth.sso/Metadata
6.2 Register the metadata with the federation
Visit https://FEDERATTION/ and go to Join. You will be asked to upload the metadata on line and go through a couple of screens answering administrative questions. Follow the instructions on the screens.
Once the federation operator approves your request you will receive a SP registration link.
7. Enable and configure the Shibboleth plug-in in Moodle
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.
7.1 Enable the Shibboleth plug-in in Moodle
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye".
7.2 Configure the Shibboleth plug-in in Moodle
The fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto the corresponding Moodle variable. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.
Username: eppn
Moodle WAYF service: No
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout
Data mapping (First name): givenName
Data mapping (Surname): sn
Data mapping (Email address): mail
In all three set Update local to On every login and Lock value to Unlocked if empty.
And save. The change will be immediately active, no need to restart any service!
¡Terminado!
Now you may browse to https://DOMAIN/ and select your preferred IdP to log in.
Cómo depurarlo
Notas adicionales
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:
- Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.
- Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).