
Overview

This document explains how to Shibbolize Podcast@UCSF.

Required Shibboleth Attributes

Podcast@UCSF requires the following attributes from GALEN LDAP, and, therefore, requires them from Shibboleth:

  • UID (GALEN ID) which will be mapped to EPPN
  • givenName
  • sn
  • eduPersonPrimaryAffiliation

Components

Podcast@UCSF controls authentication with the following items:

  • login.php
  • sessionManagement.php
  • database
  • .htaccess files in actual podcast directories

PHP Code Changes

The following changes need to be made to the PHP code.

login.php

  • Change the login form to a button that points to MyAccess Shibboleth, with text that reads "Log in via MyAccess". The form would be something like this:
<form method="post" action="/Shibboleth.sso/DS">
<input type="hidden" name="target" value="https://cit.ucsf.edu/podcast/shibboleth.php" />
<input type="hidden" name="providerId" value="https://d5n1.ucsf.edu/idp/shibboleth" />
<input type="submit" value="Log in via MyAccess" />
</form>

Move the login code at the top of the page into a new page, shibboleth.php, because that is the page protected by the shibd daemon running on the Podcast server.

In shibboleth.php, the auth code should look like:

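   // $target is the post-login destination; it is not defined on this page.
   if (isLoggedIn()) {
      // An application session already exists: go straight to the destination.
      header("Location: $target");
      exit;
   } else {
      if (!empty($_SERVER['REMOTE_USER'])) {
         // shibd authenticated the user: build the application session.
         shibLogin();
         header("Location: $target");
         exit;
      } else {
         // No Shibboleth identity: send the user back to the login page.
         header("Location: login.php");
         exit;
      }
   }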

sessionManagement.php

Add a new method to sessionManagement.php that works as follows:


// Copy the identity and attributes released by Shibboleth into the PHP session.
function shibLogin() {
   $_SESSION['uid']       = $_SERVER['REMOTE_USER'];   // EPPN, set by shibd
   $_SESSION['givenName'] = $_SERVER['givenName'];
   $_SESSION['sn']        = $_SERVER['sn'];
   $_SESSION['eduPersonPrimaryAffiliation'] = $_SERVER['eduPersonPrimaryAffiliation'];
}

Modify userLogout() to actually end the shibd session, as well:

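function userLogout() {
   // Clear the application session data and expire the session cookie.
   $_SESSION = array();
   if ( isset( $_COOKIE[ session_name() ])) {
      setcookie( session_name(), '', time()-42000, '/');
   }
   session_destroy();
   // Hand off to shibd so the Shibboleth session is ended as well.
   header("Location: /Shibboleth.sso/Logout");
   exit;
}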
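
The checks below are an added example, not code from the original page or from Podcast@UCSF: a stricter variant of shibLogin() that refuses the login when REMOTE_USER or a required attribute is missing and issues a fresh session ID, plus a same-site check for $target before it reaches a Location header. The names shibLoginChecked() and safeTarget(), the '/podcast/' default, the sample values and PHP 7 or later are assumptions.

```php
<?php
// Added example, not Podcast@UCSF code. Attribute names come from the page;
// function names, the '/podcast/' default and sample values are assumptions.
const REQUIRED_SHIB_ATTRS = ['givenName', 'sn', 'eduPersonPrimaryAffiliation'];

// Copy the Shibboleth identity into the session only when it is complete.
function shibLoginChecked(array $server, array &$session): bool
{
    if (empty($server['REMOTE_USER'])) {
        return false;                       // shibd set no identity
    }
    $attrs = [];
    foreach (REQUIRED_SHIB_ATTRS as $name) {
        if (!isset($server[$name]) || trim($server[$name]) === '') {
            return false;                   // attribute not released
        }
        $attrs[$name] = $server[$name];
    }
    // Issue a new session ID at login so a pre-login ID cannot be reused.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['uid'] = $server['REMOTE_USER'];
    foreach ($attrs as $name => $value) {
        $session[$name] = $value;
    }
    return true;
}

// Accept only a same-site absolute path as the post-login destination.
function safeTarget($target, string $default = '/podcast/'): string
{
    if (!is_string($target) || $target === '' || $target[0] !== '/') {
        return $default;                    // absolute URLs, empty, non-string
    }
    if (preg_match('#^/[/\\\\]#', $target) || preg_match('/[\r\n]/', $target)) {
        return $default;                    // "//host", "/\host", CR/LF
    }
    return $target;
}

// Constructed sample input standing in for $_SERVER and $_SESSION.
$server = ['REMOTE_USER' => 'jdoe@example.edu', 'givenName' => 'Jane',
           'sn' => 'Doe', 'eduPersonPrimaryAffiliation' => 'staff'];
$session = [];
var_dump(shibLoginChecked($server, $session), $session['uid']);
unset($server['sn']);                       // IdP stops releasing sn
var_dump(shibLoginChecked($server, $session));
var_dump(safeTarget('/podcast/admin.php'), safeTarget('//other.example/x'));
```

In shibboleth.php this would be called as shibLoginChecked($_SERVER, $_SESSION) after session_start(), with safeTarget($target) applied before each redirect.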

Database Changes

Podcast@UCSF uses the database for admins and owners, and for each, the GALEN ID is used in the record. For admins the GALEN ID is uid and for owners the GALEN ID is galenid. For both admins and owners the GALEN ID will have to be converted to EPPN.
