This document explains how to Shibbolize Podcast@UCSF.

Required Shibboleth Attributes

Podcast@UCSF requires the following attributes from GALEN LDAP, and, therefore, requires them from Shibboleth:

  • UID (the GALEN ID), which will be mapped to EPPN (eduPersonPrincipalName)
  • givenName
  • sn
  • eduPersonPrimaryAffiliation


Podcast@UCSF controls authentication with the following items:

  • login.php
  • sessionManagement.php
  • fileHelper.php
  • logout.php
  • database

PHP Code Changes

The following are changes that need to be done to the PHP code.


  • Change the login form to a button that points to MyAccess Shibboleth, with text that reads, "Log in via MyAccess". The form would be something like this (target is where the SP sends the user after login, i.e. the URL of shibboleth.php; fill in providerId with the value for this deployment):
<form method="post" action="/Shibboleth.sso/DS">
<input type="hidden" name="target" value="" />
<input type="hidden" name="providerId" value="" />
<input type="submit" value="Log in via MyAccess" />
</form>

The login code at the top of the page should be moved into a new page, shibboleth.php, since that is the page the shibd daemon running on the Podcast server will protect.

In shibboleth.php, the auth code should look like:

   <?php
   // $target is the post-login destination. It must be a same-site path chosen
   // (or validated) by this script; redirecting to an unchecked client-supplied
   // value would make shibboleth.php an open redirect.
   if (isLoggedIn()) {
      header("Location: $target");
      exit;
   } elseif (!empty($_SERVER['REMOTE_USER'])) {
      shibLogin();               // copy the Shibboleth attributes into the PHP session
      header("Location: $target");
      exit;
   } else {
      header("Location: login.php");
      exit;
   }


Add a new method to sessionManagement.php that works as follows:

function shibLogin() {
   // mod_shib exports the attributes as Apache environment variables, which is
   // why they are read from $_SERVER by attribute name (REMOTE_USER must be
   // mapped to eppn in the SP configuration).
   $_SESSION['uid']       = $_SERVER['REMOTE_USER'];
   $_SESSION['givenName'] = $_SERVER['givenName'];
   $_SESSION['sn']        = $_SERVER['sn'];
   $_SESSION['eduPersonPrimaryAffiliation'] = $_SERVER['eduPersonPrimaryAffiliation'];
}

Modify userLogout() to actually end the shibd session, as well:

function userLogout() {
   $_SESSION = array();
   if (isset($_COOKIE[session_name()])) {
      setcookie(session_name(), '', time() - 42000, '/');
   }
   session_destroy();   // clearing $_SESSION alone leaves the server-side session data in place
   header("Location: /Shibboleth.sso/Logout");
   exit;
}
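The following is an added example, not Podcast@UCSF's own code: a hardened version of the shibboleth.php handoff together with the sessionManagement.php helpers it relies on, which the logout.php change later in this document can also call. It assumes that mod_shib exports the attributes as Apache environment variables, that REMOTE_USER is mapped to eppn in the SP configuration, that the application is installed under $APP_BASE, and that the post-login target arrives in the query string; shibAttr(), safeTarget() and shibbolethHandoff() are hypothetical helper names, and the "return" parameter on the SP Logout handler is assumed to be supported by the deployed SP.

```php
<?php
// Added example (not Podcast@UCSF code): hardened shibboleth.php handoff
// plus sessionManagement.php helpers. Assumptions: attributes are Apache
// environment variables set by mod_shib; REMOTE_USER is the EPPN; the app
// lives under $APP_BASE; shibAttr/safeTarget/shibbolethHandoff are
// hypothetical names.

session_start();

$APP_BASE = '/podcast/';   // assumed install path of the application

// Read one Shibboleth attribute from the environment. With ShibUseHeaders On
// the same values also arrive as HTTP_* request headers, which a client can
// set on any path shibd does not guard, so only the environment form is used.
function shibAttr($name) {
    if (isset($_SERVER[$name]) && $_SERVER[$name] !== '') {
        return $_SERVER[$name];
    }
    // Apache renames variables to REDIRECT_<name> across an internal redirect.
    $redirected = 'REDIRECT_' . $name;
    return (isset($_SERVER[$redirected]) && $_SERVER[$redirected] !== '')
        ? $_SERVER[$redirected] : null;
}

// Accept only a same-site path as the post-login destination. A scheme, a
// leading "//", a backslash or a CR/LF would turn the redirect into an open
// redirect or header injection; those fall back to $default.
function safeTarget($candidate, $default) {
    if (!is_string($candidate) || $candidate === '') {
        return $default;
    }
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*:#', $candidate)   // has a scheme
        || substr($candidate, 0, 2) === '//'
        || strpbrk($candidate, "\\\r\n") !== false) {
        return $default;
    }
    return $candidate[0] === '/' ? $candidate : '/' . $candidate;
}

function isLoggedIn() {
    return !empty($_SESSION['uid']);
}

// Copy the Shibboleth attributes into the PHP session. Returns false when
// shibd did not authenticate this request.
function shibLogin() {
    $uid = shibAttr('REMOTE_USER');
    if ($uid === null) {
        return false;
    }
    session_regenerate_id(true);   // fresh id: the pre-login id cannot be fixed by an attacker
    $_SESSION['uid']       = $uid;  // the EPPN
    $_SESSION['givenName'] = shibAttr('givenName');
    $_SESSION['sn']        = shibAttr('sn');
    $_SESSION['eduPersonPrimaryAffiliation'] = shibAttr('eduPersonPrimaryAffiliation');
    $_SESSION['loginTime'] = time();
    return true;
}

// End both the PHP session and the shibd session. The SP Logout handler's
// "return" URL (assumed supported) brings the browser back to the site.
function userLogout($returnUrl) {
    $_SESSION = array();
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time() - 42000, '/');
    }
    session_destroy();
    header('Location: /Shibboleth.sso/Logout?return=' . rawurlencode($returnUrl));
    exit;
}

// Body of shibboleth.php: runs only behind the shibd-protected location.
function shibbolethHandoff($requestedTarget) {
    global $APP_BASE;
    $target = safeTarget($requestedTarget, $APP_BASE . 'index.php');
    if (!isLoggedIn() && !shibLogin()) {
        // Neither a session nor REMOTE_USER: shibd did not run for this request.
        header('Location: ' . $APP_BASE . 'login.php');
        exit;
    }
    header('Location: ' . $target);
    exit;
}

shibbolethHandoff(isset($_GET['target']) ? $_GET['target'] : null);
```

The two security-relevant differences from the sketch above are the session id regeneration at login, so that a session id planted before authentication cannot be reused afterwards, and the restriction of the redirect target to a same-site path, so that a crafted login link cannot bounce a freshly authenticated user to an attacker's site.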


The function setAccessFile(...) in fileHelper.php writes out a .htaccess file that protects a podcast directory. Its output needs to be changed from this:

  AuthType Basic
  AuthName "Galen Login Authentication"
  AuthLDAPURL "ldaps://,dc=library,dc=ucsf,dc=edu?uid"
  AuthLDAPAuthoritative on
  require valid-user

to this:

  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  require valid-user

Note that mod_shib exports the attributes as Apache environment variables whether or not ShibUseHeaders is set; the directive additionally copies them into HTTP request headers. Since shibLogin() reads the environment form ($_SERVER['givenName'] and so on), ShibUseHeaders On is only needed if something served from the directory consumes the HTTP_* headers, and leaving it Off removes the possibility of a client supplying those headers itself on a path shibd does not cover.

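An added example of how setAccessFile() could write the Shibboleth .htaccess safely; this is not the project's fileHelper.php. It assumes that podcast directories live under PODCAST_ROOT and that the function is called with a directory name relative to that root; resolvePodcastDir() is a hypothetical helper.

```php
<?php
// Added example (not Podcast@UCSF's fileHelper.php): write the Shibboleth
// .htaccess into a podcast directory. PODCAST_ROOT and resolvePodcastDir()
// are assumptions for illustration.

define('PODCAST_ROOT', '/var/www/podcasts');   // assumed location of podcast directories

// Resolve $dir under PODCAST_ROOT and reject anything that escapes it:
// ".." segments, absolute paths, or a symlink pointing elsewhere.
function resolvePodcastDir($dir) {
    $root = realpath(PODCAST_ROOT);
    $full = realpath(PODCAST_ROOT . '/' . $dir);
    if ($root === false || $full === false) {
        return false;
    }
    if ($full !== $root && strpos($full, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $full;
}

function setAccessFile($dir) {
    $full = resolvePodcastDir($dir);
    if ($full === false) {
        throw new InvalidArgumentException("refusing to write outside the podcast root: $dir");
    }

    // ShibUseHeaders is left at its default (Off): the PHP side reads the
    // attributes from the environment, and the media directory serves nothing
    // that needs the HTTP_* headers.
    $rules = "AuthType shibboleth\n"
           . "ShibRequireSession On\n"
           . "require valid-user\n";

    // Write to a temp file in the same directory and rename it into place, so
    // a request never sees a half-written .htaccess: an empty file would mean
    // no restriction at all, a truncated one a syntax error.
    $tmp = tempnam($full, '.htaccess.');
    if ($tmp === false || file_put_contents($tmp, $rules) !== strlen($rules)) {
        throw new RuntimeException("could not write access rules in $full");
    }
    chmod($tmp, 0640);
    if (!rename($tmp, $full . '/.htaccess')) {
        unlink($tmp);
        throw new RuntimeException("could not install .htaccess in $full");
    }
    return $full . '/.htaccess';
}

// Example call with a constructed directory name.
echo setAccessFile('grand-rounds'), "\n";
```

The path check matters because the directory name ultimately comes from whoever created the podcast: without it, a name such as "../../etc" would let the function drop an .htaccess, and with it an Apache configuration, anywhere the web server can write.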

The file logout.php also handles logout, so its redirect needs to be changed from:

header( "Location: index.php" );

to:

header("Location: /Shibboleth.sso/Logout");

Database Changes

Podcast@UCSF uses the database for admins and owners, and in both cases the GALEN ID is stored in the record. The following needs to be changed in the database:

  1. The values of the column uid of the administrators table need to be changed to the user's EPPN
  2. The values of the column galenid of the owner table need to be changed to the user's EPPN
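An added example of the migration, not the project's own script. It assumes that the EPPN is the GALEN ID scoped with "@ucsf.edu" (confirm this against a real MyAccess assertion before running it), that the two columns are the natural keys used to locate rows, and it uses an in-memory SQLite database with constructed sample rows so that it runs offline; galenToEppn(), migrateColumn() and runMigration() are hypothetical names.

```php
<?php
// Added example (not the project's migration): convert GALEN IDs in
// administrators.uid and owner.galenid to EPPNs. Assumptions: EPPN is the
// GALEN ID plus "@ucsf.edu"; the schema and rows below are constructed;
// SQLite stands in for the real database.

define('EPPN_SCOPE', '@ucsf.edu');   // assumed scope

// Return the EPPN for a bare GALEN ID, or null for values that are already
// scoped (re-running the migration must not produce "jdoe@ucsf.edu@ucsf.edu").
function galenToEppn($galenId) {
    $galenId = trim($galenId);
    if ($galenId === '' || strpos($galenId, '@') !== false) {
        return null;
    }
    return $galenId . EPPN_SCOPE;
}

// Rewrite one column in place; $table and $column are trusted constants from
// this script, never user input, which is why they are interpolated.
function migrateColumn(PDO $db, $table, $column) {
    $olds = $db->query("SELECT $column FROM $table")->fetchAll(PDO::FETCH_COLUMN);
    $update = $db->prepare("UPDATE $table SET $column = :eppn WHERE $column = :old");
    $changed = 0;
    foreach ($olds as $old) {
        $eppn = galenToEppn($old);
        if ($eppn === null) {
            continue;   // already an EPPN (or empty); the check below catches the empty case
        }
        $update->execute(array(':eppn' => $eppn, ':old' => $old));
        $changed++;
    }
    return $changed;
}

// Run both updates in one transaction and roll back unless every row ends up
// looking like an EPPN, so a partially converted table is never committed.
function runMigration(PDO $db) {
    $db->beginTransaction();
    try {
        $a = migrateColumn($db, 'administrators', 'uid');
        $o = migrateColumn($db, 'owner', 'galenid');
        $bad = (int) $db->query("SELECT COUNT(*) FROM administrators WHERE uid NOT LIKE '%@%'")->fetchColumn()
             + (int) $db->query("SELECT COUNT(*) FROM owner WHERE galenid NOT LIKE '%@%'")->fetchColumn();
        if ($bad > 0) {
            throw new RuntimeException("$bad rows still hold values that are not EPPNs");
        }
        $db->commit();
        return array('administrators' => $a, 'owner' => $o);
    } catch (Exception $e) {
        $db->rollBack();
        throw $e;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE administrators (uid TEXT PRIMARY KEY)");
$db->exec("CREATE TABLE owner (galenid TEXT NOT NULL, podcast TEXT NOT NULL)");
// Constructed sample rows: two bare GALEN IDs and one already-scoped owner.
$db->exec("INSERT INTO administrators (uid) VALUES ('jdoe'), ('asmith')");
$db->exec("INSERT INTO owner (galenid, podcast) VALUES ('jdoe', 'grand-rounds'), ('bchen@ucsf.edu', 'pharmacy')");

print_r(runMigration($db));
foreach ($db->query("SELECT galenid, podcast FROM owner") as $row) {
    echo $row['galenid'], "\t", $row['podcast'], "\n";
}
```

Running against the sample rows converts both administrators and the one bare owner while leaving bchen@ucsf.edu untouched; any row that is still not an EPPN afterwards rolls the whole change back, which is the behaviour you want when the real tables contain entries you did not expect.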
