
NAME

C4::Auth_with_shibboleth

SYNOPSIS

use C4::Auth_with_shibboleth;

DESCRIPTION

This module is specific to Shibboleth authentication in koha and relies heavily upon the native shibboleth service provider package in your operating system.

CONFIGURATION

To use this type of authentication these additional packages are required:

We let the native shibboleth service provider packages handle all the complexities of shibboleth negotiation for us, and configuring this is beyond the scope of this documentation.

But to sum up, to get shibboleth working in koha, as a minimum you will need to:

  1. Create some metadata for your koha instance (if you're in a single instance setup then the default metadata available at https://youraddress.com/Shibboleth.sso/Metadata should be adequate)
  2. Swap metadata with your Identity Provider (IdP)
  3. Map their attributes to what you want to see in koha
  4. Tell apache that we wish to allow koha to authenticate via shibboleth.

    This is as simple as adding the below to your virtualhost config:

     <Location />
       AuthType shibboleth
       Require shibboleth
     </Location>

  5. Configure koha to listen for shibboleth environment variables.

    This is as simple as enabling useshibboleth in koha-conf.xml:

     <useshibboleth>1</useshibboleth>
  6. Map shibboleth attributes to koha fields, and configure authentication match point in koha-conf.xml.

     <shibboleth>
       <matchpoint>userid</matchpoint> <!-- koha borrower field to match upon -->
       <mapping>
         <userid is="eduPersonID"></userid> <!-- koha borrower field to shibboleth attribute mapping -->
       </mapping>
     </shibboleth>

    Note: The minimum you need here is a <matchpoint> block, containing a valid column name from the koha borrowers table, and a <mapping> block containing a relation between the chosen matchpoint and the shibboleth attribute name.
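
The minimum described in the note can be checked before restarting services. The script below is an added example, not part of Koha or of C4::Auth_with_shibboleth; the function name, the borrowers column subset and the <config> wrapper element in the sample inputs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the caller supplies the borrowers column names for their Koha version.
BORROWER_COLUMNS = {"userid", "cardnumber", "email"}  # constructed subset

def check_shib_conf(conf_xml, columns=BORROWER_COLUMNS):
    """Return a list of problems in the Shibboleth settings of koha-conf.xml text."""
    try:
        root = ET.fromstring(conf_xml)
    except ET.ParseError as exc:  # e.g. a <matchpoint> that is never closed
        return [f"not well-formed XML: {exc}"]
    problems = []
    if (root.findtext(".//useshibboleth") or "").strip() != "1":
        problems.append("useshibboleth is not set to 1")
    shib = root.find(".//shibboleth")
    if shib is None:
        return problems + ["no <shibboleth> block"]
    matchpoint = (shib.findtext("matchpoint") or "").strip()
    if not matchpoint:
        problems.append("no <matchpoint> in <shibboleth>")
    elif matchpoint not in columns:
        problems.append(f"matchpoint '{matchpoint}' is not a borrowers column")
    mapping = shib.find("mapping")
    if mapping is None:
        return problems + ["no <mapping> block in <shibboleth>"]
    for field in mapping:
        if field.tag not in columns:
            problems.append(f"mapped field '{field.tag}' is not a borrowers column")
        if not (field.get("is") or "").strip():
            problems.append(f"mapping for '{field.tag}' names no shibboleth attribute")
    # The matchpoint itself must be tied to a shibboleth attribute.
    if matchpoint and all(f.tag != matchpoint for f in mapping):
        problems.append(f"matchpoint '{matchpoint}' has no entry in <mapping>")
    return problems

# Constructed sample inputs; the <config> wrapper element is an assumption.
WRAP = "<config><useshibboleth>1</useshibboleth><shibboleth>%s</shibboleth></config>"
SAMPLE_OK = WRAP % '<matchpoint>userid</matchpoint><mapping><userid is="eduPersonID"/></mapping>'
SAMPLE_UNCLOSED = WRAP % '<matchpoint>userid<matchpoint><mapping><userid is="eduPersonID"/></mapping>'
SAMPLE_UNMAPPED = WRAP % '<matchpoint>cardnumber</matchpoint><mapping><userid is="eduPersonID"/></mapping>'

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_UNCLOSED", "SAMPLE_UNMAPPED"):
        print(name, check_shib_conf(globals()[name]))
```

An empty list means the block meets the stated minimum; it does not confirm that the IdP actually releases the mapped attribute.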

It should be as simple as that; you should now be able to login via shibboleth in the opac.

If you need more help configuring your Service Provider to authenticate against a chosen Identity Provider then it might be worth taking a look at the community wiki page

FUNCTIONS

logout_shib

Sends a logout signal to the native shibboleth service provider and then logs out of koha. Depending upon the native service provider configuration and identity provider capabilities this may or may not perform a single sign out action.

  logout_shib($query);

login_shib_url

Given a query, this will return a shibboleth login url with a return target of the page for the given query.

  my $shibLoginURL = login_shib_url($query);

get_login_shib

Returns the shibboleth login attribute should it be found present in the http session.

  my $shib_login = get_login_shib();

checkpw_shib

Given a database handle and a shib_login attribute, this routine checks for a matching local user and if found returns true, their cardnumber and their userid. If a match is not found, then this returns false.

  my ( $retval, $retcard, $retuserid ) = C4::Auth_with_shibboleth::checkpw_shib( $shib_login );

SEE ALSO
