Warning: This page has not been updated in over a year and may be outdated or deprecated.
configuration:shibboleth

Differences

This shows you the differences between two versions of the page.

configuration:shibboleth [2016/09/09 08:59] – Added a note about the rationale for SLO emaijala
configuration:shibboleth [2022/10/28 11:09] (current) – [Shibboleth Setup] demiankatz
Line 1: Line 1:
 +====== Shibboleth Configuration ======
 +
 ===== Shibboleth Setup ===== ===== Shibboleth Setup =====
  
Line 10: Line 12:
     </If>     </If>
     <Else>     <Else>
-      Require all granted+      ShibRequestSetting requireSession false 
 +      AuthType shibboleth 
 +      Require shibboleth
     </Else>     </Else>
 </code> </code>
  
-The settings on VuFind side are found in the Shibboleth section in config.ini. Starting with VuFind 3.debug level log includes Shibboleth authentication handler messages to aid in debugging any issues with the authentication. These messages include the environment variables so that you can check if the environment variables that the Shibboleth module sets up matc the variable names in config.ini.+Note: the "Else" clause can simply be "require all granted" if you are not using the Shibboleth "logout" setting... but if you are using "logout," you need access to Shibboleth attributes at all times, and thus must always require the Shibboleth module. 
 + 
 +The settings on VuFind side are found in the Shibboleth section in config.ini. Starting with VuFind 4.debug level log includes Shibboleth authentication handler messages to aid in debugging any issues with the authentication. These messages include the environment variables so that you can check if the environment variables that the Shibboleth module sets up matc the variable names in config.ini.
  
 ===== Shibboleth Single Logout ===== ===== Shibboleth Single Logout =====
  
-Support for Shibboleth back-channel single logout is available starting from VuFind version 3.2. Single logout is especially important in public terminals where the Shibboleth Identity Provider would keep the user's session alive unless the browser is closed too regardless of whether the user logged out from VuFind.+Support for Shibboleth back-channel single logout is available starting from VuFind version 4.0. Single logout is especially important in public terminals where the Shibboleth Identity Provider would keep the user's session alive unless the browser is closed too regardless of whether the user logged out from VuFind
 + 
 +N.B. VuFind's Shibboleth logout notification handling requires the PHP SOAP module installed.
  
 Here are some links for background information on how single logout works with Shibboleth: Here are some links for background information on how single logout works with Shibboleth:
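Review bot: In the added paragraph beginning "The settings on VuFind side", the text "Starting with VuFind 4.debug level log" runs the version number straight into the next word, so a reader cannot tell which release introduced the debug messages; write the full version followed by a comma. The same line carries over the typo "matc" (should be "match"), and the added single-logout sentence ends without its period. Since the paragraph says the debug messages include the environment variables set up by the Shibboleth module, it is worth adding that debug logging should be switched off again once the variable names have been checked against config.ini. In the added note about the "Else" clause, "require all granted" should be capitalised as "Require all granted" to match the directive shown in the removed line.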
Line 79: Line 87:
 </code> </code>
  
 +==== Testing the Logout Handler ====
 +
 +A logout request can be simulated to verify that the logout handler works:
 +
 +  - Start a session in VuFind. 
 +  - Do a search and check that it shows up in the search history.
 +  - Take note of the session id by e.g. checking cookies with browser's developer tools.
 +  - Add a mapping from an external ID ("Shibboleth session ID") to the external session database table with the mysql cli client (replace SESSION_ID with the ID from step 3): <code sql>
 +insert into external_session (session_id, external_session_id) values ('SESSION_ID', 'EXTERNAL_SESSION_ID');
 +</code>
 +  - Use the following command to issue a logout request (replace `https://localhost` with your VuFind's address if necessary): <code bash>
 +curl -X POST --header "Content-Type: text/xml;charset=UTF-8" \
 +--data \
 +'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"> \
 +  <s:Body> \
 +    <LogoutNotification xmlns="urn:mace:shibboleth:2.0:sp:notify" type="global"> \
 +      <SessionID>EXTERNAL_SESSION_ID</SessionID> \
 +    </LogoutNotification> \
 +  </s:Body> \
 +</s:Envelope>' \
 +'https://localhost/soap/shiblogout'
 +</code>
 +===== Advanced Options =====
 +
 +See the [[:configuration:shibboleth:library_cards|Shibboleth and Library Cards]] page for details on setting up Shibboleth with VuFind's optional "Library Cards" feature.
 ---- struct data ---- ---- struct data ----
 +properties.Page Owner : emaijala
 ---- ----
  
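Review bot: In the curl step, the --data argument is wrapped in single quotes, so the trailing backslashes on the envelope lines are not shell line continuations and are sent as literal characters inside the XML body; drop the backslashes inside the quoted string and keep only the ones outside it. Step 4 says to replace SESSION_ID but does not say what to use for EXTERNAL_SESSION_ID, or that the same value must appear in the <SessionID> element of the request. The list also ends at sending the request: add a final step stating the expected result (for example, whether the search from step 2 is gone from the search history) and a reminder to delete the test row from external_session afterwards. The backticks around https://localhost are not DokuWiki markup and will render literally.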
configuration/shibboleth.1473411585.txt.gz · Last modified: 2016/09/09 08:59 (external edit)