[Bug 18506] New: Shibboleth SSO Only Mode
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Bug ID: 18506 Summary: Shibboleth SSO Only Mode Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Authentication Assignee: gmcharlt@gmail.com Reporter: martin.renvoize@ptfs-europe.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org Shibboleth works at it's best when it is the ONLY form of authentication allowed on the system. That way, if you disable opacPublic you can have a system that automatically redirects the user to the IdP for authentication immediately and skips any other forms of authentication leading to a more seamless SSO solution. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #1 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 62810 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62810&action=edit BUG 18506 - Add xShibOnly preference for shibboleth This patch adds two system preferences to Koha, opacShibOnly and staffShibOnly, allowing users to restrict authentication to just one method, Shibboleth. A system preference was chosen over a configuration file update to allow for local override at the virtualhost level. In this way a hosting provider can setup a 'backdoor opac' for example to allow fallback to local logins for support operations. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |12027 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12027 [Bug 12027] Shibboleth authentication for staff client -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de Status|Needs Signoff |BLOCKED Assignee|gmcharlt@gmail.com |martin.renvoize@ptfs-europe | |.com --- Comment #2 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Assigning bug to Martin as he has provided the patch. Depends on a bug that is in 'Failed QA' - marking as BLOCKED for now. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #3 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Comment on attachment 62810 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62810 BUG 18506 - Add xShibOnly preference for shibboleth Review of attachment 62810: --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=18506&attachment=62810) -----------------------------------------------------------------
From looking at the patch:
Author in patch file is not correct - PTFS Admin <hosting@ptfs-europe.com> ::: installer/data/mysql/atomicupdate/shibOnly.perl @@ +1,5 @@
+$DBversion = 'XXX'; # will be replaced by the RM +if( CheckVersion( $DBversion ) ) { + $dbh->do( "INSERT IGNORE INTO systempreferences (variable,value,explanation,options,type) VALUES ('opacShibOnly','0','If ON enables shibboleth only authentication for the opac','','YesNo'),('staffShibOnly','0','If ON enables shibboleth only authentication for the staff client','','YesNo')" ); + SetVersion( $DBversion ); + print "Upgrade to $DBversion done (Bug XXXXX - shibOnly preferences)\n";
Missing the bug number and maybe a nicer explanation? ::: koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/opac.pref @@ +828,5 @@
+ - pref: opacShibOnly + choices: + yes: "Don't allow" + no: Allow + - patrons to login by means other than shibboleth.
Should shibboleth be Shibboleth? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #62810|0 |1 is obsolete| | --- Comment #4 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 79050 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=79050&action=edit BUG 18506 - Add xShibOnly preference for shibboleth This patch adds two system preferences to Koha, opacShibOnly and staffShibOnly, allowing users to restrict authentication to just one method, Shibboleth. A system preference was chosen over a configuration file update to allow for local override at the virtualhost level. In this way a hosting provider can setup a 'backdoor opac' for example to allow fallback to local logins for support operations. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|BLOCKED |Needs Signoff --- Comment #5 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Rebased and made requested corrections. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |julian.maurice@biblibre.com Status|Needs Signoff |Failed QA --- Comment #6 from Julian Maurice <julian.maurice@biblibre.com> --- Hi Martin, it looks like the patch is not complete. It works as expected for OPAC when opacPublic is disabled. But when it's enabled, users are still able to login using their local credentials. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #79050|0 |1 is obsolete| | --- Comment #7 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 79522 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=79522&action=edit BUG 18506 - Add xShibOnly preference for shibboleth This patch adds two system preferences to Koha, opacShibOnly and staffShibOnly, allowing users to restrict authentication to just one method, Shibboleth. A system preference was chosen over a configuration file update to allow for local override at the virtualhost level. In this way a hosting provider can setup a 'backdoor opac' for example to allow fallback to local logins for support operations. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #8 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 79524 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=79524&action=edit Bug 18506: (followup) Make this play nicely with opacPublic -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff --- Comment #9 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Not my most elegant of followups but I think it resolves the issue. Thanks for testing Julian. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #79524|0 |1 is obsolete| | --- Comment #10 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 79540 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=79540&action=edit Bug 18506: (followup) Make this play nicely with opacPublic -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Shibboleth SSO Only Mode |SSO - Shibboleth Only Mode -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the| |This enhancement adds a release notes| |system preference to allow | |libraries to enable | |shibboleth to work as the | |only authentication method | |available for their library | |and as such practice fully | |devolved authentication. | | | |When combined with the | |OpacPublic preference, this | |can be used to enable | |seamless Single Sign On, | |where the user simply | |browses to the OPAC in | |their web browser and if | |already logged in on their | |domain they will | |automatically be logged in | |in koha too. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Bug 18506 depends on bug 12027, which changed state. Bug 12027 Summary: Shibboleth authentication for staff client https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12027 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Master |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #11 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 89423 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=89423&action=edit Bug 18506: Add xShibOnly preference for Shibboleth authentication This patch adds two system preferences to Koha, opacShibOnly and staffShibOnly, allowing users to restrict authentication to just one method, Shibboleth. A system preference was chosen over a configuration file update to allow for local override at the virtualhost level. In this way a hosting provider can setup a 'backdoor opac' for example to allow fallback to local logins for support operations. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #79540|0 |1 is obsolete| | --- Comment #12 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 89424 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=89424&action=edit Bug 18506: (followup) Make this play nicely with opacPublic -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #79522|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #13 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Freshly rebased. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kyle@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |RM_priority -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nick@bywatersolutions.com Status|Needs Signoff |Failed QA --- Comment #14 from Nick Clemens <nick@bywatersolutions.com> --- Needs changes to opac-auth.tt too -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #15 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- (In reply to Nick Clemens from comment #14)
Needs changes to opac-auth.tt too
In theory you shouldn't be able to navigate to opac-auth.tt.. but it's not a bad idea to include handling there anyway. Follow-up incoming -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #89423|0 |1 is obsolete| | --- Comment #16 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 91011 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=91011&action=edit Bug 18506: Add xShibOnly preference for Shibboleth authentication This patch adds two system preferences to Koha, opacShibOnly and staffShibOnly, allowing users to restrict authentication to just one method, Shibboleth. A system preference was chosen over a configuration file update to allow for local override at the virtualhost level. In this way a hosting provider can setup a 'backdoor opac' for example to allow fallback to local logins for support operations. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #17 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 91012 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=91012&action=edit Bug 18506: (follow-up) Make this play nicely with opacPublic -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #18 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 91013 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=91013&action=edit Bug 18506: (follow-up) Handle shibOnly in opac-auth.tt This patch adds the shibOnly conditional to the opac-auth.tt template such that if shibOnly is enabled then only the shibboleth login link ,and any shibboleth login errors if there are any, will display. It does not however preclude SCO and SCI login, those are still available if when SCO_login or SCI_login parameters are passed. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #89424|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #19 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Fresh rebase, tidy up of QA script failures and follow-up added to address Nicks concerns. That last followup was more complex than anticipated.. I think that template could do with a bit of a tidy up and my patch includes some whitespace changes I did along the way to try and keep track of what I was doing.. I could remove those if requested. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Matthias Meusburger <matthias.meusburger@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |matthias.meusburger@biblibr | |e.com --- Comment #20 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- Hi, I've done some testing, and it works consistently with the various combinations of opacShibOnly, OpacPublic and staffShibOnly. However, when opacShibOnly is enabled, the authentication process always redirect to opac-user.pl, instead of the page the user was currently on (like a search result, for example). The user should be redirected to the page he was on, like when opacShibOnly is disabled. Also I'm a little concerned that users might lock themselves out of the admin interface when enabling staffShibOnly, but that's nothing an SQL query to modify the syspref's value can't fix. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #21 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- (In reply to Matthias Meusburger from comment #20)
Hi,
I've done some testing, and it works consistently with the various combinations of opacShibOnly, OpacPublic and staffShibOnly.
However, when opacShibOnly is enabled, the authentication process always redirect to opac-user.pl, instead of the page the user was currently on (like a search result, for example).
The user should be redirected to the page he was on, like when opacShibOnly is disabled.
Noted, I'll take a look at doing this in a follow-up now.
Also I'm a little concerned that users might lock themselves out of the admin interface when enabling staffShibOnly, but that's nothing an SQL query to modify the syspref's value can't fix.
So I agree with this, but as it's the feature our customers have requested I think it's a valid use case. What we do at PTFS-E is use the syspref override in the vhosts and setup a second alias for local support so we can still login. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #22 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 92665 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=92665&action=edit Bug 18506: (follow-up) Set redirect type to 303 This should ensure query parameters are passed through the redirection. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #23 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- The parameters are now kept after login, I'm signing this off. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Matthias Meusburger <matthias.meusburger@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #91011|0 |1 is obsolete| | --- Comment #24 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- Created attachment 92680 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=92680&action=edit Bug 18506: Add xShibOnly preference for Shibboleth authentication This patch adds two system preferences to Koha, opacShibOnly and staffShibOnly, allowing users to restrict authentication to just one method, Shibboleth. A system preference was chosen over a configuration file update to allow for local override at the virtualhost level. In this way a hosting provider can setup a 'backdoor opac' for example to allow fallback to local logins for support operations. Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Matthias Meusburger <matthias.meusburger@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #91012|0 |1 is obsolete| | --- Comment #25 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- Created attachment 92681 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=92681&action=edit Bug 18506: (follow-up) Make this play nicely with opacPublic Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Matthias Meusburger <matthias.meusburger@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #91013|0 |1 is obsolete| | --- Comment #26 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- Created attachment 92682 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=92682&action=edit Bug 18506: (follow-up) Handle shibOnly in opac-auth.tt This patch adds the shibOnly conditional to the opac-auth.tt template such that if shibOnly is enabled then only the shibboleth login link ,and any shibboleth login errors if there are any, will display. It does not however preclude SCO and SCI login, those are still available if when SCO_login or SCI_login parameters are passed. Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Matthias Meusburger <matthias.meusburger@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #92665|0 |1 is obsolete| | --- Comment #27 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- Created attachment 92683 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=92683&action=edit Bug 18506: (follow-up) Set redirect type to 303 This should ensure query parameters are passed through the redirection. Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Matthias Meusburger <matthias.meusburger@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Patch doesn't apply --- Comment #28 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- As we have a strong sign-off here and also some QA opinions, we should try and move this forward. Can we get a rebase please? Also a request: Could we make it OpacShibOnly or better OPACShibOnly? That seems to be more the standard looking at the other existing prefs. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |rel_19_11_candidate -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|rel_19_11_candidate |rel_20_05_target -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|rel_20_05_candidate, |rel_20_11_target |RM_priority | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #29 from David Cook <dcook@prosentient.com.au> --- Pretty interested by this. We have our own separate Shibboleth integration, and I recently did a SAML-only SSO auth for it. It would be interesting to compare them... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|rel_20_11_target | CC| |jonathan.druart@bugs.koha-c | |ommunity.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Henry Bolshaw <bolshawh@parliament.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bolshawh@parliament.uk -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #92680|0 |1 is obsolete| | --- Comment #30 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 116250 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=116250&action=edit Bug 18506: Add xShibOnly preference for Shibboleth authentication This patch adds two system preferences to Koha, opacShibOnly and staffShibOnly, allowing users to restrict authentication to just one method, Shibboleth. We do however, allow for local fallback for the SCO/SCI logins. A system preference was chosen over a configuration file update to allow for local override at the virtualhost level. In this way a hosting provider can setup a 'backdoor opac' for example to allow fallback to local logins for support operations. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #92681|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #92683|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #92682|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #116250|0 |1 is obsolete| | --- Comment #31 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 116251 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=116251&action=edit Bug 18506: Add xShibOnly preference for Shibboleth authentication This patch adds two system preferences to Koha, opacShibOnly and staffShibOnly, allowing users to restrict authentication to just one method, Shibboleth. We do however, allow for local fallback for the SCO/SCI logins. A system preference was chosen over a configuration file update to allow for local override at the virtualhost level. In this way a hosting provider can setup a 'backdoor opac' for example to allow fallback to local logins for support operations. Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #32 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 116253 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=116253&action=edit Bug 18506: (QA follow-up) opacShibOnly -> OPACShibOnly As requested -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Patch doesn't apply |Signed Off --- Comment #33 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- I've been porting this work from version to version on customer sites for a matter of years now.. would be wonderful to get it passed the finish line. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #34 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- David, can you put your QA stamp on this one? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #116251|0 |1 is obsolete| | Attachment #116253|0 |1 is obsolete| | --- Comment #35 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 116280 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=116280&action=edit Bug 18506: Add xShibOnly preference for Shibboleth authentication This patch adds two system preferences to Koha, opacShibOnly and staffShibOnly, allowing users to restrict authentication to just one method, Shibboleth. We do however, allow for local fallback for the SCO/SCI logins. A system preference was chosen over a configuration file update to allow for local override at the virtualhost level. In this way a hosting provider can setup a 'backdoor opac' for example to allow fallback to local logins for support operations. Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #36 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 116281 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=116281&action=edit Bug 18506: (QA follow-up) opacShibOnly -> OPACShibOnly As requested Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #37 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 116282 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=116282&action=edit Bug 18506: (QA follow-up) Indentation and more conditionals add Indentation fixes for readability Cleaned up a few places where the ability to login otherwise was leakign through Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #38 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 116290 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=116290&action=edit Bug 18506: (QA follow-up) Indentation and more conditionals Indentation fixes for readability Cleaned up a few places where the ability to login otherwise was leakign through Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #116282|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #39 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Thanks for the followup.. seems more had changed since the last rebase than I thought :(. Looks great and I've double-checked with some extra testing here :) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Patch doesn't apply --- Comment #40 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Please rebase on top of bug 27476. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #116280|0 |1 is obsolete| | --- Comment #41 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 116536 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=116536&action=edit Bug 18506: Add xShibOnly preference for Shibboleth authentication This patch adds two system preferences to Koha, opacShibOnly and staffShibOnly, allowing users to restrict authentication to just one method, Shibboleth. We do however, allow for local fallback for the SCO/SCI logins. A system preference was chosen over a configuration file update to allow for local override at the virtualhost level. In this way a hosting provider can setup a 'backdoor opac' for example to allow fallback to local logins for support operations. Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #116281|0 |1 is obsolete| | --- Comment #42 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 116537 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=116537&action=edit Bug 18506: (QA follow-up) opacShibOnly -> OPACShibOnly As requested Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #116290|0 |1 is obsolete| | --- Comment #43 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 116538 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=116538&action=edit Bug 18506: (QA follow-up) Indentation and more conditionals Indentation fixes for readability Cleaned up a few places where the ability to login otherwise was leakign through Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Patch doesn't apply |Passed QA --- Comment #44 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Rebased -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #116538|0 |1 is obsolete| | --- Comment #45 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 116540 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=116540&action=edit Bug 18506: (QA follow-up) Indentation and more conditionals Indentation fixes for readability Cleaned up a few places where the ability to login otherwise was leakign through Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> JD amended patch: Remove trailing spaces -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to master Version(s)| |21.05.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #46 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Pushed to master for 21.05, thanks to everybody involved! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |Manual CC| |caroline.cyr-la-rose@inlibr | |o.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolin.somers@biblibre.co | |m --- Comment #47 from Fridolin Somers <fridolin.somers@biblibre.com> --- Do you think we can backport to 20.11.x ? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #48 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- It applies reasonably easily, I've backported it to our local 20.11 branch.. but it is an enhancement strictly, so your call as rmaint.. we trust you :) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to master |Pushed to stable Version(s)|21.05.00 |21.05.00,20.11.04 released in| | --- Comment #49 from Fridolin Somers <fridolin.somers@biblibre.com> --- Pushed to 20.11.x for 20.11.04 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Andrew Fuerste-Henry <andrew@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED CC| |andrew@bywatersolutions.com Status|Pushed to stable |RESOLVED --- Comment #50 from Andrew Fuerste-Henry <andrew@bywatersolutions.com> --- Not backporting to 20.05. Please ask if needed. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |28193 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28193 [Bug 28193] OpacLoginInstructions news block broken by Bug 18506 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|28193 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28193 [Bug 28193] OpacLoginInstructions news block broken by Bug 20168 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #51 from David Cook <dcook@prosentient.com.au> --- One of these days I'll rewrite checkauth() / replace it. One of these days... I'm glad to see this though. We use Shibboleth in a very different way locally, but I implemented a Shibboleth only option a year or two as I found a lot of people were asking for it. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=28093 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18506 --- Comment #52 from Andrew Fuerste-Henry <andrewfh@dubcolib.org> --- *** Bug 22842 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org