shibboleth/0000755000175000017500000000000013150056356011325 5ustar domdomshibboleth/options-admin.php0000644000175000017500000004276513147357756014653 0ustar domdomadd_help_tab(array( 'title' => 'Shibboleth Help', 'id' => 'shibboleth-help', 'content' => shibboleth_help_text(), )); } /** * Setup multisite admin menus for Shibboleth options. * * @action: network_admin_menu **/ function shibboleth_network_admin_panels() { $hookname = add_submenu_page('settings.php', __('Shibboleth options', 'shibboleth'), __('Shibboleth', 'shibboleth'), 'manage_network_options', 'shibboleth-options', 'shibboleth_options_page' ); $screen = WP_Screen::get($hookname); $screen->add_help_tab(array( 'title' => 'Shibboleth Help', 'id' => 'shibboleth-help', 'content' => shibboleth_help_text(), )); } /** * Add Shibboleth links to the "help" pull down panel. */ function shibboleth_help_text() { $text = ' '; return apply_filters( 'shibboleth_help_text_filter', $text ); } /** * WordPress options page to configure the Shibboleth plugin. * * @uses apply_filters() Calls 'shibboleth_plugin_path' */ function shibboleth_options_page() { global $wp_roles; $message = null; $type = null; if ( isset($_POST['submit']) ) { check_admin_referer('shibboleth_update_options'); $shib_headers = (array) shibboleth_get_option('shibboleth_headers'); $shib_headers = array_merge($shib_headers, $_POST['headers']); /** * filter shibboleth_form_submit_headers * @param $shib_headers array * @since 1.4 * Hint: access $_POST within the filter. */ $shib_headers = apply_filters( 'shibboleth_form_submit_headers', $shib_headers ); shibboleth_update_option('shibboleth_headers', $shib_headers); $shib_roles = (array) shibboleth_get_option('shibboleth_roles'); $shib_roles = array_merge($shib_roles, $_POST['shibboleth_roles']); /** * filter shibboleth_form_submit_roles * @param $shib_roles array * @since 1.4 * Hint: access $_POST within the filter. 
*/ $shib_roles = apply_filters( 'shibboleth_form_submit_roles', $shib_roles ); shibboleth_update_option('shibboleth_roles', $shib_roles); shibboleth_update_option('shibboleth_login_url', $_POST['login_url']); shibboleth_update_option('shibboleth_logout_url', $_POST['logout_url']); shibboleth_update_option('shibboleth_password_change_url', $_POST['password_change_url']); shibboleth_update_option('shibboleth_password_reset_url', $_POST['password_reset_url']); shibboleth_update_option('shibboleth_default_login', !empty($_POST['default_login'])); shibboleth_update_option('shibboleth_auto_login', !empty($_POST['auto_login'])); shibboleth_update_option('shibboleth_update_users', !empty($_POST['update_users'])); shibboleth_update_option('shibboleth_update_roles', !empty($_POST['update_roles'])); $type = 'updated'; $message = __( 'Settings saved.', 'shibboleth' ); if ( function_exists( 'add_settings_error' ) ) { add_settings_error( 'shibboleth_settings_updated', esc_attr( 'shibboleth_settings_updated' ), $message, $type ); settings_errors( 'shibboleth_settings_updated' ); } /** * action shibboleth_form_submit * @since 1.4 * Hint: use global $_POST within the action. */ do_action( 'shibboleth_form_submit' ); } $shib_headers = shibboleth_get_option('shibboleth_headers'); $shib_roles = shibboleth_get_option('shibboleth_roles'); $shibboleth_plugin_path = apply_filters('shibboleth_plugin_path', plugins_url('shibboleth')); screen_icon('shibboleth'); ?>

so add a with appropriate styling. * * @param $shib_headers array * @param $shib_roles array * @since 1.4 */ do_action( 'shibboleth_options_table', $shib_headers, $shib_roles ); ?>


: Shibboleth 1.3 | Shibboleth 2


: Shibboleth 1.3 | Shibboleth 2


/>

/>


attribute-map.xml (for Shibboleth 2.x) or' . ' AAP.xml (for Shibboleth 1.x).', 'shibboleth') ?>

: Shibboleth 1.3 | Shibboleth 2

/>
/>
/>
/>
/>

Managed profile fields are updated each time the user logs in using the current' . ' data provided by Shibboleth. Additionally, users will be prevented from manually updating these' . ' fields from within WordPress. Note that Shibboleth data is always used to populate the user' . ' profile during initial account creation.', 'shibboleth'); ?>


Current Limitations: While WordPress supports users having' . ' multiple roles, the Shibboleth plugin will only place the user in the highest ranking' . ' role. Only a single header/value pair is supported for each user role. This may be' . ' expanded in the future to support multiple header/value pairs or regular expression' . ' values. In the meantime, you can use the shibboleth_roles and' . ' shibboleth_user_role WordPress filters to provide your own logic for assigning' . ' user roles.', 'shibboleth'); ?>

role_names as $key => $name) { echo' '; } ?>
' . __($name) . '

/>

not update user roles manually,' . ' since they will be overwritten from Shibboleth the next time the user logs in. Note that Shibboleth data' . ' is always used to populate the initial user role during account creation.', 'shibboleth') ?>

Shibboleth Service Provider
 Author: Will Norris, mitcho (Michael 芳貴 Erlewine), Michael McNeill
 Version: 1.8
 License: Apache 2 (http://www.apache.org/licenses/LICENSE-2.0.html)
 */

define ( 'SHIBBOLETH_PLUGIN_REVISION', preg_replace( '/\$Rev: (.+) \$/', '\\1', '$Rev: 1718376 $') );
// this needs to be on a separate line so that svn:keywords can work its magic

// Schedule the activation routine whenever no revision has been stored yet or
// the stored revision differs from the revision of the running code.
$shibboleth_plugin_revision = shibboleth_get_option('shibboleth_plugin_revision');
if ($shibboleth_plugin_revision === false || SHIBBOLETH_PLUGIN_REVISION != $shibboleth_plugin_revision) {
	add_action('admin_init', 'shibboleth_activate_plugin');
}


/**
 * Look up a server variable under every spelling the web server may use.
 *
 * Four spellings of $var are tried (as given, with '-' replaced by '_',
 * upper-cased, and both). For each spelling the bare name, the 'REDIRECT_'
 * name and the 'HTTP_' name are passed to getenv(), in that order, and the
 * first value that is not FALSE is returned.
 *
 * NOTE(review): 'HTTP_' variables are how CGI/FastCGI environments expose
 * request headers, so a value found under that prefix is only as trustworthy
 * as the front end that filters the request. Confirm for each deployment that
 * client-supplied copies of the Shibboleth attribute headers are removed
 * before PHP runs.
 *
 * @param string $var name of the variable or Shibboleth attribute
 * @return string|false the first value found, or FALSE when none is set
 */
function shibboleth_getenv( $var ) {
	$var_under = str_replace('-', '_', $var);

	$spellings = array(
		$var,
		$var_under,
		strtoupper($var),
		strtoupper($var_under),
	);
	$prefixes = array('', 'REDIRECT_', 'HTTP_');

	foreach ($spellings as $spelling) {
		foreach ($prefixes as $prefix) {
			$result = getenv($prefix . $spelling);
			if ( $result !== FALSE ) {
				return $result;
			}
		}
	}

	return FALSE;
}


/**
 * Log the visitor in automatically when the 'shibboleth_auto_login' option is
 * enabled, nobody is logged in yet and a Shibboleth session is active.
 *
 * On success the request is redirected to the current REQUEST_URI through
 * wp_safe_redirect() and the script exits. A failed sign-on is ignored and
 * the request continues unauthenticated.
 */
function shibboleth_auto_login() {
	$shibboleth_auto_login = shibboleth_get_option('shibboleth_auto_login');

	if ( is_user_logged_in() ) {
		return;
	}
	if ( !shibboleth_session_active() ) {
		return;
	}
	if ( !$shibboleth_auto_login ) {
		return;
	}

	// Firing this action hooks shibboleth_authenticate into 'authenticate',
	// so the wp_signon() call below is answered from the Shibboleth data.
	do_action('login_form_shibboleth');

	$userobj = wp_signon('', true);
	if ( is_wp_error($userobj) ) {
		// TODO: Proper error return.
		return;
	}

	wp_safe_redirect(shibboleth_getenv('REQUEST_URI'));
	exit();
}
add_action('init', 'shibboleth_auto_login');


/**
 * Activate the plugin: register default values for the Shibboleth options,
 * try to add the Shibboleth directives to WordPress's .htaccess file, migrate
 * data stored in older formats and record the running plugin revision.
 *
 * Defaults are registered with shibboleth_add_option(), which is expected to
 * leave values that already exist untouched.
 */
function shibboleth_activate_plugin() {
	// On multisite, work in the context of the network's main blog.
	if ( function_exists('switch_to_blog') ) {
		switch_to_blog($GLOBALS['current_site']->blog_id);
	}

	shibboleth_add_option('shibboleth_login_url', get_option('home') . '/Shibboleth.sso/Login');
	shibboleth_add_option('shibboleth_default_login', false);
	shibboleth_add_option('shibboleth_auto_login', false);
	shibboleth_add_option('shibboleth_logout_url', get_option('home') . '/Shibboleth.sso/Logout');

	// Profile field => Shibboleth header name, plus whether Shibboleth
	// manages (keeps overwriting) the field.
	shibboleth_add_option('shibboleth_headers', array(
		'username' => array( 'name' => 'eppn', 'managed' => false),
		'first_name' => array( 'name' => 'givenName', 'managed' => true),
		'last_name' => array( 'name' => 'sn', 'managed' => true),
		'nickname' => array( 'name' => 'eppn', 'managed' => true),
		'display_name' => array( 'name' => 'displayName', 'managed' => true),
		'email' => array( 'name' => 'mail', 'managed' => true),
	));

	// NOTE(review): these are example mappings. The administrator value is a
	// placeholder under example.edu, and the default role is 'subscriber';
	// both should be reviewed before the site is opened to Shibboleth logins.
	shibboleth_add_option('shibboleth_roles', array(
		'administrator' => array(
			'header' => 'entitlement',
			'value' => 'urn:mace:example.edu:entitlement:wordpress:admin',
		),
		'author' => array(
			'header' => 'affiliation',
			'value' => 'faculty',
		),
		// TODO: this could likely do strange things if WordPress has an actual role named 'default'
		'default' => 'subscriber',
	));

	shibboleth_add_option('shibboleth_update_roles', true);

	shibboleth_insert_htaccess();
	shibboleth_migrate_old_data();

	shibboleth_update_option('shibboleth_plugin_revision', SHIBBOLETH_PLUGIN_REVISION);

	if ( function_exists('restore_current_blog') ) {
		restore_current_blog();
	}
}
register_activation_hook('shibboleth/shibboleth.php', 'shibboleth_activate_plugin');


/**
 * Cleanup certain plugins options on deactivation.
*/
function shibboleth_deactivate_plugin() {
	// Only the .htaccess directives are removed; stored options are kept.
	shibboleth_remove_htaccess();
}
register_deactivation_hook('shibboleth/shibboleth.php', 'shibboleth_deactivate_plugin');


/**
 * Migrate old data to newer formats.
 *
 * Header entries stored as a plain string (the header name) are converted to
 * the array form array('name' => ..., 'managed' => ...), taking the 'managed'
 * flag from the old global 'shibboleth_update_users' option. That option is
 * deleted afterwards.
 */
function shibboleth_migrate_old_data() {
	$managed = shibboleth_get_option('shibboleth_update_users');
	$headers = shibboleth_get_option('shibboleth_headers');

	$updated = false;
	foreach ($headers as $key => $value) {
		if ( !is_string($value) ) {
			// already in the new per-header format
			continue;
		}
		$headers[$key] = array(
			'name' => $value,
			'managed' => $managed,
		);
		$updated = true;
	}

	if ( $updated ) {
		shibboleth_update_option('shibboleth_headers', $headers);
	}
	shibboleth_delete_option('shibboleth_update_users');
}


/**
 * Load Shibboleth admin hooks only on admin page loads.
 *
 * 'admin_init' is actually called *after* 'admin_menu', so we have to hook in
 * to the 'init' action for this.
 */
function shibboleth_admin_hooks() {
	if ( !defined('WP_ADMIN') || WP_ADMIN !== true ) {
		return;
	}

	$plugin_dir = dirname(__FILE__);
	require_once $plugin_dir . '/options-admin.php';
	require_once $plugin_dir . '/options-user.php';
}
add_action('init', 'shibboleth_admin_hooks');


/**
 * Check if a Shibboleth session is active.
 *
 * A session counts as active when shibboleth_getenv('Shib-Session-ID')
 * returns a truthy value. Every login decision in the plugin starts from this
 * check, so it inherits whatever trust shibboleth_getenv() places in the
 * variables it reads.
 *
 * @return boolean if session is active
 * @uses apply_filters calls 'shibboleth_session_active' before returning final result
 */
function shibboleth_session_active() {
	$active = (bool) shibboleth_getenv('Shib-Session-ID');

	return apply_filters('shibboleth_session_active', $active);
}


/**
 * Authenticate the user using Shibboleth. If a Shibboleth session is active,
 * use the data provided by Shibboleth to log the user in. If a Shibboleth
 * session is not active, redirect the user to the Shibboleth Session Initiator
 * URL to initiate the session.
*/
function shibboleth_authenticate($user, $username, $password) {
	if ( shibboleth_session_active() ) {
		return shibboleth_authenticate_user();
	}

	// No session yet: send the browser to the Session Initiator, carrying the
	// requested post-login destination along when one was supplied.
	// NOTE(review): 'redirect_to' comes straight from the request and is not
	// validated here; presumably WordPress validates it when it is finally
	// used after login - confirm.
	$initiator_url = isset( $_REQUEST['redirect_to'] )
		? shibboleth_session_initiator_url( $_REQUEST['redirect_to'] )
		: shibboleth_session_initiator_url();

	wp_redirect($initiator_url);
	exit;
}


/**
 * When wp-login.php is loaded with 'action=shibboleth', hook Shibboleth
 * into the WordPress authentication flow.
 */
function shibboleth_login_form_shibboleth() {
	add_filter('authenticate', 'shibboleth_authenticate', 10, 3);
}
add_action('login_form_shibboleth', 'shibboleth_login_form_shibboleth');


/**
 * If a Shibboleth user requests a password reset, and the Shibboleth password
 * reset URL is set, redirect the user there.
 *
 * Accounts without the 'shibboleth_account' user meta fall through to the
 * normal WordPress reset flow.
 *
 * @param string $user_login login name the reset was requested for
 */
function shibboleth_retrieve_password( $user_login ) {
	$password_reset_url = shibboleth_get_option('shibboleth_password_reset_url');
	if ( empty($password_reset_url) ) {
		return;
	}

	$user = get_user_by( 'login', $user_login );
	if ( !$user || !get_user_meta($user->ID, 'shibboleth_account') ) {
		return;
	}

	wp_redirect($password_reset_url);
	exit;
}
add_action('retrieve_password', 'shibboleth_retrieve_password');


/**
 * If Shibboleth is the default login method, add 'action=shibboleth' to the
 * WordPress login URL.
 *
 * @param string $login_url the WordPress login URL
 * @return string the login URL, with 'action=shibboleth' added when enabled
 */
function shibboleth_login_url($login_url) {
	if ( !shibboleth_get_option('shibboleth_default_login') ) {
		return $login_url;
	}

	return add_query_arg('action', 'shibboleth', $login_url);
}
add_filter('login_url', 'shibboleth_login_url');


/**
 * If the Shibboleth logout URL is set and the user has an active Shibboleth
 * session, log the user out of Shibboleth after logging them out of WordPress.
 */
function shibboleth_logout() {
	$logout_url = shibboleth_get_option('shibboleth_logout_url');

	if ( empty($logout_url) ) {
		return;
	}
	if ( !shibboleth_session_active() ) {
		return;
	}

	wp_redirect($logout_url);
	exit;
}
add_action('wp_logout', 'shibboleth_logout', 20);


/**
 * Generate the URL to initiate Shibboleth login.
*
 * @param string $redirect the final URL to redirect the user to after all login is complete
 * @return the URL to direct the user to in order to initiate Shibboleth login
 * @uses apply_filters() Calls 'shibboleth_session_initiator_url' before returning session initiator URL
 */
function shibboleth_session_initiator_url($redirect = null) {
	// Step 1: build the target URL. This is the WordPress URL the user is
	// returned to once Shibboleth is done; it performs the actual WordPress
	// login using the data provided by Shibboleth.
	if ( function_exists('switch_to_blog') ) {
		switch_to_blog($GLOBALS['current_site']->blog_id);
	}
	$target = site_url('wp-login.php');
	if ( function_exists('restore_current_blog') ) {
		restore_current_blog();
	}

	$target = add_query_arg('action', 'shibboleth', $target);
	if ( !empty($redirect) ) {
		// The value is encoded here and the whole target is encoded again
		// below, because it travels nested inside the 'target' parameter.
		$target = add_query_arg('redirect_to', urlencode($redirect), $target);
	}

	// Step 2: wrap the target in the configured Shibboleth session initiator URL.
	$login_url = shibboleth_get_option('shibboleth_login_url');
	$initiator_url = add_query_arg('target', urlencode($target), $login_url);

	return apply_filters('shibboleth_session_initiator_url', $initiator_url);
}


/**
 * Authenticate the user based on the current Shibboleth headers.
 *
 * If the data available does not map to a WordPress role (based on the
 * configured role-mapping), the user will not be allowed to login.
 *
 * If this is the first time we've seen this user (based on the username
 * attribute), a new account will be created.
 *
 * Known users will have their profile data updated based on the Shibboleth
 * data present if the plugin is configured to do so.
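*
 * @return WP_User|WP_Error authenticated user or error if unable to authenticate
 */
function shibboleth_authenticate_user() {
	$shib_headers = shibboleth_get_option('shibboleth_headers');

	// ensure user is authorized to login
	$user_role = shibboleth_get_user_role();
	if ( empty($user_role) ) {
		return new WP_Error('no_access', __('You do not have sufficient access.'));
	}

	// The login name is whatever the configured username header carries.
	$username = shibboleth_getenv($shib_headers['username']['name']);

	/**
	 * Allows a bypass mechanism for native Shibboleth authentication.
	 *
	 * Returning a non-null value from this filter will result in your value being
	 * returned to WordPress. You can prevent a user from being authenticated
	 * by returning a WP_Error object.
	 *
	 * @param null $auth
	 * @param string $username
	 */
	$authenticate = apply_filters( 'shibboleth_authenticate_user', null, $username );
	if ( null !== $authenticate ) {
		return $authenticate;
	}

	$user = get_user_by('login', $username);

	// get_user_by() returns false for an unknown login, so the object is
	// tested before its ID is read (the original read $user->ID directly).
	if ( $user && $user->ID ) {
		if ( !get_user_meta($user->ID, 'shibboleth_account') ) {
			// NOTE(review): a local account that was not created through
			// Shibboleth but has the same login name is currently accepted
			// and is flagged as a Shibboleth account further down. Decide
			// whether such collisions should be rejected instead; the
			// disabled return below is the original author's sketch.
			// TODO: what happens if non-shibboleth account by this name already exists?
			//return new WP_Error('invalid_username', __('Account already exists by this name.'));
		}
	}

	// create account if new user
	if ( !$user ) {
		$user = shibboleth_create_new_user($username);
	}

	// Still no user: the account could not be created (for example because
	// no username was provided).
	if ( !$user ) {
		$error_message = 'Unable to create account based on data provided.';
		if (defined('WP_DEBUG') && WP_DEBUG) {
			$error_message .= '';
		}
		return new WP_Error('missing_data', $error_message);
	}

	// update user data
	update_user_meta($user->ID, 'shibboleth_account', true);
	shibboleth_update_user_data($user->ID);
	if ( shibboleth_get_option('shibboleth_update_roles') ) {
		// The role is re-derived from the current headers on every login.
		$user->set_role($user_role);
		do_action( 'shibboleth_set_user_roles', $user );
	}

	return $user;
}


/**
 * Create a new WordPress user account, and mark it as a Shibboleth account.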
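*
 * @param string $user_login login name for the new user
 * @return WP_User|null WP_User object for the newly created user, or null
 *                      when no login name was given or the insert failed
 */
function shibboleth_create_new_user($user_login) {
	if ( empty($user_login) ) return null;

	// create account and flag as a shibboleth account
	require_once( ABSPATH . WPINC . '/registration.php' );
	$user_id = wp_insert_user(array(
		'user_login' => $user_login,
		// Provision the local account with a random password rather than
		// leaving user_pass unset; Shibboleth users never need to know it.
		'user_pass' => wp_generate_password(32),
	));

	// wp_insert_user() reports failure as a WP_Error. Return null so the
	// caller's "unable to create account" branch handles it, instead of
	// building a WP_User from an error object.
	if ( is_wp_error($user_id) ) return null;

	$user = new WP_User($user_id);
	update_user_meta($user->ID, 'shibboleth_account', true);

	// always update user data and role on account creation
	shibboleth_update_user_data($user->ID, true);
	$user_role = shibboleth_get_user_role();
	$user->set_role($user_role);
	do_action( 'shibboleth_set_user_roles', $user );

	return $user;
}


/**
 * Get the role the current user should have. This is determined by the role
 * mapping configured for the plugin, and the Shibboleth headers present at the
 * time of login.
 *
 * Roles are tried in the order of $wp_roles->role_names and the first role
 * whose configured value appears in its header wins. A header may carry
 * several values separated by ';'. When no role matches, the configured
 * 'default' entry is used.
 *
 * @return string the role the current user should have
 * @uses apply_filters() Calls 'shibboleth_roles' after retrieving shibboleth_roles array
 * @uses apply_filters() Calls 'shibboleth_user_role' before returning final user role
 */
function shibboleth_get_user_role() {
	global $wp_roles;
	if ( !$wp_roles ) $wp_roles = new WP_Roles();

	$shib_roles = apply_filters('shibboleth_roles', shibboleth_get_option('shibboleth_roles'));
	$user_role = isset($shib_roles['default']) ? $shib_roles['default'] : null;

	foreach ( $wp_roles->role_names as $key => $name ) {
		// Skip roles without a complete header/value mapping. Testing with
		// empty() also avoids notices for roles that have no entry at all.
		if ( empty($shib_roles[$key]['header']) || empty($shib_roles[$key]['value']) ) continue;

		$role_header = $shib_roles[$key]['header'];
		$role_value = (string) $shib_roles[$key]['value'];

		$values = explode(';', (string) shibboleth_getenv($role_header));

		// Strict comparison: this decides the user's privileges, and a loose
		// in_array() treats numeric-looking strings such as '100' and '1e2'
		// as equal.
		if ( in_array($role_value, $values, true) ) {
			$user_role = $key;
			break;
		}
	}

	$user_role = apply_filters('shibboleth_user_role', $user_role);

	return $user_role;
}


/**
 * Get the user fields that are managed by Shibboleth.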
*
 * @return Array user fields managed by Shibboleth
 */
function shibboleth_get_managed_user_fields() {
	$headers = shibboleth_get_option('shibboleth_headers');

	$managed = array();
	foreach ($headers as $name => $value) {
		// a field counts as managed only when its flag is present and truthy
		if ( !empty($value['managed']) ) {
			$managed[] = $name;
		}
	}

	return $managed;
}


/**
 * Update the user data for the specified user based on the current Shibboleth headers. Unless
 * the 'force_update' parameter is true, only the user fields marked as 'managed' fields will be
 * updated.
 *
 * NOTE(review): a selected field is written with whatever shibboleth_getenv()
 * returns, which is FALSE when the header is absent - confirm that overwriting
 * a managed field in that case is intended.
 *
 * @param int $user_id ID of the user to update
 * @param boolean $force_update force update of user data, regardless of 'managed' flag on fields
 * @uses apply_filters() Calls 'shibboleth_user_*' before setting user attributes,
 *       where '*' is one of: login, nicename, first_name, last_name,
 *       nickname, display_name, email
 */
function shibboleth_update_user_data($user_id, $force_update = false) {
	$shib_headers = shibboleth_get_option('shibboleth_headers');

	// WordPress user field => key in the configured header map
	$user_fields = array(
		'user_login' => 'username',
		'user_nicename' => 'username',
		'first_name' => 'first_name',
		'last_name' => 'last_name',
		'nickname' => 'nickname',
		'display_name' => 'display_name',
		'user_email' => 'email'
	);

	$user_data = array(
		'ID' => $user_id,
	);

	foreach ($user_fields as $field => $header) {
		$managed = isset($shib_headers[$header]['managed'])
			? $shib_headers[$header]['managed']
			: false;

		if ( !$force_update && !$managed ) {
			continue;
		}

		// Filter names always read 'shibboleth_user_<name>'; fields that
		// already start with 'user_' do not get the prefix a second time.
		$filter_prefix = ( strpos($field, 'user_') === 0 ) ? 'shibboleth_' : 'shibboleth_user_';
		$header_value = shibboleth_getenv($shib_headers[$header]['name']);

		$user_data[$field] = apply_filters($filter_prefix . $field, $header_value);
	}

	wp_update_user($user_data);
}


/**
 * Sanitize the nicename using sanitize_user
 * See discussion: http://wordpress.org/support/topic/377030
 *
 * @since 1.4
 */
add_filter( 'shibboleth_user_nicename', 'sanitize_user' );


/**
 * Add a "Login with Shibboleth" link to the WordPress login form. This link
 * will be wrapped in a

with an id value of "shibboleth_login" so that * deployers can style this however they choose. */ function shibboleth_login_form() { $login_url = add_query_arg('action', 'shibboleth'); $login_url = remove_query_arg('reauth', $login_url); echo '

' . __('Login with Shibboleth', 'shibboleth') . '

'; }
add_action('login_form', 'shibboleth_login_form');


/**
 * Insert directives into .htaccess file to enable Shibboleth Lazy Sessions.
 *
 * Nothing is written when mod_rewrite is not available or when the
 * SHIBBOLETH_DISALLOW_FILE_MODS constant is defined and truthy.
 */
function shibboleth_insert_htaccess() {
	$disabled = defined( 'SHIBBOLETH_DISALLOW_FILE_MODS' ) && SHIBBOLETH_DISALLOW_FILE_MODS;

	if ( !got_mod_rewrite() || $disabled ) {
		return;
	}

	$htaccess = get_home_path() . '.htaccess';
	$rules = array('AuthType shibboleth', 'Require shibboleth');
	insert_with_markers($htaccess, 'Shibboleth', $rules);
}


/**
 * Remove the Shibboleth Lazy Sessions directives from the .htaccess file by
 * replacing the content of the 'Shibboleth' marker block with nothing.
 *
 * The same mod_rewrite and SHIBBOLETH_DISALLOW_FILE_MODS conditions apply as
 * for insertion.
 */
function shibboleth_remove_htaccess() {
	$disabled = defined( 'SHIBBOLETH_DISALLOW_FILE_MODS' ) && SHIBBOLETH_DISALLOW_FILE_MODS;

	if ( !got_mod_rewrite() || $disabled ) {
		return;
	}

	$htaccess = get_home_path() . '.htaccess';
	insert_with_markers($htaccess, 'Shibboleth', array());
}


/* Custom option functions to correctly use WPMU *_site_option functions when available. */

/**
 * Read an option, preferring the site-wide option API when it exists.
 */
function shibboleth_get_option($key, $default = false ) {
	if ( function_exists('get_site_option') ) {
		return get_site_option($key, $default);
	}
	return get_option($key, $default);
}

/**
 * Add an option, preferring the site-wide option API when it exists.
 * $autoload is only passed on to the per-blog add_option().
 */
function shibboleth_add_option($key, $value, $autoload = 'yes') {
	return function_exists('add_site_option')
		? add_site_option($key, $value)
		: add_option($key, $value, '', $autoload);
}

/**
 * Update an option, preferring the site-wide option API when it exists.
 */
function shibboleth_update_option($key, $value) {
	if ( function_exists('update_site_option') ) {
		return update_site_option($key, $value);
	}
	return update_option($key, $value);
}

/**
 * Delete an option, preferring the site-wide option API when it exists.
 */
function shibboleth_delete_option($key) {
	if ( function_exists('delete_site_option') ) {
		return delete_site_option($key);
	}
	return delete_option($key);
}


/**
 * Load localization files.
 */
function shibboleth_load_textdomain() { load_plugin_textdomain('shibboleth', false, dirname( plugin_basename( __FILE__ ) ) .
'/localization/'); } add_action('plugins_loaded', 'shibboleth_load_textdomain'); shibboleth/localization/0000755000175000017500000000000013150056356014015 5ustar domdomshibboleth/localization/shibboleth.pot0000644000175000017500000001545111261510622016662 0ustar domdom# SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR Will Norris # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: Shibboleth 1.3-dev\n" "Report-Msgid-Bugs-To: http://wordpress.org/tag/shibboleth\n" "POT-Creation-Date: 2009-10-02 17:48-0700\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" #: options-admin.php:14 options-admin.php:83 msgid "Shibboleth Options" msgstr "" #. #-#-#-#-# shibboleth.pot (Shibboleth 1.3-dev) #-#-#-#-# #. Plugin Name of an extension #: options-admin.php:15 options-admin.php:18 msgid "Shibboleth" msgstr "" #: options-admin.php:17 msgid "Shibboleth options" msgstr "" #: options-admin.php:31 msgid "Shibboleth 1.3 Wiki" msgstr "" #: options-admin.php:32 msgid "Shibboleth 2 Wiki" msgstr "" #: options-admin.php:33 msgid "Shibboleth Mailing Lists" msgstr "" #: options-admin.php:87 msgid "Session Initiator URL" msgstr "" #: options-admin.php:90 msgid "" "This URL is constructed from values found in your main Shibboleth SP " "configuration file: your site hostname, the Sessions handlerURL, and the " "SessionInitiator Location." 
msgstr "" #: options-admin.php:93 options-admin.php:106 options-admin.php:147 msgid "Wiki Documentation" msgstr "" #: options-admin.php:99 msgid "Logout URL" msgstr "" #: options-admin.php:102 msgid "" "This URL is constructed from values found in your main Shibboleth SP " "configuration file: your site hostname, the Sessions handlerURL, and the " "LogoutInitiator Location (also known as the SingleLogoutService Location in " "Shibboleth 1.3)." msgstr "" #: options-admin.php:112 msgid "Password Change URL" msgstr "" #: options-admin.php:115 msgid "" "If this option is set, Shibboleth users will see a \"change password\" link " "on their profile page directing them to this URL." msgstr "" #: options-admin.php:119 msgid "Password Reset URL" msgstr "" #: options-admin.php:122 msgid "" "If this option is set, Shibboleth users who try to reset their forgotten " "password using WordPress will be redirected to this URL." msgstr "" #: options-admin.php:126 msgid "Shibboleth is default login" msgstr "" #: options-admin.php:129 msgid "Use Shibboleth as the default login method for users." msgstr "" #: options-admin.php:131 msgid "" "If set, this will cause all standard WordPress login links to initiate " "Shibboleth login instead of local WordPress authentication. Shibboleth " "login can always be initiated from the WordPress login form by clicking the " "\"Login with Shibboleth\" link." msgstr "" #: options-admin.php:140 msgid "User Profile Data" msgstr "" #: options-admin.php:142 msgid "" "Define the Shibboleth headers which should be mapped to each user profile " "attribute. These header names are configured in attribute-map.xml (for Shibboleth 2.x) or AAP.xml (for Shibboleth 1.x)." 
msgstr "" #: options-admin.php:154 msgid "Username" msgstr "" #: options-admin.php:160 msgid "First name" msgstr "" #: options-admin.php:164 options-admin.php:171 options-admin.php:178 #: options-admin.php:185 options-admin.php:192 msgid "Managed" msgstr "" #: options-admin.php:167 msgid "Last name" msgstr "" #: options-admin.php:174 msgid "Nickname" msgstr "" #: options-admin.php:181 msgid "Display name" msgstr "" #: options-admin.php:188 msgid "Email Address" msgstr "" #: options-admin.php:196 msgid "" "Managed profile fields are updated each time the user logs in using " "the current data provided by Shibboleth. Additionally, users will be " "prevented from manually updating these fields from within WordPress. Note " "that Shibboleth data is always used to populate the user profile during " "initial account creation." msgstr "" #: options-admin.php:203 msgid "User Role Mappings" msgstr "" #: options-admin.php:205 msgid "" "Users can be placed into one of WordPress's internal roles based on any " "attribute. For example, you could define a special eduPersonEntitlement " "value that designates the user as a WordPress Administrator. Or you could " "automatically place all users with an eduPersonAffiliation of \"faculty\" in " "the Author role." msgstr "" #: options-admin.php:210 msgid "" "Current Limitations: While WordPress supports users having " "multiple roles, the Shibboleth plugin will only place the user in the " "highest ranking role. Only a single header/value pair is supported for each " "user role. This may be expanded in the future to support multiple header/" "value pairs or regular expression values. In the meantime, you can use the " "shibboleth_roles and shibboleth_user_role WordPress " "filters to provide your own logic for assigning user roles." 
msgstr "" #: options-admin.php:227 msgid "Role Mappings" msgstr "" #: options-admin.php:236 msgid "Header Name" msgstr "" #: options-admin.php:237 msgid "Header Value" msgstr "" #: options-admin.php:259 msgid "Default Role" msgstr "" #: options-admin.php:262 msgid "(none)" msgstr "" #: options-admin.php:271 msgid "" "If a user does not map into any of the roles above, they will be placed into " "the default role. If there is no default role, the user will not be able to " "login with Shibboleth." msgstr "" #: options-admin.php:278 msgid "Update User Roles" msgstr "" #: options-admin.php:281 msgid "" "Use Shibboleth data to update user role mappings each time the user logs in." msgstr "" #: options-admin.php:283 msgid "" "Be aware that if you use this option, you should not update " "user roles manually, since they will be overwritten from Shibboleth the next " "time the user logs in. Note that Shibboleth data is always used to populate " "the initial user role during account creation." msgstr "" #: options-admin.php:293 msgid "Save Changes" msgstr "" #: options-user.php:34 msgid "Some profile fields cannot be changed from WordPress." msgstr "" #: options-user.php:73 msgid "" "Starred fields are managed by Shibboleth and should not be changed from " "WordPress." msgstr "" #: options-user.php:91 msgid "Change Password" msgstr "" #: options-user.php:93 msgid "Change your password" msgstr "" #: shibboleth.php:269 msgid "You do not have sufficient access." msgstr "" #: shibboleth.php:430 msgid "Login with Shibboleth" msgstr "" #. Plugin URI of an extension msgid "http://wordpress.org/extend/plugins/shibboleth" msgstr "" #. Description of an extension msgid "" "Easily externalize user authentication to a Shibboleth Service Provider" msgstr "" #. Author of an extension msgid "Will Norris" msgstr "" #. 
Author URI of an extension msgid "http://willnorris.com/" msgstr "" shibboleth/options-user.php0000644000175000017500000001046713147357756014533 0ustar domdomID, 'shibboleth_account')) { add_filter('show_password_fields', create_function('$v', 'return false;')); add_action('admin_footer-profile.php', 'shibboleth_admin_footer_profile'); } } function shibboleth_admin_footer_profile() { $managed_fields = shibboleth_get_managed_user_fields(); if ( !empty($managed_fields) ) { $selectors = join(',', array_map(create_function('$a', 'return "#$a";'), $managed_fields)); echo ' '; } } /** * For WordPress accounts that were created by Shibboleth, warn the admin of * Shibboleth managed attributes. */ function shibboleth_admin_footer_edit_user() { global $user_id; if (get_user_meta($user_id, 'shibboleth_account')) { $shibboleth_fields = array(); $shibboleth_fields = array_merge($shibboleth_fields, shibboleth_get_managed_user_fields()); if (shibboleth_get_option('shibboleth_update_roles')) { $shibboleth_fields = array_merge($shibboleth_fields, array('role')); } if (!empty($shibboleth_fields)) { $selectors = array(); foreach($shibboleth_fields as $field) { $selectors[] = 'label[for=\'' . $field . '\']'; } echo ' '; } } } /** * Add change password link to the user profile for Shibboleth users. */ function shibboleth_show_user_profile() { $user = wp_get_current_user(); $password_change_url = shibboleth_get_option('shibboleth_password_change_url'); if (get_user_meta($user->ID, 'shibboleth_account') && !empty($password_change_url) ) { ?>
ID, 'shibboleth_account') ) { $managed = shibboleth_get_managed_user_fields(); if ( in_array('first_name', $managed) ) { add_filter('pre_user_first_name', create_function('$n', 'return $GLOBALS["current_user"]->first_name;')); } if ( in_array('last_name', $managed) ) { add_filter('pre_user_last_name', create_function('$n', 'return $GLOBALS["current_user"]->last_name;')); } if ( in_array('nickname', $managed) ) { add_filter('pre_user_nickname', create_function('$n', 'return $GLOBALS["current_user"]->nickname;')); } if ( in_array('display_name', $managed) ) { add_filter('pre_user_display_name', create_function('$n', 'return $GLOBALS["current_user"]->display_name;')); } if ( in_array('email', $managed) ) { add_filter('pre_user_email', create_function('$e', 'return $GLOBALS["current_user"]->user_email;')); } } } shibboleth/README.md0000644000175000017500000000071313147357756012623 0ustar domdomShibboleth ========== This is the official development repository (as of version 1.8) for the [Shibboleth plugin for WordPress](http://wordpress.org/plugins/shibboleth), originally by [Will Norris](https://github.com/willnorris) and [Michael Yoshitaka Erlewine](https://github.com/mitcho). Read [readme.txt](https://github.com/michaelryanmcneill/shibboleth/blob/master/readme.txt) for usage information. The project accepts contributions via pull request! shibboleth/readme.txt0000644000175000017500000002461413150056356013332 0ustar domdom=== Shibboleth === Contributors: michaelryanmcneill, willnorris, mitchoyoshitaka Tags: shibboleth, authentication, login, saml Requires at least: 3.3 Tested up to: 4.8.1 Stable tag: 1.8 Allows WordPress to externalize user authentication and account creation to a Shibboleth Service Provider. == Description == This plugin is designed to support integrating your WordPress site into your existing identity management infrastructure using a [Shibboleth] Service Provider. 
WordPress can be configured so that all standard login requests will be sent to your configured Shibboleth Identity Provider or Discovery Service. Upon successful authentication, a new WordPress account will be automatically provisioned for the user if one does not already exist. User attributes (username, first name, last name, display name, nickname, and email address) can be synchronized with your enterprise's system of record each time the user logs into WordPress. Finally, the user's role within WordPress can be automatically set (and continually updated) based on any attribute Shibboleth provides. For example, you may decide to give users with an eduPersonAffiliation value of *faculty* the WordPress role of *editor*, while the eduPersonAffiliation value of *student* maps to the WordPress role *contributor*. Or you may choose to limit access to WordPress altogether using a special eduPersonEntitlement value. Because account creation, profile fields and roles are all derived from these attribute values, the web server must accept them only from the Shibboleth Service Provider and never from values a client can set in its own request. [Shibboleth]: http://shibboleth.internet2.edu/ = Contribute on GitHub = This plugin is actively maintained by the community, [using GitHub](https://github.com/michaelryanmcneill/shibboleth). Contributions are welcome, via pull request, [on GitHub](https://github.com/michaelryanmcneill/shibboleth). Issues can be submitted [on the issue tracker](https://github.com/michaelryanmcneill/shibboleth/issues). == Installation == First and foremost, you must have the Shibboleth Service Provider [properly installed][] and working. If you don't have Shibboleth working yet, I assure you that you won't get this plugin to work. This plugin expects Shibboleth to be configured to use "lazy sessions", so ensure that you have Shibboleth configured with requireSession set to "false". Upon activation, the plugin will attempt to set the appropriate directives in WordPress's .htaccess file. 
If it is unable to do so, you can add this manually: AuthType shibboleth Require shibboleth The option to automatically log users into WordPress also works when not using the lazy session options, as it will force login into WordPress. In other words, if the user has an active session and you are requiring authentication to access this WordPress site and they need to be logged into WordPress, then they will be logged in without having to use the WordPress login page. This works very well for sites that use WordPress for internal ticketing and helpdesk functions where any access to content requires authentication. Consider the following .htaccess options when used in conjunction with the automatic login feature: AuthType shibboleth ShibRequestSetting requireSession 1 Require valid-user OR AuthType shibboleth ShibRequestSetting requireSession 1 Require isMemberOf group1 group2 Require sAMAccountName user1 user 2 NOTE: If the plugin is successful in updating your .htaccess file, it will place the option between a marked block: BEGIN Shibboleth END Shibboleth If you add more options, you may want to consider moving all configuration options out of this block as they will be cleared out upon deactivation of the plugin. = For single-user WordPress = Upload the `shibboleth` folder to your WordPress plugins folder (probably `/wp-content/plugins`), and activate it through the WordPress admin panel. Configure it from the Shibboleth settings page. = For WordPress Multisite = Upload the `shibboleth` folder to your `mu-plugins` folder (probably `/wp-content/mu-plugins`). Move the file `shibboleth-mu.php` from the `shibboleth` folder up one directory so that it is in `mu-plugins` alongside the `shibboleth` folder. No need to activate it, just configure it from the Shibboleth settings page, found under "Site Admin". [properly installed]: https://spaces.internet2.edu/display/SHIB2/Installation == Frequently Asked Questions == = What is Shibboleth? 
= From [the Shibboleth homepage][]: > The Shibboleth System is a standards based, open source software package for > web single sign-on across or within organizational boundaries. It allows > sites to make informed authorization decisions for individual access of > protected online resources in a privacy-preserving manner. [the Shibboleth homepage]: http://shibboleth.internet2.edu/ = Can I extend the Shibboleth plugin to provide custom logic? = Yes, the plugin provides a number of new [actions][] and [filters][] that can be used to extend the functionality of the plugin. Search `shibboleth.php` for occurrences of the function calls `apply_filters` and `do_action` to find them all. Then [write a new plugin][] that makes use of the hooks. If you require additional hooks to allow for extending other parts of the plugin, please notify the plugin authors via the [support forum][]. Before extending the plugin in this manner, please ensure that it is not actually more appropriate to add this logic to Shibboleth. It may make more sense to add a new attribute to your Shibboleth Identity Provider's attribute store (e.g. LDAP directory), or a new attribute definition to the Identity Provider's internal attribute resolver or the Shibboleth Service Provider's internal attribute extractor. In the end, the Shibboleth administrator will have to make that call as to what is most appropriate. [actions]: http://codex.wordpress.org/Plugin_API#Actions [filters]: http://codex.wordpress.org/Plugin_API#Filters [write a new plugin]: http://codex.wordpress.org/Writing_a_Plugin [support forum]: http://wordpress.org/tags/shibboleth?forum_id=10#postform == Screenshots == 1. Configure login, logout, and password management URLs 2. Specify which Shibboleth headers map to user profile fields 3. Assign users into WordPress roles based on arbitrary data provided by Shibboleth == Upgrade Notice == This update brings with it numerous changes, including support for PHP 7.x. 
Please see the changelog for additional details. == Changelog == = version 1.8 (2017-08-23) = The Shibboleth plugin is now being maintained by [michaelryanmcneill](https://profiles.wordpress.org/michaelryanmcneill). Contributions are welcome on [GitHub](https://github.com/michaelryanmcneill/shibboleth)! - Adding the ability to disable .htaccess modifications with a wp-config.php constant (`SHIBBOLETH_DISALLOW_FILE_MODS`). - Added `shibboleth_getenv()` to support various prefixed environment variables from Shibboleth, including `REDIRECT_` and `HTTP_`; props [@cjbnc and @jrchamp](https://github.com/mitcho/shibboleth/pull/13). - Update various deprecated WordPress functions, including `update_usermeta()` and `get_userdatabylogin()`; props [@skoranda](https://github.com/mitcho/shibboleth/pull/21). - Resolved undefined index when calling `shibboleth_session_initiator_url()`; props [@skoranda](https://github.com/mitcho/shibboleth/pull/21). - Added support for PHP 7.x; props to many people. - Added `shibboleth_authenticate_user` filter; props [@boonebgorges](https://github.com/mitcho/shibboleth/pull/29). - Resolved undefined index on `admin-options.php`; props [@HirotoKagotani](https://github.com/mitcho/shibboleth/pull/31), [@jrchamp, and @stepmeul](https://github.com/mitcho/shibboleth/pull/23). - Resolved HTML markup mistake; [props @HirotoKagotani](https://github.com/mitcho/shibboleth/pull/31). - Adds an update success message to let users know their settings were saved, using the Settings API. 
= version 1.7 (2016-03-20) = - fixed a security vulnerability reported by WordPress security team - load multisite options correctly; [thanks to jdelsemme for reporting](https://github.com/mitcho/shibboleth/issues/8) - updated htaccess setting strings; [props dericcrago](https://github.com/mitcho/shibboleth/pull/6) - fix reauth loop; [props jrchamp](https://github.com/mitcho/shibboleth/pull/5) - set l10n text domain; [props jrchamp](https://github.com/mitcho/shibboleth/pull/5) = version 1.6 (2014-04-07) = - tested for compatibility with recent WordPress versions; now requires WordPress 3.3 - options screen now limited to admins; [props billjojo](https://github.com/mitcho/shibboleth/pull/1) - new option to auto-login using Shibboleth; [props billjojo](https://github.com/mitcho/shibboleth/pull/1) - remove workaround for MU `add_site_option`; [props billjojo](https://github.com/mitcho/shibboleth/pull/2) = version 1.5 (2012-10-01) = - [Bugfix](http://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked): check for `Shib_Session_ID` as well as `Shib-Session-ID` out of the box. Props David Smith = version 1.4 (2010-08-30) = - tested for compatibility with WordPress 3.0 - new hooks for developers to override the default user role mapping controls - now applies `sanitize_name()` to the Shibboleth user's `nicename` column = version 1.3 (2009-10-02) = - required WordPress version bumped to 2.8 - much cleaner integration with WordPress authentication system - individual user profile fields can be designated as managed by Shibboleth - start of support for i18n. If anyone is willing to provide translations, please contact the plugin author = version 1.2 (2009-04-21) = - fix bug where shibboleth users couldn't update their profile. 
(props pchapman on bug report) - fix bug where local logins were being sent to shibboleth = version 1.1 (2009-03-16) = - cleaner integration with WordPress login form (now uses a custom action instead of hijacking the standard login action) - add option for enterprise password change URL -- shown on user profile page. - add option for enterprise password reset URL -- Shibboleth users are auto-redirected here if attempt WP password reset. - add plugin deactivation hook to remove .htaccess rules - add option to specify Shibboleth header for user nickname - add filters for all user attributes and user role (allow other plugins to override these values) - much cleaner interface on user edit admin page - fix bug with options being overwritten in WordPress MU = version 1.0 (2009-03-14) = - now works properly with WordPress MU - move Shibboleth menu to Site Admin for WordPress MU (props: Chris Bland) - lots of code cleanup and documentation = version 0.1 = - initial public release shibboleth/icon.png0000644000175000017500000000676411156526226013002 0ustar domdomPNG  IHDR$$tEXtSoftwareAdobe ImageReadyqe< IDATxڔX xUz$$ Ia1 ,ۼqEGA罉#2'3y04d4!ObBJB]Us;2 I]U]U,9(Aϱ_9i&,Y n#vj%ZQU}׃ =/_hTݨt<@Q(X<5m=5g&\Kݑ`<=hgPdaP??!{B*\|9rrbH%M=I$g|cgzNgD 'LJ(2AH7e* "ȑeYxn}Mu}d;R׮U8q1DQ9apЬtZkSwtI\ KJSzZj5GU0D9Ņ*v1cHT9D-2 i)i!0SXi Sg(5Y{CF6%ۍcq]XZ$7UߙI,a;iK.CɆkNo^zA>>fH fİ!%_p';qkdr͍D:> FĎDXq?4~UVҌ_ aEp()Q.T4% ^$v /-Bmuݖ_hoE[{9t!8oXNI֟{p{[wi\Rs fl8V F2 CՐ~~xf}}oMAsseO҇2 S0#1G6#Osn|jTmc??X*+XG* y(JLK $dL k#8 O$HkFߕ!lc;}4rY%/IJT) ./N%BLL̅IiġBd`h\!G+,^s.(<d8q%(¦p+M  Jز^&y -ܝ! c SDC~lX4"$O,-^F<:AB 9`vx#tuVOOO)It1l6NqV?XY$h1h!,.$b(7S6 aT1 Υ$rGzyIIj1i R-Ymw`EmV̒OCRLaVS  %t? 
mf#!NI:hcRmt FLMݭU7ryhoں9W;$+v܉I"D4CQBud4 ì` Or/4h鋞OO=G֨GE[C-mciZflU"9MjCS&\''҈p^ (9m4E[JU>-)GC*G h0_K'Ѹe0(BU#Iv򒂃TcEQ Q$'Q&y2#8%"N}xĈ2jngzaC Y Y8%Gﳽ Do7Qz BY"}W/S;sYR-5h׮]w.rADDCf41+""M|G|+z#:)4 mGl0 "8R׷$Dd>:w6[ݏ뤆@jZoTÅ<"5X"A `$48]Ǡ€Q"r5BbyDpY$l.Ҩׇ|fng^΋key|w0 _.'yRH*&N!.ER\E@kńDi"XXȍG,ُ؞)˒!D 9\XWz?Ƞ,s/(֝)s/t_vZqT [|ѐV۱4p"^2!WUVT HVHXv`/T^Pv̉F\j>khײ}%%&rUUe..2 C!#Y d/j4x$X":rڣDFBhi%gv8F63wKpyN zή%JAr{JZڥ-WI1?`RGr az5))P^}e{xߚiYk*eL{a_ᕯɔrVEg͟fHժ;gϝyI9ɷ"ZzzEߔ>F gg i]+ajFĄ`*.!QQ3Nfm{j]n.04I_~ $pdk/Pİ¡+VM$2v't?4#"R"E[C^:Cu>ӿ:f^Wn_^`32 %3Bp9gnIť⼧8lho^e)m3N&jg|pWWhVghAnV$rG(6WV:}yGm!Uz;^)S ]E$." ^ܖ[p 7r=Ku_(l:+{:zᴎ>xd65,;ܛ~W4J>𵈦gtU݆c!@i?MIy?9,z}?DPbRB#$'ǟ>˿abvA}$2t%$9 ;䈎0gރ(acS=vxH %9/V.TB˞`4wudvwL~9P& 4_~!IENDB`shibboleth/shibboleth-mu.php0000644000175000017500000000051211261506630014572 0ustar domdom