ykweyer / yourls-authmgrplus-shibboleth
Extends the YOURLS AuthMgrPlus plugin to add Shibboleth compatibility
1.0.2
2020-08-24 15:59 UTC
Requires
- php: >=7.2
- yourls/composer-installer: ^1.0
This package is auto-updated.
Last update: 2024-09-25 01:21:30 UTC
README
This plugin makes YOURLS support Shibboleth authentication through AuthMgrPlus.
It is based on Fuero's Shibboleth plugin, but moves the RBAC logic out into AuthMgrPlus.
License
This plugin is licensed under the GNU General Public License version 2 (GPLv2) or any later version. The license terms are included in the LICENSE file and can also be found on the GNU website.
Prerequisites
If you do not know what Shibboleth is, or what an IdP or SP is, read an introduction to these terms first.
- A Shibboleth SP is installed and working
- The IdP releases the attributes the plugin uses (defaults: `cn`, `entitlement`). Verify this with a short test page (see Testing your Shibboleth setup below)
- YOURLS >= 1.7
Installation
- Copy the contents of this folder to user/plugins/yourls-authmgrplus-shibboleth
- Make sure AuthMgrPlus is installed and enabled
- Enable the plugin in YOURLS
- Configure httpd
Your web server configuration needs to be adjusted for Shibboleth. Below is an example configuration you can use:
```apache
# Protect admin area with Shibboleth
<Location "/admin">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require valid-user
    DirectoryIndex index.php
</Location>

# Protect stats too
<LocationMatch "^/.*[+]$">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require valid-user
</LocationMatch>

RewriteEngine on

# Redirect 'http://yourls.local/' requests to admin area
RewriteCond %{REQUEST_URI} ^/$
RewriteRule .* /admin/ [R,L]

# Admin area or stats access is permitted over HTTPS only
RewriteCond %{REQUEST_URI} ^/admin [OR]
RewriteCond %{REQUEST_URI} ^/.*[+]$
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://yourls.local$1 [R,L]

# Modified default rewrite rules for short urls.
# Takes into account Shibboleth's service URLs, admin area, and
# robots.txt.
RewriteCond /path/to/yourls%{REQUEST_URI} !-f
RewriteCond /path/to/yourls%{REQUEST_URI} !-d
RewriteCond %{REQUEST_URI} !^/(?:shibboleth-sp|Shibboleth.sso)/
RewriteRule ^(.*)$ /yourls-loader.php [L]
```
- Restart httpd for the changes to take effect.
Testing your Shibboleth setup
Put the following code into admin/test-sp.php:
```php
<html>
<head><title>Shibboleth test</title></head>
<body>
<pre><?php print_r($_SERVER); ?></pre>
</body>
</html>
```
Opening it in a browser (after the SP has sent you through the IdP login) yields output like this:
Array
(
[SCRIPT_URL] => /admin/test-sp.php
[SCRIPT_URI] => https://yourls.local/admin/test-sp.php
[Shib-Application-ID] => default
[Shib-Session-ID] => _d123456789eef1e35f96b29725731b2e6
[Shib-Identity-Provider] => https://your-idp-host/idp/shibboleth
[Shib-Authentication-Instant] => 2001-01-1T00:00:00.000Z
[Shib-Authentication-Method] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
[Shib-AuthnContext-Class] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
[Shib-Session-Index] => _a4fa5ffe838191234567890c6ea23bd
[cn] => your-user-id
[entitlement] => urn:mace:dir:entitlement:yourls.local:admin
[persistent-id] => some-persistent-id
[HTTPS] => on
[SSL_TLS_SNI] => yourls.local
[HTTP_HOST] => yourls.local
[HTTP_USER_AGENT] => Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[HTTP_ACCEPT_LANGUAGE] => en,en-us;q=0.7,de-at;q=0.3
[HTTP_ACCEPT_ENCODING] => gzip, deflate
[HTTP_COOKIE] => some-cookie-data
[HTTP_CONNECTION] => keep-alive
[PATH] => /sbin:/usr/sbin:/bin:/usr/bin
[SERVER_SIGNATURE] => Apache
[SERVER_SOFTWARE] => Apache
[SERVER_NAME] => yourls.local
[SERVER_ADDR] => 8.8.8.8
[SERVER_PORT] => 443
[REMOTE_ADDR] => 1.1.1.1
[DOCUMENT_ROOT] => /path/to/yourls
[SERVER_ADMIN] => root@localhost
[SCRIPT_FILENAME] => /path/to/yourls/admin/test-sp.php
[REMOTE_PORT] => 4711
[REMOTE_USER] => some-persistent-id
[AUTH_TYPE] => shibboleth
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /admin/test-sp.php
[SCRIPT_NAME] => /admin/test-sp.php
[PHP_SELF] => /admin/test-sp.php
[PHP_AUTH_USER] => some-persistent-id
[REQUEST_TIME] => 1366872110
)
Verify that the attributes you intend to use for SHIBBOLETH_ENTITLEMENT and SHIBBOLETH_UID are present and carry sensible values, for example:
[cn] => your-user-id
[entitlement] => urn:mace:dir:entitlement:yourls.local:admin
Note that the attributes show up as plain keys (`cn`, `entitlement`) rather than as `HTTP_CN` / `HTTP_ENTITLEMENT`: the SP is passing them through the server environment, not as request headers, which is the mode you want, since request headers can otherwise be supplied by the client. If an attribute is missing, check the IdP's release policy and the SP's attribute-map.xml. Delete admin/test-sp.php when you are done; it dumps the Shibboleth session ID and your cookies to whoever can reach it.
Configuration
The plugin reads its settings from user/config.php. The settings and their defaults are:
```php
// Designates the attribute containing the username
define('SHIBBOLETH_UID', 'cn');

// The attribute controlling the user's roles for a SP, e.g. 'entitlement'. See attribute-map.xml
define('SHIBBOLETH_ENTITLEMENT', 'entitlement');

// A regular expression applied to SHIBBOLETH_ENTITLEMENT. Upon a match, the login page will be bypassed
// and the user is granted access.
define('SHIBBOLETH_ENTITLEMENT_REGEX', '/^.*urn:mace:dir:entitlement:yourls.local:.*$/');
```
Two things to keep in mind when you adapt the regex: the SP joins a multi-valued attribute into one string with `;` as the separator, so the leading and trailing `.*` are what let the default pattern find the entitlement among other values; and the unescaped `.` in `yourls.local` matches any character. If you tighten the pattern, keep the multi-valued case in mind and escape the dots.
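The following Python script is an added example, not part of this plugin, and covers both the attribute check from the testing section and the entitlement regex from the configuration above. It runs offline against a constructed dictionary that mimics the `print_r($_SERVER)` dump; the plugin's PCRE pattern is reproduced minus its `/` delimiters, and the stricter pattern, the `(admin|editor)` role names and the `;`-splitting helper are assumptions for illustration, not plugin defaults.

```python
"""Added example: sanity-check the attributes a Shibboleth SP passes to PHP
and evaluate the entitlement regex the way the plugin's config describes.
Nothing here talks to a real SP; SAMPLE_SERVER is constructed by hand."""
import re

# The plugin's defaults from user/config.php. The PHP pattern
# '/^.*urn:mace:dir:entitlement:yourls.local:.*$/' minus its delimiters;
# re.search() is the closest equivalent of preg_match().
SHIBBOLETH_UID = "cn"
SHIBBOLETH_ENTITLEMENT = "entitlement"
SHIBBOLETH_ENTITLEMENT_REGEX = r"^.*urn:mace:dir:entitlement:yourls.local:.*$"

# Assumed tighter alternative (not a plugin default): anchored, dot escaped,
# explicit role list. It only works if applied to each value separately.
STRICT_ENTITLEMENT_REGEX = r"^urn:mace:dir:entitlement:yourls\.local:(admin|editor)$"

# Constructed sample resembling the test-sp.php dump; the SP joins two
# entitlement values into one string with ';' as the separator.
SAMPLE_SERVER = {
    "Shib-Session-ID": "_d123456789eef1e35f96b29725731b2e6",
    "AUTH_TYPE": "shibboleth",
    "REMOTE_USER": "some-persistent-id",
    "cn": "your-user-id",
    "entitlement": "urn:mace:dir:entitlement:other.example:admin;"
                   "urn:mace:dir:entitlement:yourls.local:admin",
}


def check_attributes(server, uid_attr=SHIBBOLETH_UID, ent_attr=SHIBBOLETH_ENTITLEMENT):
    """Return a list of problems; an empty list means the SP delivers what the plugin needs."""
    problems = []
    if server.get("AUTH_TYPE") != "shibboleth":
        problems.append("AUTH_TYPE is not 'shibboleth': this location is not protected by the SP")
    for attr in (uid_attr, ent_attr):
        if not server.get(attr):
            hint = ""
            # Assumption: if the SP were configured to pass attributes as request
            # headers, the value would appear under the CGI name HTTP_<ATTR> instead.
            if server.get("HTTP_" + attr.upper().replace("-", "_")):
                hint = " (present only as an HTTP_* header; switch the SP back to environment variables)"
            problems.append(f"attribute '{attr}' missing or empty{hint}")
    return problems


def split_values(raw):
    """Split a multi-valued Shibboleth attribute on the SP's ';' separator."""
    return [v for v in raw.split(";") if v]


def grants_access_default(raw, pattern=SHIBBOLETH_ENTITLEMENT_REGEX):
    """What the plugin's regex does: one search over the whole joined string."""
    return re.search(pattern, raw) is not None


def grants_access_strict(raw, pattern=STRICT_ENTITLEMENT_REGEX):
    """Anchored match against each value individually."""
    return any(re.fullmatch(pattern, v) for v in split_values(raw))


if __name__ == "__main__":
    print("problems:", check_attributes(SAMPLE_SERVER))
    for value in (
        SAMPLE_SERVER["entitlement"],
        "urn:mace:dir:entitlement:yourlsXlocal:admin",   # unescaped dot in the default
        "urn:mace:dir:entitlement:yourls.local:guest",   # role the strict list rejects
        "urn:mace:dir:entitlement:other.example:admin",  # unrelated SP
    ):
        print(f"{value!r}: default={grants_access_default(value)} strict={grants_access_strict(value)}")
```

The second value shows why escaping the dot matters: the default pattern accepts `yourlsXlocal`, the strict one does not. The strict pattern would also reject the multi-valued sample if it were applied to the joined string directly, which is why `grants_access_strict` splits first.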