Bug 12027: Added shibboleth authentication to the staff client

- This patch adds shibboleth authentication to the staff client.
- Depending upon how your url structure works, you may or may not need a
  second native shibboleth service provider profile configured for this
  to work.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 243aada..27b822d 100644 (file)
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -898,9 +898,7 @@ sub checkauth {
             }
 
             # If we are in a shibboleth session (shibboleth is enabled, a shibboleth match attribute is set and matches koha matchpoint)
-            if ( $shib and $shib_login and $shibSuccess and $type eq 'opac' ) {
-
-                # (Note: $type eq 'opac' condition should be removed when shibboleth authentication for intranet will be implemented)
+            if ( $shib and $shib_login and $shibSuccess) {
                 logout_shib($query);
             }
         }
@@ -982,8 +980,8 @@ sub checkauth {
             my $shibSuccess = 0;
             my ( $return, $cardnumber );
 
-            # If shib is enabled and we have a shib login, does the login match a valid koha user
-            if ( $shib && $shib_login && $type eq 'opac' ) {
+           # If shib is enabled and we have a shib login, does the login match a valid koha user
+            if ( $shib && $shib_login ) {
                 my $retuserid;
 
                 # Do not pass password here, else shib will not be checked in checkpw.

diff --git a/C4/Auth_with_shibboleth.pm b/C4/Auth_with_shibboleth.pm
index f855ae1..5485527 100644 (file)
--- a/C4/Auth_with_shibboleth.pm
+++ b/C4/Auth_with_shibboleth.pm
@@ -49,6 +49,7 @@ sub shib_ok {
     return 0;
 }
 
+
 # Logout from Shibboleth
 sub logout_shib {
     my ($query) = @_;
@@ -131,21 +132,33 @@ sub _autocreate {
 sub _get_uri {
 
     my $protocol = "https://";
+    my $interface = C4::Context->interface;
+    $debug and warn "shibboleth interface: " . $interface;
+
+    my $return;
+    my $uri;
+    if ( $interface eq 'intranet' ) {
 
-    my $uri = C4::Context->preference('OPACBaseURL') // '';
-    if ($uri eq '') {
-        $debug and warn 'OPACBaseURL not set!';
+        $uri = C4::Context->preference('staffClientBaseURL') // '';
+        if ($uri eq '') {
+            $debug and warn 'staffClientBaseURL not set!';
+        }
+    } else {
+        $uri = C4::Context->preference('OPACBaseURL') // '';
+        if ($uri eq '') {
+            $debug and warn 'OPACBaseURL not set!';
+        }
     }
+
     if ($uri =~ /(.*):\/\/(.*)/) {
         my $oldprotocol = $1;
         if ($oldprotocol ne 'https') {
             $debug
                 and warn
-                  'Shibboleth requires OPACBaseURL to use the https protocol!';
+                  'Shibboleth requires OPACBaseURL/staffClientBaseURL to use the https protocol!';
         }
         $uri = $2;
     }
-
     my $return = $protocol . $uri;
     return $return;
 }

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
index 33006b3..66fd6bf 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
@@ -49,6 +49,14 @@
 <div id="login_error"><strong>Error: </strong>Invalid username or password</div>
 [% END %]
 
+[% IF (shibbolethAuthentication) %]
+<!-- This is what is displayed if shib login has failed -->
+[% IF (invalidShibLogin ) %]
+<div id="login_error"><Strong>Error: </strong>Shibboleth login failed</div>
+[% END %]
+<p>If you have a shibboleth account, please <a href="[% shibbolethLoginUrl %]">click here</a> to login.</p>
+[% END %]
+
 <!-- login prompt time-->
 <form action="[% script_name | html %]" method="post" name="loginform" id="loginform">
     <input type="hidden" name="koha_login_context" value="intranet" />