| 14 | The GuardPlugin should be install into app/plugins/guard |
| 15 | |
| 16 | The tree structure should look like this: |
| 17 | |
| 18 | {{{ |
| 19 | app/plugins/guard |
| 20 | |-- config |
| 21 | | `-- guard_default.php |
| 22 | |-- controllers |
| 23 | | |-- components |
| 24 | | | |-- auth_module.php |
| 25 | | | |-- default_module.php |
| 26 | | | |-- guard.php |
| 27 | | | `-- shibboleth_module.php |
| 28 | | `-- guard_controller.php |
| 29 | `-- views |
| 30 | |-- elements |
| 31 | | |-- login_default.ctp |
| 32 | | `-- login_shibboleth.ctp |
| 33 | `-- guard |
| 34 | `-- login.ctp |
| 35 | }}} |
| 36 | |
| 37 | After the installation of the files, the initial copy of the configuration file should be copy from app/plugins/guard/config/guard_default.php to app/config/guard.php. |
| 38 | |
| 39 | {{{ |
| 40 | cp app/plugins/guard/config/guard_default.php app/config/guard.php |
| 41 | }}} |
| 42 | |
19 | | == Develop New Authentication Module == |
| 67 | The configuration parameters for Shibboleth are: |
| 68 | {{{ |
| 69 | #!php |
| 70 | $config['Guard.AuthModule.Shibboleth'] = array('sessionInitiatorURL' => 'https://%HOST%/Shibboleth.sso/Login', |
| 71 | 'logoutURL' => 'https://%HOST%/Shibboleth.sso/Logout', |
| 72 | 'fieldMapping' => array('eppn' => 'username', |
| 73 | 'affiliation' => 'role', |
| 74 | ), |
| 75 | 'mappingRules' => array('eppn' => array('/@ubc.ca/' => ''), |
| 76 | 'affiliation' => array('/staff@ubc.ca/' => 'admin'), |
| 77 | ), |
| 78 | 'loginError' => 'You have successfully logged through Shibboleth. But you do not have access this appliction.', |
| 79 | ); |
| 80 | }}} |
| 81 | * sessionInitiatorURL: The URL for the Shibboleth login. %HOST% will be replaced to the actual host name |
| 82 | * logoutURL: The URL for Shibboleth logout. %HOST% will be replaced to the actual host name |
| 83 | * fieldMapping: The array to map the attributes from Shibboleth to database fields. The keys are the Shibboleth attributes and values are the fields in database. |
| 84 | * mappingRules: The array of rules for how to convert the values. The rules are regular expressions. |
| 85 | * loginError: The error message when user logged in successfully through Shibboleth but do not have an valid account or permission in the application. This is an example to override the [http://api13.cakephp.org/class/auth-component AuthComponent] properties. |
| 86 | |
| 87 | == Developing New Authentication Module == |
| 88 | All the authentication modules extend !AuthModule, which provides some default properties and methods required by the authentication module. |
| 89 | Every authentication must implement authenticate() method to verify the user. The authentication module should like look this: |
| 90 | {{{ |
| 91 | #!php |
| 92 | class MyAuthModule extends AuthModule { |
| 93 | var $name = 'MyAuth'; |
| 94 | var $hasLoginForm = true; |
| 95 | function authenticate() { |
| 96 | // return true if user is verified and false if not. |
| 97 | } |
| 98 | } |
| 99 | }}} |
| 100 | |
| 101 | * $name: The name of the authentication module. |
| 102 | * $hasLoginForm: If this module has login form |
| 103 | |
| 104 | |
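Review bot: The `mappingRules` patterns in the Shibboleth sample (`'/@ubc.ca/'` and `'/staff@ubc.ca/'`) are unanchored and leave the dot unescaped, so they match more than the exact values they are written for. Because the second pattern yields the `admin` role, a reader who copies this config could end up granting admin to any affiliation value that merely contains that text. The code that applies the rules is not visible on this page, so this assumes they are used as ordinary PCRE match/replace patterns. The sample would be safer as `'eppn' => array('/@ubc\.ca$/' => '')` and `'affiliation' => array('/^staff@ubc\.ca$/' => 'admin')`. The mappingRules bullet should also say that patterns need anchoring, and that an affiliation delivered as one multi-valued string must be split before an anchored rule can match.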