Moodle tracker issue MDL-41598

Shibboleth doesn't handle deep linking under HTTPS properly


    • MOODLE_24_STABLE, MOODLE_25_STABLE
    • MOODLE_28_STABLE, MOODLE_29_STABLE
    • MDL-41598-master

      This patch requires a Moodle environment with a working Shibboleth configuration. It assumes that you're using the internal WAYF and have the alternative login URL configured. You also need to set your Moodle instance to require HTTPS.

      1. Create a course in Moodle. Make a note of the direct link to the course.
      2. Log out. Make sure you aren't authenticated to the Moodle instance and that your session is completely closed.
      3. Verify that you are not currently authenticated to your Shib provider.
      4. Craft a direct link to your Moodle instance which incorporates the direct link to your course but not the entityID. This could be http://your-moodle-instance/course/view.php?id=2
      5. Point your browser to that link.

      You should be first taken to Moodle's WAYF page and then to your Shibboleth provider. After that you should be taken directly to the course.


      MDL-37020 introduced a validation check for WAYFless URLs in Shibboleth. It is based on the assumption that, in a Shib or Shib/CAS environment, target is only passed back to Moodle when it is explicitly set (per MDL-35153). This isn't the case: target is always set, and if the user doesn't set a deep link URL it is set to the authentication provider's URL. This didn't show up in testing because the authentication provider is an HTTPS link, which PARAM_LOCALURL filtered out (which may itself be a bug, but that's for another issue). If you're running a Shibbolized Moodle instance you'll see behaviour similar to MDL-37020: deep links that don't include the IdP are ignored and you're redirected to the main page, because the wantsurl session variable isn't checked.

      I think the solution is to check if $SESSION->wantsurl is set and if so always use it in preference to target.
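      The following standalone PHP is an added illustration of the redirect-selection logic proposed above; it is not Moodle's auth/shibboleth code and not the patch attached to this issue. It assumes a stored session value (wantsurl), a value handed back by the WAYF/IdP (target), and a deliberately simplified clean_local_url() that stands in for Moodle's PARAM_LOCALURL cleaning (root-relative paths or absolute URLs under the site's wwwroot pass, anything on another host is dropped). Running the local-URL check on wantsurl as well is an extra precaution of this example, not something the issue proposes.

```php
<?php
// Added example: choosing the post-login redirect after a Shibboleth login.
// Illustrative, standalone code; not Moodle's auth/shibboleth plugin.

/**
 * Simplified stand-in for Moodle's PARAM_LOCALURL cleaning (assumption, not
 * Moodle's clean_param()): accept root-relative paths or absolute URLs under
 * our own wwwroot; anything else, including an IdP URL on another host,
 * becomes the empty string.
 */
function clean_local_url(string $url, string $wwwroot): string {
    $url = trim($url);
    if ($url === '') {
        return '';
    }
    // Root-relative path, but reject protocol-relative URLs (//other-host/...).
    if ($url[0] === '/' && substr($url, 0, 2) !== '//') {
        return $url;
    }
    // Absolute URL that starts with our own wwwroot plus a path separator.
    if (stripos($url, rtrim($wwwroot, '/') . '/') === 0) {
        return $url;
    }
    return '';
}

/**
 * Decide where to send the user once the Shibboleth login completes.
 *
 * $wantsurl is the deep link Moodle stored in the session before sending the
 * browser to the IdP; $target is the value the WAYF/IdP hands back, which in
 * the reported setup is always present and defaults to the IdP's own URL.
 * The session value is authoritative because Moodle itself set it, so it is
 * used whenever present; target is only a fallback and only after it passes
 * the local-URL check. If neither yields a local URL, go to the front page.
 */
function post_login_redirect(?string $wantsurl, ?string $target, string $wwwroot): string {
    $home = rtrim($wwwroot, '/') . '/';
    if ($wantsurl !== null && $wantsurl !== '') {
        $clean = clean_local_url($wantsurl, $wwwroot);
        return $clean !== '' ? $clean : $home;
    }
    if ($target !== null) {
        $clean = clean_local_url($target, $wwwroot);
        if ($clean !== '') {
            return $clean;
        }
    }
    return $home;
}

// Constructed sample inputs (not taken from the tracker issue).
$wwwroot = 'https://moodle.example.edu';
$course  = 'https://moodle.example.edu/course/view.php?id=2';
$idp     = 'https://idp.example.org/idp/profile/SAML2/POST/SSO';

$cases = [
    // Deep link in the session, target set to the IdP URL: the situation in
    // the report. The session value wins, so the user reaches the course.
    'wantsurl set, target is IdP'   => post_login_redirect($course, $idp, $wwwroot),
    // No deep link in the session, target carries a local course URL.
    'no wantsurl, local target'     => post_login_redirect(null, $course, $wwwroot),
    // Nothing local in either place: front page.
    'no wantsurl, target is IdP'    => post_login_redirect(null, $idp, $wwwroot),
    // An off-site target is never followed, which also closes an open redirect.
    'no wantsurl, off-site target'  => post_login_redirect(null, 'https://elsewhere.example/', $wwwroot),
    // A protocol-relative value is treated as off-site, not as a local path.
    'protocol-relative target'      => post_login_redirect(null, '//elsewhere.example/', $wwwroot),
];

foreach ($cases as $label => $url) {
    printf("%-32s -> %s\n", $label, $url);
}
```

      The first case is the one the report describes: with wantsurl consulted first, the course link is used even though target points at the IdP and is discarded by the local-URL check.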

            People: Charles Fulton (cfulton), Charles Fulton (cfulton), Petr Skoda, Dan Poltawski, Rajesh Taneja
