Single Sign On (Shibboleth) + Bootstrap OPAC

Bug #1917083 reported by Jane Sandberg
This bug affects 2 people
Affects     Status         Importance  Assigned to  Milestone
Evergreen   Fix Committed  Medium      Unassigned
3.10        Fix Committed  Medium      Unassigned
3.11        Fix Committed  Medium      Unassigned

Bug Description

Bug 1871211 introduced the ability for patrons to login to the Evergreen OPAC using a Single Sign On service. This required changes to 2 tt2 files, which were only applied to the classic TPAC, not the Bootstrap OPAC.

We should apply those changes to the Bootstrap OPAC too! One wrinkle I noticed while poking around: the bootstrap OPAC has two different login form files which are very similar -- one for when the login form is in a modal, another for when it is not. Maybe those two files could be combined as part of this work, so we only need to add the SSO functionality to one login form, and we keep things more maintainable down the road. Those two login forms are at:

* Open-ILS/src/templates-bootstrap/opac/parts/login/form.tt2
* Open-ILS/src/templates-bootstrap/opac/parts/login/login_modal.tt2

Revision history for this message
Jason Boyer (jboyer) wrote :

I've got a first pass at this here:
https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/collab/jboyer/lp1917083_thats_sso_bpac / working/collab/jboyer/lp1917083_thats_sso_bpac

Unfortunately the SSO bits don't actually work, you're just routed to the native login page (/eg/opac/login). If you disable native login you get a generic username or password was invalid message.

The actual login fields have been pulled out into a reusable chunk that's included by both the modal and regular login pages. I've also normalized the text around logging in (Login to Evergreen, Log in to My Account, Sign in with..., no, no, no.)

I'll keep poking at it but if anyone has time to see what I may be missing (I suspect either a problem with the when and where's of something in a .tt2 or something in EGCatLoader.pm) I've thrown it into a collab branch.

tags: added: shibboleth sso
Revision history for this message
Jason Boyer (jboyer) wrote:

Update: I've force-pushed a fixed branch to the previous location: https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/collab/jboyer/lp1917083_thats_sso_bpac / working/collab/jboyer/lp1917083_thats_sso_bpac that Does The Thing. SSO logins are supported in the BPAC and more of the login form is shared between the modal and whole-page login methods.

Testing is fairly straightforward, given that you have a functional SAML setup:
Pre-patch, you cannot log in via SSO in the BPAC at all. That's a bummer.
Apply patch.
Load BPAC, log in via the My Account link on the home page or by being redirected to the main login page (by placing a hold, etc.). Happiness.

Revision history for this message
Jeff Davis (jdavis-sitka) wrote :

I pushed a small bugfix to the collab branch ($ctx wasn't available to load_manual_shib_login, needed to use $self->ctx).

tags: added: pullrequest
Changed in evergreen:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Galen Charlton (gmc) wrote :

Jason, Jeff, are you two willing to mutually sign off on the patches? And is this in production anywhere?

Revision history for this message
Jason Boyer (jboyer) wrote :

I certainly am, Jeff's bugfix is spot-on. I'm not aware of this patch being used in production currently.

Revision history for this message
Jason Boyer (jboyer) wrote :

Well, later it finally occurred to me that actually doing the signing-off would be a good idea. Not giving it enough thought, I force-pushed an update to the collab branch. Jeff, if you (or other SAML-interested parties) are able to give this a test and are happy signing off on it, we can finally put it to rest.

Revision history for this message
Jeff Davis (jdavis-sitka) wrote :

Sorry, I missed the earlier updates. We don't have this in production yet but it works successfully in testing. Working branch user/jeffdavis/lp1917083_thats_sso_bpac_signoff has my signoff.

tags: added: signedoff
Revision history for this message
Galen Charlton (gmc) wrote :

Jason or Jeff, could you rebase? There are merge conflicts with the login form in main & rel_3_11. A rel_3_10 version of the branch would be a niceness as well.

Changed in evergreen:
milestone: none → 3.11.1
assignee: nobody → Galen Charlton (gmc)
assignee: Galen Charlton (gmc) → nobody
tags: added: needsrebase
removed: signedoff
Changed in evergreen:
assignee: nobody → Jeff Davis (jdavis-sitka)
Revision history for this message
Jeff Davis (jdavis-sitka) wrote :

Working branch user/jeffdavis/lp1917083_thats_sso_bpac_signoff_rebased has a commit that should apply cleanly to main and rel_3_11.

Working branch user/jeffdavis/lp1917083_thats_sso_bpac_signoff_rel_3_10 has a version that should work for rel_3_10.

Changed in evergreen:
assignee: Jeff Davis (jdavis-sitka) → nobody
tags: removed: needsrebase
Changed in evergreen:
milestone: 3.11.1 → 3.12-beta
Revision history for this message
Jeff Davis (jdavis-sitka) wrote :

I don't think I should commit this since I did the rebase. Here's a test plan:

1. Apply the fix.
2. Make sure native OPAC login still works correctly via both the login modal and /eg/opac/login.
3. Make sure OPAC logout also works correctly.
4. Set the opac.login.shib_sso.enable org setting to 'true'. OPAC login should now present a "Login with SSO" button instead of the usual login form; clicking it should redirect you to /Shibboleth.sso/Login.
5. Set the opac.login.shib_sso.allow_native org setting to 'true'. OPAC login should now present both a "Login with SSO" button (which should work as in step 4) as well as the native EG login form (which should work as usual).
6. Make sure that clicking "Logout" ends your EG auth session and redirects to /Shibboleth.sso/Logout.

You don't technically need a working Shibboleth install to follow this test plan, you'll just get a 404 error when you're redirected to the Shibboleth.sso pages.
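
The test plan above can be scripted. The following is an added example, not code from the Evergreen project or from anyone in this thread. It assumes an Evergreen instance reachable at EG_BASE_URL (for example https://eg.example.org), that the rendered login page exposes the SSO button as an anchor whose href contains /Shibboleth.sso/Login, and that the native form uses inputs named "username" and "password"; those markup details are assumptions about the templates, not facts from this report. Steps 2, 4 and 5 are checked on /eg/opac/login without following redirects; step 6 needs a logged-in session cookie, so only the redirect check is provided for it.

```python
"""Scripted version of the OPAC SSO login test plan (added example).

Assumptions (not from the bug report or the Evergreen templates):
  * the SSO button is an <a href="...Shibboleth.sso/Login...">,
  * the native form has <input name="username"> and <input name="password">.
"""
import os
import urllib.error
import urllib.parse
import urllib.request
from html.parser import HTMLParser


class LoginPageScanner(HTMLParser):
    """Collect the two facts the test plan cares about from the login page."""

    def __init__(self):
        super().__init__()
        self.sso_hrefs = []
        self.input_names = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "/Shibboleth.sso/Login" in (a.get("href") or ""):
            self.sso_hrefs.append(a["href"])
        if tag == "input" and a.get("name"):
            self.input_names.add(a["name"])


def inspect_login_page(html):
    """Return which login affordances the rendered page offers."""
    s = LoginPageScanner()
    s.feed(html)
    return {
        "sso_button": bool(s.sso_hrefs),
        "native_form": {"username", "password"} <= s.input_names,
    }


def expected_login_page(shib_enable, allow_native):
    """Steps 2, 4 and 5: what the two org settings should produce.

    opac.login.shib_sso.enable=false  -> native form only
    enable=true, allow_native=false    -> SSO button only
    enable=true, allow_native=true     -> both
    """
    if not shib_enable:
        return {"sso_button": False, "native_form": True}
    return {"sso_button": True, "native_form": bool(allow_native)}


def check_login_page(html, shib_enable, allow_native):
    """True when the page matches the settings; the body of steps 2, 4 and 5."""
    return inspect_login_page(html) == expected_login_page(shib_enable, allow_native)


def check_logout_redirect(status, location):
    """Step 6: logout must redirect (not render) to the Shibboleth logout URL.

    Only the path is compared. A 404 from /Shibboleth.sso/Logout itself is
    expected when no Shibboleth SP is installed, so the target is not fetched.
    """
    if status not in (301, 302, 303, 307, 308):
        return False
    return urllib.parse.urlsplit(location or "").path == "/Shibboleth.sso/Logout"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, cookie=None):
    """GET url without following redirects: (status, Location header, body)."""
    req = urllib.request.Request(url, headers={"Cookie": cookie} if cookie else {})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as r:
            return r.status, r.headers.get("Location"), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # raised for 3xx once redirects are off
        return e.code, e.headers.get("Location"), e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Set the org settings in the staff client first, then tell the script
    # what you set so it knows what the page should look like.
    base = os.environ["EG_BASE_URL"].rstrip("/")
    enable = os.environ.get("EG_SHIB_ENABLE", "false") == "true"
    native = os.environ.get("EG_ALLOW_NATIVE", "false") == "true"
    status, _, body = fetch(base + "/eg/opac/login")
    print("login page:", status, inspect_login_page(body),
          "OK" if status == 200 and check_login_page(body, enable, native) else "FAIL")
```

Run it three times, once per combination of the two org settings, with EG_SHIB_ENABLE and EG_ALLOW_NATIVE set to match; for step 6, pass a logged-in session cookie to fetch() on /eg/opac/logout and feed the status and Location header to check_logout_redirect().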

Revision history for this message
Jane Sandberg (sandbergja) wrote :

Thanks for these branches, Jason and Jeff! I ran through the test plan on the 3.11+ and 3.10 branches, both worked great. Pushed to rel_3_10 and above.

tags: added: signedoff
Changed in evergreen:
status: Confirmed → Fix Committed