Index: lams_build/conf/windows/authentication/lamsauthentication.xml
===================================================================
RCS file: /usr/local/cvsroot/lams_build/conf/windows/authentication/Attic/lamsauthentication.xml,v
diff -u -r1.2 -r1.2.2.1
--- lams_build/conf/windows/authentication/lamsauthentication.xml 21 Nov 2006 06:15:40 -0000 1.2
+++ lams_build/conf/windows/authentication/lamsauthentication.xml 30 Mar 2007 00:13:34 -0000 1.2.2.1
@@ -50,6 +50,22 @@
+
+ Shib-Person-commonName
+ Shib-Person-commonName
+ Shib-Person-commonName
+ Shib-Person-commonName
+ java:/jdbc/lams-ds
+ select password from lams_user where login=?
+
+ SELECT DISTINCT r.name,'Roles' FROM
+ lams_user u LEFT OUTER JOIN lams_user_organisation uo USING(user_id)
+ LEFT OUTER JOIN lams_user_organisation_role urr USING(user_organisation_id)
+ LEFT OUTER JOIN lams_role r USING (role_id)
+ WHERE u.login=?
+
+
+
ldap://mams.melcoe.mq.edu.au:636
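Review bot: The added policy block repeats `Shib-Person-commonName` four times beside `select password from lams_user where login=?`, which suggests that a common-name attribute is used as the LAMS login key; the element names are not visible in this extract, so this reading is inferred. A common name is a display attribute and is not guaranteed to be unique or stable per person, so two federated users could resolve to the same `lams_user` row and pick up its roles from the role query below. If that reading is right, key the login on a unique, non-reassignable identifier released by the identity provider instead. The block would also benefit from an XML comment stating the deployment precondition, for example `<!-- SHIBBOLETH: the login name is taken from an attribute set by the Shibboleth front end; deploy only where clients cannot reach the application directly or supply that value themselves -->`.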
Index: lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java
===================================================================
RCS file: /usr/local/cvsroot/lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java,v
diff -u -r1.13 -r1.13.2.1
--- lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java 31 Oct 2006 04:13:13 -0000 1.13
+++ lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java 30 Mar 2007 00:13:33 -0000 1.13.2.1
@@ -174,7 +174,11 @@
isValid = authenticator.authenticate(username,inputPassword);
log.debug("===> WEBAUTH :: user:" + username + ":"
+ inputPassword + " authenticated! ");
-
+ } else if ("SHIBBOLETH".equals(type)) {
+ log.debug("===> SHIBBOLETH :: " + username);
+ // Shibboleth handles password authentication, we assume user is
+ // already authenticated at this point
+ isValid = true;
} else {
log.debug("Unexpected authentication type!");
return false;
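Review bot: The new `SHIBBOLETH` branch sets `isValid = true` for whatever `username` reaches the module, so nothing in this method ties the login to an actual Shibboleth session and the safety of the branch rests entirely on code outside the hunk. If the login path can be reached without passing through the Shibboleth-protected front end, any existing account name would be accepted without a credential. At minimum reject an empty name, `isValid = username != null && username.trim().length() > 0;`, and extend the comment to state the precondition, e.g. `// caller must have verified the Shibboleth session server-side; this branch must not be reachable from the plain login form`. The context lines just above also write `inputPassword` to the debug log, which is worth removing while this method is being touched. The enclosing method starts and ends outside the hunk.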
@@ -231,7 +235,6 @@
return roleSets;
}
- ArrayList groupMembers = new ArrayList();
do {
String name = rs.getString(1);
String groupName = rs.getString(2);
@@ -245,26 +248,23 @@
try {
Principal p;
- if (name!=null) {
- p = super.createIdentity(name);
- } else {
- p = super.createIdentity(Role.LEARNER);
+ if (name==null) {
log.info("Found no roles");
+ // give user account minimal role set so they can at
+ // least access the index page.
+ name = Role.LEARNER;
}
- //if (!group.isMember(p)) {
- if (!groupMembers.contains(name)) {
+ p = super.createIdentity(name);
+ if (!group.isMember(p)) {
log.info("Assign user to role " + p.getName());
group.addMember(p);
- groupMembers.add(name);
}
if (name.equals(Role.SYSADMIN) || name.equals(Role.AUTHOR_ADMIN)) {
p = super.createIdentity(Role.AUTHOR);
log.info("Found "+name);
- //if (!group.isMember(p)) {
- if (!groupMembers.contains(Role.AUTHOR)) {
+ if (!group.isMember(p)) {
log.info("Assign user to role "+Role.AUTHOR);
group.addMember(p);
- groupMembers.add(Role.AUTHOR);
}
}
} catch (Exception e) {
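Review bot: The duplicate check now relies on `group.isMember(p)`, where the old code had that call commented out and tracked names in `groupMembers` instead, so deduplication only works if the principal returned by `super.createIdentity(name)` compares equal by name. That class is not visible here; if it uses identity equality, every result-set row would add another member and log `Assign user to role` again. A one-line comment above the check, `// relies on name-based equals()/hashCode() of the principal created by createIdentity()`, would record the assumption for the next maintainer. The fallback to `Role.LEARNER` is a default grant, so consider making the log line say what was granted, e.g. `log.info("Found no roles, defaulting to " + Role.LEARNER);`. The enclosing loop and try block continue outside the hunk.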