developer.aaiedu.hr

simpleSAMLphp authentication extension for MediaWiki
Description
- Authentication extension for MediaWiki that lets users log in via Single Sign-On (SSO)
using the SAML protocol and the simpleSAMLphp tool.
Extension Version
- 1.4.1 (last update: 2011-09-14)
MediaWiki Version
- 1.13.x and newer versions (tested with 1.13.3, 1.16.0, 1.17.0)
simpleSAMLphp Version
- 1.6 and newer versions
Contact
- team@aaiedu.hr, author: Draženko Celjak
Download
- mediawki-simplesamlphp.zip
Installation and configuration
- Prerequisites: simpleSAMLphp and MediaWiki installed and operational
- Add the following code to the bottom of the LocalSettings.php
file (in the MediaWiki directory):
# simpleSAMLphp authentication
$simplesamlphp_basedir = '/your/path/to/simplesamlphp'; // simpleSAMLphp installation path
$samlVersion = 'saml2'; // SAML version; allowed values are: 'saml2' or 'shib13'
$forceSSO = false; // when true, every visitor is sent to the Identity Provider to log in before seeing the wiki
$simpleSAMLphpUserAutoCreate = true; // automatically create a wiki account for an authenticated user that doesn't exist yet
# attributes used by simpleSAMLphp authentication (attributes are multi-valued; the first value is taken):
$usernameAttribute = 'urn:mace:dir:attribute-def:eduPersonPrincipalName';
$mailAttribute = 'urn:mace:dir:attribute-def:mail';
$givenNameAttribute = 'urn:mace:dir:attribute-def:givenName';
$surnameAttribute = 'urn:mace:dir:attribute-def:sn';
# setting up user permissions: anonymous users may read but not register or edit,
# so accounts come only from SSO
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
// authorization (optional; the hook must be registered before the extension is included)
// $wgHooks['simpleSAMLphpAuthorization'][] = 'customAuthHookFunction';
require_once($simplesamlphp_basedir . '/lib/_autoload.php');
require_once('extensions/SimpleSAMLphpAuth.php');
- Adjust the value of the variable $simplesamlphp_basedir; if needed, change the attribute names
so that they match the names you receive from your Identity Provider, and optionally change
the user group permissions. Note that you can choose between saml2 and shib13.
You can also implement custom authorization (see the custom authorization section).
Keep in mind that with $simpleSAMLphpUserAutoCreate enabled every user the Identity Provider
authenticates gets a wiki account, so if only some of those users should have access,
restrict them with the authorization hook.
- Download the extension and unpack it (one file) into MediaWiki's extensions directory.
That's all.
If you run into problems or have any suggestions, you can contact us by
mail.
Custom authorization
- The extension executes the 'simpleSAMLphpAuthorization' hook
with the array of simpleSAMLphp session attributes as its parameter; each attribute
is itself an array of values. The hook function returns true to allow the user in;
in the example below it stops the request otherwise.
Example of custom authorization (LocalSettings.php):
// authorization
$wgHooks['simpleSAMLphpAuthorization'][] = 'sa5Authorization';
require_once($simplesamlphp_basedir . '/lib/_autoload.php');
require_once('extensions/SimpleSAMLphpAuth.php');
function sa5Authorization($attributes) {
    // allow access only if eduPersonEntitlement contains urn:geant:edugain:entitlement:eduroam:wiki;
    // the attribute is multi-valued, so compare whole values (strict in_array) instead of substrings
    $attributeName = 'urn:mace:dir:attribute-def:eduPersonEntitlement';
    $requiredValue = 'urn:geant:edugain:entitlement:eduroam:wiki';
    if (isset($attributes[$attributeName]) && is_array($attributes[$attributeName])) {
        if (in_array($requiredValue, $attributes[$attributeName], true)) {
            return true;
        }
    }
    // deny by default: stop the request before MediaWiki continues
    echo "Sorry, this wiki is for SA5 members only.";
    exit();
}
Make sure that you register the hook (the line
$wgHooks['simpleSAMLphpAuthorization'][] = 'sa5Authorization';
) before including the extension (
require_once('extensions/SimpleSAMLphpAuth.php');
), otherwise the extension will not know about it.
The authorization function can be implemented in a separate file in the extensions directory
and included from LocalSettings.php.
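As an added example (not code from the extension or from this page), here is a hook file that performs the same entitlement check more defensively and can be self-tested from the command line. The file name extensions/SimpleSAMLphpAuthz.php, the helper function names and the second entitlement value are assumptions; the attribute names and the SA5 entitlement are the ones used above. Values are compared as whole strings, a session without exactly one username value is refused (the extension would otherwise auto-create an account from it), and the decision is kept separate from the deny response so it can be exercised without a web server.

```php
<?php
// extensions/SimpleSAMLphpAuthz.php: added example, not part of the extension.
// File name, function names and the second entitlement value are assumptions.
//
// The extension calls the 'simpleSAMLphpAuthorization' hook with the simpleSAMLphp
// attribute array: every attribute is a list of string values, e.g.
//   array('urn:mace:dir:attribute-def:eduPersonEntitlement' => array('urn:a', 'urn:b'))

define('WIKI_USERNAME_ATTR', 'urn:mace:dir:attribute-def:eduPersonPrincipalName');
define('WIKI_ENTITLEMENT_ATTR', 'urn:mace:dir:attribute-def:eduPersonEntitlement');

// Entitlement values that grant access; holding any one of them is sufficient.
function wikiAllowedEntitlements() {
    return array(
        'urn:geant:edugain:entitlement:eduroam:wiki',   // value used on this page
        'urn:example:entitlement:wiki-admins',           // assumed placeholder; replace or drop
    );
}

// Non-empty string values of an attribute, or an empty array if it is absent.
// Tolerates a scalar where a list is expected and drops empty placeholder values.
function wikiAttributeValues(array $attributes, $name) {
    if (!isset($attributes[$name])) {
        return array();
    }
    $raw = is_array($attributes[$name]) ? $attributes[$name] : array($attributes[$name]);
    $values = array();
    foreach ($raw as $v) {
        if (is_string($v) && $v !== '') {
            $values[] = $v;
        }
    }
    return $values;
}

// Pure decision function: true if this session may use the wiki.
function wikiIsAuthorized(array $attributes) {
    // With $simpleSAMLphpUserAutoCreate = true the extension creates an account from the
    // username attribute, so refuse sessions where it is missing or ambiguous.
    if (count(wikiAttributeValues($attributes, WIKI_USERNAME_ATTR)) !== 1) {
        return false;
    }
    // Exact, case-sensitive comparison of whole values (in_array with strict = true),
    // so 'xurn:geant:...:wiki' or 'urn:geant:...:wiki2' never matches by accident.
    $held = wikiAttributeValues($attributes, WIKI_ENTITLEMENT_ATTR);
    foreach (wikiAllowedEntitlements() as $required) {
        if (in_array($required, $held, true)) {
            return true;
        }
    }
    return false;
}

// Hook function registered in LocalSettings.php; deny by default.
function sa5Authorization($attributes) {
    if (is_array($attributes) && wikiIsAuthorized($attributes)) {
        return true;
    }
    if (!headers_sent()) {
        header('HTTP/1.1 403 Forbidden');
    }
    echo "Sorry, this wiki is for SA5 members only.";
    exit();
}

// Self-check with constructed attribute sets (not real IdP data):
//   php extensions/SimpleSAMLphpAuthz.php
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $wiki = 'urn:geant:edugain:entitlement:eduroam:wiki';
    $cases = array(
        'member'              => array(array(WIKI_USERNAME_ATTR => array('alice@example.org'),
                                             WIKI_ENTITLEMENT_ATTR => array('urn:other', $wiki)), true),
        'prefixed value'      => array(array(WIKI_USERNAME_ATTR => array('bob@example.org'),
                                             WIKI_ENTITLEMENT_ATTR => array('x' . $wiki)), false),
        'no entitlement attr' => array(array(WIKI_USERNAME_ATTR => array('carol@example.org')), false),
        'missing username'    => array(array(WIKI_ENTITLEMENT_ATTR => array($wiki)), false),
    );
    $failed = 0;
    foreach ($cases as $label => $case) {
        list($attrs, $expected) = $case;
        $ok = wikiIsAuthorized($attrs) === $expected;
        $failed += $ok ? 0 : 1;
        printf("%-22s %s\n", $label, $ok ? 'ok' : 'FAIL');
    }
    exit($failed === 0 ? 0 : 1);
}
```

To use it, include the file from LocalSettings.php and register the hook before the extension's own require_once, i.e. require_once('extensions/SimpleSAMLphpAuthz.php'); followed by $wgHooks['simpleSAMLphpAuthorization'][] = 'sa5Authorization'; and only then require_once('extensions/SimpleSAMLphpAuth.php');. Running the file directly with the PHP CLI executes the four constructed cases and exits non-zero if any decision is wrong, which is a cheap check to repeat after changing the entitlement list.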
Troubleshooting
- Q: I don't seem to be able to edit any pages on my wiki anymore;
it throws an error showing the following text:
"Your edit has been rejected because your client mangled the punctuation
characters in the edit token. The edit has been rejected to prevent
corruption of the page text. This sometimes happens when you are using a
buggy web-based anonymous proxy service."
- A: Magic quotes escape the punctuation in the edit token before MediaWiki sees it,
so the token check fails. Turn off magic quotes (magic_quotes_gpc) either in php.ini or in .htaccess:
http://www.php.net/magic_quotes
Magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4, so this only applies to older PHP versions.