Extension:PIVLogin

The PIVLogin extension will enable PIV (HSPD-12) card authentication similar to the way Window OS authentication via PIV to Active Directory. This is compliant with US Federal Government Standards regarding HSPD-12.

This extension utilizes the value of subject alternate name in the PIV card to authenticate with Active Directory. The value of user principal name in Active Directory has to match the value of the subject alternate name in the PIV card. This extension fetches the subject alternate name from the PIV card bypassing php bug 60388 which normally prevents this.

This PIVLogin extension was developed by the Division of Information Development - IAIT - ASIA - Bureau of Indian Affairs for use on the Department of the Interior internal Wiki.

Prerequisite Actions

 * 1) Install the extension SSL Authentication.
 * 2) * SSL Authentication extension requires some changes to LocalSettings.php. Be sure to replace them with the code from LocalSettings.php section below
 * 3) install mod_ssl openssl php-ldap by doing the following:

Installation
Follow these steps to install the PIVLogin extension. The steps listed below are for a server running Centos and Apache.

Download & Configure the PIV Login Extension

 * 1) Download the extension here and place the .zip file in /extensions/SSLAuthentication/
 * 2) Unzip the contents
 * 3) Create the USERCERT directory (must be in all caps) under /extensions/SSLAuthentication/ and make sure it has the following permissions: rwxr-xr-x and owned by apache
 * 4) Go into getldapsam.php and adjust the following parameter values:
 * 5) LDAPHost should be: ldaps://YourADServer:ADPort
 * 6) dn should be: "DC=YourOrg,DC=com"
 * 7) LDAPUser should be the username for the service account for your LDAP server (e.g. ADServiceAccountName@yourorganization.com)
 * 8) LDAPUserPassword is the password associated with the service account

Acquire Certificates & Configure LDAP settings

 * 1) Download the CA trust certificates from your PIV card
 * 2) Insert your PIV card into your computer and open Internet Explorer
 * 3) Go to Internet Options -> Content Tab and then click on the Certificates button
 * 4) Go through your list of certificates under the Personal Tab by clicking the View button for each and select the Certification Path Tab and look for the ...PIV Authentication Key (see screenshot below).
 * 5) ;PIVAuthenticationKeyScreenShot.png
 * 6) If you do not see ...PIV Authentication Key then go to the Details Tab and locate the Subject Alternate Name field and look for Principal Name = ... (see screenshot below).
 * 7) ;[[File:PIVAuthenticationAlternateScreenShot.png]]
 * 8) Once you have located it, select the first certificate in the hierarchy (CA Level 1) and click View Certificate
 * 9) Choose the Details Tab -> click Copy to File...
 * 10) Once you're in the certificate export wizard make sure you choose base-64 encoded X.509 (.CER)
 * 11) After all the certificates have been downloaded, open each one in notepad
 * 12) Copy/paste all of the contents into one of the certificates (order of certificates does not matter)
 * 13) place that file on your apache server under /etc/pki/tls/certs
 * 14) If the connection to AD is not done through LDAPS then you can skip this step
 * 15) Obtain the SSL certificates from your AD admin on the AD server
 * 16) Place the certificate under /etc/openldap/cacerts folder
 * 17) Modify the ldap.conf under /etc/openldap and modify the information to meet your environment.
 * 18) * the value TLS_CACERT should be /etc/openldap/cacerts/YourADSSL.pem

Configure HTTPS

 * 1) Configure HTTPS by following these steps

Modify ssl.conf

 * 1) Modify ssl.conf located here: /etc/httpd/conf.d/ with the text below (be sure to remove the text in light grey and modify accordingly):

LocalSettings.php
Copy & Paste the following:

Additional Steps

 * 1) Create a page on your Wiki entitled PIV_Login_Error and put in any text you would like to appear if the login fails
 * 2) Create a page on your Wiki entitled PIV_Login with only: #REDIRECT Main Page
 * 3) Protect this page
 * 4) Modify your UserLogin.php (/var/www/html/NAMEOFWIKI/includes/templates/) so that it will contain a link that goes to the page you created in Step #2. Make sure this link starts with "https://"