Extension:Shibboleth Authentication Plus

Overview
This extension extends the functionality of the Shibboleth Authentication Extension by supporting group-based user authentication/authorization and by implementing a messaging mechanism for user notification during the authentication/authorization process. It is already in use in the Grnet Wikis MediaWiki Farm.

Current Version: 1.0

Compatibility
This extension is designed for MediaWiki 1.7 and up. If you want to use this extension with the 1.6 branch or earlier look at bugs 5819 and 6006 and apply the SVN changes that took place.

Shibboleth Environment Configuration
The extension requires that Shibboleth has been configured and set up on the web server the wiki is hosted on. Once Shibboleth is running on the web server, make sure your configuration file is correctly set up; your IdP should be able to help you with this. The extension uses lazy sessions and a WAYF url, so you'll want to verify these are set up as well. (You can actually use full sessions if you want, but the extension is designed to use lazy sessions so that the standard wiki authentication can co-exist alongside it.) You'll need to tell the extension which WAYF url to use.

The part of the configuration file (shibboleth.xml) where a WAYF url will be present is here:
...

For lazy sessions in Apache, the following lines in your apache configuration files will do:
...
AuthType shibboleth
Require shibboleth

If you don't want lazy sessions but instead would rather require Shibboleth authentication, then use:
...
AuthType shibboleth
ShibRequireSession On
Require valid-user

Download the Extension
The code of this extension is composed of the extended code of the Authentication Extension and the code that implements the group-based user authentication/authorization and the messaging mechanism. The following sections describe the extension code in detail.

Shibboleth Authentication Code
Below you can see the code of the Shibboleth Authentication Extension. The only changes made to the code are the definition of the $shib_GRP variable, which contains the list of the groups a user belongs to, and the mapping of that list to the user's local groups. Place the code in the extensions folder, in a file called "ShibAuthPlugin.php".

Shibboleth Authentication Plus Code
In this section you can see the code of the Shibboleth Authentication Plus Extension. The authentication/authorization of the user is based on the eduPersonPrincipalName and eduPersonOrgUnitDN Shibboleth environment variables. The first variable contains the unique id of the user and the second a list of the groups (and domains) that the user belongs to. The value of the eduPersonOrgUnitDN variable has the following format: ou=group1, ou=group2, o=domain, c=suffix (e.g. ou=editor, o=university, c=com). The extension collects the groups of your domain and maps them to the current list of local user groups; the user receives the authorization privileges of these groups. Place the code in the extensions folder, in a file called "ShibAuthPlusPlugin.php".
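As an added illustration (not the extension's own code), the following PHP shows how an eduPersonOrgUnitDN value in the format described above can be parsed and intersected with the wiki's local groups. The function names, the $wikiDomain parameter and all sample values are assumptions made for this example. The attribute value is passed in as a plain string; in a deployment it should come from the variables the Shibboleth SP populates for the request. A group is granted only if it is both asserted for the wiki's own domain (the o= component) and already defined locally in $wgGroupPermissions, so an assertion cannot create rights the wiki never configured.

```php
<?php
// Added example, not part of the Shibboleth Authentication Plus code.
// Function names, $wikiDomain and the sample values below are assumptions.

/**
 * Parse a DN-style attribute value such as
 * "ou=editor, ou=admin, o=university, c=com" into
 * ['ou' => ['editor', 'admin'], 'o' => ['university'], 'c' => ['com']].
 * Attribute names are lowercased; components without '=' are ignored.
 */
function shibParseOrgUnitDn($dn) {
    $parsed = array();
    foreach (explode(',', $dn) as $component) {
        $component = trim($component);
        if ($component === '' || strpos($component, '=') === false) {
            continue;
        }
        list($attr, $value) = explode('=', $component, 2);
        $attr  = strtolower(trim($attr));
        $value = trim($value);
        if ($value === '') {
            continue;
        }
        $parsed[$attr][] = $value;
    }
    return $parsed;
}

/**
 * Return the local wiki groups to grant for this assertion: only ou= values
 * asserted for $wikiDomain (the o= component), and only those that already
 * exist as keys of $groupPermissions. Unknown groups and assertions for other
 * organisations yield nothing, so the IdP cannot grant rights the wiki never
 * configured.
 */
function shibMapGroups($dn, $wikiDomain, array $groupPermissions) {
    $parsed  = shibParseOrgUnitDn($dn);
    $domains = isset($parsed['o']) ? array_map('strtolower', $parsed['o']) : array();
    if (!in_array(strtolower($wikiDomain), $domains, true)) {
        return array();
    }
    $local   = array_map('strtolower', array_keys($groupPermissions));
    $granted = array();
    $groups  = isset($parsed['ou']) ? $parsed['ou'] : array();
    foreach ($groups as $group) {
        $group = strtolower($group);
        if (in_array($group, $local, true) && !in_array($group, $granted, true)) {
            $granted[] = $group;
        }
    }
    return $granted;
}

// Constructed sample data: the local groups a wiki defines in LocalSettings.php
$wgGroupPermissions = array(
    '*'      => array('read' => true),
    'user'   => array('read' => true, 'edit' => true),
    'editor' => array('read' => true, 'edit' => true, 'createpage' => true),
    'sysop'  => array('delete' => true, 'protect' => true),
);

// Constructed sample attribute value, with one group ('finance') that has no
// local counterpart and therefore must not be granted
$dn = 'ou=editor, ou=finance, ou=sysop, o=university, c=com';

// Evaluated for the wiki's own domain
print_r(shibMapGroups($dn, 'university', $wgGroupPermissions));

// The same assertion evaluated for a wiki belonging to a different domain
print_r(shibMapGroups($dn, 'othercollege', $wgGroupPermissions));
```

The domain check is deliberately performed before any group is considered: an assertion that names a different organisation is treated as granting nothing, rather than as a partial match.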

In addition, the Shibboleth Authentication Plus extension implements a messaging mechanism in order to inform the user during the authentication/authorization process. You can see the generated messages by simply adding the {SHIBMESSAGE} variable to your wiki's first page. Place the code in the extensions folder, in a file called "ShibAuthPlusMessaging.php".

Extension Configuration
Now it's time to configure and load the extension. To do that, just add the following lines to LocalSettings.php in the root of the MediaWiki directory (most of this configuration has been taken from the Shibboleth Authentication Extension page).

At the very minimum you'll need to make the following changes:
 * 1) Place the following code into the LocalSettings.php file.
 * 2) Set the WAYF url.
 * 3) Look over the rest of the variables and ensure that you don't want to make any more changes.

# Shibboleth Authentication Stuff
# Load ShibAuthPlusPlugin
require_once('extensions/ShibAuthPlusPlugin.php');

# Last portion of the shibboleth WAYF url for lazy sessions.
# This value is found in your shibboleth.xml file on the setup for your SP.
# WAYF url will look something like: /Shibboleth.sso/WAYF/$shib_WAYF
$shib_WAYF = "idp.example.org";

# Is the assertion consumer service located at an https address (highly recommended)
# Default for compatibility with previous version: false
$shib_Https = true;

# Prompt for user to login
$shib_LoginHint = "Login via Single Sign-on";

# Where is the assertion consumer service located on the website?
# Default: "/Shibboleth.sso"
$shib_AssertionConsumerServiceURL = "/Shibboleth.sso";

# Do you want to map in names from Shibboleth data?
# Feel free to use extra PHP code to munge the variables if you'd like.
# Additionally, if you wish to only map some of the name data, set this to true
# and either blank shib_RN and shib_email or comment them out entirely.
# (A boolean, not the string "true": the string "false" would also count as enabled.)
$shib_map_info = true;

# Ssssh.... quiet down errors
$olderror = error_reporting(E_ALL ^ E_NOTICE);

# Map Real Name to what Shibboleth variable(s)?
$shib_RN = ucfirst(strtolower($_SERVER['HTTP_FIRST_NAME'])) . ' ' . ucfirst(strtolower($_SERVER['HTTP_LAST_NAME']));

# Map e-mail to what Shibboleth variable?
$shib_email = $_SERVER['HTTP_EMAIL'];

# Shibboleth doesn't really support logging out very well. To take care of
# this we simply get rid of the logout link when a user is logged in through
# Shib. Alternatively, you can uncomment and set the variable below to a link
# that will either clear the user's cookies or log the user out of the IdP;
# instead of deleting the logout link, the extension will then change it.
# $shib_logout = "http://example.org";

# Turn error reporting back on
error_reporting($olderror);

# Activate Shibboleth Plugin (a function call; a bare "SetupShibAuth;" does nothing)
SetupShibAuth();

# Define here the list of your local groups and the privileges of those groups.
# Example for a local group called 'test' (uncomment and adapt):
# $wgGroupPermissions['test']['read'] = true;
# $wgGroupPermissions['test']['edit'] = true;
# $wgGroupPermissions['test']['createpage'] = true;
# $wgGroupPermissions['test']['createtalk'] = true;
# $wgGroupPermissions['test']['upload'] = true;
# $wgGroupPermissions['test']['reupload'] = true;
# $wgGroupPermissions['test']['minoredit'] = true;
# $wgGroupPermissions['test']['delete'] = true;
# $wgGroupPermissions['test']['move'] = true;
# $wgGroupPermissions['test']['editinterface'] = true;
# $wgGroupPermissions['test']['upload_by_url'] = true;
# $wgGroupPermissions['test']['uploadlocal'] = true;
# $wgGroupPermissions['test']['protect'] = true;