Extension:PIVLogin

The PIVLogin extension enables PIV card authentication for MediaWiki, similar to the way Windows authenticates a PIV card holder against Active Directory. This is compliant with US Federal Government standards regarding HSPD-12.

This extension uses the Subject Alternative Name (SAN) of the PIV Authentication certificate on the card to authenticate the user against Active Directory: the userPrincipalName attribute of the Active Directory account must match the Principal Name (UPN) carried in the certificate's SAN. The extension reads the SAN from the card certificate itself, bypassing PHP bug 60388, which normally prevents the value from being read.
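The SAN extraction and the Active Directory lookup described above, as an added example that is not code from the PIVLogin extension (the extension is PHP; this is Python, standard library only, so it runs anywhere). It walks the DER-encoded SubjectAltName extension value, extracts the UPN otherName (OID 1.3.6.1.4.1.311.20.2.3, the "Principal Name" shown by the Windows certificate viewer), refuses a certificate that does not carry exactly one UPN, and builds the RFC 4515-escaped search filter a lookup on userPrincipalName should use. The SAN bytes are constructed inline with a small DER encoder; in production they come from the client certificate Apache exports. All function names and the sample values are this example's own.

```python
"""Parse a PIV certificate's SubjectAltName for the UPN and build a safe AD filter.

Added example for this page, not code from the PIVLogin extension. Standard
library only; the SAN bytes below are constructed here, not taken from a card.
"""

# otherName type-id Microsoft uses for the user principal name in the SAN
UPN_OID = "1.3.6.1.4.1.311.20.2.3"


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags do not occur in a SAN")
    length = buf[pos + 1]
    hdr = 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], end


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_san(der):
    """Return [(kind, value), ...] for a DER GeneralNames SEQUENCE (RFC 5280 4.2.1.6)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SAN is not a single SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if (tag & 0xC0) != 0x80:
            raise ValueError("GeneralName must be context-specific")
        choice = tag & 0x1F
        if choice == 0:                      # otherName: OID, then [0] EXPLICIT value
            otag, oid_raw, p = _read_tlv(val, 0)
            vtag, wrapped, _ = _read_tlv(val, p)
            if otag != 0x06 or vtag != 0xA0:
                raise ValueError("malformed otherName")
            itag, inner, _ = _read_tlv(wrapped, 0)
            if decode_oid(oid_raw) == UPN_OID and itag == 0x0C:   # UPN is a UTF8String
                names.append(("upn", inner.decode("utf-8")))
            else:
                names.append(("otherName:" + decode_oid(oid_raw), inner))
        elif choice == 1:
            names.append(("rfc822Name", val.decode("ascii")))
        elif choice == 2:
            names.append(("dNSName", val.decode("ascii")))
        else:
            names.append(("GeneralName[%d]" % choice, val))
    return names


def upn_from_san(der):
    """The card's principal name; exactly one must be present or login is refused."""
    upns = [v for k, v in parse_san(der) if k == "upn"]
    if len(upns) != 1:
        raise ValueError("expected exactly one UPN in SAN, found %d" % len(upns))
    return upns[0]


def ldap_filter_escape(text):
    """RFC 4515 escaping so the UPN cannot alter the meaning of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in text)


def ad_filter_for(der):
    """Search filter for the userPrincipalName match described on this page."""
    return "(&(objectClass=user)(userPrincipalName=%s))" % ldap_filter_escape(upn_from_san(der))


# --- constructed sample input (a minimal DER encoder so the bytes are right) ---
def der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def sample_san():
    """Constructed SAN: one UPN otherName plus an rfc822Name (shows other names are ignored)."""
    upn = der_tlv(0xA0, der_tlv(0x06, encode_oid(UPN_OID))
                  + der_tlv(0xA0, der_tlv(0x0C, b"1234567890@example.gov")))
    mail = der_tlv(0x81, b"jane.doe@example.gov")
    return der_tlv(0x30, upn + mail)


if __name__ == "__main__":
    print(parse_san(sample_san()))
    print(ad_filter_for(sample_san()))
```

Two points carry over to any implementation: the SAN value must be escaped before it is interpolated into the LDAP filter, and it should only be acted on when SSL_CLIENT_VERIFY is SUCCESS, because with SSLVerifyClient optional (see the ssl.conf section) a request that presented no certificate at all still reaches the application.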

Prerequisite Actions

 * 1) Install the SSL Authentication extension.
 * 2) The SSL Authentication extension requires some changes to LocalSettings.php. Be sure to replace them with the code from the LocalSettings.php section below.
 * 3) Install mod_ssl, openssl and php-ldap:
 yum install mod_ssl openssl php-ldap

Installation
Follow these steps to install the PIVLogin extension. The steps listed below are for a server running CentOS and Apache.

Download & Configure the PIV Login Extension

 * 1) Download the extension here and place the .zip file in /extensions/SSLAuthentication/
 * 2) Unzip the contents
 * 3) Create the USERCERT directory (must be in all caps) under /extensions/SSLAuthentication/ and make sure it has the permissions rwxr-xr-x (0755) and is owned by apache
 * 4) Go into getldapsam.php and adjust the following parameter values:
   * LDAPHost should be: ldaps://YourADServer:ADPort
   * dn should be: "DC=YourOrg,DC=com"
   * LDAPUser should be the username of the service account for your LDAP server (e.g. ADServiceAccountName@yourorganization.com)
   * LDAPUserPassword is the password associated with the service account. It is stored in clear text in this file, so use a read-only account and make getldapsam.php unreadable to other local users.

Acquire Certificates & Configure LDAP settings

 * 1) Export the CA trust certificates from your PIV card:
   * Insert your PIV card into your computer and open Internet Explorer
   * Go to Internet Options -> Content tab and click the Certificates button
   * Go through your list of certificates under the Personal tab by clicking View for each; select the Certification Path tab and look for ...PIV Authentication Key (see screenshot below).
 [[File:PIVAuthenticationKeyScreenShot.png]]
   * If you do not see ...PIV Authentication Key, go to the Details tab, locate the Subject Alternative Name field and look for Principal Name = ... (see screenshot below).
 [[File:PIVAuthenticationAlternateScreenShot.png]]
   * Once you have located it, select the first certificate in the hierarchy (CA Level 1) and click View Certificate
   * Choose the Details tab -> click Copy to File...
   * In the certificate export wizard make sure you choose Base-64 encoded X.509 (.CER)
   * Repeat this for each CA certificate in the path. After all the certificates have been downloaded, open each one in Notepad
   * Copy/paste all of the contents into one of the certificates (the order of the certificates does not matter)
   * Place that file on your Apache server under /etc/pki/tls/certs
 * 2) If the connection to AD is not done through LDAPS you can skip this step. Otherwise:
   * Obtain the SSL certificate of the AD server from your AD admin
   * Place the certificate under /etc/openldap/cacerts
   * Modify /etc/openldap/ldap.conf to match your environment. The value TLS_CACERT should be /etc/openldap/cacerts/YourADSSL.pem; this is the CA file php-ldap uses to verify the domain controller's certificate.

Configure HTTPS

 * 1) Configure HTTPS by following these steps

Modify ssl.conf

 * 1) Modify ssl.conf located in /etc/httpd/conf.d/ with the text below. The lines starting with # are the explanations that appeared in red on the original page; keep them as comments or remove them, and substitute your own file names and wiki name:

 ErrorLog logs/ssl_error_log
 TransferLog logs/ssl_access_log
 LogLevel warn
 SSLEngine on
 # The page originally had "-all +TLSv1 +SSLv3". SSLv3 is broken (POODLE) and must
 # stay off; TLS 1.2 is the lowest version that should be accepted.
 SSLProtocol -all +TLSv1.2
 # +StdEnvVars makes SSL_CLIENT_VERIFY visible to mod_rewrite below; +ExportCertData
 # hands the client certificate to PHP (SSL_CLIENT_CERT) so the extension can read the SAN
 SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars +ExportCertData
 # The page originally had HIGH:MEDIUM; MEDIUM admits ciphers that are no longer acceptable
 SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
 SSLProxyEngine off
 # The server certificate and key you created when configuring HTTPS
 SSLCertificateFile /etc/pki/tls/certs/ca.crt
 SSLCertificateKeyFile /etc/pki/tls/private/ca.key
 # The combined PIV CA bundle you built in "Acquire Certificates" (step 1 of that section)
 SSLCACertificateFile /etc/pki/tls/certs/layer.crt
 # SSLRequireSSL is only accepted inside a <Directory> or <Location> block, not bare
 # under the VirtualHost as the original page listed it; substitute the name of your wiki
 <Location /NameOfYourWikiHere>
     SSLRequireSSL
 </Location>
 # Keep this "optional": with "require" a visitor without a card gets a bare TLS
 # failure instead of the PIV_Login_Error page the RewriteRule below sends them to
 SSLVerifyClient optional
 # Number of CA levels in the card's certification path, 4 in the screenshot at
 # http://www.mediawiki.org/wiki/File:PIVAuthenticationKeyScreenShot.png
 SSLVerifyDepth 4
 RewriteEngine on
 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
 # Substitute the name of your wiki
 RewriteRule .* http://%{SERVER_NAME}/NameOfYourWikiHere/index.php/PIV_Login_Error [R,L]

LocalSettings.php
Copy & paste the following. Note that the paths here use extensions/SSLauthentication while the installation steps use /extensions/SSLAuthentication/; Linux paths are case-sensitive, so use the spelling of the directory you actually created. $filename must already be set by the included extension files before the last lines run:

 require_once('extensions/SSLauthentication/SSLAuthPlugin.php');
 $ssl_map_info = false;
 include 'extensions/SSLauthentication/getsubjectaltname.php';
 // Principal Name read from the card certificate's Subject Alternative Name
 $output2 = getsubjectaltname();
 include 'extensions/SSLauthentication/getldapsam.php';
 // Account name returned by the Active Directory lookup keyed on that UPN
 $ssl_UN = getldapsam($output2);
 SSLAuthSetup();
 // Remove the temporary copy of the client certificate. The original page did this with
 // shell_exec("rm -rf extensions/SSLauthentication/USERCERT/'$filename'"), which passes a
 // certificate-derived name through a shell; unlink() on a basename-checked path avoids that.
 $certfile = 'extensions/SSLauthentication/USERCERT/' . basename($filename);
 if (is_file($certfile)) {
     unlink($certfile);
 }

Additional Steps

 * 1) Create a page on your wiki entitled PIV_Login_Error and put in any text you would like to appear if the login fails
 * 2) Create a page on your wiki entitled PIV_Login containing only: #REDIRECT [[Main Page]]
 * 3) Protect this page so that only administrators can change the redirect target
 * 4) Modify your UserLogin.php (/var/www/html/NAMEOFWIKI/includes/templates/) so that it contains a link to the page you created in step 2. Make sure this link starts with "https://", otherwise the browser is never asked for the card certificate.