Extension:Shibboleth Authentication Plus

Overview
Shibboleth is a single sign-on identity management solution that is a project of Internet2. It is in use not only at many universities in the US and elsewhere, but also on sites such as openidp, to provide authentication to a range of applications. This extension allows MediaWiki to use Shibboleth as an external authentication source. Specifically, it extends the functionality of the Shibboleth Authentication Extension by supporting group-based user authentication/authorization and implementing a messaging mechanism.

Current Version: 1.0

Compatibility
This extension is designed for MediaWiki 1.7 and up. If you want to use this extension with the 1.6 branch or earlier, look at bugs 5819 and 6006 and apply the SVN changes that took place.

Shibboleth Configuration
The extension requires that Shibboleth be configured and set up on the web server hosting the wiki. Once Shibboleth is running on the web server, make sure your configuration file is set up correctly; your IdP should be able to help you with this. The extension uses lazy sessions and a WAYF URL, so you will want to verify these are set up as well. (You can use full sessions if you want, but the extension is designed for lazy sessions so that the standard wiki authentication can co-exist alongside it.) You will need to tell the extension which WAYF URL to use.

The part of the configuration file (shibboleth.xml) where the WAYF URL will be present is here: ...

For lazy sessions in Apache, the following lines in your Apache configuration files will do:

    ...
    AuthType shibboleth
    Require shibboleth

If you don't want lazy sessions but would rather require Shibboleth authentication for every request, then use:

    ...
    AuthType shibboleth
    ShibRequireSession On
    Require valid-user

Download the Extension
The code for this extension is composed of the extended code of the Shibboleth Authentication Extension plus the code that implements the group-based user authentication/authorization and the messaging mechanism. The following sections give a detailed description of the extension code.

Shibboleth Authentication Code
Below you can see the code of the Shibboleth Authentication Extension. The only change made to this code is the definition of the $shib_GRP variable, which holds the list of groups a user belongs to and adds that list to the wiki's database. Place it in the extensions folder, in a file called "ShibAuthPlugin.php".

Shibboleth Authentication Plus Code
In this section you can see the code of the Shibboleth Authentication Plus Extension. The authentication/authorization of the user is made using the Shibboleth environment variables eduPersonPrincipalName (REMOTE_USER) and eduPersonOrgUnitDN (HTTP_SHIB_EP_ORGUNITDN). The first variable contains the unique id of the user and the second a list of the groups (and domains) that the user belongs to. The value of the eduPersonOrgUnitDN variable has the following format: ou=group1, ou=group2, o=domain, c=suffix (e.g. ou=editor, o=university, c=com). The extension collects the groups of your domain and adds them to the current user's list of groups. If those groups are also defined locally, the user receives the authorization privileges of these groups. Place the code in the extensions folder, in a file called "ShibAuthPlusPlugin.php".
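The group extraction described above, as an added PHP example that is not the extension's own code: it parses an eduPersonOrgUnitDN value, keeps the ou= entries only when the o= entry matches the wiki's own domain, and grants only groups the wiki defines locally. The function name, the $localDomain parameter and the sample values are assumptions for illustration; the value must come from the Shibboleth SP module on the server, never from a header a client can set itself.

```php
<?php
// Added example, not part of the Shibboleth Authentication Plus extension.
// Parses "ou=group1, ou=group2, o=domain, c=suffix" (the eduPersonOrgUnitDN
// format the extension reads from HTTP_SHIB_EP_ORGUNITDN) and returns the
// groups a user may be given on this wiki.

/**
 * @param string   $orgUnitDn   raw attribute value from the SP (empty on a lazy
 *                              session with no Shibboleth login)
 * @param string   $localDomain the o= value this wiki accepts (assumed setting)
 * @param string[] $localGroups group names the wiki defines locally
 * @return string[] groups to add to the user; empty if nothing qualifies
 */
function shibGroupsForLocalDomain($orgUnitDn, $localDomain, array $localGroups) {
    $orgUnits = array();
    $organisations = array();
    foreach (explode(',', (string)$orgUnitDn) as $rdn) {
        $rdn = trim($rdn);
        if ($rdn === '' || strpos($rdn, '=') === false) {
            continue; // malformed component: skip rather than guess
        }
        list($type, $value) = explode('=', $rdn, 2);
        $type = strtolower(trim($type));
        $value = trim($value);
        if ($value === '') {
            continue;
        }
        if ($type === 'ou') {
            $orgUnits[] = $value;
        } elseif ($type === 'o') {
            $organisations[] = strtolower($value);
        }
        // c= and any unknown attribute types are ignored.
    }
    // Groups asserted for another organisation must not map onto local groups.
    if (!in_array(strtolower($localDomain), $organisations, true)) {
        return array();
    }
    // Only groups that exist locally carry privileges, as the page describes.
    return array_values(array_intersect($orgUnits, $localGroups));
}

// Constructed sample input: two local groups, one unknown group, a mixed-case domain.
$sample = 'ou=editor, ou=sysop, ou=unknownrole, o=University, c=com';
var_dump(shibGroupsForLocalDomain($sample, 'university', array('editor', 'sysop', 'bureaucrat')));

// Constructed sample input from a different organisation: no groups are granted.
var_dump(shibGroupsForLocalDomain('ou=sysop, o=otheruni, c=edu', 'university', array('sysop')));
```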