Extension:Siteminder Authentication

Overview
SiteMinder is a centralized Web access management system that enables user authentication and single sign-on, policy-based authorization, identity federation, and auditing of access to Web applications and portals.

This extension (which was derived from the work on the Shibboleth Authentication extension ) is designed to aid in synchronizing Mediawiki internal authorization with the credentials supplied via SiteMinder. Current Version: 1.0

Compatibility
This extension is designed for MediaWiki 1.7 and up. However, that compatibility is based solely upon the heritage of the extension, being derived from the Shibboleth Authentication extension. It has only been tested by the author on MediaWiki 1.11.

SiteMinder Configuration
The extension requires that a SiteMinder agent be configured and set up on the web server the wiki is hosted on. Once SiteMinder is running on the web server make sure your configuration file is correctly set-up. As shown in the sample configuration for this extension, the SiteMinder agent should supply HTTP headers named You may also choose to use other SiteMinder capabilities for communicating from Siteminder to the extension, such as cookies, but you'll need to modify the LocalSettings.php configuration accordingly.
 * full_name
 * user_name
 * email

Download the Extension
The code for the extension is at the bottom of this page. Place it in the extensions folder, in a file called "SiteminderAuthPlugin.php."

Extension Configuration
Now it's time to configure and load the extension. To do that, just add the following lines to LocalSettings.php in the root of the mediawiki directory.

Most of the configuration directives are of the form: $siteminder_SOMELETTERS = data_manipulation_functions($_SERVER['HEADER_FOR_SITEMINDER_DATA']); This allows you to map whatever SiteMinder identifiers you choose to a variety of fields for each user as well as use the standard PHP functions to massage the data as it enters.

At the very minimum you'll need to make the following changes:
 * 1) Place the following code into the LocalSettings.php file.
 * 2) Map a valid piece of Siteminder data for the username.
 * 3) Look over the rest of the variables and ensure that you don't want to make any more changes.

require_once('extensions/SiteminderAuthPlugin.php');
 * 1) Siteminder Authentication
 * 2) Load SiteminderPlugin

$siteminder_map_info = "true";
 * 1) Map data from Siteminder to local user data

$olderror = error_reporting(E_ALL ^ E_NOTICE);
 * 1) Ssssh.... quiet down errors

$siteminder_real_name = $_SERVER['HTTP_FULL_NAME']; $siteminder_user_name = ucfirst(strtolower($_SERVER['HTTP_USER_NAME'])); $siteminder_email = $_SERVER['HTTP_EMAIL'];
 * 1) Map Siteminder variables to extension variables


 * 1) Siteminder logoff URL (uncomment and set proper URL if you want a logout link)
 * 2) $siteminder_logout = "";

error_reporting($olderror);
 * 1) Turn error reporting back on

SetupSiteminderAuth;
 * 1) Activate Siteminder Plugin

Using the Extension
The extension is designed to be fairly simple to use. Once everything is configured and SiteMinder is running the user should be challenged before seeing any of the wiki screens, unless they have already been authenticated elsewhere for some other SiteMinder-protected application.

Adding more Metadata
If you wish to add more mappings from Mediawiki data to SiteMinder data than is available, you can simply add them in the configuration file. The only code changes you will have to do are in the updateUser function of the SiteminderAuthPlugin.php file.

Logout Functionality
By default logout is disabled, relying on the closing of the browser or possibly logging out via an enclosing portal's authentication scheme. Alternatively you may point logout to a url provided by your SiteMinder administrator which will allow logout.

Username Munging
While the extension will enforce the rule that all usernames must begin with a capital letter, it will not enforce any of the rest of mediawiki's usual rules for usernames. If your SiteMinder data will break other mediawiki username rules you should filter that out at the configuration level when $siteminder_user_name gets set. In addition, if your SiteMinder data includes sets of usernames that may only be separated by difference of upper and lower-case initial letters (Like "Nick@example.org" and "nick@example.org") then the plugin will treat these two as if they were not distinct. Again the solution is to provide additional filtering in LocalSettings.php. By default we simply use the SiteMinder user name converting any letters to lowercase and then pass those in. (Again, the extension takes care of converting the initial letter to uppercase.)

Missing Features
There are several features I'd like to incorporate, but haven't yet. Having used the LDAP Authentication extension before, I'd like to borrow some of its features. Note that references below to LDAP Group would be replaced with what ever ACL mechanism your authentication facility provides:
 * Restrictions by LDAP groups Presently, the Siteminder facility itself can control access by examining LDAP groups and allowing/denying access to the site. However, I'd like to provide the flexibility to do that within the wiki so that a more generic SiteMinder definition might be used on a given server.
 * Synchronization with LDAP groups Essentially, I'd like to be able to populate permission groups via the external authentication facility's features and have those flow into the wiki implementation.
 * Disable password change Changing of passwords within the wiki is meaningless if the site is protected only by Siteminder. I'd like to add code to remove the option of changing your password, but I simply haven't done any research into that area.

Suggestions
Feel free...

Changelog
No changes yet.

Heritage
Based upon the Shibboleth extension authored by D.J. Capelis and Steven Langenake

Bug Reporters
No bugs (found) yet

Testers
No testers yet