Release status: experimental
|Description||Replaces password authentication with the one based on client SSL certificates.|
|License||BSD 3-clause "Modified" License|
|Translate the SSLClientAuth extension if it is available at translatewiki.net|
|Check usage and version matrix.|
The SSLClientAuth extension replaces password authentication with the one based on client SSL certificates.
Conceptually it's the same as SSL authentication extension, but it has been written for modern (1.25) MediaWiki version and uses much less hacks.
The first time user tries to open the wiki with a valid client certificate, a new account with name specified in certificate's Common Name is created automatically. Account registration should probably be disabled, as no user can log in without a certificate anyway.
It has only been tested with nginx with PHP running in FastCGI mode, but it should be easy to add support for other servers, too.
- Enable client certificate validation on nginx:
ssl_client_certificate <path to .ca file>
fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn
- Download and place the file(s) in a directory called
- Add the following code at the bottom of your LocalSettings.php:
wfLoadExtension( 'SSLClientAuth' );
- Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
To users running MediaWiki 1.24 or earlier:
The instructions above describe the new way of installing this extension using
wfLoadExtension(). If you need to install this extension on these earlier versions (MediaWiki 1.24 and earlier), instead of
wfLoadExtension( 'SSLClientAuth' );, you need to use: