Dokuwiki Shibboleth Authentication Backend

Moved to https://github.com/ivan-novakov/dokushib

About

The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

This authentication backend takes advantage of the infrastructure provided by the Shibboleth Service Provider. The backend determines the user's username and info from the environment variables that Shibboleth sets for the corresponding user attributes.

Requirements

  • a Dokuwiki installation :)
  • Shibboleth Service Provider 1.3+

Installation

  1. Download the backend pack
  2. Unpack it anywhere
  3. Copy backend/shib.class.php to dokuwiki/inc/auth

Configuration

Dokuwiki

The only required part of the configuration is:

$conf['authtype'] = 'shib';

Put it in your conf/local.php configuration file, or put it in a separate file and include that file from conf/local.php.

You can use some additional configuration directives if the default settings don't suit you or if you need some advanced features. These directives are described in the example configuration file supplied with the pack: conf/example-shibauth-conf.php.

Shibboleth

Make sure that you have configured Shibboleth to protect your Dokuwiki root directory.

In Apache:

<Directory "/var/www/site/dokuwiki/">
  AuthType shibboleth
  ShibRequireSession On
  require valid-user
</Directory>

In shibboleth2.xml:

    <RequestMapper type="Native">
        <RequestMap applicationId="default">
            <Host name="wiki.example.org">
                <Path name="dokuwiki" requireSession="true" />
            </Host>
        </RequestMap>
    </RequestMapper>

Lazy sessions

The above configuration is pretty simple, but it is suitable only for closed wikis (that is, users always need to authenticate to get access). For anonymous access, the so-called lazy sessions have to be enabled in Shibboleth.

In Apache:

<Directory "/var/www/sites/dokuwiki/">
  AuthType shibboleth
  require shibboleth
</Directory>

In shibboleth2.xml:

    <RequestMapper type="Native">
        <RequestMap applicationId="default">
            <Host name="wiki.example.org"> 
                <Path name="dokuwiki" requireSession="false" authType="shibboleth" />
            </Host>
        </RequestMap>
    </RequestMapper>

Lazy sessions have to be enabled in the wiki configuration too. Add the following to the authentication backend configuration in conf/local.php:

$conf['auth']['shib']['lazy_sessions'] = true; 

With that configuration, anonymous access to your wiki is granted. But what if a user wants to log in? You need to trigger the session initiation process somehow. The simplest way to accomplish this is to add a login button somewhere in your wiki. That button (or link) simply sends the user to the appropriate Shibboleth handler URL (something like /Shibboleth.sso/Login?target=https://wiki.example.org/afterlogin), which triggers the session initiation process. Upon successful authentication, the user is redirected back.

A more elegant way is to intercept the native LOGIN action in Dokuwiki. That can be easily done through the simple action Dokuwiki plugin I wrote for that purpose.
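
A sketch of how a backend can tell an anonymous lazy-session visitor from an authenticated one and build the login link described above. This is an added example, not code from the backend pack; the function names are hypothetical, and the variable names Shib-Session-ID, REMOTE_USER, displayName and mail are assumptions that depend on your Shibboleth SP version and attribute mapping.

```php
<?php
// Added example, not code from the backend pack. Assumed variable names:
// Shib-Session-ID and REMOTE_USER as exported by the Shibboleth SP;
// displayName and mail depend on the SP's attribute mapping.

/**
 * Return user info when a Shibboleth session exists, or null for an
 * anonymous (lazy session) visitor.
 */
function shib_user_from_env(array $server): ?array
{
    // With lazy sessions the request reaches PHP even without a session,
    // so a missing session ID means "anonymous", not "error".
    if (empty($server['Shib-Session-ID']) || empty($server['REMOTE_USER'])) {
        return null;
    }
    return [
        'user' => $server['REMOTE_USER'],
        'name' => $server['displayName'] ?? $server['REMOTE_USER'],
        'mail' => $server['mail'] ?? '',
    ];
}

/**
 * Build the session-initiator link for a login button. The return target
 * is always built from the wiki's own base URL, never copied verbatim
 * from request input, and is URL-encoded as a single query value.
 */
function shib_login_url(string $wikiBase, string $returnPath = '/'): string
{
    $target = rtrim($wikiBase, '/') . '/' . ltrim($returnPath, '/');
    return '/Shibboleth.sso/Login?target=' . rawurlencode($target);
}

// Constructed sample inputs (not captured from a real server).
$anonymous = ['REQUEST_URI' => '/dokuwiki/doku.php'];
$loggedIn  = [
    'Shib-Session-ID' => '_constructed_session_id',
    'REMOTE_USER'     => 'alice@example.org',
    'mail'            => 'alice@example.org',
];

var_dump(shib_user_from_env($anonymous));
print_r(shib_user_from_env($loggedIn));
echo shib_login_url('https://wiki.example.org', '/afterlogin'), "\n";
```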

Feedback

You can send your comments here.

Issues

Contact

dokuwiki/auth/shib.txt · Last modified: 2013/01/03 17:48 by commanche
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported