Monday, July 30, 2012

Shibboleth SP part 4 (MediaWiki Configuration)

Integrating Shibboleth login with Mediawiki


  • This extension will not create a new user if the user is not exist, the mediawiki user must be created first before they can login using shibboleth, if the user is not exist, the mediawiki will report an error after the user authenticated with shibboleth.
  • Create file ShibAuthPlugin.php in mediawiki extensions directory, and put the code like in this link.
  • Create file wiki_login.php in mediawiki root directory, and put the code like in this link, and add header("Location: /Shibboleth.sso/Logout"); so the code looks like the following:
 $obj_user = new User();
 header("Location: /Shibboleth.sso/Logout");
  • For mediawiki lower than 1.13 version change in both files this directive:
specials/SpecialUserlogin.php to SpecialUserlogin.php
  • and in file ShibAuthPlugin.php change this line:
ShibUserLoadFromSession($user, true); to ShibUserLoadFromSession($user, $result);

above line is a hack for mediawiki prior 1.13 version, that hack is work but need to refresh the browser after login via shibboleth.


Configure LocalSettings.php and add the following code:
$shib_WAYF = "Login";
$shib_WAYFStyle = "";
$shib_Https = true;
$shib_LoginHint = "Shibboleth Login";
$shib_AssertionConsumerServiceURL = "/Shibboleth.sso";

// prevent errors reported because the variable not defined yet
if (!isSet($_SERVER['fn']))$_SERVER['fn']="aaaa";
if (!isSet($_SERVER['mail']))$_SERVER['mail']="bbbb";
if (!isSet($_SERVER['uid']))$_SERVER['uid']="";

$shib_RN = ucfirst(strtolower($_SERVER['fn']));
$shib_email = $_SERVER['mail'];

// enable this to update mediawiki data using Shibboleth attribute
#$wgHooks['ShibUpdateUser'][] = 'ShibUpdateTheUser';
#function ShibUpdateTheUser($existing, &$user) {
#       global $shib_email;
#       global $shib_RN;
#       if (! $existing) {
#               if($shib_email != null)
#                       $user->setEmail($shib_email);
#               if($shib_RN != null)
#                       $user->setRealName($shib_RN);
#       }

$shib_UN = strtolower($_SERVER['uid']);
# call the logout script
$shib_logout = "/mediawiki/wiki_login.php?logout=yes";

apache configuration

  • Add the following rule in the apache configuration
AuthType Shibboleth
ShibRequireSession Off
Require Shibboleth
  • Example
<Directory /var/www/https/>
   Options -Indexes FollowSymLinks -MultiViews
   AllowOverride None
   Order allow,deny
   allow from all
   AuthType shibboleth
   Require shibboleth


Original source from CakePHP Mediawiki :

global $preIP ;
$preIP dirname__FILE__ );
"$preIP/includes/WebStart.php" );
#Initialize MediaWiki base class
require_once( "$preIP/includes/Wiki.php" );
session_id() == '' ) {
$form = new LoginForm$wgRequestNULL );
$obj_user = new User();
$_GET['wpLoginattempt']) && $_GET['wpLoginattempt']=="Log in")
$_GET['wpCreateaccount']) && $_GET['wpCreateaccount']=="Create account")
//Create account

<< Moodle & Wordpress Conf | Shibboleth IDP and Kerberos >>

No comments: