CoSign Authentication Backend

CoSign is an open source single sign-on web authentication system developed by the University of Michigan. If your group uses CoSign for web application authentication, you can use it to authenticate your DokuWiki accounts.

Since CoSign only handles authentication and NOT authorization, this solution still uses the user-manager plug-in to set up the users authorized to access the DokuWiki and the groups that they belong to. The passwords set in the user-manager plug-in are ignored.

Requirements

Code

Save this under …/dokuwiki/inc/auth/cosign.class.php:

cosign.class.php
<?php
/**
 * Cosign authentication backend
 *
 * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
 * @author     Paul Rentschler <par117@psu.edu>
 * Version: 1.0
 * last modified: 2009-06-18 15:54
 *
 * Work based on the plaintext authentication backend:
 * @author     Andreas Gohr <andi@splitbrain.org>
 * @author     Chris Smith <chris@jalakai.co.uk>
 */
 
define('DOKU_AUTH', dirname(__FILE__));
require_once(DOKU_AUTH.'/plain.class.php');
 
define('AUTH_USERFILE',DOKU_CONF.'users.auth.php');
 
// we only accept page ids for auth_plain
if(isset($_REQUEST['u']))
  $_REQUEST['u'] = cleanID($_REQUEST['u']);
if(isset($_REQUEST['acl_user']))
  $_REQUEST['acl_user'] = cleanID($_REQUEST['acl_user']);
// the same goes for password reset requests
if(isset($_POST['login'])){
  $_POST['login'] = cleanID($_POST['login']);
}
 
class auth_cosign extends auth_plain {
 
    /**
     * Constructor
     *
     * Carry out sanity checks to ensure the object is
     * able to operate. Set capabilities.
     *
     * @author  Paul Rentschler <par117@psu.edu>
     */
    function auth_cosign() {
      // call the parent constructor
      parent::auth_plain();
 
      // indicate we should be trusting an external auth checker
      $this->cando['external'] = true;
    }
 
 
 
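    /**
     * Trust External AuthN
     *
     * Accepts the login only when the web server has set REMOTE_USER
     * (done by the CoSign filter) and that user exists in users.auth.php.
     *
     * @author  Paul Rentschler <par117@psu.edu>
     * @return  bool
     */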
    function trustExternal($user,$pass,$sticky=false) {
      global $USERINFO;
 
      $result = false;
 
      if (!empty($user)) {
        // verify the user is logged in through WebAccess
        // strict comparison, so numeric-looking names are never loosely equal
        if (isset($_SERVER['REMOTE_USER']) && $_SERVER['REMOTE_USER'] !== '' && $_SERVER['REMOTE_USER'] === $user) {
          $userinfo = $this->getUserData($user);
          if ($userinfo !== false) {
            $result = true;
          }
        }
 
      } else {
        // regular session auth check
        if (isset($_SERVER['REMOTE_USER']) && $_SERVER['REMOTE_USER'] <> '') {
          $userinfo = $this->getUserData($_SERVER['REMOTE_USER']);
          if ($userinfo !== false) {
            $result = true;
          }
        }
      }
 
      // set the necessary global variables
      if ($result) {
        $USERINFO = $userinfo;
 
        // set session
        $_SESSION[DOKU_COOKIE]['auth']['user'] = $_SERVER['REMOTE_USER'];
        $_SESSION[DOKU_COOKIE]['auth']['pass'] = '';
        $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
        $_SESSION[DOKU_COOKIE]['auth']['info'] = $userinfo;
        $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
      }
 
      return $result;
    }
 
}
 
//Setup VIM: ex: et ts=2 enc=utf-8 :

Configuration

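Configure Apache to use CoSign for authentication and preferably do it over SSL. See the CoSign documentation for how to set this up. The backend accepts whatever user name the web server passes in REMOTE_USER, so the wiki should only be reachable through the CoSign-protected Apache configuration.

Authorized users can now be managed via the user-manager plugin. The passwords in users.auth.php are ignored. Just put a dummy value in there.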

You may want to remove the Login and Logout buttons from the template as well since they have no use. Logout is accomplished by closing the browser window or by the timeout specified by the CoSign server.
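
The split described on this page (CoSign authenticates, users.auth.php authorizes), as an added example that is not part of the original backend: a stand-alone PHP script that models the decision trustExternal() makes, run over constructed requests. parseUsers(), decide() and the sample accounts are assumptions made for illustration.

```php
<?php
// Added example: stand-alone model of the backend's trust decision.
// parseUsers() and decide() are hypothetical helpers, not DokuWiki functions.

// Constructed sample in the users.auth.php layout: login:hash:name:email:groups
$usersFile = <<<'EOT'
# constructed sample data
alice:dummy:Alice Example:alice@example.edu:admin,user
bob:dummy:Bob Example:bob@example.edu:user
EOT;

// Build the authorization list; the password field is never read.
function parseUsers($text) {
    $users = [];
    foreach (preg_split('/\r?\n/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') continue;
        $f = explode(':', $line, 5);
        if (count($f) < 5) continue;               // skip malformed rows
        $users[$f[0]] = ['name' => $f[2], 'mail' => $f[3],
                         'grps' => explode(',', $f[4])];
    }
    return $users;
}

// Authentication comes only from REMOTE_USER; authorization from $users.
function decide(array $server, $formUser, array $users) {
    $remote = isset($server['REMOTE_USER']) ? $server['REMOTE_USER'] : '';
    if ($remote === '') return 'deny: REMOTE_USER not set by the web server';
    if (!empty($formUser) && $formUser !== $remote)
        return 'deny: submitted name differs from REMOTE_USER';
    if (!isset($users[$remote])) return 'deny: authenticated, not in user list';
    return 'allow: ' . $remote . ' [' . implode(',', $users[$remote]['grps']) . ']';
}

$users = parseUsers($usersFile);
$cases = [   // constructed requests: [$_SERVER subset, submitted login name]
    'listed user via CoSign'    => [['REMOTE_USER' => 'alice'], ''],
    'CoSign user, not listed'   => [['REMOTE_USER' => 'carol'], ''],
    'no REMOTE_USER in request' => [[], 'alice'],
    'submitted name mismatch'   => [['REMOTE_USER' => 'bob'], 'alice'],
];
foreach ($cases as $label => $case) {
    printf("%-27s %s\n", $label, decide($case[0], $case[1], $users));
}
```

Only the first case is allowed; the other three show that a CoSign login alone, a missing REMOTE_USER, or a submitted name that does not match REMOTE_USER never yields a wiki session.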

Discussion

2009/06/05: Currently experiencing a problem that the authentication does not work when saving changes. Am working on a fix.
2009/06/18: Reworked the authentication class and resolved the problem of being logged out when saving changes.

This is awesome. Thank you.