CoSign Authentication Backend
CoSign is an open source single sign-on web authentication system developed by the University of Michigan. If your group uses CoSign for web application authentication, you can use it to authenticate your DokuWiki accounts.
Since CoSign only handles authentication and NOT authorization, this solution still uses the user-manager plug-in to set up the users authorized to access the DokuWiki and the groups that they belong to. The passwords set in the user-manager plug-in are ignored.
Requirements
- a CoSign server
- configuration parameters for your web server (Apache)
Code
Save this under …/dokuwiki/inc/auth/cosign.class.php:
```php
<?php
/**
 * Cosign authentication backend
 *
 * @license   GPL 2 (http://www.gnu.org/licenses/gpl.html)
 * @author    Paul Rentschler <par117@psu.edu>
 * Version: 1.0
 * last modified: 2009-06-18 15:54
 *
 * Work based on the plaintext authentication backend:
 * @author    Andreas Gohr <andi@splitbrain.org>
 * @author    Chris Smith <chris@jalakai.co.uk>
 */

define('DOKU_AUTH', dirname(__FILE__));
require_once(DOKU_AUTH.'/plain.class.php');

define('AUTH_USERFILE',DOKU_CONF.'users.auth.php');

// we only accept page ids for auth_plain
if(isset($_REQUEST['u']))
  $_REQUEST['u'] = cleanID($_REQUEST['u']);
if(isset($_REQUEST['acl_user']))
  $_REQUEST['acl_user'] = cleanID($_REQUEST['acl_user']);
// the same goes for password reset requests
if(isset($_POST['login'])){
  $_POST['login'] = cleanID($_POST['login']);
}

class auth_cosign extends auth_plain {

  /**
   * Constructor
   *
   * Carry out sanity checks to ensure the object is
   * able to operate. Set capabilities.
   *
   * @author  Paul Rentschler <par117@psu.edu>
   */
  function auth_cosign() {
    // call the parent constructor
    parent::auth_plain();

    // indicate we should be trusting an external auth checker
    $this->cando['external'] = true;
  }

  /**
   * Trust External AuthN
   *
   * @author  Paul Rentschler <par117@psu.edu>
   * @return  bool
   */
  function trustExternal($user,$pass,$sticky=false) {
    global $USERINFO;

    $result = false;
    if (!empty($user)) {
      // verify the user is logged in through WebAccess
      // (strict comparison, so numeric-looking names such as "10" and "1e1"
      // are never treated as the same user)
      if (isset($_SERVER['REMOTE_USER']) && $_SERVER['REMOTE_USER'] !== ''
          && $_SERVER['REMOTE_USER'] === $user) {
        $userinfo = $this->getUserData($user);
        if ($userinfo !== false) {
          $result = true;
        }
      }
    } else {
      // regular session auth check
      if (isset($_SERVER['REMOTE_USER']) && $_SERVER['REMOTE_USER'] !== '') {
        $userinfo = $this->getUserData($_SERVER['REMOTE_USER']);
        if ($userinfo !== false) {
          $result = true;
        }
      }
    }

    // set the necessary global variables
    if ($result) {
      $USERINFO = $userinfo;

      // set session
      $_SESSION[DOKU_COOKIE]['auth']['user'] = $_SERVER['REMOTE_USER'];
      $_SESSION[DOKU_COOKIE]['auth']['pass'] = '';
      $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
      $_SESSION[DOKU_COOKIE]['auth']['info'] = $userinfo;
      $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
    }

    return $result;
  }
}

//Setup VIM: ex: et ts=2 enc=utf-8 :
```
Configuration
Configure Apache to use CoSign for authentication, preferably over SSL. See the CoSign documentation for how to set this up.
Authorized users can now be managed via the user-manager plugin. The passwords in users.auth.php are ignored, so just put a dummy value in there.
You may want to remove the Login and Logout buttons from the template as well since they have no use. Logout is accomplished by closing the browser window or by the timeout specified by the CoSign server.
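The split between authentication (CoSign, via REMOTE_USER) and authorization (the entry in users.auth.php) can be seen in isolation in the following added example, which is not part of cosign.class.php or DokuWiki. The function names parseUsers() and trustDecision() are hypothetical, the user entries are constructed, and the web-server variable and login-form name are passed in as arguments so the script runs on its own from the command line.

```php
<?php
// Added example, not part of cosign.class.php: the trustExternal() decision as a
// pure function. parseUsers() and trustDecision() are hypothetical names.

/** Parse users.auth.php-style lines: login:hash:Real Name:email:group1,group2 */
function parseUsers(string $text): array {
    $users = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') continue;  // blank line or comment
        $f = explode(':', $line, 5);
        if (count($f) < 5) continue;                      // malformed entry: ignore
        $users[$f[0]] = ['name' => $f[2], 'mail' => $f[3],
                         'grps' => array_filter(explode(',', $f[4]), 'strlen')];
    }
    return $users;
}

/**
 * $remoteUser: value the web server put in REMOTE_USER (null when unset)
 * $formUser:   name submitted to the wiki login form ('' when none)
 * Returns the user's record when the request may be trusted, false otherwise.
 */
function trustDecision(?string $remoteUser, string $formUser, array $users) {
    if ($remoteUser === null || $remoteUser === '') return false;    // no CoSign identity
    if ($formUser !== '' && $formUser !== $remoteUser) return false; // names disagree
    return $users[$remoteUser] ?? false;  // authenticated; authorized only if listed
}

// Constructed sample data; "x" stands in for the ignored dummy password.
$text = <<<'TXT'
# users.auth.php (constructed)
alice:x:Alice Example:alice@example.edu:admin,user
bob:x:Bob Example:bob@example.edu:user
TXT;
$users = parseUsers($text);

$cases = [
    ['alice', '',      'listed user, session check'],
    ['alice', 'alice', 'listed user, login form matches'],
    ['alice', 'bob',   'login form names someone else'],
    ['carol', '',      'CoSign login but no users.auth.php entry'],
    [null,    'alice', 'REMOTE_USER unset'],
];
foreach ($cases as [$remote, $form, $label]) {
    $info = trustDecision($remote, $form, $users);
    printf("%-42s => %s\n", $label, $info ? 'allow: ' . implode(',', $info['grps']) : 'deny');
}
```

The last case is the one to check on a live install: because the backend trusts REMOTE_USER entirely, every URL that reaches DokuWiki has to sit behind the CoSign-protected Apache configuration, so that the variable can only be set by the web server.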
Discussion
2009/06/05: Currently experiencing a problem that the authentication does not work when saving changes. Am working on a fix.
2009/06/18: Reworked the authentication class and resolved the problem of being logged out when saving changes.
This is awesome. Thank you.