auth:ssp
auth:ssp [2011-06-03 20:00] – created 83.49.110.247 | auth:ssp [2013-01-14 01:07] – [Code] 2001:638:904:ffd0:25b2:71e7:e527:f807 | ||
Line 1: | Line 1: | ||
====== SimpleSAMLphp Authentication Backend ====== | ====== SimpleSAMLphp Authentication Backend ====== | ||
- | This authentication backend deals with a single sign on web authentication system based on SimpleSAMLphp and SAML2. | + | This authentication backend deals with a single sign on web authentication system based on [[http:// |
Line 9: | Line 9: | ||
* An Identity Provider installed on the same machine as the above or on a remote machine | * An Identity Provider installed on the same machine as the above or on a remote machine | ||
* SSL support on the server for production sites | * SSL support on the server for production sites | ||
- | * Other requirements are possible depending on the configuration of the SimpleSAMLphp | + | * Other requirements are possible depending on the configuration of SimpleSAMLphp |
Line 19: | Line 19: | ||
<?php | <?php | ||
/** | /** | ||
- | * SimpleSAMLphp authentication backend | + | |
* auth/ | * auth/ | ||
* | * | ||
- | * @author | + | * @author |
* @license GPL2 http:// | * @license GPL2 http:// | ||
- | * @version 0.1 | + | * @version 0.2 |
- | * @date | + | * @date |
*/ | */ | ||
+ | |||
class auth_ssp extends auth_basic { | class auth_ssp extends auth_basic { | ||
+ | var $users = null; | ||
// declaration of the auth_simple object | // declaration of the auth_simple object | ||
var $as; | var $as; | ||
+ | |||
/** | /** | ||
* Constructor. | * Constructor. | ||
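Review bot: The new `var $users = null;` property is added without a comment, unlike `$as` just below it, so a reader cannot tell from the declaration what it holds or when it is populated; add something like `// users file parsed into an array; null until _loadUserData() has run` (that is how the helpers further down appear to use it — confirm against the untruncated file). The class body continues past this hunk.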
Line 41: | Line 42: | ||
$this-> | $this-> | ||
$this-> | $this-> | ||
+ | } | ||
+ | |||
+ | /** | ||
+ | * Return user info (copy from plain.class.php) | ||
+ | * | ||
+ | * Returns info about the given user needs to contain | ||
+ | * at least these fields: | ||
+ | * | ||
+ | * name string | ||
+ | * mail string | ||
+ | * grps array list of groups the user is in | ||
+ | * | ||
+ | * @author | ||
+ | */ | ||
+ | function getUserData($user){ | ||
+ | |||
+ | if($this-> | ||
+ | return isset($this-> | ||
+ | } | ||
+ | |||
+ | /** | ||
+ | * Load all user data (modified copy from plain.class.php) | ||
+ | * | ||
+ | * loads the user file into a datastructure | ||
+ | * | ||
+ | * @author | ||
+ | */ | ||
+ | function _loadUserData(){ | ||
+ | global $conf; | ||
+ | |||
+ | $this-> | ||
+ | |||
+ | if(!@file_exists($conf[' | ||
+ | |||
+ | $lines = file($conf[' | ||
+ | foreach($lines as $line){ | ||
+ | $line = preg_replace('/# | ||
+ | $line = trim($line); | ||
+ | if(empty($line)) continue; | ||
+ | |||
+ | $row = explode(":", | ||
+ | $groups = array_values(array_filter(explode(",", | ||
+ | |||
+ | $this-> | ||
+ | $this-> | ||
+ | $this-> | ||
+ | } | ||
+ | } | ||
+ | | ||
+ | /** | ||
+ | * Save user data | ||
+ | * | ||
+ | * saves the user file into a datastructure | ||
+ | * | ||
+ | * @author | ||
+ | */ | ||
+ | function _saveUserData($username, | ||
+ | global $conf; | ||
+ | |||
+ | if ($this-> | ||
+ | $pattern = '/ | ||
+ | | ||
+ | // Delete old line from users file | ||
+ | if (!io_deleteFromFile($conf[' | ||
+ | msg(' | ||
+ | return false; | ||
+ | } | ||
+ | $groups = join(',', | ||
+ | $userline = join(':', | ||
+ | // Save new line into users file | ||
+ | if (!io_saveFile($conf[' | ||
+ | msg(' | ||
+ | return false; | ||
+ | } | ||
+ | $this-> | ||
+ | return true; | ||
} | } | ||
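Review bot: `_saveUserData` writes values that, as far as the truncated listing shows, originate from IdP attributes into a colon-delimited record (`$userline = join(':', …)`), and nothing visible rejects a field that itself contains `:` or a line break, so an attribute value shaped like `x\nother:…` would land in the users file as an additional record and could replace another user's line or groups. Before the `join`, check each field with `preg_match('/[\r\n:]/', $field)` and `msg()` plus `return false` when it matches. The `$pattern` built just above the `io_deleteFromFile` call is cut off here; if it embeds `$username` and the delete runs in regex mode, wrap it as `preg_quote($username, '/')` so a name containing regex metacharacters cannot match other users' lines. Separately, `@file_exists` in `_loadUserData` hides permission problems on the users file; dropping the `@` and reporting the failure would surface misconfiguration instead of silently treating the file as absent.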
Line 50: | Line 127: | ||
global $USERINFO; | global $USERINFO; | ||
global $conf; | global $conf; | ||
+ | |||
$sticky ? $sticky = true : $sticky = false; //sanity check | $sticky ? $sticky = true : $sticky = false; //sanity check | ||
+ | |||
// loading of simplesamlphp library | // loading of simplesamlphp library | ||
require_once($conf[' | require_once($conf[' | ||
+ | |||
// create auth object and use api to require authentication and get attributes | // create auth object and use api to require authentication and get attributes | ||
$this-> | $this-> | ||
+ | |||
// the next line should be discommented to enable guest users (not authenticated) enter DokuWiki, see also documentation | // the next line should be discommented to enable guest users (not authenticated) enter DokuWiki, see also documentation | ||
# if ($this-> | # if ($this-> | ||
Line 64: | Line 141: | ||
$this-> | $this-> | ||
$attrs = $this-> | $attrs = $this-> | ||
+ | |||
// check for valid attributes (not empty) and update USERINFO var from dokuwiki | // check for valid attributes (not empty) and update USERINFO var from dokuwiki | ||
if (!isset($attrs[$conf[' | if (!isset($attrs[$conf[' | ||
Line 70: | Line 147: | ||
} | } | ||
$USERINFO[' | $USERINFO[' | ||
+ | |||
if (!isset($attrs[$conf[' | if (!isset($attrs[$conf[' | ||
$this-> | $this-> | ||
} | } | ||
$USERINFO[' | $USERINFO[' | ||
+ | |||
// groups may be empty (by default any user belongs to the user group) don't perform empty check | // groups may be empty (by default any user belongs to the user group) don't perform empty check | ||
$USERINFO[' | $USERINFO[' | ||
+ | |||
if (!isset($attrs[$conf[' | if (!isset($attrs[$conf[' | ||
$this-> | $this-> | ||
} | } | ||
- | + | ||
+ | // save user info | ||
+ | if (!$this-> | ||
+ | return false; | ||
+ | } | ||
+ | |||
// assign user id to the user global information | // assign user id to the user global information | ||
$_SERVER[' | $_SERVER[' | ||
+ | |||
// assign user id and the data from USERINFO to the DokuWiki session cookie | // assign user id and the data from USERINFO to the DokuWiki session cookie | ||
$_SESSION[DOKU_COOKIE][' | $_SESSION[DOKU_COOKIE][' | ||
$_SESSION[DOKU_COOKIE][' | $_SESSION[DOKU_COOKIE][' | ||
+ | |||
# } // end if_isAuthenticated() | # } // end if_isAuthenticated() | ||
return true; | return true; | ||
} | } | ||
+ | |||
/** | /** | ||
* exit printing info and logout link | * exit printing info and logout link | ||
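Review bot: When the new `_saveUserData` call fails, trustExternal returns false, but by then the `$USERINFO[...]` entries have already been filled from the IdP attributes a few lines above while `$_SERVER[...]` and the `$_SESSION[DOKU_COOKIE][...]` entries are never set; depending on how the caller treats `$USERINFO` after a false return, group-based ACL rules could be evaluated for a request that carries no user name. Reset the global before bailing out, `$USERINFO = array(); return false;`, or collect the values into a local array and assign `$USERINFO` only once the save has succeeded. The save also runs on every request that passes through trustExternal; unless the guard at the top of `_saveUserData` (truncated here) short-circuits when nothing changed, that is a users-file rewrite per page view. trustExternal starts outside this hunk.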
Line 105: | Line 187: | ||
die( $attribute . ' attribute missing from IdP. Please ' . $logoutlink . ' to return to login form' | die( $attribute . ' attribute missing from IdP. Please ' . $logoutlink . ' to return to login form' | ||
} | } | ||
+ | |||
/** | /** | ||
* Log off the current user from DokuWiki and IdP | * Log off the current user from DokuWiki and IdP | ||
Line 112: | Line 194: | ||
function logOff(){ | function logOff(){ | ||
// use the simpleSAMLphp authentication object created in trustExternal to logout | // use the simpleSAMLphp authentication object created in trustExternal to logout | ||
- | $this-> | + | |
+ | | ||
} | } | ||
+ | |||
} | } | ||
+ | |||
//Setup VIM: ex: et ts=2 enc=utf-8 : | //Setup VIM: ex: et ts=2 enc=utf-8 : | ||
</ | </ | ||
Line 123: | Line 206: | ||
===== Configuration ===== | ===== Configuration ===== | ||
- | 1. For configuring the SimpleSAMLphp application look at the [[http:// | + | ** 1. ** For configuring the SimpleSAMLphp application look at the [[http:// |
- | 2. For installing the new backend just save the above code under .../ | + | |
- | 3. Add the following lines in your DokuWiki configuration file (local.php): | + | ** 2. ** For installing the new backend just save the above code under .../ |
+ | |||
+ | ** 3. ** Add the following lines in your DokuWiki configuration file (local.php): | ||
<code php> | <code php> | ||
// use the SimpleSAMLphp backend | // use the SimpleSAMLphp backend | ||
Line 133: | Line 218: | ||
// path for the simplesamlphp installation root | // path for the simplesamlphp installation root | ||
$conf[' | $conf[' | ||
+ | |||
+ | // username to save user details | ||
+ | $conf[' | ||
// configure attribute names to match the ones used by our authentication backend (IdP) | // configure attribute names to match the ones used by our authentication backend (IdP) | ||
Line 140: | Line 228: | ||
$conf[' | $conf[' | ||
</ | </ | ||
- | 4. Integrate SimpleSAMLphp and DokuWiki: | + | |
+ | ** 4. ** Integrate SimpleSAMLphp and DokuWiki: | ||
a) By changing SimpleSAMLphp in the default session store type in the config/ | a) By changing SimpleSAMLphp in the default session store type in the config/ | ||
Change this line: | Change this line: | ||
<code php> | <code php> | ||
- | ' | + | ' |
</ | </ | ||
To this: | To this: | ||
<code php> | <code php> | ||
- | ' | + | ' |
</ | </ | ||
Line 164: | Line 253: | ||
</ | </ | ||
- | 5. (optional) | + | ** 5. (optional) |
- | Comment out the lines starting by '#' | + | Uncomment |
In this case you should also modify the inc/ | In this case you should also modify the inc/ |