auth:ssp

auth:ssp [2011-06-03 20:01]
83.49.110.247 [Requirements]
auth:ssp [2013-01-14 01:07] (current)
2001:638:904:ffd0:25b2:71e7:e527:f807 [Code]
Line 1: Line 1:
 ====== SimpleSAMLphp Authentication Backend ====== ====== SimpleSAMLphp Authentication Backend ======
  
-This authentication backend deals with a single sign on web authentication system based on SimpleSAMLphp and SAML2. ​+This authentication backend deals with a single sign on web authentication system based on [[http://​simplesamlphp.org/​|SimpleSAMLphp]] and SAML2. ​
  
  
Line 19: Line 19:
 <?php <?php
 /** /**
- * SimpleSAMLphp authentication backend+ ​* ​SSP. SimpleSAMLphp authentication backend
  * auth/​ssp.class.php  * auth/​ssp.class.php
  *  *
- * @author ​ Jorge Hervás <​jordihv@gmail.com>​+ * @author ​ Jorge Hervás <​jordihv@gmail.com>, Lukas Slansky <​lukas.slansky@upce.cz>
  * @license GPL2 http://​www.gnu.org/​licenses/​gpl.html  * @license GPL2 http://​www.gnu.org/​licenses/​gpl.html
- * @version 0.1 + * @version 0.2 
- * @date    ​June 2011+ * @date    ​April 2012
  */  */
 + 
 class auth_ssp extends auth_basic { class auth_ssp extends auth_basic {
 +  var $users = null;
   // declaration of the auth_simple object ​   // declaration of the auth_simple object ​
   var $as;   var $as;
 + 
   /**   /**
    * Constructor.    * Constructor.
Line 41: Line 42:
     $this->​cando['​logoff'​] ​  = true;     $this->​cando['​logoff'​] ​  = true;
     $this->​success = true;     $this->​success = true;
 +  }
 + 
 +  /**
 +   * Return user info (copy from plain.class.php)
 +   *
 +   * Returns info about the given user needs to contain
 +   * at least these fields:
 +   *
 +   * name string ​ full name of the user
 +   * mail string ​ email addres of the user
 +   * grps array   list of groups the user is in
 +   *
 +   * @author ​ Lukas Slansky <​lukas.slansky@upce.cz>​
 +   */
 +  function getUserData($user){
 +
 +    if($this->​users === null) $this->​_loadUserData();​
 +    return isset($this->​users[$user]) ? $this->​users[$user] : false;
 +  }
 +
 +  /**
 +   * Load all user data (modified copy from plain.class.php)
 +   *
 +   * loads the user file into a datastructure
 +   *
 +   * @author ​ Lukas Slansky <​lukas.slansky@upce.cz>​
 +   */
 +  function _loadUserData(){
 +    global $conf;
 +
 +    $this->​users = array();
 +
 +    if(!@file_exists($conf['​ssp_usersfile'​])) return;
 +
 +    $lines = file($conf['​ssp_usersfile'​]);​
 +    foreach($lines as $line){
 +      $line = preg_replace('/#​.*$/','',​$line);​ //ignore comments
 +      $line = trim($line);​
 +      if(empty($line)) continue;
 +
 +      $row    = explode(":",​$line,​5);​
 +      $groups = array_values(array_filter(explode(",",​$row[3])));​
 +
 +      $this->​users[$row[0]]['​name'​] = urldecode($row[1]);​
 +      $this->​users[$row[0]]['​mail'​] = $row[2];
 +      $this->​users[$row[0]]['​grps'​] = $groups;
 +    }
 +  }
 +  ​
 +  /**
 +   * Save user data
 +   *
 +   * saves the user file into a datastructure
 +   *
 +   * @author ​ Lukas Slansky <​lukas.slansky@upce.cz>​
 +   */
 +  function _saveUserData($username,​ $userinfo) {
 +    global $conf;
 +
 +    if ($this->​users === null) $this->​_loadUserData();​
 +    $pattern = '/​^'​ . $username . ':/';​
 +    ​
 +    // Delete old line from users file
 +    if (!io_deleteFromFile($conf['​ssp_usersfile'​],​ $pattern, true)) {
 +      msg('​Error saving user data (1)', -1);
 +      return false;
 +    }
 +    $groups = join(',',​$userinfo['​grps'​]);​
 +    $userline = join(':',​array($username,​ $userinfo['​name'​],​ $userinfo['​mail'​],​ $groups))."​\n";​
 +    // Save new line into users file
 +    if (!io_saveFile($conf['​ssp_usersfile'​],​ $userline, true)) {
 +      msg('​Error saving user data (2)', -1);
 +      return false;
 +    }
 +    $this->​users[$username] = $userinfo;
 +    return true;
   }   }
  
Line 50: Line 127:
     global $USERINFO;     global $USERINFO;
     global $conf;     global $conf;
 + 
     $sticky ? $sticky = true : $sticky = false; //sanity check     $sticky ? $sticky = true : $sticky = false; //sanity check
 + 
     // loading of simplesamlphp library     // loading of simplesamlphp library
     require_once($conf['​ssp_path'​] . '/​lib/​_autoload.php'​);​     require_once($conf['​ssp_path'​] . '/​lib/​_autoload.php'​);​
 + 
     // create auth object and use api to require authentication and get attributes     // create auth object and use api to require authentication and get attributes
     $this->​as = new SimpleSAML_Auth_Simple('​default-sp'​);​     $this->​as = new SimpleSAML_Auth_Simple('​default-sp'​);​
 + 
     // the next line should be discommented to enable guest users (not authenticated) enter DokuWiki, see also documentation     // the next line should be discommented to enable guest users (not authenticated) enter DokuWiki, see also documentation
     # if ($this->​as->​isAuthenticated()) {     # if ($this->​as->​isAuthenticated()) {
Line 64: Line 141:
     $this->​as->​requireAuth();​     $this->​as->​requireAuth();​
     $attrs = $this->​as->​getAttributes();​     $attrs = $this->​as->​getAttributes();​
 + 
     // check for valid attributes (not empty) and update USERINFO var from dokuwiki     // check for valid attributes (not empty) and update USERINFO var from dokuwiki
     if (!isset($attrs[$conf['​ssp_attr_name'​]][0])) {     if (!isset($attrs[$conf['​ssp_attr_name'​]][0])) {
Line 70: Line 147:
     }     }
     $USERINFO['​name'​] = $attrs[$conf['​ssp_attr_name'​]][0];​     $USERINFO['​name'​] = $attrs[$conf['​ssp_attr_name'​]][0];​
 + 
     if (!isset($attrs[$conf['​ssp_attr_mail'​]][0])) {     if (!isset($attrs[$conf['​ssp_attr_mail'​]][0])) {
       $this->​exitMissingAttribute('​Mail'​);​       $this->​exitMissingAttribute('​Mail'​);​
     }     }
     $USERINFO['​mail'​] = $attrs[$conf['​ssp_attr_mail'​]][0];​     $USERINFO['​mail'​] = $attrs[$conf['​ssp_attr_mail'​]][0];​
 + 
     // groups may be empty (by default any user belongs to the user group) don't perform empty check     // groups may be empty (by default any user belongs to the user group) don't perform empty check
     $USERINFO['​grps'​] = $attrs[$conf['​ssp_attr_grps'​]];​     $USERINFO['​grps'​] = $attrs[$conf['​ssp_attr_grps'​]];​
 + 
     if (!isset($attrs[$conf['​ssp_attr_user'​]][0])) {     if (!isset($attrs[$conf['​ssp_attr_user'​]][0])) {
       $this->​exitMissingAttribute('​User'​);​       $this->​exitMissingAttribute('​User'​);​
     }     }
-   +  
 +    // save user info 
 +    if (!$this->​_saveUserData($attrs[$conf['​ssp_attr_user'​]][0],​ $USERINFO)) { 
 +      return false; 
 +    } 
 + 
     // assign user id to the user global information     // assign user id to the user global information
     $_SERVER['​REMOTE_USER'​] = $attrs[$conf['​ssp_attr_user'​]][0];​     $_SERVER['​REMOTE_USER'​] = $attrs[$conf['​ssp_attr_user'​]][0];​
 + 
     // assign user id and the data from USERINFO to the DokuWiki session cookie     // assign user id and the data from USERINFO to the DokuWiki session cookie
     $_SESSION[DOKU_COOKIE]['​auth'​]['​user'​] = $attrs[$conf['​ssp_attr_user'​]][0];​     $_SESSION[DOKU_COOKIE]['​auth'​]['​user'​] = $attrs[$conf['​ssp_attr_user'​]][0];​
     $_SESSION[DOKU_COOKIE]['​auth'​]['​info'​] = $USERINFO;     $_SESSION[DOKU_COOKIE]['​auth'​]['​info'​] = $USERINFO;
 + 
     # } // end if_isAuthenticated()     # } // end if_isAuthenticated()
  
     return true;     return true;
   }   }
 + 
   /**   /**
    * exit printing info and logout link    * exit printing info and logout link
Line 105: Line 187:
     die( $attribute . ' attribute missing from IdP. Please ' . $logoutlink . ' to return to login form'​);​     die( $attribute . ' attribute missing from IdP. Please ' . $logoutlink . ' to return to login form'​);​
   }   }
 + 
   /**   /**
    * Log off the current user from DokuWiki and IdP    * Log off the current user from DokuWiki and IdP
Line 112: Line 194:
   function logOff(){   function logOff(){
     // use the simpleSAMLphp authentication object created in trustExternal to logout     // use the simpleSAMLphp authentication object created in trustExternal to logout
-    $this->​as->​logout('/'​);​+    ​if ($this->​as->​isAuthenticated()) 
 +      ​$this->​as->​logout('/'​);​
   }   }
 + 
 } }
 + 
 //Setup VIM: ex: et ts=2 enc=utf-8 : //Setup VIM: ex: et ts=2 enc=utf-8 :
 </​code>​ </​code>​
Line 123: Line 206:
 ===== Configuration ===== ===== Configuration =====
  
-1. For configuring the SimpleSAMLphp application look at the [[http://​simplesamlphp.org/​docs/​1.8/​|online documentation]] of the project +** 1. ** For configuring the SimpleSAMLphp application look at the [[http://​simplesamlphp.org/​docs/​1.8/​|online documentation]] of the project  
-2. For installing the new backend just save the above code under .../​dokuwiki/​inc/​auth/​ssp.class.php + 
-3. Add the following lines in your DokuWiki configuration file (local.php):​+** 2. ** For installing the new backend just save the above code under .../​dokuwiki/​inc/​auth/​ssp.class.php  
 + 
 +** 3. ** Add the following lines in your DokuWiki configuration file (local.php): ​
 <code php> <code php>
 // use the SimpleSAMLphp backend // use the SimpleSAMLphp backend
Line 133: Line 218:
 // path for the simplesamlphp installation root // path for the simplesamlphp installation root
 $conf['​ssp_path'​] = '/​var/​simplesamlphp';​ $conf['​ssp_path'​] = '/​var/​simplesamlphp';​
 +
 +// username to save user details
 +$conf['​ssp_usersfile'​] = $conf['​savedir'​] . '/​users.ssp.php';​
  
 // configure attribute names to match the ones used by our authentication backend (IdP) // configure attribute names to match the ones used by our authentication backend (IdP)
Line 140: Line 228:
 $conf['​ssp_attr_grps'​] = '​eduPersonAffiliation';​ $conf['​ssp_attr_grps'​] = '​eduPersonAffiliation';​
 </​code>​ </​code>​
-4. Integrate SimpleSAMLphp and DokuWiki:+ 
 +** 4. ** Integrate SimpleSAMLphp and DokuWiki: ​
  
 a) By changing SimpleSAMLphp in the default session store type in the config/​config.php file: a) By changing SimpleSAMLphp in the default session store type in the config/​config.php file:
 Change this line:  Change this line: 
 <code php> <code php>
- '​store.type'​ => '​phpsession'​+'​store.type'​ => '​phpsession'​
 </​code>​ </​code>​
 To this: To this:
 <code php> <code php>
- '​store.type'​ => '​memcache'​+'​store.type'​ => '​memcache'​
 </​code>​ </​code>​
  
Line 164: Line 253:
 </​code>​ </​code>​
  
-5. (optional) +** 5. (optional) ​** 
-Comment out the lines starting by '#'​ in the authentication backend to allow guest users visit the site without requiring user and password credentials+Uncomment ​the lines starting by '#'​ in the authentication backend to allow guest users visit the site without requiring user and password credentials
  
 In this case you should also modify the inc/​template.php file to correct the behaviour of the login button, redirecting it to the IdP login form In this case you should also modify the inc/​template.php file to correct the behaviour of the login button, redirecting it to the IdP login form
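Review bot: In `_saveUserData` (the `Line 41: Line 42` hunk) the deletion pattern is built from the raw username, `$pattern = '/^' . $username . ':/';`, and handed to io_deleteFromFile as a regex, so a username containing regex metacharacters can fail to match its own line or match other users' lines; use `$pattern = '/^' . preg_quote($username, '/') . ':/';`. The saved record is also not the inverse of `_loadUserData`: the loader applies `urldecode($row[1])` to the name, but the saver joins `$userinfo['name']` unencoded, so a name containing ':' or a line break shifts the colon-separated fields on the next load — write `urlencode($userinfo['name'])` into `$userline` instead. The username itself comes from the IdP attribute named by `$conf['ssp_attr_user']` and is likewise written unescaped; the same consideration applies to it if that attribute is not guaranteed to be free of ':' and newlines. Finally, `$userinfo['grps']` is taken straight from the attribute array in trustExternal and presumably can be null when the IdP omits the group attribute, in which case `join(',', $userinfo['grps'])` would warn; casting with `(array)` or checking isset before the join would make the save robust.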