DokuWiki

auth:ssp

Differences

This shows you the differences between two versions of the page.

auth:ssp [2011-06-06 16:24] – [Code] 83.49.108.130
auth:ssp [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
Line 1: Line 1:
-====== SimpleSAMLphp Authentication Backend ====== 
- 
-This authentication backend deals with a single sign on web authentication system based on [[http://simplesamlphp.org/|SimpleSAMLphp]] and SAML2.  
- 
- 
-===== Requirements ===== 
- 
-  * A Service Provider provided by the SimpleSAMLphp application in the same machine of the Dokuwiki installation 
-  * An Identity Provider installed on the same machine as the above or on a remote machine 
-  * SSL support on the server for production sites 
-  * Other requirements are possible depending on the configuration of SimpleSAMLphp 
- 
- 
-===== Code ===== 
- 
-Save this under .../dokuwiki/inc/auth/ssp.class.php: 
- 
-<code php> 
-<?php 
-/** 
- * SSP. SimpleSAMLphp authentication backend 
- * auth/ssp.class.php 
- * 
- * @author  Jorge Hervás <jordihv@gmail.com> 
- * @license GPL2 http://www.gnu.org/licenses/gpl.html 
- * @version 0.1 
- * @date    June 2011 
- */ 
- 
-class auth_ssp extends auth_basic { 
-  // declaration of the auth_simple object  
-  var $as; 
- 
-  /** 
-   * Constructor. 
-   * Sets additional capabilities and config strings 
-   */ 
-  function auth_ssp() { 
-    // we set the features of our authentication backend to TRUE, the base class defaults to FALSE the rest 
-    $this->cando['external'] = true; 
-    $this->cando['logoff'  = true; 
-    $this->success = true; 
-  } 
- 
-  /** 
-   * Do external authentication (SSO) 
-   * Params are not used 
-   */ 
-  function trustExternal($user,$pass,$sticky=false){ 
-    global $USERINFO; 
-    global $conf; 
- 
-    $sticky ? $sticky = true : $sticky = false; //sanity check 
- 
-    // loading of simplesamlphp library 
-    require_once($conf['ssp_path'] . '/lib/_autoload.php'); 
- 
-    // create auth object and use api to require authentication and get attributes 
-    $this->as = new SimpleSAML_Auth_Simple('default-sp'); 
- 
-    // the next line should be discommented to enable guest users (not authenticated) enter DokuWiki, see also documentation 
-    # if ($this->as->isAuthenticated()) { 
- 
-    $this->as->requireAuth(); 
-    $attrs = $this->as->getAttributes(); 
- 
-    // check for valid attributes (not empty) and update USERINFO var from dokuwiki 
-    if (!isset($attrs[$conf['ssp_attr_name']][0])) { 
-      $this->exitMissingAttribute('Name'); 
-    } 
-    $USERINFO['name'] = $attrs[$conf['ssp_attr_name']][0]; 
- 
-    if (!isset($attrs[$conf['ssp_attr_mail']][0])) { 
-      $this->exitMissingAttribute('Mail'); 
-    } 
-    $USERINFO['mail'] = $attrs[$conf['ssp_attr_mail']][0]; 
- 
-    // groups may be empty (by default any user belongs to the user group) don't perform empty check 
-    $USERINFO['grps'] = $attrs[$conf['ssp_attr_grps']]; 
- 
-    if (!isset($attrs[$conf['ssp_attr_user']][0])) { 
-      $this->exitMissingAttribute('User'); 
-    } 
-    
-    // assign user id to the user global information 
-    $_SERVER['REMOTE_USER'] = $attrs[$conf['ssp_attr_user']][0]; 
- 
-    // assign user id and the data from USERINFO to the DokuWiki session cookie 
-    $_SESSION[DOKU_COOKIE]['auth']['user'] = $attrs[$conf['ssp_attr_user']][0]; 
-    $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO; 
- 
-    # } // end if_isAuthenticated() 
- 
-    return true; 
-  } 
- 
-  /** 
-   * exit printing info and logout link 
-   * 
-   */ 
-  function exitMissingAttribute( $attribute ){ 
-    // get logout link 
-    $url = $this->as->getLogoutURL(); 
-    $logoutlink = '<a href="' . htmlspecialchars($url) . '">logout</a>'; 
-    die( $attribute . ' attribute missing from IdP. Please ' . $logoutlink . ' to return to login form'); 
-  } 
- 
-  /** 
-   * Log off the current user from DokuWiki and IdP 
-   * 
-   */ 
-  function logOff(){ 
-    // use the simpleSAMLphp authentication object created in trustExternal to logout 
-    $this->as->logout('/'); 
-  } 
- 
-} 
- 
-//Setup VIM: ex: et ts=2 enc=utf-8 : 
-</code> 
- 
- 
-===== Configuration ===== 
- 
-** 1. ** For configuring the SimpleSAMLphp application look at the [[http://simplesamlphp.org/docs/1.8/|online documentation]] of the project  
- 
-** 2. ** For installing the new backend just save the above code under .../dokuwiki/inc/auth/ssp.class.php  
- 
-** 3. ** Add the following lines in your DokuWiki configuration file (local.php):  
-<code php> 
-// use the SimpleSAMLphp backend 
-$conf['authtype'  = 'ssp'; 
-$conf['useacl'] = 1; 
- 
-// path for the simplesamlphp installation root 
-$conf['ssp_path'] = '/var/simplesamlphp'; 
- 
-// configure attribute names to match the ones used by our authentication backend (IdP) 
-$conf['ssp_attr_name'] = 'cn'; 
-$conf['ssp_attr_user'] = 'uid'; 
-$conf['ssp_attr_mail'] = 'email'; 
-$conf['ssp_attr_grps'] = 'eduPersonAffiliation'; 
-</code> 
- 
-** 4. ** Integrate SimpleSAMLphp and DokuWiki:  
- 
-a) By changing SimpleSAMLphp in the default session store type in the config/config.php file: 
-Change this line:  
-<code php> 
-'store.type' => 'phpsession' 
-</code> 
-To this: 
-<code php> 
-'store.type' => 'memcache' 
-</code> 
- 
-b) OR by setting in the same file the value 'DokuWiki' to the php cookie name: 
-<code php> 
-'session.phpsession.cookiename'  => 'DokuWiki', 
-</code> 
-and comment the lines that set the cookie params in the init.php file of DokuWiki,like this: 
-<code php> 
- if (version_compare(PHP_VERSION, '5.2.0', '>')) {  
-        //session_set_cookie_params(0,DOKU_REL,'',($conf['securecookie'] && is_ssl()),true);  
-    }else{  
-        //session_set_cookie_params(0,DOKU_REL,'',($conf['securecookie'] && is_ssl()));  
-</code> 
- 
-** 5. (optional) ** 
-Comment out the lines starting by '#' in the authentication backend to allow guest users visit the site without requiring user and password credentials 
- 
-In this case you should also modify the inc/template.php file to correct the behaviour of the login button, redirecting it to the IdP login form 
-<code php> 
-//   $out .= html_btn('login',$ID,'',array('do' => 'login', 'sectok' => getSecurityToken())); 
-$as = new SimpleSAML_Auth_Simple('default-sp'); 
-$link_as = $as->getLoginURL(); 
-$out .= '<form class="button btn_login" method="post" action="' . $link_as . '"><div class="no"><input type="submit" value="Login" class="button" title="Login" /></div></form>'; 
-</code> 
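Review bot: the inc/template.php snippet in step 5 concatenates $link_as into the form's action attribute without escaping, although exitMissingAttribute() already passes the logout URL through htmlspecialchars(); build the attribute as action="' . htmlspecialchars($link_as) . '" so the login URL cannot break out of the attribute. Step 4b comments out both session_set_cookie_params() calls, which drops the ($conf['securecookie'] && is_ssl()) secure flag and, on the PHP > 5.2.0 branch, the trailing true (HttpOnly) from the session cookie that DokuWiki and SimpleSAMLphp then share; option 4a leaves those cookie flags in place and is the safer integration path. In trustExternal(), $USERINFO['grps'] is assigned straight from the IdP attribute with no isset() check and no allow-list, so a missing attribute yields a non-array value and every affiliation string the IdP sends becomes a DokuWiki group name for ACL purposes; default to an empty array and map only expected values. Two lines will not parse as shown because the closing bracket is missing: $this->cando['logoff'  = true; in the constructor and $conf['authtype'  = 'ssp'; in the local.php block.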
  
auth/ssp.1307370299.txt.gz · Last modified: 2011-06-06 16:24 by 83.49.108.130

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International