DokuWiki

It's better when it's simple

User Tools

Site Tools


Sidebar

Translations of this page?:

Learn about DokuWiki

Advanced Use

Corporate Use

Our Community


Follow us on Facebook, Twitter and other social networks.

auth:ssp

This is an old revision of the document!


SimpleSAMLphp Authentication Backend

This authentication backend deals with a single sign on web authentication system based on SimpleSAMLphp and SAML2.

Requirements

  • A Service Provider provided by the SimpleSAMLphp application in the same machine of the Dokuwiki installation
  • An Identity Provider installed on the same machine as the above or on a remote machine
  • SSL support on the server for production sites
  • Other requirements are possible depending on the configuration of SimpleSAMLphp

Code

Save this under …/dokuwiki/inc/auth/ssp.class.php:

<?php
/**
 * SSP. SimpleSAMLphp authentication backend
 * auth/ssp.class.php
 *
 * @author  Jorge Hervás <jordihv@gmail.com>
 * @license GPL2 http://www.gnu.org/licenses/gpl.html
 * @version 0.1
 * @date    June 2011
 */
 
class auth_ssp extends auth_basic {
  // declaration of the auth_simple object 
  var $as;
 
  /**
   * Constructor.
   * Sets additional capabilities and config strings
   */
  function auth_ssp() {
    // we set the features of our authentication backend to TRUE, the base class defaults to FALSE the rest
    $this->cando['external'] = true;
    $this->cando['logoff']   = true;
    $this->success = true;
  }
 
  /**
   * Do external authentication (SSO)
   * Params are not used
   */
  function trustExternal($user,$pass,$sticky=false){
    global $USERINFO;
    global $conf;
 
    $sticky ? $sticky = true : $sticky = false; //sanity check
 
    // loading of simplesamlphp library
    require_once($conf['ssp_path'] . '/lib/_autoload.php');
 
    // create auth object and use api to require authentication and get attributes
    $this->as = new SimpleSAML_Auth_Simple('default-sp');
 
    // the next line should be discommented to enable guest users (not authenticated) enter DokuWiki, see also documentation
    # if ($this->as->isAuthenticated()) {

    $this->as->requireAuth();
    $attrs = $this->as->getAttributes();
 
    // check for valid attributes (not empty) and update USERINFO var from dokuwiki
    if (!isset($attrs[$conf['ssp_attr_name']][0])) {
      $this->exitMissingAttribute('Name');
    }
    $USERINFO['name'] = $attrs[$conf['ssp_attr_name']][0];
 
    if (!isset($attrs[$conf['ssp_attr_mail']][0])) {
      $this->exitMissingAttribute('Mail');
    }
    $USERINFO['mail'] = $attrs[$conf['ssp_attr_mail']][0];
 
    // groups may be empty (by default any user belongs to the user group) don't perform empty check
    $USERINFO['grps'] = $attrs[$conf['ssp_attr_grps']];
 
    if (!isset($attrs[$conf['ssp_attr_user']][0])) {
      $this->exitMissingAttribute('User');
    }
 
    // assign user id to the user global information
    $_SERVER['REMOTE_USER'] = $attrs[$conf['ssp_attr_user']][0];
 
    // assign user id and the data from USERINFO to the DokuWiki session cookie
    $_SESSION[DOKU_COOKIE]['auth']['user'] = $attrs[$conf['ssp_attr_user']][0];
    $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
 
    # } // end if_isAuthenticated()

    return true;
  }
 
  /**
   * exit printing info and logout link
   *
   */
  function exitMissingAttribute( $attribute ){
    // get logout link
    $url = $this->as->getLogoutURL();
    $logoutlink = '<a href="' . htmlspecialchars($url) . '">logout</a>';
    die( $attribute . ' attribute missing from IdP. Please ' . $logoutlink . ' to return to login form');
  }
 
  /**
   * Log off the current user from DokuWiki and IdP
   *
   */
  function logOff(){
    // use the simpleSAMLphp authentication object created in trustExternal to logout
    $this->as->logout('/');
  }
 
}
 
//Setup VIM: ex: et ts=2 enc=utf-8 :

Configuration

1. For configuring the SimpleSAMLphp application look at the online documentation of the project

2. For installing the new backend just save the above code under …/dokuwiki/inc/auth/ssp.class.php

3. Add the following lines in your DokuWiki configuration file (local.php):

// use the SimpleSAMLphp backend
$conf['authtype']   = 'ssp';
$conf['useacl'] = 1;
 
// path for the simplesamlphp installation root
$conf['ssp_path'] = '/var/simplesamlphp';
 
// configure attribute names to match the ones used by our authentication backend (IdP)
$conf['ssp_attr_name'] = 'cn';
$conf['ssp_attr_user'] = 'uid';
$conf['ssp_attr_mail'] = 'email';
$conf['ssp_attr_grps'] = 'eduPersonAffiliation';

4. Integrate SimpleSAMLphp and DokuWiki:

a) By changing SimpleSAMLphp in the default session store type in the config/config.php file: Change this line:

'store.type' => 'phpsession'

To this:

'store.type' => 'memcache'

b) OR by setting in the same file the value 'DokuWiki' to the php cookie name:

'session.phpsession.cookiename'  => 'DokuWiki',

and comment the lines that set the cookie params in the init.php file of DokuWiki,like this:

 if (version_compare(PHP_VERSION, '5.2.0', '>')) { 
        //session_set_cookie_params(0,DOKU_REL,'',($conf['securecookie'] && is_ssl()),true); 
    }else{ 
        //session_set_cookie_params(0,DOKU_REL,'',($conf['securecookie'] && is_ssl())); 

5. (optional) Uncomment the lines starting by '#' in the authentication backend to allow guest users visit the site without requiring user and password credentials

In this case you should also modify the inc/template.php file to correct the behaviour of the login button, redirecting it to the IdP login form

//   $out .= html_btn('login',$ID,'',array('do' => 'login', 'sectok' => getSecurityToken()));
$as = new SimpleSAML_Auth_Simple('default-sp');
$link_as = $as->getLoginURL();
$out .= '<form class="button btn_login" method="post" action="' . $link_as . '"><div class="no"><input type="submit" value="Login" class="button" title="Login" /></div></form>';
auth/ssp.1307372490.txt.gz · Last modified: 2011-06-06 17:01 by 83.49.108.130