Extension version: 1.4.1 (last update: 2011-09-14);
MediaWiki version: 1.13.x or newer (tested with 1.13.3, 1.16.0, 1.17.0);
simpleSAMLphp version: 1.6 or newer;
Author: Draženko Celjak, contact: aai@srce.hr;
Prerequisites
simpleSAMLphp and MediaWiki installed and operational
Installation and configuration
1. Add the following code to the bottom of LocalSettings.php file (in mediawiki directory):
# simpleSAMLphp authentication $simplesamlphp_basedir = '/your/path/to/simplesamlphp'; // simplesamlphp path $samlVersion = 'saml2'; // saml version; allowed values are: 'saml2' or 'shib13' $forceSSO = false; // forces user to login $simpleSAMLphpUserAutoCreate = true; // auto create a user that doesn't exist # attributes used by SimpleSAMLphp authentication (if array first value is taken): $usernameAttribute = 'urn:mace:dir:attribute-def:eduPersonPrincipalName'; $mailAttribute = 'urn:mace:dir:attribute-def:mail'; $givenNameAttribute = 'urn:mace:dir:attribute-def:givenName'; $surnameAttribute = 'urn:mace:dir:attribute-def:sn'; # setting up user permissions $wgGroupPermissions['*']['createaccount'] = false; $wgGroupPermissions['*']['read'] = true; $wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['createpage'] = false; $wgGroupPermissions['*']['createtalk'] = false; // authorization // $wgHooks['simpleSAMLphpAuthorization'][] = 'customAuthHookFunction'; require_once($simplesamlphp_basedir . '/lib/_autoload.php'); require_once('extensions/SimpleSAMLphpAuth.php');
2. Adjust the value of variable $simplesamlphp_basedir, if needed change attribute names so that they comply to names you are getting from Identity Provider and optionaly change user group permissions. Note that you are able to select between saml2 and shib13. You can also implement custom authorization (more about that in custom authorization section);
3. Download the extension and unpack it to MediaWiki's extension directory;
That's all. If you run into problems or have any suggestions you can contact us by mail.
Custom authorization
Extension executes simpleSAMLphpAuthorization hook with array of simpleSAMLphp session attributes as parameter.
Example of custom authorization (LocalSettings.php):
/ authorization $wgHooks['simpleSAMLphpAuthorization'][] = 'sa5Authorization'; require_once($simplesamlphp_basedir . '/www/_include.php'); require_once('extensions/SimpleSAMLphpAuth.php'); function sa5Authorization($attributes) { // check if eduPersonEntitlement contains urn:geant:edugain:entitlement:eduroam:wiki $attributeName = 'urn:mace:dir:attribute-def:eduPersonEntitlement'; $requiredValue = 'urn:geant:edugain:entitlement:eduroam:wiki'; if (isset($attributes[$attributeName])) { $sum = implode(';',$attributes[$attributeName]) . ';'; if ( strpos($sum, $requiredValue.';' ) !== false ) { return true; } } echo "Sorry, this wiki is for SA5 members only."; exit(); }
Make sure that you define the hook (line $wgHooks['simpleSAMLphpAuthorization'][] = 'sa5Authorization';) before including extension ( require_once('extensions/SimpleSAMLphpAuth.php'); ) so that extension could "know" about it.
Authorization function could be implemented in separate file in extension directory and included somewhere in LocalSettings.php.
Troubleshooting
Q: I don't seem to be able to edit any pages on my wiki anymore, it throws an error showing the following text: "Your edit has been rejected because your client mangled the punctuation characters in the edit token. The edit has been rejected to prevent corruption of the page text. This sometimes happens when you are using a buggy web-based anonymous proxy service."
A: Turn off magic quotes either in php.ini or in .htaccess: http://www.php.net/magic_quotes