[Mediawiki-l] Plexcel Kerberos Single Sign-On (SSO)

Michael B Allen mba2000 at ioplex.com
Mon Apr 16 19:05:44 UTC 2007


Hello List,

We have written a MediaWiki extension for Krb5 Single Sign-On (SSO)
that uses our Plexcel PHP extension. I have created an extension page
in the usual way:

  http://www.mediawiki.org/wiki/Extension:Plexcel

The extension works great but we had to add the AuthPlugin initialization
to includes/Setup.php. We feel this procedure is sub-optimal so I would
like to explain why this was necessary hoping that a future version of
MediaWiki might improve this use-case (or at least not break it).

First, let me explain a little about what SSO means with respect to our
plugin. When a user logs into their intranet workstation (e.g. Windows
XP) in the morning they enter their credentials and get a special Kerberos
ticket. For the duration of their login session that ticket can be used
to authenticate with other Kerberos protected resources. Our plugin acts
as a Kerberos authentication acceptor for web clients that can perform
raw Kerberos or SPNEGO. The protocol sequence is as follows:

When a client visits a Kerberos protected site (e.g. MediaWiki with our
plugin) the request is rejected with 401 Unauthorized and a special
WWW-Authenticate: Negotiate header. This indicates to the client
(e.g. IE on XP) that Integrated Windows Authentication (IWA) should be
performed (IWA is Microsoft's way of saying SPNEGO negotiated NTLMSSP
or Kerberos which for most people it basically means Kerberos). Provided
the client's settings are suitable for performing Kerberos and they have
the appropriate ticket the request will be resubmitted with a special
Authenticate: Negotiate <base64encodedblob> header. This blob of data
is consumed, used to authenticate the client and extract information
about the user such as their full name and what groups they are in.

There are several issues that arise when integrating Kerberos SSO into
an application like MediaWiki. First, notice that two HTTP requests are
required to fetch a page. This happens with EVERY SINGLE PAGE. Also, when
the base64 authentication header is accepted it must be processed after
the necessary user infrastructure has been initialized because it will
need to query/create the user's MW account and update the login status.

For the above reasons, currently, the PlexcelPlugin class needs to be
initialized and invoked in includes/Setup.php around line 170 after the
StubUser is created. Invoking it before that location generates an error
because the StubUser is required to simulate the "login" of an SSO client.

I have ideas about how this use-case might be improved but I would first
like to hear if anyone is interested in all of this and if they have
any recommendations.

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
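The challenge/response exchange described in the post, as an added example that is not part of the original message, the Plexcel extension or MediaWiki. It simulates both sides offline: the server answers an anonymous request with 401 and WWW-Authenticate: Negotiate, the client resubmits with an Authorization: Negotiate header (the header name given in RFC 4559) carrying a base64 GSS-API token, and the server parses the DER InitialContextToken wrapper far enough to tell a SPNEGO token, a raw Kerberos token and an NTLMSSP fallback apart. No KDC is involved: DEMO_KEYTAB and the AP-REQ:... payloads are constructed stand-ins for the real acceptor step (gss_accept_sec_context against a service keytab), and NegotiateServer, client_fetch and the other names are this example's own. The round-trip counter makes the two-requests-per-page cost the post complains about visible.

```python
"""Simulated HTTP Negotiate (SPNEGO) round trip; added example, not Plexcel code."""
import base64
import binascii

SPNEGO_OID = "1.3.6.1.5.5.2"        # RFC 4178 SPNEGO mechanism
KRB5_OID = "1.2.840.113554.1.2.2"   # RFC 4121 Kerberos V5 mechanism
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # raw NTLMSSP message, i.e. the IWA NTLM fallback

def encode_oid(dotted):
    """Dotted OID string -> DER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    """DER content octets -> dotted OID string."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _read_der_len(buf, pos):
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or pos + 1 + nbytes > len(buf):  # indefinite or truncated length
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes

def gss_initial_token(oid, inner):
    """RFC 2743 InitialContextToken: 0x60 len { 0x06 len OID, inner }."""
    oid_bytes = encode_oid(oid)
    body = b"\x06" + _der_len(len(oid_bytes)) + oid_bytes + inner
    return b"\x60" + _der_len(len(body)) + body

def parse_token(blob):
    """Classify an Authorization: Negotiate blob -> (mechanism, inner bytes)."""
    if blob.startswith(NTLMSSP_SIGNATURE):
        return "ntlmssp", blob
    if not blob or blob[0] != 0x60:
        return "unknown", blob
    try:
        _, pos = _read_der_len(blob, 1)
        if blob[pos] != 0x06:
            return "unknown", blob
        oid_len, pos = _read_der_len(blob, pos + 1)
        oid = decode_oid(blob[pos:pos + oid_len])
    except (IndexError, ValueError):
        return "unknown", blob
    mech = {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "unknown")
    return mech, blob[pos + oid_len:]

# Constructed stand-in for the keytab-backed acceptor: inner token -> principal.
DEMO_KEYTAB = {b"AP-REQ:alice": "alice@EXAMPLE.COM"}

class NegotiateServer:
    """Acceptor side. handle() returns (status, headers, user, mechanism)."""
    def __init__(self):
        self.requests = 0

    def handle(self, headers):
        self.requests += 1
        auth = headers.get("Authorization", "")
        if not auth.startswith("Negotiate "):
            return 401, {"WWW-Authenticate": "Negotiate"}, None, None
        try:
            blob = base64.b64decode(auth[len("Negotiate "):], validate=True)
        except (binascii.Error, ValueError):
            return 400, {}, None, None
        mech, inner = parse_token(blob)
        if mech in ("spnego", "kerberos"):
            user = DEMO_KEYTAB.get(inner)  # real code: gss_accept_sec_context()
            if user:
                return 200, {}, user, mech
        # NTLMSSP fallback (client had no ticket) or a token we cannot accept:
        # re-challenge instead of silently downgrading to NTLM.
        return 401, {"WWW-Authenticate": "Negotiate"}, None, mech

def client_fetch(server, token_blob):
    """IWA client: anonymous request first, resubmit on 401 Negotiate.
    Returns (status, user, round_trips)."""
    status, hdrs, user, _ = server.handle({})
    trips = 1
    if status == 401 and hdrs.get("WWW-Authenticate") == "Negotiate":
        b64 = base64.b64encode(token_blob).decode("ascii")
        status, hdrs, user, _ = server.handle({"Authorization": "Negotiate " + b64})
        trips += 1
    return status, user, trips

# Constructed sample tokens (payloads are placeholders, not real AP-REQs).
ALICE_SPNEGO = gss_initial_token(SPNEGO_OID, b"AP-REQ:alice")
ALICE_KRB5 = gss_initial_token(KRB5_OID, b"AP-REQ:alice")
NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28
TRUNCATED = b"\x60\x80\x06"
```

Every page fetch costs client_fetch() two server.handle() calls, which is the point made in the post; a real deployment usually amortizes that with a session cookie issued once the first Negotiate succeeds. The NTLMSSP branch matters because an IWA client with no ticket for the service SPN falls back to NTLM inside the same Negotiate header, and an acceptor that only understands Kerberos must recognise and refuse it rather than error out.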
