Hello List,
We have written a MediaWiki extension for Krb5 Single Sign-On (SSO) that uses our Plexcel PHP extension. I have created an extension page in the usual way:
http://www.mediawiki.org/wiki/Extension:Plexcel
The extension works great but we had to add the AuthPlugin initialization to includes/Setup.php. We feel this procedure is sub-optimal so I would like to explain why this was necessary hoping that a future version of MediaWiki might improve this use-case (or at least not break it).
First, let me explain a little about what SSO means with respect to our plugin. When a user logs into their intranet workstation (e.g. Windows XP) in the morning they enter their credentials and get a special Kerberos ticket. For the duration of their login session that ticket can be used to authenticate with other Kerberos protected resources. Our plugin acts as a Kerberos authentication acceptor for web clients that can perform raw Kerberos or SPNEGO. The protocol sequence is as follows:
When a client visits a Kerberos protected site (e.g. MediaWiki with our plugin) the request is rejected with 401 Unauthorized and a special WWW-Authenticate: Negotiate header. This indicates to the client (e.g. IE on XP) that Integrated Windows Authentication (IWA) should be performed (IWA is Microsoft's way of saying SPNEGO negotiated NTLMSSP or Kerberos, which for most people basically means Kerberos). Provided the client's settings are suitable for performing Kerberos and they have the appropriate ticket, the request will be resubmitted with a special Authenticate: Negotiate <base64encodedblob> header. This blob of data is consumed, used to authenticate the client and extract information about the user such as their full name and what groups they are in.
There are several issues that arise when integrating Kerberos SSO into an application like MediaWiki. First, notice that two HTTP requests are required to fetch a page. This happens with EVERY SINGLE PAGE. Also, when the base64 authentication header is accepted it must be processed after the necessary user infrastructure has been initialized because it will need to query/create the user's MW account and update the login status.
For the above reasons, currently, the PlexcelPlugin class needs to be initialized and invoked in includes/Setup.php around line 170 after the StubUser is created. Invoking it before that location generates an error because the StubUser is required to simulate the "login" of an SSO client.
I have ideas about how this use-case might be improved but I would first like to hear if anyone is interested in all of this and if they have any recommendations.
Mike
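The two-request Negotiate handshake Mike describes, as an added example that is not part of the original post or of the Plexcel extension. It models the HTTP layer only: the 401 challenge with WWW-Authenticate: Negotiate, the resubmitted Negotiate <base64 blob> header, and a triage of the decoded GSS-API token so the site can tell a Kerberos token from an NTLM fallback before handing the blob to the real acceptor (Plexcel in the post). The ticket validation itself is deliberately left to that acceptor; the OIDs are the standard GSS-API mechanism identifiers, the sample token bodies are constructed placeholders rather than real AP-REQs, and the SPNEGO inner-mechanism check is a heuristic (signature and OID scanning) rather than a full negTokenInit parser.

```python
"""HTTP Negotiate (SPNEGO/Kerberos) handshake triage.

Added example, not the original post's or Plexcel's code. It reproduces the
challenge/response flow at the HTTP layer and classifies the mechanism the
client sent, so an NTLM fallback can be refused or logged instead of being
silently accepted as "SSO". The token bodies are constructed placeholders.
"""
import base64

# DER-encoded OID bodies as they appear inside an RFC 2743 InitialContextToken.
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Microsoft variant)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                  # first 8 bytes of every NTLM message


def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_encode_length(n):
    """Encode n as a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def wrap_gss(mech_oid, inner):
    """Build an InitialContextToken: [APPLICATION 0] { OID mech, inner }."""
    payload = b"\x06" + der_encode_length(len(mech_oid)) + mech_oid + inner
    return b"\x60" + der_encode_length(len(payload)) + payload


def classify_gss_token(token):
    """Return which mechanism the raw (base64-decoded) token carries.

    Raw NTLM is recognised by its signature. GSS tokens are parsed to the outer
    mechanism OID; for SPNEGO the optimistic inner mechanism is inferred
    heuristically: an NTLMSSP signature inside the wrapper means the client led
    with NTLM, a Kerberos OID means it led with Kerberos.
    """
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if len(token) < 2 or token[0] != 0x60:
        return "invalid"
    try:
        _, pos = der_length(token, 1)
        if token[pos] != 0x06:
            return "invalid"
        oid_len, pos = der_length(token, pos + 1)
        oid = token[pos:pos + oid_len]
        body = token[pos + oid_len:]
    except (IndexError, ValueError):
        return "invalid"
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    if oid != SPNEGO_OID:
        return "invalid"
    if NTLMSSP_SIGNATURE in body:
        return "spnego-ntlm"
    if KRB5_OID in body or MS_KRB5_OID in body:
        return "spnego-kerberos"
    return "spnego-unknown"


def negotiate_header(token):
    """Format a raw token the way the client resubmits it."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def handle_request(headers, allow_ntlm=False):
    """One step of the Negotiate handshake at the HTTP layer.

    Returns (status, response_headers, mechanism). A 200 only means the blob is
    a Kerberos-bearing token worth passing to the GSS-API acceptor; the
    cryptographic check of the ticket happens there, not here.
    """
    challenge = {"WWW-Authenticate": "Negotiate"}
    auth = headers.get("Authorization")
    if not auth:
        return 401, challenge, None          # first request of every page: challenge
    scheme, _, blob = auth.partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return 401, challenge, None
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return 400, {}, "invalid"            # malformed base64 is a client error, not a retry
    mech = classify_gss_token(token)
    if mech in ("kerberos", "spnego-kerberos") or (allow_ntlm and mech in ("ntlm", "spnego-ntlm")):
        return 200, {}, mech
    return 401, challenge, mech              # NTLM fallback or junk: re-challenge and log mech


# Constructed sample tokens; the inner bodies are placeholders, not real AP-REQs.
SAMPLE_KRB_TOKEN = wrap_gss(KRB5_OID, b"\x01\x00" + b"\x00" * 8)
SAMPLE_SPNEGO_KRB = wrap_gss(SPNEGO_OID, b"\xa0\x10\x06\x09" + KRB5_OID + b"\x00" * 5)
SAMPLE_SPNEGO_NTLM = wrap_gss(SPNEGO_OID, b"\xa0\x10" + NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" * 2)

if __name__ == "__main__":
    print(handle_request({}))
    print(handle_request({"Authorization": negotiate_header(SAMPLE_SPNEGO_KRB)}))
    print(handle_request({"Authorization": negotiate_header(SAMPLE_SPNEGO_NTLM)}))
```

The first call shows the unconditional 401 that makes every page cost two requests; the second is the case the acceptor should see; the third is the NTLM fallback a Kerberos-only site would want to log rather than treat as a successful SSO login.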