On Tue, Aug 24, 2010 at 12:34 PM, Owen B. Mehegan <owen(a)nerdnetworks.org> wrote:
> I have a MediaWiki install (v. 1.15.3) and I'd like to be able to use
> an in-house single sign-on system that we have to authenticate users
> and log them into the wiki. I've started down the path of using
> AuthPlugin for this, but I'm stuck at one point.
>
> Right now I've got it working such that when a user goes to the wiki
> we check our SSO system to see if they are logged in and have the right
> role (sounds like LDAP right? sadly, it's not). If so, we allow them
> into the wiki. If not, we take them to our SSO sign-in page, they log
> in, then get directed to the wiki. If they log in but don't have the
> right role they are shown an error message. I want this to be the auth
> flow, rather than using the MW login page, so that's all fine. The
> problem is that I can't figure out how to get MW to auto-create
> accounts for these users and log them in when they are sent back to the
> wiki. They just end up back there as a logged-out anonymous user.

Is the web server handling this authentication, or does your plugin
need to handle it?

> I've looked at the following resources but I still can't figure out
> what I'm doing wrong:
>
> http://www.mediawiki.org/wiki/AuthPlugin
> http://svn.wikimedia.org/doc/classAuthPlugin.html
> http://wiki.case.edu/CaseWiki:External_Authentication
>
> I guess I just don't know what functions I'm supposed to implement
> myself to do account creation and login on the MW side, and I don't
> know what the best practices are for calling those.

It is really better to look at working examples. The examples you want
to look at really depend on the answer to my first question...
If the web server handles the authentication, you can look at an
extension like HTTP auth, or the auto-authentication part of the LDAP
plugin:
http://www.mediawiki.org/wiki/Extension:HttpAuth
http://svn.wikimedia.org/viewvc/mediawiki/trunk/extensions/LdapAuthenticati…
Note that the HTTP auth plugin isn't a *great* example, since its
configuration is really nasty. The LDAP version is better, but assumes
you are using LDAP as well, so it will have some things you won't
need.
If your plugin needs to handle it, you should take a look at the CAS
authentication extension:
http://www.mediawiki.org/wiki/Extension:CASAuthentication
This plugin redirects the user to the SSO server when clicking on the
login/logout link, checks the info from the server, and allows/denies
access accordingly.
Respectfully,
Ryan Lane