Hello List,
We have written a MediaWiki extension for Krb5 Single Sign-On (SSO) that uses our Plexcel PHP extension. I have created an extension page in the usual way:
http://www.mediawiki.org/wiki/Extension:Plexcel
The extension works great but we had to add the AuthPlugin initialization to includes/Setup.php. We feel this procedure is sub-optimal so I would like to explain why this was necessary hoping that a future version of MediaWiki might improve this use-case (or at least not break it).
First, let me explain a little about what SSO means with respect to our plugin. When a user logs into their intranet workstation (e.g. Windows XP) in the morning they enter their credentials and get a special Kerberos ticket. For the duration of their login session that ticket can be used to authenticate with other Kerberos protected resources. Our plugin acts as a Kerberos authentication acceptor for web clients that can perform raw Kerberos or SPNEGO. The protocol sequence is as follows:
When a client visits a Kerberos protected site (e.g. MediaWiki with our plugin) the request is rejected with 401 Unauthorized and a special WWW-Authenticate: Negotiate header. This indicates to the client (e.g. IE on XP) that Integrated Windows Authentication (IWA) should be performed (IWA is Microsoft's way of saying SPNEGO negotiated NTLMSSP or Kerberos, which for most people basically means Kerberos). Provided the client's settings are suitable for performing Kerberos and they have the appropriate ticket, the request will be resubmitted with a special Authenticate: Negotiate <base64encodedblob> header. This blob of data is consumed, used to authenticate the client and extract information about the user such as their full name and what groups they are in.
There are several issues that arise when integrating Kerberos SSO into an application like MediaWiki. First, notice that two HTTP requests are required to fetch a page. This happens with EVERY SINGLE PAGE. Also, when the base64 authentication header is accepted it must be processed after the necessary user infrastructure has been initialized because it will need to query/create the user's MW account and update the login status.
For the above reasons, currently, the PlexcelPlugin class needs to be initialized and invoked in includes/Setup.php around line 170 after the StubUser is created. Invoking it before that location generates an error because the StubUser is required to simulate the "login" of an SSO client.
I have ideas about how this use-case might be improved but I would first like to hear if anyone is interested in all of this and if they have any recommendations.
Mike
We have written a MediaWiki extension for Krb5 Single Sign-On (SSO) that uses our Plexcel PHP extension. I have created an extension page in the usual way:
http://www.mediawiki.org/wiki/Extension:Plexcel
The extension works great but we had to add the AuthPlugin initialization to includes/Setup.php. We feel this procedure is sub-optimal so I would like to explain why this was necessary hoping that a future version of MediaWiki might improve this use-case (or at least not break it).
Is it not possible to use the auto-authentication hook, or is the hook called too late?
On Mon, 16 Apr 2007 15:44:47 -0500 "Lane, Ryan" Ryan.Lane@ocean.navo.navy.mil wrote:
We have written a MediaWiki extension for Krb5 Single Sign-On (SSO) that uses our Plexcel PHP extension. I have created an extension page in the usual way:
http://www.mediawiki.org/wiki/Extension:Plexcel
The extension works great but we had to add the AuthPlugin initialization to includes/Setup.php. We feel this procedure is sub-optimal so I would like to explain why this was necessary hoping that a future version of MediaWiki might improve this use-case (or at least not break it).
Is it not possible to use the auto-authentication hook, or is the hook called too late?
I'm not sure about the timing, it might be ok. But I could never figure out how to set the user's information. I had to make an entirely new User object and set it to $wgUser. Actually I remember now that that is why I had to initialize *after* $wgUser = new StubUser; because that statement would overwrite the $wgUser value.
But let's explore the AutoAuthenticate hook again. If I make a plugin roughly like the following:
    class PlexcelAuth extends AuthPlugin {
        function PlexcelAuth() {
            global $wgHooks;   // needed inside a method, otherwise $wgHooks is a local variable
            // other stuff
            $wgHooks['AutoAuthenticate'][] = array( $this, 'authenticateSso' );
        }

        function authenticateSso( &$user ) {
            // do sso
            if ( sso_is_successful ) {   // placeholder for the Plexcel SSO check
                $user->mName = $this->acct['sAMAccountName'];
                return;
            }
        }
    }
The user's name is never acknowledged. Even though the user is passed by reference it seems I'm doing something wrong. I'm a lot better at C than I am at PHP. How am I supposed to be setting the user's information?
Currently, in the non-AutoAuthenticate version I have the following which is invoked manually from within includes/Setup.php:
    function authenticateSso( $user ) {
        // do sso
        if ( sso_is_successful ) {   // placeholder for the Plexcel SSO check
            global $wgUser;
            $wgUser = User::newFromName( $this->acct['sAMAccountName'] );
            if ( $wgUser->idForName() == 0 ) {
                // no account yet: create one from the directory attributes
                if ( isset( $this->acct['mail'] ) )
                    $wgUser->mEmail = $this->acct['mail'];
                if ( isset( $this->acct['displayName'] ) )
                    $wgUser->mRealName = $this->acct['displayName'];
                $wgUser->addToDatabase();
                $wgUser->setToken();
            }
            plexcel_log( 3, 'MediaWiki: SSO successful: ' . $wgUser->getName() );
            return;
        }
    }
How do I do this using AutoAuthenticate and the supplied user?
Mike
But let's explore the AutoAuthenticate hook again. If I make a plugin roughly like the following:
    class PlexcelAuth extends AuthPlugin {
        function PlexcelAuth() {
            global $wgHooks;   // needed inside a method, otherwise $wgHooks is a local variable
            // other stuff
            $wgHooks['AutoAuthenticate'][] = array( $this, 'authenticateSso' );
        }

        function authenticateSso( &$user ) {
            // do sso
            if ( sso_is_successful ) {   // placeholder for the Plexcel SSO check
                $user->mName = $this->acct['sAMAccountName'];
                return;
            }
        }
    }
You need to look at some examples of other auto-authentication plugins. You need to do quite a bit more than you are doing. You should be checking to see if the user is already logged in, and if so returning, if not, checking to make sure the authentication went through ok. If it did, you need to check to see if the user has an account; if so, log them in; if not create an account manually.
The HttpAuth plugin is a good simple example (http://www.mediawiki.org/wiki/Extension:HttpAuth), the LDAP Authentication plugin is a slightly more complicated example (http://svn.wikimedia.org/viewvc/mediawiki/trunk/extensions/LdapAuthentication/LdapAuthentication.php?view=markup). There are a few more on mediawiki.org (http://www.mediawiki.org/wiki/Category:Authentication_and_Login).
Currently, in the non-AutoAuthenticate version I have the following which is invoked manually from within includes/Setup.php:
    function authenticateSso( $user ) {
        // do sso
        if ( sso_is_successful ) {   // placeholder for the Plexcel SSO check
            global $wgUser;
            $wgUser = User::newFromName( $this->acct['sAMAccountName'] );
            if ( $wgUser->idForName() == 0 ) {
                // no account yet: create one from the directory attributes
                if ( isset( $this->acct['mail'] ) )
                    $wgUser->mEmail = $this->acct['mail'];
                if ( isset( $this->acct['displayName'] ) )
                    $wgUser->mRealName = $this->acct['displayName'];
                $wgUser->addToDatabase();
                $wgUser->setToken();
            }
            plexcel_log( 3, 'MediaWiki: SSO successful: ' . $wgUser->getName() );
            return;
        }
    }
This looks similar to how the auto-authentication plugins work. I'm pretty sure you'll be able to use the auto-authentication hook instead of mucking around in Setup.php.
V/r,
Ryan Lane
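One way to follow the steps Ryan lists while working on the $user object the hook hands over, instead of replacing $wgUser from Setup.php. This is an added example, not Plexcel's or MediaWiki's own code; it assumes the User methods of the MediaWiki 1.9/1.10 era (isLoggedIn, idFromName, setID, loadFromId, setCookies, saveSettings) and a hypothetical plexcelAccount() standing in for the Plexcel call that consumes the Negotiate blob.

```php
<?php
// Added example (not Plexcel's or MediaWiki's own code): AutoAuthenticate
// handler along Ryan's outline, working on the supplied $user. Assumes the
// 1.9/1.10-era User API; plexcelAccount() is a hypothetical Plexcel stand-in.
class PlexcelAuth extends AuthPlugin {
    function PlexcelAuth() {
        global $wgHooks;   // inside a method $wgHooks is local unless declared
        $wgHooks['AutoAuthenticate'][] = array( $this, 'authenticateSso' );
    }
    // Hypothetical: attributes of the authenticated client (sAMAccountName,
    // mail, displayName) or null if the Negotiate exchange failed.
    function plexcelAccount() {
        return null;   // Plexcel-specific; replace with the real check
    }
    function authenticateSso( &$user ) {
        // 1. Already logged in via session cookie: nothing to do.
        if ( $user->isLoggedIn() ) {
            return true;
        }
        // 2. Did the Kerberos/SPNEGO exchange succeed?
        $acct = $this->plexcelAccount();
        if ( $acct === null ) {
            return true;   // leave the anonymous user alone
        }
        // Let MediaWiki validate and canonicalise the name first.
        $probe = User::newFromName( $acct['sAMAccountName'] );
        if ( $probe === null ) {
            return true;   // not a valid wiki user name
        }
        $id = User::idFromName( $probe->getName() );
        if ( $id ) {
            // 3a. Existing account: load it into the supplied object.
            $user->setID( $id );
            $user->loadFromId();
        } else {
            // 3b. First visit: create the account from the directory data.
            $user->setName( $probe->getName() );
            if ( isset( $acct['mail'] ) ) $user->setEmail( $acct['mail'] );
            if ( isset( $acct['displayName'] ) ) $user->setRealName( $acct['displayName'] );
            $user->addToDatabase();
            $user->setToken();
        }
        // 4. Mark the session as logged in and persist the settings.
        $user->setCookies();
        $user->saveSettings();
        plexcel_log( 3, 'MediaWiki: SSO successful: ' . $user->getName() );
        return true;
    }
}
```

Because the hook receives $wgUser by reference, mutating the object it passes is enough; assigning a fresh User object only makes sense if the rest of the request also sees that assignment, which is what the Setup.php workaround was compensating for.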
On Mon, 16 Apr 2007 17:04:39 -0500 "Lane, Ryan" Ryan.Lane@ocean.navo.navy.mil wrote:
You need to look at some examples of other auto-authentication plugins.
Hi Ryan,
I have modified our plugin to use the AutoAuthenticate hook and it is working well now. All configuration is in LocalSettings.php as it should be.
Thanks, Mike