I'm going to be attempting to make MediaWiki read Harvard authentication. The Harvard system handles login and then passes a verified, user-unique token back to the caller. It's the caller's responsibility to look up the token in whatever their own authorization system is, and say, "Oh, yeah, that's this user, he has these rights" and proceed accordingly.
The idea here is that a user comes to the MediaWiki top URL, gets passed to Harvard auth, back to the wiki, which does the right thing and logs him in.
I realize there's going to need to be some PHP work here, and that's fine - but I'd rather try to hack an existing auth extension that's semi-close to what I'm trying to do than start from scratch. Unfortunately I'm sort of lost in the thick woods of all the auth extensions out there. Would anyone care to make recommendations for what I should use as a starting point?
Is the Harvard auth using Shibboleth or SAML? Even if not, it sounds like it works a lot like one of those. Pat Patterson, previously of Sun, wrote an OpenSSO plugin a while back that may be useful as a partial example. It does the redirection and checking of the returned cookie. It is missing the ability to create new users (which is important), and pull attributes from the token (which you may be able to live without). AFAIK, this is the only authentication extension that actually implements the redirect/cookie check instead of relying on a web server agent. See:
http://blogs.sun.com/superpat/entry/opensso_single_sign_on_extension
Note: this code is CDDL licensed, which is incompatible with GPL. I've asked Sun numerous times to relicense this to GPL without success.
You can use the AutoAuthentication portion of the LDAP authentication extension for an example of how to create users on login:
http://svn.wikimedia.org/viewvc/mediawiki/trunk/extensions/LdapAuthentication/LdapAutoAuthentication.php?view=markup
Specifically, look at the attemptAddUser function.
Note that the LDAP extension is GPL, hence the problem with the OpenSSO extension (thanks Sun). Make sure you only take ideas from the OpenSSO plugin, and don't copy code. I'll try again with Oracle to get it relicensed as GPL.
Respectfully,
Ryan Lane
mediawiki-l@lists.wikimedia.org
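As an added example (not code from the OpenSSO or LDAP extensions, and not Ryan's), here is a minimal MediaWiki extension skeleton of the redirect-then-check pattern described above: send an anonymous visitor to the external login, and on return look up the token it hands back, creating the local account on first visit. The login URL, the cookie name `HarvardToken` and the function `lookupHarvardToken()` are assumptions standing in for the real Harvard system and for the caller's own authorization lookup.

```php
<?php
// Assumed settings: replace with the real Harvard login URL and cookie name.
$wgHarvardLoginUrl    = 'https://login.example.edu/';
$wgHarvardTokenCookie = 'HarvardToken';
$wgHooks['UserLoadFromSession'][] = 'efHarvardAuthLoadFromSession';

/**
 * Hypothetical lookup of the opaque token in the wiki's own authorization
 * store. Returns the local username it maps to, or null if the token is
 * unknown. The constructed table stands in for a real database query.
 */
function lookupHarvardToken( $token ) {
    $known = array( 'tok-abc123' => 'Jsmith' );   // constructed sample data
    return isset( $known[$token] ) ? $known[$token] : null;
}

function efHarvardAuthLoadFromSession( $user, &$result ) {
    global $wgRequest, $wgOut, $wgHarvardLoginUrl, $wgHarvardTokenCookie;

    // The token is only ever used as a lookup key, never echoed or interpolated.
    $token = $wgRequest->getCookie( $wgHarvardTokenCookie, '' );
    if ( $token === null || $token === '' ) {
        // No token yet: hand the visitor to the central login and stay anonymous.
        // Make sure the login page cannot return without a token, or this loops.
        $wgOut->redirect( $wgHarvardLoginUrl );
        return true;
    }

    $name = lookupHarvardToken( $token );
    if ( $name === null || !User::isCreatableName( $name ) ) {
        return true;   // unknown token: do not trust it, remain anonymous
    }

    $id = User::idFromName( $name );
    if ( !$id ) {
        // First visit: create the local account, as attemptAddUser does in the
        // LDAP extension. No password is set; login happens only through SSO.
        $newUser = User::newFromName( $name, 'creatable' );
        if ( $newUser === false ) {
            return true;
        }
        $newUser->addToDatabase();
        $id = $newUser->getId();
    }

    $user->setId( $id );
    $user->loadFromId();
    $result = true;    // tell User::loadFromSession() the user is now loaded
    return true;
}
```

Note that the wiki never trusts the token's contents directly: the only thing it acts on is the result of its own lookup, which is the point the original question makes about the caller being responsible for authorization.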