I need to have Django (a Python web framework) handle authentication/authorization instead of MediaWiki doing it (like normal). This way authentication/authorization is handled in one place with a single sign-on.
I've seen many extensions and notes regarding authentication, but none specifically deal with Django. Before I start seeing what I can mish-mosh together from all the other information I've found, I thought I would ask to see if anybody has already done this.
I'm currently running MediaWiki v1.12.3 and PHP 5.2.5, but can upgrade if necessary.
Is your Django application using some specific method of authentication? Is this a custom built solution for web SSO? Why not take a look at some open standards for web SSO? If this is for a corporate environment, use LDAP or use some type of federated login like SAML or Shibboleth. If this is a non-corporate environment, look at using OpenID.
Take a look at OpenSSO with OpenDS; it'll do SAML 1/2, Shibboleth, OpenID, and a few other federation standards. OpenID and Shibboleth both have MediaWiki plugins available; it is possible to do SAML by using web agents with an HTTP authentication plugin.
V/r,
Ryan Lane
Thanks for replying.
Django actually is already using LDAP for authentication (company LDAP server, not under my control). In fact, I also have MediaWiki tied into the same LDAP server.
What I'm trying to avoid is logging into the Django site, clicking to get to the wiki (which is a part of the overall web site, the Django piece being the main content part), and having the user log in again (with exactly the same credentials).
What happened originally is that the Django site had no security while MediaWiki was read-only to everybody and read/write when you logged in. Now upper management MUST HAVE security on the Django part, so I was trying to avoid having people log in twice. This means that MediaWiki is read-only if the user has a certain Django permission and read/write given another Django permission (which would tie into 'guest' for read-only and actually authenticated if read/write as far as MediaWiki is concerned).
On Thu, 2009-06-11 at 16:25 -0500, Lane, Ryan wrote:
> > I need to have Django (a Python web framework) handle authentication/authorization instead of MediaWiki doing it (like normal). This way authentication/authorization is handled in one place with a single sign-on.
> > I've seen many extensions and notes regarding authentication, but none specifically deal with Django. Before I start seeing what I can mish-mosh together from all the other information I've found, I thought I would ask to see if anybody has already done this.
> > I'm currently running MediaWiki v1.12.3 and PHP 5.2.5, but can upgrade if necessary.
> Is your Django application using some specific method of authentication? Is this a custom built solution for web SSO? Why not take a look at some open standards for web SSO? If this is for a corporate environment, use LDAP or use some type of federated login like SAML or Shibboleth. If this is a non-corporate environment, look at using OpenID.
> Take a look at OpenSSO with OpenDS; it'll do SAML 1/2, Shibboleth, OpenID, and a few other federation standards. OpenID and Shibboleth both have MediaWiki plugins available; it is possible to do SAML by using web agents with an HTTP authentication plugin.
> V/r,
> Ryan Lane
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
You'll most likely have to write an authentication plugin for MediaWiki to trust the cookie created from Django. This can be tricky... See the CentralAuth extension (http://svn.wikimedia.org/viewvc/mediawiki/trunk/extensions/CentralAuth/) for an example of an authentication plugin that trusts other cookies. That plugin is more complex than you need, but it's a good example.
I definitely recommend going with some form of web SSO though. You can set up an OpenSSO server that points to your LDAP server, and protect the web server with a web agent. Then you can install an HTTP auth plugin. With web SSO, you can decide which URLs are protected, from what IPs, and can set up access policies based on groups and such.
Corporate web authentication only gets harder over time. Next they'll probably be asking to have third parties accessing your sites, or they'll want roles that cross applications. Web SSO might be a PITA at first, but it'll save you a lot of trouble later.
V/r,
Ryan Lane
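
The cookie trust discussed in the message above only holds if the wiki can verify that Django issued the cookie and that it is still fresh. The sketch below is an added example, not code from the thread, from CentralAuth or from any MediaWiki extension: Django signs a short-lived token carrying the username and wiki access level, and the wiki-side check (shown here in Python, to be ported to PHP in the plugin) rejects anything forged, altered or expired. The shared key, lifetime, permission names and token layout are all assumptions.

```python
import base64, hashlib, hmac, json, time

# Assumptions (not from the thread): key, lifetime, permission names, token layout.
SHARED_KEY = b"constructed-demo-key"   # shared by Django and the wiki plugin
MAX_AGE = 900                          # seconds a token stays valid
PERM_TO_LEVEL = [("wiki.edit", "readwrite"), ("wiki.view", "readonly")]
LEVELS = {level for _, level in PERM_TO_LEVEL}

def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(body):
    return b64e(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(username, django_perms, now=None):
    """Django side: build the cookie value after a successful login."""
    level = next((lvl for perm, lvl in PERM_TO_LEVEL if perm in django_perms), None)
    if level is None:
        raise PermissionError("user holds no wiki permission")
    issued = int(time.time() if now is None else now)
    body = b64e(json.dumps({"u": username, "lvl": level, "iat": issued}).encode())
    return body + "." + sign(body)

def verify_token(token, now=None):
    """Wiki side: return (username, level), or None to fall back to anonymous."""
    try:
        body, sig = token.split(".")
        # Check the MAC in constant time before parsing anything from the body.
        if not hmac.compare_digest(sig, sign(body)):
            return None
        claims = json.loads(b64d(body))
        age = (time.time() if now is None else now) - claims["iat"]
        if not 0 <= age <= MAX_AGE or claims["lvl"] not in LEVELS:
            return None
        return claims["u"], claims["lvl"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
```

Set the cookie with the Secure and HttpOnly flags and scope it to the path or domain both applications share, so the token never travels over plain HTTP or reaches page scripts.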