Dokuwiki Shibboleth authentication backend

DokuWiki is a standards compliant, simple to use Wiki, mainly aimed at creating documentation of any kind. It is targeted at developer teams, workgroups and small companies. It has a simple but powerful syntax which makes sure the datafiles remain readable outside the Wiki and eases the creation of structured texts. All data is stored in plain text files – no database is required. (description taken from DokuWiki homepage)

The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

Making DokuWiki authenticate through Shibboleth is fairly easy thanks to the extensible DokuWiki authentication framework, which makes it simple to plug in different authentication backends. The Shibboleth backend itself only needs to check some environment variables and determine the user’s username and info.

You can get more information and download the backend at its homepage:

Dokuwiki Shibboleth Authentication Backend

Feel free to comment.

8 Comments

  1. procaccia says:

    hello,
    thank you for this great shibboleth-dokuwiki plugin.
    It works fine for me for authenticating.
    For authorization I have doubts about how to use var_entitlement to map dokuwiki groups!?
    here’s what I did in local.php

    # 'var_entitlement' – The name of the attribute containing the user entitlement (eduPersonEntitlement)
    $conf['auth']['shib']['var_entitlement'] = 'unscoped-affiliation';

    But I can’t figure out how to use entitlement_groups
    # 'entitlement_groups' – maps entitlements to user groups, 'var_entitlement' must be set
    #$conf['auth']['shib']['entitlement_groups'] = array(
    # 'https://www.example.org/special' => 'special_group',
    # 'https://www.example.org/internal' => 'internal_group'
    #);

    here my unscoped-affiliation attribute contains values from eduPersonAffiliation (faculty, member, employee, student …), how can I generate associated dokuwiki groups?

    Thanks .

  2. Robert Kelly says:

    Hello Ivan,
    I just wanted to say thanks for your Shibboleth plugins for Dokuwiki.
    Great work!
    I’m using both the auth and login plugins and I only had one issue which I thought I’d let you know about.
    Clicking the logout button did not work for me.
    I’m new to Dokuwiki, especially its internals, but I managed to get it working by adding an exit() at the end of the logOff() function. (Saw it used in another auth plugin)
    I’m not sure if that is the correct way of making it work, but, it worked for me.
    It seems to prevent Dokuwiki from sending its own redirect.

    Thanks again,
    Rob

  3. procaccia says:

    forget my request about how to allocate dynamic groups with shib
    I found it myself, the example with URL misled me …
    here’s how I use it now with success:
    # 'var_entitlement' – The name of the attribute containing the user entitlement (eduPersonEntitlement)
    $conf['auth']['shib']['var_entitlement'] = 'unscoped-affiliation';

    # 'entitlement_groups' – maps entitlements to user groups, 'var_entitlement' must be set
    $conf['auth']['shib']['entitlement_groups'] = array(
    'student' => 'student',
    'employee' => 'employee',
    'member' => 'member'
    );

    in my use case with eduPersonAffiliation, when shibboleth retrieves the user’s eduPersonAffiliation attribute (rewritten to unscoped-affiliation here)
    if he is a student he gets assigned to the “student” dokuwiki group.
    That works like a charm, very clever !
    thanks again for your contribution to dokuwiki & shibboleth .

    regards .

  4. finally, dynamically allocating groups based on shib attribute values doesn’t seem to work :-(
    I did a wrong test with too much open ACL in my previous post.
    Now I checked again with a better test, and it doesn’t work as expected.
    I use the ?do=check option on the page I want to check ACL, and now I can clearly see that I am not in the expected groups .
    ?do=check on the start page after logged in with shib and a username that has “employee” for var_entitlement value only gives me:
    “You are part of the groups allusers”
    not the expected additional group “employee” :-(
    as programmed in
    $conf['auth']['shib']['entitlement_groups'] = array(
    'student' => 'student',
    'employee' => 'employee',
    'member' => 'member'
    );

    did I miss something?
    I also read that all users not connected with 'plain' auth aren’t in the @user group, which is supposed to group all connected users
    it’s quite embarrassing, any help greatly appreciated.

    Regards .

  5. procaccia says:

    Sorry, I finally found the problem
    enabling debug helped a lot, thanks for that functionality
    The problem comes from the admin page (id=start&do=admin&page=config): when I edit the config from the admin web interface of dokuwiki, it rewrites the config, but wrongly for entitlement_groups :-(

    original:
    $conf['auth']['shib']['entitlement_groups'] = array(
    'student' => 'student',
    'member' => 'member',
    'invite' => 'invite',
    'employee' => 'employee'
    );

    had been rewritten to

    #$conf['auth']['shib']['entitlement_groups'] = 'array( \'student\' => \'student\', \'invite\' => \'invite\', \'member\' => \'member\' \'employee\' => \'employee\' )';
    which seems to be syntactically wrong according to the debug message:

    [Thu Jan 07 22:23:38 2010] [error] [client 82.230.31.137] entitlement groups not configured
    [Thu Jan 07 22:23:38 2010] [error] [client 82.230.31.137] Array\n(\n [uid] => Procaccia\n [name] => Procaccia\n [mail] => procacci@enst.fr\n [grps] => Array\n (\n [0] => shibusers\n [1] => intraIT\n )\n\n)\n

    now that I have reset the ['entitlement_groups'] = array(… in multiple lines manually in local.php, I no longer have the “entitlement groups not configured” error in apache error_log, and the “invite” shib group is now set :-) :
    [Thu Jan 07 22:28:36 2010] [error] [client 82.230.31.137] Array\n(\n [uid] => Procaccia\n [name] => Procaccia\n [mail] => procacci@enst.fr\n [grps] => Array\n (\n [0] => shibusers\n [1] => intraIT\n [2] => invite\n )\n\n)\n

    I’ve checked ACLs based on those shib groups (?do=check also confirms that it is set), everything seems fine, I’ll post that positive experience on your blog when all my tests are conclusive.

    Thanks again for that wonderful and powerful plugin!

  6. micro says:

    you should put that part of the configuration in local.protected.php.

    When you save the settings in the admin panel, only local.php is modified.

    Thanks for the plugin!

    Regards,
    micro
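
The failure reported in comment 5 and the fix suggested in comment 6, as an added example that is not the plugin's own code: `groups_from_entitlement()` is a hypothetical stand-in for the backend's mapping step, and splitting the attribute value on `;` is an assumption about how multi-valued attributes arrive. It shows why the string form written by the configuration manager yields no groups while the array form does.

```php
<?php
// Added example; not code from DokuWiki or the Shibboleth backend.
// groups_from_entitlement() is a hypothetical stand-in for the mapping step.

function groups_from_entitlement($mapping, string $attrValue): array
{
    // The config manager saved the setting as the string 'array( ... )'.
    // Anything that is not an array is treated as "not configured", so the
    // user gets no extra groups instead of a guessed mapping.
    if (!is_array($mapping)) {
        error_log('entitlement groups not configured');
        return [];
    }

    $groups = [];
    // Assumption: multi-valued attributes arrive joined with ';'.
    foreach (explode(';', $attrValue) as $value) {
        $value = trim($value);
        // Exact key match only: 'member' must not match 'nonmember'.
        if ($value !== '' && isset($mapping[$value])) {
            $groups[] = $mapping[$value];
        }
    }
    return array_values(array_unique($groups));
}

// Array form, as it would be kept in local.protected.php.
$asArray = array(
    'student'  => 'student',
    'member'   => 'member',
    'invite'   => 'invite',
    'employee' => 'employee',
);

// String form, as rewritten into local.php by the admin config page.
$asString = 'array( \'student\' => \'student\', \'invite\' => \'invite\' )';

// Constructed attribute value for one user.
$affiliation = 'member;employee';

foreach (['array' => $asArray, 'string' => $asString] as $label => $mapping) {
    $groups = groups_from_entitlement($mapping, $affiliation);
    printf("%-6s -> [%s]\n", $label, implode(', ', $groups));
}
```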

  7. procaccia says:

    When the shib plugin is enabled and you restrict access to a namespace with ACL, media files/images are no longer visible :-(
    I double-checked my ACL and file permissions, no way. is this a bug?

    example
    user:* @shibusers 1

    for example, when accessing doku.php?id=user:shibusers:dsi page which contains images, before installing shib plugins (with @user acl 1 access at that time !) images were visible to a logged in user (plain), as soon as I enable shib auth, page and group access works fine, but not for images :-( .

    please help.
    thanks .

  8. procaccia says:

    It’s not a bug, nor a misconfiguration of the ACL.
    It’s just a silly Carriage Return left at the end of the file pointed to by $conf['auth']['shib']['customgroups_file'] that added a CR at the beginning of every media file :-(
    (0a FF D8 ….) instead of (FF D8 ….)
    I removed the CR at the end of my custom_group file, and now it works fine.
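
A check for the problem described in comment 8, as an added example that is not part of DokuWiki or the plugin: it assumes the file named by `customgroups_file` is loaded as PHP, so any byte outside the PHP tags is sent to the client ahead of the media data. `stray_output()` and the sample strings are constructed for illustration.

```php
<?php
// Added example; not code from DokuWiki or the Shibboleth backend.
// Lists the bytes a PHP file would send as output when it is included.

function stray_output(string $source): array
{
    $found = [];
    foreach (token_get_all($source) as $token) {
        // T_INLINE_HTML is any text outside the PHP tags: it is echoed as-is.
        // The one newline PHP swallows after a closing tag belongs to the
        // T_CLOSE_TAG token, so it is not reported here.
        if (is_array($token) && $token[0] === T_INLINE_HTML) {
            $found[] = ['line' => $token[2], 'hex' => bin2hex($token[1])];
        }
    }
    return $found;
}

// Constructed samples standing in for a custom groups file.
$samples = [
    'no closing tag'        => "<?php\n\$customGroups = array();\n",
    'closing tag + newline' => "<?php\n\$customGroups = array();\n?>\n",
    'extra blank line'      => "<?php\n\$customGroups = array();\n?>\n\n",
    'UTF-8 BOM at start'    => "\xEF\xBB\xBF<?php\n\$customGroups = array();\n",
];

// Check real files instead when paths are given on the command line.
$inputs = $samples;
if (PHP_SAPI === 'cli' && count($argv) > 1) {
    $inputs = [];
    foreach (array_slice($argv, 1) as $path) {
        $inputs[$path] = (string) file_get_contents($path);
    }
}

foreach ($inputs as $name => $source) {
    $stray = stray_output($source);
    if ($stray === []) {
        echo "$name: clean\n";
        continue;
    }
    foreach ($stray as $s) {
        echo "$name: output bytes {$s['hex']} at line {$s['line']}\n";
    }
}
```

A file that has no closing tag cannot emit trailing bytes, so leaving the tag out of configuration-style PHP files avoids this class of problem.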
