Extension:Shibboleth
This extension is currently not actively maintained! Although it may still work, any bug reports or feature requests will more than likely be ignored. If you are interested in taking on the task of developing and maintaining this extension, you can request repository ownership. As a courtesy, you may want to contact the author. You should also remove this template and list yourself as maintaining the extension in the page's {{Extension}} infobox.
Shibboleth | |
---|---|
Release status | unmaintained |
Implementation | User identity |
Description | Extends the PluggableAuth extension to provide authentication using Shibboleth. |
Author(s) | Attila Laszlo (n0rthway) |
Latest version | v1.0.0-rc.1 (2018-03-05) |
Compatibility policy | Master maintains backward compatibility. |
MediaWiki | 1.29+ |
PHP | 7.0+ |
License | MIT License |
Issues | Open tasks · Report a bug |
The Shibboleth extension extends the PluggableAuth extension to provide authentication using the Shibboleth Apache module.
Installation
- Download and place the file(s) in a directory called Shibboleth in your extensions/ folder.
- Add the following code at the bottom of your LocalSettings.php:
      wfLoadExtension( 'Shibboleth' );
- Configure as required.
- Done! Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
Configure
Values must be provided for the following mandatory configuration variables:
Flag | Default | Description |
---|---|---|
$wgShibboleth_Username | no default value | The name of the attribute to be used for the user's username. |
$wgShibboleth_Email | no default value | The name of the attribute to be used for the user's email address. |
$wgShibboleth_DisplayName | no default value | The name of the attribute to be used for the user's real name. |
$wgShibboleth_Logout_Base_Url | no default value | Single Logout (SLO) base URL |
$wgShibboleth_Logout_Target_Url | no default value | Single Logout (SLO) target URL |
In addition, the following optional configuration variable is provided:
Flag | Default | Description |
---|---|---|
$wgShibboleth_GroupMap | null | Mapping from SAML attributes to MediaWiki groups of the form: $wgShibboleth_GroupMap = array('attr_name' => 'groups','sysop' => 'wiki_admin','bureaucrat' => 'wiki_editor', '...'); No group mapping is performed if $wgShibboleth_GroupMap is null. |
Use case: your SAML IdP reads groups from LDAP or a database and stores this information inside an attribute of the SAML response. You want to use this attribute to assign MediaWiki groups to users who belong to certain known groups given by your IdP.
Example:
- Your IdP sends an attribute named "groups" with a list of names like "administrator", "student", "teacher", ... in the SAML response after authentication.
- All users that have the value "administrator" in the "groups" attribute shall be mapped to the MediaWiki "sysop" group to give them admin rights within your MediaWiki instance.
- Create a group map in your LocalSettings.php as follows:
      $wgShibboleth_GroupMap = array(
          'attr_name' => 'groups',
          'sysop' => 'administrator',
      );
You can come up with rather complex mappings that fit your needs. If you have more than one attribute from SAML, just add it to the array with the array of values you would like to map.
Hint: If a user belongs to a MediaWiki group that is no longer mapped to that user (for example, because the group membership was lost in the SAML user data source), the user will be removed from that MediaWiki group at the next login. In this way you can also remove SAML-derived group memberships in bulk: scramble the mapping values so that they no longer match the SAML response, but leave the MediaWiki group name intact.
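The add-and-remove behaviour described in the hint above, as an added PHP example that is not the extension's own code. planGroupSync() is a hypothetical helper; the ';'-separated attribute value and the rule that only groups named in the map are touched are assumptions, and the sample data is constructed.

```php
<?php
// Added illustration; planGroupSync() is hypothetical, not the extension's code.
// Assumption: a multi-valued attribute arrives as one ';'-separated string.
// Assumption: only groups that appear as keys in the map are managed.

/**
 * Work out which MediaWiki groups a login would add and remove.
 *
 * @param array $groupMap      $wgShibboleth_GroupMap in the form shown on this page
 * @param array $attributes    attribute name => raw value delivered after login
 * @param array $currentGroups groups the wiki user holds before this login
 * @return array [ 'add' => string[], 'remove' => string[] ]
 */
function planGroupSync( array $groupMap, array $attributes, array $currentGroups ): array {
    $raw = $attributes[ $groupMap['attr_name'] ] ?? '';
    $idpValues = array_filter( array_map( 'trim', explode( ';', $raw ) ), 'strlen' );

    $plan = [ 'add' => [], 'remove' => [] ];
    foreach ( $groupMap as $wikiGroup => $idpValue ) {
        if ( $wikiGroup === 'attr_name' ) {
            continue; // this key names the attribute, it is not a group
        }
        $entitled = in_array( $idpValue, $idpValues, true );
        $member = in_array( $wikiGroup, $currentGroups, true );
        if ( $entitled && !$member ) {
            $plan['add'][] = $wikiGroup;
        } elseif ( !$entitled && $member ) {
            $plan['remove'][] = $wikiGroup; // value no longer sent by the IdP
        }
    }
    return $plan;
}

// Constructed sample data.
$map = [ 'attr_name' => 'groups', 'sysop' => 'administrator' ];
$held = [ 'sysop', 'interface-admin' ];

// The IdP still lists "administrator": nothing changes.
print_r( planGroupSync( $map, [ 'groups' => 'administrator;teacher' ], $held ) );

// "administrator" is gone from the attribute: sysop is removed, while
// interface-admin is not in the map and is left alone.
print_r( planGroupSync( $map, [ 'groups' => 'student;teacher' ], $held ) );

// A typo in the mapping value has the same effect as losing the membership.
$typo = [ 'attr_name' => 'groups', 'sysop' => 'adminstrator' ];
print_r( planGroupSync( $typo, [ 'groups' => 'administrator' ], $held ) );
```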
Single Logout (SLO)
Shibboleth Single Logout (SLO) URL structure:
$wgShibboleth_Logout_Base_Url . Shibboleth.sso/Logout?return= . $wgShibboleth_Logout_Target_Url
https://wiki.example.org/Shibboleth.sso/Logout?return=https://wiki.example.org/index.php
Known Bugs
See phab:tag/mediawiki-extensions-shibboleth in Phabricator.