Question

The Shibboleth folks have listed TWiki as an application that supports Shibboleth. How do I set up TWiki to enable Shibboleth?

Environment

TWiki version: >= 4.2
TWiki plugins: No additional plugins needed except for Perl
Server OS: All
Web server: All
Perl version: All
Client OS: All
Web Browser: All (must support Cookies, HTTP Redirects and Javascript for Shibboleth)
Categories:  

-- TWikiGuest - 07 Feb 2005

Answer

Since the comments and instructions below are not really usable anymore for the current TWiki, I added an "updated deployment guide" and some code of what you can do in order to get TWiki running with Shibboleth. Please use the following instructions with care. I just wrote them down in order to at least have something better than the outdated instructions below but they are not very detailed.

The result will be that your TWiki can be used with Shibboleth so that only Shibboleth authenticated users can login to TWiki. Optionally, it's also possible to automatically add users to certain TWiki groups based on their attributes or based on group information of a third party tool.

Instructions
  1. Install TWiki and configure it to use Apache authentication
  2. In the twiki/bin directory, replace the login script with the login script adapted for Shibboleth
  3. Make sure Perl has the Unicode::MapUTF8 and MIME::Base64 installed (otherwise use "perl -MCPAN -e 'install Unicode::MapUTF8; install MIME::Base64'")
  4. Adapt the script to suit your needs. In particular change the AAI attributes that shall be used for a Twiki user.
    (Currently it is configured for use within the Swiss SWITCHaai federation, but feel free to upload more general versions of this script.)
  5. Make sure Shibboleth protects the login script and forces the user to authenticate with Shibboleth. E.g. with an Apache rule like:
    <FilesMatch "(attach|edit|manage|rename|save|upload|mail|login|logon|rest|register|.*auth).*">
        #Shib authentication
        AuthType shibboleth
        ShibRequireSession On  
        require valid-user
    </FilesMatch>
    
  6. Disable the registration form (replace all form stuff with a message telling people to just click on Login)
  7. Remove the register script in the bin directory or make it otherwise unusable.

The login script will use an authenticated user's given name and surname attributes as well as an identifier attribute (eduPersonPrincipalName, swissEduUniqueID, mail, ...) to generate the user's WikiName and store it in TWiki's .htpasswd file together with a random password, which won't be needed anyway.

In addition, the script optionally allows adding users to TWiki groups according to information from the Group Management Tool.

I hacked this together in about one day without much knowledge of the TWiki internals. Although I tried to accomplish as much as possible with already available TWiki functions, this was not always possible. But if somebody can come up with a better solution, feel free to overwrite my script. After all this is a Wiki, so contribute :-)
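The core of what the answer describes (take the Shibboleth attributes Apache exports, derive a WikiName, write an .htpasswd entry with a throwaway password) is shown below as an added Perl example. It is not the shib-login script attached to this topic; the environment variable names (REMOTE_USER, givenName, surname), the sample attribute values and the use of TWiki's "{SHA}" htpasswd encoding are assumptions for illustration, and the mapping of "@" to "-" in the login name follows the remark in the comments below about the federation identifier.

```perl
#!/usr/bin/perl
# Added example (not the shib-login attachment from this topic): derive a
# TWiki WikiName and an .htpasswd entry from the Shibboleth attributes that
# mod_shib exports into the CGI environment. Attribute names and values are
# assumed/constructed for illustration; the real names depend on attribute-map.xml.
use strict;
use warnings;
use utf8;
use Unicode::Normalize qw(NFKD);
use MIME::Base64 qw(encode_base64);
use Digest::SHA qw(sha1);

# Constructed stand-in for %ENV as the login script would see it behind
# "AuthType shibboleth" with "require valid-user".
my %shib_env = (
    REMOTE_USER => 'jane.doe@example.org',   # hypothetical eduPersonPrincipalName
    givenName   => 'Jäne',
    surname     => 'Doe-Müller',
);

# Build a WikiName from the given name and surname attributes: decompose
# accented letters, strip the combining marks, keep letters only and
# CamelCase every word ("Jäne" + "Doe-Müller" becomes "JaneDoeMuller").
sub wiki_name {
    my ($given, $sur) = @_;
    my $name = '';
    for my $attr ($given, $sur) {
        my $ascii = NFKD($attr);
        $ascii =~ s/\p{Mn}//g;                       # ä -> a, ü -> u
        for my $word (split /[^A-Za-z]+/, $ascii) {
            $name .= ucfirst(lc $word) if length $word;
        }
    }
    return $name;
}

# TWiki only accepts a WikiWord as a user name: uppercase letter(s), one or
# more lowercase letters, another uppercase letter, then letters or digits.
sub is_wiki_word {
    my ($name) = @_;
    return $name =~ /^[A-Z]+[a-z]+[A-Z]+[A-Za-z0-9]*$/ ? 1 : 0;
}

# The federation identifier carries an "@", which the comments on this topic
# report upsets RCS; map it to "-" before it reaches TWiki as the login name.
sub login_name {
    my ($principal) = @_;
    (my $login = $principal) =~ tr/@/-/;
    return $login;
}

# A password nobody will ever type: 18 bytes from /dev/urandom, base64 encoded.
sub random_password {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot read /dev/urandom: $!";
    read($fh, my $bytes, 18) == 18 or die "short read from /dev/urandom";
    close $fh;
    return encode_base64($bytes, '');
}

# One .htpasswd line in the "{SHA}" format (assumed $TWiki::cfg{Htpasswd}{Encoding} = 'sha1').
sub htpasswd_line {
    my ($login, $password) = @_;
    return "$login:{SHA}" . encode_base64(sha1($password), '') . "\n";
}

my $login = login_name($shib_env{REMOTE_USER});
my $wiki  = wiki_name($shib_env{givenName}, $shib_env{surname});

# Refuse to create an account from attributes that do not yield a usable name,
# rather than letting a half-built user slip into .htpasswd.
die "Shibboleth attributes do not yield a valid WikiName: '$wiki'\n"
    unless is_wiki_word($wiki);

print "login name : $login\n";
print "WikiName   : $wiki\n";
print "htpasswd   : ", htpasswd_line($login, random_password());
```

Run it from the shell as "perl shib-wikiname.pl" to see the three derived values; in a real login script the htpasswd line would be appended to TWiki's .htpasswd file only when the login name is not already present, and the WikiName check is what keeps an attribute set with an empty or non-Latin name from producing an account TWiki cannot map to a user topic.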

Comments

A link to this application's website would be a good start...

-- RichardDonkin - 08 Feb 2005

Google to the rescue: Google:TWiki+Shibboleth

http://shibboleth.internet2.edu/index.html

It seems to be some type of cross-platform authentication/authorization system.

-- PeterThoeny - 10 Feb 2005

You probably are looking for something like this: http://stc.cis.brown.edu/~stc/Projects/Projects-using-Shib/TWiki/Shib-TWiki-install.html

-- LukasHaemmerle - 17 Feb 2005

contents of that document:

Configuring TWiki for use with Shibboleth

  1. Install the CGI::Session Perl package, if it's not already available on your system. It is available from CPAN. Bizarrely, it does not contain any installation instructions. Use the standard install process for a Perl package:
    1. perl Makefile.PL
    2. make
    3. make test
    4. make install
  2. Install and configure TWiki. Be sure to use TWiki20040902. Follow the TWikiInstallationGuide.
  3. Download and install the TWiki Session Plugin available as SessionPlugin.
  4. Be sure to chmod 755 bin/logon
  5. Apply the Shibboleth related patches
    1. lib/TWiki.pm
    2. lib/TWiki/Plugins/SessionPlugin.pm
    3. data/Main/webleftbar.txt. Actually, I can't seem to get this patch to work. Instead, just replace your WebLeftBar.txt file with this one. Lines 2-4 are new; that's the only change.
  6. Create a bin/.htaccess file to protect logon (NOTE: change path to error template). Sample available here.
  7. Set up so new webs get proper webleftbar (not done yet)

anybody feel like encouraging the authors to post their patches to twiki.org?

-- MattWilkie - 17 Feb 2005

I'm one of the primary architect/authors of Shibboleth. At the moment, I'm not sure there'd be a whole lot to post, the "patches" are more in the area of "experimenting with the supported ways to get TWiki to listen to the web server about who the user is" and some non-generic patches that allow the higher ed community to use a standard attribute we defined as a username. The attribute contains an @ sign, and based on the work Steven did above, I think it caused problems with RCS, so the patches are just to replace the @ with a - when passing in the userid to determine the WikiName.

In most respects, it "just worked" pretty much as we expected, allowing for the somewhat incompatible approach of Wiki openness and self-registration and the Shib/SAML concept which is about federating strong authentication.

-- ScottCantor - 24 Feb 2005

I followed the above instructions, but I'm not sure if the patches really work as one might expect. As far as I can see, the Shibboleth attributes are not used at all!?

Therefore I changed the logon script so that Shibboleth users are automatically authorized. Additionally their WikiName is also generated, their personal webpage is filled with their Shibboleth attributes (if available) and, if desired, certain users can be added to a group (e.g. the TwikiAdminGroup) according to the Shibboleth attributes.

If somebody is interested in this change, contact me at haemmerle@switchPLEASENOSPAM.ch

The changes I made are rather specific for our Shibboleth federation but if other people are interested I could try to generalize the modification.

-- LukasHaemmerle - 14 Apr 2005

As SessionPlugin is no longer used in recent versions of TWiki, I think the aforementioned is obsolete.

Some detailed steps on current versions seem to be available her : https://mail.internet2.edu/wws/arc/shibboleth-users/2006-06/msg00042.html

-- OlivierBerger - 09 Jun 2006

I have made modifications to the above script to enable user page creation/update on login. http://code.arcs.org.au/gitorious/shibboleth/twiki

-- RussellSim - 2009-09-16

Topic attachments

shib-login (r1, 10.5 K, 2009-01-27 16:01, LukasHaemmerle): Shibboleth login script
Topic revision: r12 - 2009-09-16 - RussellSim