Question
The Shibboleth folks have listed TWiki as an application that supports Shibboleth. How do I set up TWiki to enable Shibboleth?
Environment
--
TWikiGuest - 07 Feb 2005
Answer
Since the comments and instructions below are not really usable anymore for the current TWiki, I added an "updated deployment guide" and some code of what you can do in order to get TWiki running with Shibboleth. Please use the following instructions with care. I just wrote them down in order to at least have something better than the outdated instructions below but they are not very detailed.
The result will be that your TWiki can be used with Shibboleth so that only Shibboleth authenticated users can login to TWiki. Optionally, it's also possible to automatically add users to certain TWiki groups based on their attributes or based on group information of a third party tool.
Instructions
- Install TWiki and configure it to use Apache authentication.
- In the twiki/bin directory, replace the login script with the login script adapted for Shibboleth.
- Make sure the Perl modules Unicode::MapUTF8 and MIME::Base64 are installed (otherwise install them with "perl -MCPAN -e 'install Unicode::MapUTF8; install MIME::Base64'").
- Adapt the script to suit your needs. In particular, change the AAI attributes that shall be used for a TWiki user. Currently it is configured for use within the Swiss SWITCHaai federation, but feel free to upload more general versions of this script.
- Make sure Shibboleth protects the login script and forces the user to authenticate with Shibboleth, e.g. with an Apache rule like:
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|login|logon|rest|register|.*auth).*">
#Shib authentication
AuthType shibboleth
ShibRequireSession On
require valid-user
</FilesMatch>
- Disable the registration form (replace all the form markup with a message telling people to just click on Login).
- Remove the register script in the bin directory or make it otherwise unusable.
The login script will use an authenticated user's given name and surname attributes, as well as an identifier attribute (eduPersonPrincipalName, swissEduUniqueID, mail, ...), to generate the user's WikiName and store it in TWiki's .htpasswd file together with a random password, which won't be needed anyway.
In addition, the script optionally allows adding users to TWiki groups according to information from the Group Management Tool.
I hacked this together in about one day without much knowledge of the TWiki internals. Although I tried to accomplish as much as possible with already available TWiki functions, this was not always possible. But if somebody can come up with a better solution, feel free to overwrite my script. After all this is a Wiki, so contribute.
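As an added example (not the script above and not TWiki or SWITCH code), here is how the WikiName and .htpasswd entry described above can be derived in Perl. The Shibboleth header names (modelled on SWITCHaai), the simplified WikiWord regex and the crypt() hash format are assumptions to adjust to your federation and password file.

```perl
# Added example (not TWiki's login script): WikiName + .htpasswd entry from Shibboleth attributes.
use strict;
use warnings;
use Encode qw(decode);
use Unicode::Normalize qw(NFKD);
# One attribute value -> CamelCase ASCII fragment: "Müller-Lüdenscheidt" ->
# "MullerLudenscheidt". NFKD splits letters from accents; accents and anything
# outside [A-Za-z0-9] are dropped, since a WikiName may contain only those.
sub wiki_fragment {
    my ($value) = @_;
    return '' unless defined $value;
    (my $ascii = NFKD($value)) =~ s/\p{M}//g;
    return join '', map { ucfirst lc } grep { length } split /[^A-Za-z0-9]+/, $ascii;
}

# Given name + surname, else the identifier (eduPersonPrincipalName, mail, ...):
# "haemmerle@switch.ch" -> "HaemmerleSwitchCh", so no '@' reaches RCS. The regex
# is a simplified form of TWiki's WikiWord rule (at least two capitalised parts).
sub wiki_name {
    my ($given, $surname, $identifier) = @_;
    my $word = qr/^[A-Z][a-z0-9]*[A-Z][A-Za-z0-9]*$/;
    my $name = wiki_fragment($given) . wiki_fragment($surname);
    $name = wiki_fragment($identifier) if $name !~ $word;
    die "cannot derive a WikiName from the Shibboleth attributes\n" if $name !~ $word;
    return $name;
}

# Random password nobody will ever type (Shibboleth is the only way in), hashed
# with crypt(); use whatever hash your existing .htpasswd entries use.
sub htpasswd_line {
    my ($wikiname) = @_;
    my @c = ('.', '/', '0'..'9', 'A'..'Z', 'a'..'z');
    my $password = join '', map { $c[2 + rand(@c - 2)] } 1 .. 16;
    my $salt     = join '', map { $c[rand @c] } 1 .. 2;
    return "$wikiname:" . crypt($password, $salt);
}

# Header names are an assumption modelled on SWITCHaai; adjust to your federation.
# They can be trusted only because the FilesMatch rule above puts this script
# behind Shibboleth; on an unprotected script any client could send them.
sub shib_attributes {
    my $get = sub { defined $ENV{$_[0]} ? decode('UTF-8', $ENV{$_[0]}) : undef };
    return (given      => $get->('HTTP_SHIB_PERSON_GIVENNAME'),
            surname    => $get->('HTTP_SHIB_PERSON_SURNAME'),
            identifier => $get->('HTTP_SHIB_SWISSEP_UNIQUEID'));
}

my %attr = shib_attributes();   # as a CGI: append this line to TWiki's data/.htpasswd
print htpasswd_line(wiki_name(@attr{qw(given surname identifier)})), "\n";
```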
Comments
A link to this application's website would be a good start...
--
RichardDonkin - 08 Feb 2005
Google to the rescue:
Google:TWiki+Shibboleth
http://shibboleth.internet2.edu/index.html
It seems to be some type of cross-platform authentication/authorization system.
--
PeterThoeny - 10 Feb 2005
You probably are looking for something like this:
http://stc.cis.brown.edu/~stc/Projects/Projects-using-Shib/TWiki/Shib-TWiki-install.html
--
LukasHaemmerle - 17 Feb 2005
contents of that document:
Configuring TWiki for use with Shibboleth
- Install the CGI::Session Perl package, if it's not already available on your system. It is available from CPAN. Bizarrely, it does not contain any installation instructions. Use the standard install process for a Perl package:
- perl Makefile.PL
- make
- make test
- make install
- Install and configure TWiki. Be sure to use TWiki20040902. Follow the TWikiInstallationGuide.
- Download and install the TWiki Session Plugin (SessionPlugin).
- Be sure to chmod 755 bin/logon
- Apply the Shibboleth related patches:
- lib/TWiki.pm
- lib/TWiki/Plugins/SessionPlugin.pm
- data/Main/webleftbar.txt. Actually, I can't seem to get this patch to work. Instead, just replace your WebLeftBar.txt file with this one. Lines 2-4 are new; that's the only change.
- Create a bin/.htaccess file to protect logon (NOTE: change path to error template). Sample available here.
- Set up so new webs get proper webleftbar (not done yet)
anybody feel like encouraging the authors to post their patches to twiki.org?
--
MattWilkie - 17 Feb 2005
I'm one of the primary architect/authors of Shibboleth. At the moment, I'm not sure there'd be a whole lot to post, the "patches" are more in the area of "experimenting with the supported ways to get TWiki to listen to the web server about who the user is" and some non-generic patches that allow the higher ed community to use a standard attribute we defined as a username. The attribute contains an @ sign, and based on the work Steven did above, I think it caused problems with RCS, so the patches are just to replace the @ with a - when passing in the userid to determine the WikiName.
In most respects, it "just worked" pretty much as we expected, allowing for the somewhat incompatible approach of Wiki openness and self-registration and the Shib/SAML concept which is about federating strong authentication.
--
ScottCantor - 24 Feb 2005
I followed the above instructions, but I'm not sure if the patches really work as one might expect. As far as I can see, the Shibboleth attributes are not used at all!?
Therefore I changed the logon script so that Shibboleth users automatically are authorized. Additionally their WikiName is also generated, their personal webpage is filled with their Shibboleth attributes (if available) and if desired, certain users can be added to a group (e.g. the TwikiAdminGroup) according to the Shibboleth attributes.
If somebody is interested in this change, contact me at haemmerle@switchPLEASENOSPAM.ch
The changes I made are rather specific for our Shibboleth federation but if other people are interested I could try to generalize the modification.
--
LukasHaemmerle - 14 Apr 2005
As SessionPlugin is no longer used in recent versions of TWiki, I think the aforementioned is obsolete.
Some detailed steps for current versions seem to be available here:
https://mail.internet2.edu/wws/arc/shibboleth-users/2006-06/msg00042.html
--
OlivierBerger - 09 Jun 2006
I have made some modifications to the above script to enable user page creation/update on login.
http://code.arcs.org.au/gitorious/shibboleth/twiki
--
RussellSim - 2009-09-16