NOTE: This is a SupplementalDocument topic which is not included with the official TWiki distribution. Please help maintain high quality documentation by fixing any errors or incomplete content. Put questions and suggestions concerning the documentation of this topic in the comments section below! Use the Support web for problems you are having using TWiki.

How to Enable Single Sign on with TWiki

Overview

If your IT organisation has deployed SingleSignOn (SSO, Wikipedia:Single_sign_on) for the principal servers and applications, it would be nice to do the same for TWiki so that users are not bothered with a login screen. There are several SSO technologies available: Shibboleth, JA-SIG Central Authentication Service (CAS), Web-SSO, Kerberos, Java Open Single Sign-On (JOSSO), SigSSO and more. This article describes SSO using Shibboleth. (If you have done other SSO integrations please add to this how-to article!)

Shibboleth for Single Sign On

Assuming that TWiki runs under the Apache web server, you should enable the Apache Login and take advantage of an Apache authentication module to implement SSO.

A common SSO solution is Microsoft Active Directory Federation Services (ADFS). The question is then how to integrate this Microsoft-based service with Apache on a Linux server.

The Shibboleth open source middleware can be used to set up an SSO based on the OASIS SAML specification, or to link to an SSO provider such as Microsoft ADFS. As many organisations have implemented ADFS, we outline here how to use Shibboleth with Apache to connect to ADFS.

  1. Install Apache httpd and TWiki (if not already present).
  2. Download and compile Shibboleth and install it as described on the Shibboleth pages. Do not forget to launch the /etc/shibd daemon and to add it to your server startup configuration.
  3. For integration with ADFS, you need the Shibboleth Ms ADFS integration. Once installed, you need to update the configuration files under /etc/shibboleth to match your SSO configuration. Notably, the following files must be updated: shibboleth.xml and AAP.xml.
  4. Update your Apache webserver configuration (httpd.conf) to load the Shibboleth module:
    #
    # Load the SHIBBOLETH module
    #
    LoadModule mod_shib /usr/libexec/mod_shib_20.so
    #
    # Global Configuration
    # This is the XML file that contains all the global, non-apache-specific
    # configuration.  Look at this file for most of your configuration parameters.
    #
    ShibSchemaDir /usr/share/xml/shibboleth
    ShibConfig /etc/shibboleth/shibboleth.xml
    
  5. Enable Shibboleth authentication for the TWiki root directory in your httpd configuration directives or add the directives to use Shibboleth into the .htaccess file for twiki/bin:
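    # Serve the wiki only over TLS and require a Shibboleth session
    SSLRequireSSL
    AuthType shibboleth
    ShibRequireSession On
    # A require directive must be in effect for Apache to invoke the module
    require valid-user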
    
  6. Make sure that the TWiki login names in TWikiUsers are mapped to the login name provided by your SSO in the REMOTE_USER variable.
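
The following audit for step 6 is an added example, not part of the original TWiki documentation or the TWiki code base. It compares the login names the SSO delivers in REMOTE_USER with the mapping in TWikiUsers and reports names that are unmapped, that match only after case folding, or that are shared by several WikiNames. The bullet layout `   * WikiName - loginname - date`, the exact (case-sensitive) comparison, the function names and the sample data are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed TWikiUsers bullet layout: "   * WikiName - loginname - date";
# the login part is omitted when it equals the WikiName.
ENTRY = re.compile(r"^\s+\*\s+(\w+)\s+-\s+(?:(\S+)\s+-\s+)?\S.*$")

def parse_twiki_users(text):
    """Return {login: [WikiName, ...]} for every user bullet in the topic text."""
    mapping = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            mapping[m.group(2) or m.group(1)].append(m.group(1))
    return dict(mapping)

def audit(users_text, sso_logins):
    """Compare REMOTE_USER values seen from the SSO with the TWikiUsers mapping."""
    mapping = parse_twiki_users(users_text)
    folded = {login.lower() for login in mapping}
    report = {"unmapped": [], "case_only": [], "shared": []}
    for login in sorted(set(sso_logins)):
        if login in mapping:
            continue
        # A match that only works after case folding is reported as a mismatch
        # (assumption: the wiki compares login names exactly).
        key = "case_only" if login.lower() in folded else "unmapped"
        report[key].append(login)
    # One login resolving to several WikiNames makes authorship ambiguous.
    report["shared"] = sorted(l for l, names in mapping.items() if len(names) > 1)
    return report

# Constructed sample data, not taken from a real TWiki site.
SAMPLE_TWIKI_USERS = """\
   * AliceAdams - aadams@example.org - 01 Jun 2012
   * BobBrown - bbrown@example.org - 02 Jun 2012
   * BobBrownTwo - bbrown@example.org - 03 Jun 2012
   * CarolClark - 04 Jun 2012
"""
SAMPLE_SSO_LOGINS = ["aadams@example.org", "BBrown@example.org",
                     "dduke@example.org", "CarolClark"]

if __name__ == "__main__":
    for kind, logins in audit(SAMPLE_TWIKI_USERS, SAMPLE_SSO_LOGINS).items():
        print(kind, logins)
```

The list of SSO login names can be taken from whatever source records REMOTE_USER on your server, for example the authenticated-user field of the Apache access log.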

TWiki's SSO Login Contrib Package

TWiki has a SsoLoginContrib package for cookie-based SSO authentication with auth tokens. The blog post "How to: Single Sign-on, a Convenient Way to Authenticate Users" gives an overview.

SSO with Kerberos and Windows 2003

See Windows2003Authentication

Additional TWiki Customization

You can easily customize your TWiki installation to take advantage of the user information provided by the SSO:

  • Prefill the TWiki registration page with values provided by the SSO.
  • Enable RequireRegistrationPlugin to force new users to register as TWiki users when editing a page for the first time.
  • Another plugin project could be to create TWikiGroups based on ADFS groups.

-- Contributors: NilsHoeimyr, PeterThoeny - 2012-06-28



Comments & Questions about this Supplemental Document Topic

Thank you NilsHoeimyr and PeterJones for contributing the SSO setup, this is very much in line with the TWikiMission! I am glad I asked and you delivered. :-)

-- PeterThoeny - 13 Sep 2007

Topic revision: r4 - 2012-06-29 - PeterThoeny
 