On Tue, Aug 24, 2010 at 12:34 PM, Owen B. Mehegan <[email protected]> wrote: > I have a MediaWiki install (v. 1.15.3) and I'd like to be able to use > an in-house single sign-on system that we have to authenticate users > and log them into the wiki. I've started down the path of using > AuthPlugin for this, but I'm stuck at one point. > > Right now I've got it working such that when a user goes to the wiki > we check our SSO system to see if they are logged in and have the right > role (sounds like LDAP right? sadly, it's not). If so, we allow them > into the wiki. If not, we take them to our SSO sign-in page, they log > in, then get directed to the wiki. If they log in but don't have the > right role they are shown an error message. I want this to be the auth > flow, rather than using the MW login page, so that's all fine. The > problem is that I can't figure out how to get MW to auto-create > accounts for these users and log them in when they are sent back to the > wiki. They just end up back there as a logged-out anonymous user. >
Is the web server handing this authentication, or does your plugin need to handle it? > I've looked at the following resources but I still can't figure out > what I'm doing wrong: > > http://www.mediawiki.org/wiki/AuthPlugin > http://svn.wikimedia.org/doc/classAuthPlugin.html > http://wiki.case.edu/CaseWiki:External_Authentication > > I guess I just don't know what functions I'm supposed to implement > myself to do account creation and login on the MW side, and I don't > know what the best practices are for calling those. > It is really better to look at working examples. The examples you want to look at really depend on the answer to my first question... If the web server handles the authentication, you can look at an extension like HTTP auth, or the auto-authentication part of the LDAP plugin: http://www.mediawiki.org/wiki/Extension:HttpAuth http://svn.wikimedia.org/viewvc/mediawiki/trunk/extensions/LdapAuthentication/LdapAutoAuthentication.php?revision=68500&view=markup Note that the HTTP auth plugin isn't a *great* example, since its configuration is really nasty. The LDAP version is better, but assumes you are using LDAP as well, so it will have some things you won't need. If your plugin needs to handle it, you should take a look at the CAS authentication extension: http://www.mediawiki.org/wiki/Extension:CASAuthentication This plugin redirects the user to the SSO server when clicking on the login/logout link, checks the info from the server, and allows/denies access accordingly. Respectfully, Ryan Lane _______________________________________________ MediaWiki-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
