Twiki and shibboleth

Jehan Procaccia - jehan.procaccia@int-evry.fr

29 juin 2006

Table des matières

1  Introduction

This is an howto enable shibboleth access control to tiwiki.This is the step by step procedure followed on an Fedora Core 4 system with TWiki-4.0.2.

2  References

http://twiki.org/cgi-bin/view/TWiki04/TWikiInstallationGuide http://twiki.org/cgi-bin/view/TWiki04/TWikiSystemRequirements

3  Packages Dependancies


$ yum install mod_perl

$ yum install perl-Config-IniFiles perl-Algorithm-Diff perl-Text-Diff perl-CGI-Session perl-Digest-SHA1 patch rcs diff

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 patch                   i386       2.5.4-24         base               62 k
 perl-Algorithm-Diff     noarch     1.1901-1.2.fc4.rf  dries              46 k
 perl-CGI-Session        noarch     4.09-1.fc4.rf    dries             112 k
 perl-Config-IniFiles    noarch     2.39-3.fc4       extras             45 k
 perl-Digest-SHA1        i386       2.10-1           base               48 k
 perl-Text-Diff          noarch     0.35-2.fc4       extras             33 k
 rcs                     i386       5.7-28           base              299 k
 diffutils               i386       2.8.1-15         base              208 k
Installing for dependencies:
 perl-DBD-Pg             i386       1.41-2           base              102 k
 perl-FreezeThaw         noarch     0.43-2           extras             16 k
 postgresql-libs         i386       8.0.8-1.FC4.1    updates-released  184 k

4  Twiki installation

4.1  Untar


[root@xserv /var/www/html]
$ mkdir twiki ; cd twiki/
[root@xserv /var/www/html/twiki]
$ tar xvfz /root/TWiki-4.0.2.tgz

4.2  Owner of twiki tree

should be the apache user
[root@xserv /var/www/html]
$ chown -R apache twiki

5  Twiki Configuration

5.1  Conf file

Prepare a configuration file from the sample given in the tarball
[root@xserv /var/www/html/twiki/lib]
$ cp LocalSite.cfg.txt LocalSite.cfg

5.2  Paths

Adjust path to our local installation in /var/www/html/twiki:
[root@xserv /var/www/html/twiki/lib]
$ vi LocalSite.cfg
replace path, vi command:
:1,$s/home\/httpd/var\/www\/html/
3 substitutions on 3 lines

5.3  Apache configuration

Copy an enable (.conf) the twiki sample apache configuration file:
[root@xserv /etc/httpd/conf.d]
$ cp /var/www/html/twiki/twiki_httpd_conf.txt ./twiki_httpd.conf

5.4  Paths

Adjust path to our local installation in /var/www/html/twiki:

:1,$s/home\/httpd/var\/www\/html/
10 substitutions on 10 lines

5.5  Restart apache

restart apache apache so that it take s care of the new twiki conf file:
$ /etc/init.d/httpd restart
Arrêt de httpd :                                           [  OK  ]
Démarrage de httpd :                                       [  OK  ]

6  Adjust confuguration from a browser

6.1  Configure web script

go to:

http://xserv.int-evry.fr/twiki/bin/configure

check warnings an errors, correct them !
If everything seems OK click next.

6.2  configure a password

now we are ask for a ``Enter the configuration password''
click ``set and save''
if you get the following message, it's a mode acces problem to the LocalSite.cfg file:
Failed to open /var/www/html/twiki/lib/LocalSite.cfg for write at /var/www/html/twiki/bin/configure line 1108.

indeed !
[root@xserv /var/www/html/twiki/lib]
$ ls -al LocalSite.cfg
-r--r-----  1 apache root 2123 jun  7 17:25 LocalSite.cfg
[root@xserv /var/www/html/twiki/lib]
$ chmod 640 LocalSite.cfg

6.3  configure confirmation

if everything goes right, the configure script racalls what have been done:
Configuration
Password changed
Updating configuration
$TWiki::cfg{LocalesDir}
old
new /var/www/html/twiki/locale
$TWiki::cfg{Site}{CharSet}
old
new iso-8859-15
$TWiki::cfg{Site}{Lang}
old
new en
$TWiki::cfg{Site}{FullLang}
old
new en-us
5 configuration items changed.
Return to configuration

6.4  Test first install

We can now go to http://xserv.int-evry.fr/twiki/bin/view and see our public (twikiguest) twiki !
to set preferences : http://xserv.int-evry.fr/twiki/bin/view/TWiki/TWikiPreferences

7  User auth

go to the doc :

http://xserv.int-evry.fr/twiki/bin/view/TWiki/TWikiUserAuthentication http://xserv.int-evry.fr/twiki/bin/configure#LoginManager

From philip.brusten AT cc.kuleuven.ac.be advices :
in {LoginManager} choose TWiki::Client::ApacheLogin

more info: \url{http://twiki.org/cgi-bin/view/TWiki04/TWikiUserAuthentication#Apache_Login}

The \verb+REMOTE_USER+ might contain some exotic characters that aren't WikiName-conform. Therefore, we need to map this \verb+REMOTE_USER+ (also LoginName) to a WikiName.
{MapUserToWikiName} checked 


When using Shibboleth for authentication, of course you don't need to provide a password at registration.
{PasswordManager} None 


Let the LoginName field appear in the registration form.
{Register}{AllowLoginName} checked

NEXT
Enter the configuration password
click save changes
Configuration
Updating configuration
$TWiki::cfg{LoginManager}
old none
new TWiki::Client::ApacheLogin
$TWiki::cfg{PasswordManager}
old TWiki::Users::HtPasswdUser
new none
$TWiki::cfg{Register}{AllowLoginName}
old
new 1

3 configuration items changed.

Return to configuration

7.0.1  Localization


Configuration
Updating configuration
$TWiki::cfg{Site}{Locale}
old en_US.ISO-8859-1
new fr_FR.ISO-8859-15
$TWiki::cfg{Site}{Lang}
old en
new us

2 configuration items changed.

Return to configuration

8  Apache shibboleth twiki config

8.1  Apache configuration


[root@wpublic /etc/httpd/conf.d]
$ tail -20  twiki_httpd.conf

#Make sure the shibboleth module is loaded for the entire application
<Directory "/var/www/html/twiki">
#  AuthType Shibboleth
#  require shibboleth
AuthType shibboleth
ShibRequireSession On
ShibExportAssertion On
require statut permanent
</Directory>


# /bin/logon needs to be secured with authentication
# require valid-user will take care of authentication only
<Files "/var/www/TWiki/bin/logon*">
 AuthType shibboleth
 ShibRequireSession On
 require valid-user
</Files>

8.2  Map attributes

Here we need to map the uid attribute retrieve from the IDP through LDAP to the REMOTE_USER http env variable, which will eventually be the logged in user !

8.2.1  Resolver.xml on the IDP



resolver.xml defines which attributes should be retrieved from the IDP.
[root@shibidp /usr/local/shibboleth-idp/etc]
$ vim resolver.xml

<AttributeResolver xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:mace:shibboleth:resolver:1.0" xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0 shibboleth-resolver-1.0.xsd">
 <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:uid">
                <DataConnectorDependency requires="get-test"/>
        </SimpleAttributeDefinition>

 <JNDIDirectoryDataConnector id="get-test">
                <Search filter="uid=%PRINCIPAL%">
                        <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
                </Search>
                <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
                <Property name="java.naming.provider.url" value="ldap://ldap2.int-evry.fr/ou=people,dc=int-evry,dc=fr" />        <!--    <Property name="java.naming.security.protocol" value="ssl" /> -->
        <!--    <Property name="java.naming.security.principal" value="cn=admin,dc=example,dc=edu" /> -->
        <!--    <Property name="java.naming.security.credentials" value="examplepw" /> -->
        </JNDIDirectoryDataConnector>

8.2.2  arp on the IDP

On the arp.site.xml file we define which attributes we allow to send to Service Providers, so here we need to include the uid attribute .
[root@shibidp /usr/local/shibboleth-idp/etc/arps]
$ vim arp.site.xml

<AttributeReleasePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:mace:shibboleth:arp:1.0" xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd" >
        <Description>ARP GET</Description>
<Rule>
                <Target>
                        <AnyTarget/>
                </Target>
<Attribute name="urn:mace:dir:attribute-def:uid">
                        <AnyValue release="permit"/>
                </Attribute>

        </Rule>
</AttributeReleasePolicy>

8.2.3  arp on the IDP

Finally on the SP, we need to define which attribute we get from the IDP on the AAP.xml file. Here the uid attribute is sent in the http headers as the REMOTE_USER environement variable .
[root@wpublic /etc/shibboleth]
$ vim AAP.xml

<AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0">
 <AttributeRule Name="urn:mace:dir:attribute-def:uid" Header="REMOTE_USER" Alias="uid">

        <AnySite>
            <AnyValue/>
        </AnySite>
        </AttributeRule>
</AttributeAcceptancePolicy>

8.3  Test it


go to 
http://www-public.int-evry.fr/twiki/bin/view

redirected to the WAYF:
https://shibidp.int-evry.fr/cru-wayf/?shire=https%3A%2F%2Fwww-public.int-evry.fr%2Fshib%2FShibboleth.sso%2FSAML%2FPOST&time=1150207769&target=cookie&providerId=https%3A%2F%2Fwww-public.int-evry.fr%2Fshib

Select state in france on the WAYF map:

https://shibidp.int-evry.fr/cru-wayf/?action=selectMap&mapId=ileDeFrance

redirected to CAS for INT site:
https://cas2.int-evry.fr/cas/login?service=https%3A%2F%2Fshibidp.int-evry.fr%2Fshibboleth-idp%2FSSO%3Ftarget%3Dcookie%26shire%3Dhttps%253A%252F%252Fwww-public.int-evry.fr%252Fshib%252FShibboleth.sso%252FSAML%252FPOST%26providerId%3Dhttps%253A%252F%252Fwww-public.int-evry.fr%252Fshib%26time%3D1150207850

Auth success and attribute maps (status= permanent and REMOTE_USER = uid) so we get access to the service: http://www-public.int-evry.fr/twiki/bin/view as the shibboleth logged in user :-) .

Next step, map that logged in user to a twiki user ....

9  Individuals Registration

9.1  Procedure

While going to the root twiki page:

http://www-public.int-evry.fr/twiki/bin/view you are going through the WAYF (select your region and site for GET users !), the the SSO to get authenticated on your local directory. By doing that you have gone through an authentification process and through a autoristion process as well. Indeed , acces to twiki/bin/view is protect by the apache shibboleth module which restrict acces to GET 'permanent' only users.

9.2  Registration

Now that you are authentificated and authorized to get in twiki, locals twiki acces restriction needs you to get a TWIKIUSERNAME , it will give you also a personnal page. To do that you need once to register. Choose TwikiRegistration

Fill the form

You'll get an email confirmation


10  AddOns

10.1  WYSIWYG twiki


Installed: perl-HTML-Parser.i386 0:3.45-1
Dependency Installed: perl-HTML-Tagset.noarch 0:3.04-1

Ce document a été traduit de LATEX par HEVEA.