Enabling SAML 2.0 in a wiki, Anders Lund (UNINETT), Andreas Åkre Solberg (UNINETT) - PowerPoint PPT Presentation



SLIDE 1

Enabling SAML 2.0 in a wiki

Anders Lund (UNINETT) Andreas Åkre Solberg (UNINETT)

SLIDE 2

Software used

  • Dokuwiki

http://wiki.splitbrain.org/wiki:dokuwiki

  • OpenSSO PHP Extension (lightbulb)

https://lightbulb.dev.java.net/

SLIDE 3

Dokuwiki

Pluggable authentication modules. Supports ACLs, and uses groups for authorization.

SLIDE 4

OpenSSO PHP

A pure PHP5 implementation of a SAML 2.0 SP. Extremely simple installation and configuration. Implemented as a proof of concept; not feature-rich. Open-sourced by Sun, modified by Feide.

SLIDE 5

OpenSSO Metadata

(Screenshot: Feide metadata service, OpenSSO metadata)

OpenSSO metadata is in a simple format, less verbose than the standard SAML 2.0 metadata format. Most importantly it carries the endpoint URLs, the entity ID and the certificate info.

SLIDE 6

Loading Metadata at Feide

(Screenshot: SAML 2.0 metadata for the service)

Contains the same information in the standard SAML 2.0 metadata format.

SLIDE 7

Implementing an authentication module

A DokuWiki authentication module identifies whether the user is logged in or not and returns either true or false. If true, it associates the authenticated user with the list of groups the user is a member of, and also sets a username and a mail address.

SLIDE 8

Implementing an authentication module

Load OpenSSO PHP in the auth module:

Set the OpenSSO SSOinit and logout URLs in variables:

SLIDE 9

Implementing an authentication module

Redirect to the OpenSSO SSOinit URL if the local session cookie does not exist. When a user has no local session at the service, she is redirected to the Feide IdP with a SAML 2.0 authentication request (OpenSSO PHP builds and sends it). After successful authentication the user is sent back to OpenSSO PHP with a SAML 2.0 response, and the OpenSSO PHP library sets a session cookie for you. Once the user is authenticated, you can get the user ID through an OpenSSO method:

SLIDE 10

Dynamic group membership

Retrieve attributes from OpenSSO PHP:

Generate dynamic group membership based on the attributes:

In addition, add personal group memberships from a file:

SLIDE 11

Returning from the auth module

After retrieving the attributes and generating the dynamic group membership, we set the name, mail address and groups where DokuWiki's internals can read them, and return true.
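The whole auth module described on the preceding slides, written out as an added example. This is not the slides' own code and not the lightbulb library's API: the two `opensso_get_*` helpers, the `/opensso/` endpoint paths, the `$_SESSION['opensso']` key, the eduPerson/schac attribute names and the `username:group1,group2` format of the personal-group file are all assumptions. The DokuWiki side (`auth_basic`, `trustExternal`, `$USERINFO`, `cando['external']`) is the auth API of DokuWiki releases of that era. Unlike the slide, the logged-in check keys off the validated assertion data the SP stored in the session rather than the mere presence of a cookie, which is what you actually want to trust.

```php
<?php
// Added example, not the slides' own code: a DokuWiki "external" auth module
// that trusts the session the OpenSSO PHP (lightbulb) SP establishes.
// Assumptions (not documented on the slides): the lightbulb endpoints live
// under /opensso/ on this host; the two opensso_* helpers stand in for the
// library's own accessors for the NameID and attributes, here read from
// $_SESSION['opensso']; attribute names are the eduPerson/schac ones Feide
// releases; the personal-group file holds one "username:group1,group2" per line.

require_once(DOKU_INC . 'inc/auth/basic.class.php');

class auth_saml extends auth_basic {

    var $ssoinit   = '/opensso/spSSOinit.php';      // assumed path
    var $sloinit   = '/opensso/spSLOinit.php';      // assumed path
    var $groupfile = DOKU_CONF . 'saml_groups.txt'; // assumed file

    function auth_saml() {
        $this->cando['external'] = true;  // login state comes from the SP
        $this->cando['logoff']   = true;  // we can end the session ourselves
    }

    // Stand-ins for the library's accessors (names and session key assumed).
    function opensso_get_nameid() {
        return isset($_SESSION['opensso']['nameid']) ? $_SESSION['opensso']['nameid'] : null;
    }
    function opensso_get_attributes() {
        return isset($_SESSION['opensso']['attributes']) ? $_SESSION['opensso']['attributes'] : array();
    }

    // DokuWiki calls this on every request instead of checking a password.
    function trustExternal($user, $pass, $sticky = false) {
        global $USERINFO;

        $uid = $this->opensso_get_nameid();
        if ($uid === null) {
            // No validated SP session yet: start the SAML 2.0 flow. The
            // library sends the AuthnRequest and fills the session on return.
            header('Location: ' . $this->ssoinit);
            exit;
        }

        $attrs  = $this->opensso_get_attributes();
        $groups = array_merge($this->dynamicGroups($attrs),
                              $this->personalGroups($uid));

        $USERINFO['name'] = isset($attrs['cn'][0])   ? $attrs['cn'][0]   : $uid;
        $USERINFO['mail'] = isset($attrs['mail'][0]) ? $attrs['mail'][0] : '';
        $USERINFO['grps'] = array_values(array_unique($groups));
        $_SERVER['REMOTE_USER'] = $uid;
        return true;
    }

    // Groups derived from IdP-asserted attributes. Values are normalised so an
    // attribute value cannot carry ACL syntax (whitespace, '@', '*', ':').
    function dynamicGroups($attrs) {
        $groups = array('user');   // every authenticated user
        $map = array('eduPersonAffiliation'  => 'affiliation',
                     'schacHomeOrganization' => 'org');
        foreach ($map as $attr => $prefix) {
            if (!isset($attrs[$attr])) continue;
            foreach ((array) $attrs[$attr] as $value) {
                $g = $this->cleanGroup($value);
                if ($g !== '') $groups[] = $prefix . '-' . $g;
            }
        }
        return $groups;
    }

    // Extra memberships for individual users from a local file.
    function personalGroups($uid) {
        $groups = array();
        if (!is_readable($this->groupfile)) return $groups;
        foreach (file($this->groupfile) as $line) {
            $line = trim($line);
            if ($line === '' || $line[0] === '#' || strpos($line, ':') === false) continue;
            list($name, $list) = explode(':', $line, 2);
            if (trim($name) !== $uid) continue;
            foreach (explode(',', $list) as $g) {
                $g = $this->cleanGroup($g);
                if ($g !== '') $groups[] = $g;
            }
        }
        return $groups;
    }

    // Lower-case, keep only [a-z0-9_.-], collapse everything else to '-'.
    function cleanGroup($value) {
        return trim(preg_replace('/[^a-z0-9_.-]+/', '-', strtolower($value)), '-');
    }

    // Single logout: drop the local session, then let the SP notify the IdP.
    function logOff() {
        unset($_SESSION['opensso']);
        header('Location: ' . $this->sloinit);
        exit;
    }
}
```

Two caveats. Redirecting from `trustExternal` on every request without a session, as the slide describes, forces a login for anonymous readers too; a wiki with public read access should return false there and start the redirect only from the login action. And the group names are derived from attributes the IdP asserted, so everything rests on the SP library having verified the response signature against the IdP certificate from the metadata before it populated the session; the `cleanGroup` normalisation only stops an attribute value from being read as ACL syntax, it does not make an unverified assertion trustworthy.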

SLIDE 12

Access Control List

We configure access control for the wiki using the dynamic groups. The auth module requires no local users at the wiki to map against, but optionally users can be given custom group membership in a separate file.
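An ACL that consumes such dynamic groups, as an added example rather than the slides' own configuration. DokuWiki's `conf/acl.auth.php` is a whitespace-separated list of namespace or page, `@group` or user name, and permission level (0 none, 1 read, 2 edit, 4 create, 8 upload, 16 delete; each level includes the ones below it). The group names assume an auth module that emits `user`, `affiliation-<value>` and `org-<value>`; the namespaces are invented for the example.

```text
# conf/acl.auth.php (added example; group names assumed, namespaces invented)
# namespace/page        @group                   permission
*                       @ALL                     0
*                       @user                    1
*                       @affiliation-employee    2
projects:*              @org-uninett.no          8
projects:admin          @affiliation-staff       16
```

The first line denies anonymous access, every authenticated Feide user can read, employees can edit, and the deeper namespace rules override the wildcard for the matching groups, with the highest permission among the groups a user holds winning at that level. Because group names end up in this whitespace-separated file, the auth module must normalise attribute values before turning them into groups; a value containing a space, `@` or `*` would otherwise be split or matched in ways the ACL author did not intend.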

SLIDE 13

Login sequence

(Sequence diagram) Participants: dokuwiki.php; OpenSSO PHP (spSSOinit.php, spSLOinit.php, AssertionConsumerService.php, SingleLogoutService.php); Feide IdP; PHP session storage. Messages: dokuwiki.php redirects to spSSOinit.php, which sends a SAML 2.0 AuthnRequest to the Feide IdP; the IdP returns a SAML 2.0 AuthnResponse to AssertionConsumerService.php, which stores the session in PHP session storage and sends the user back to dokuwiki.php.

SLIDE 14

Logout sequence

(Sequence diagram) Participants: dokuwiki.php; OpenSSO PHP (spSSOinit.php, spSLOinit.php, AssertionConsumerService.php, SingleLogoutService.php); Feide IdP; PHP session storage. Messages: dokuwiki.php redirects to spSLOinit.php, which sends a SAML 2.0 LogoutRequest to the Feide IdP; the IdP returns a SAML 2.0 LogoutResponse to SingleLogoutService.php, which clears the session in PHP session storage and sends the user back to dokuwiki.php.

SLIDE 15

?