ShibbolethSupport
Add Shibboleth-based Single Sign-On authentication support for MoinMoin logins.
Authentication support
strict session support
It is possible to implement this with Apache and a configured mod_shib module.
You have to use the HTTP authentication module together with Apache and the Shibboleth Apache module (mod_shib) configured. Example Apache configuration snippet:
<Location /shibtest>
    AuthType shibboleth
    require valid-user
</Location>

You have to install the following patch in order to overcome bug?? in version 1.7.x in the current HTTP authentication module in site-packages/MoinMoin/auth/http.py:
diff -ruN http.py.save http.py --- http.py.save 2008-09-30 10:56:58.000000000 +0200 +++ http.py 2008-11-13 10:46:34.000000000 +0100 @@ -56,7 +56,8 @@ elif not isinstance(request, request_cli.Request): env = request.env auth_type = env.get('AUTH_TYPE', '') - if auth_type in ['Basic', 'Digest', 'NTLM', 'Negotiate', ]: + + if auth_type in ['Basic', 'Digest', 'NTLM', 'Negotiate', '' ]: username = env.get('REMOTE_USER', '').decode(config.charset) if auth_type in ('NTLM', 'Negotiate', ): # converting to standard case so the user can even enter wrong caseYou have to install the following patch in order to overcome bug?? in version 1.8.3 in the current http authentication module in site-packages/MoinMoin/auth/http.py
root@mignon# diff -ruN http.py.save http.py --- http.py.save 2009-05-26 17:13:00.000000000 +0200 +++ http.py 2009-05-26 17:13:58.000000000 +0200 @@ -60,7 +60,7 @@ elif not isinstance(request, request_cli.Request): env = request.env auth_type = env.get('AUTH_TYPE', '') - if auth_type in ['Basic', 'Digest', 'NTLM', 'Negotiate', ]: + if auth_type in ['Basic', 'Digest', 'NTLM', 'Negotiate', '']: username = env.get('REMOTE_USER', '').decode(config.charset) if auth_type in ('NTLM', 'Negotiate', ): # converting to standard case so the user can even enter wrong caseYou have to install the following patch to support shibboleth authentication for shibboleth2 in version 1.8.3 in the current http authentication module in site-packages/MoinMoin/auth/http.py
root@mignon# diff -ruN http.py.save http.py --- http.py.save 2009-05-26 17:13:00.000000000 +0200 +++ http.py 2009-05-26 17:13:58.000000000 +0200 @@ -60,7 +60,7 @@ elif not isinstance(request, request_cli.Request): env = request.env auth_type = env.get('AUTH_TYPE', '') - if auth_type in ['Basic', 'Digest', 'NTLM', 'Negotiate', ]: + if auth_type in ['Basic', 'Digest', 'NTLM', 'Negotiate', 'shibboleth',]: username = env.get('REMOTE_USER', '').decode(config.charset) if auth_type in ('NTLM', 'Negotiate', ): # converting to standard case so the user can even enter wrong case
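Review bot: the 1.7.x hunk (header `@@ -56,7 +56,8 @@`) adds two lines where one is intended: the first `+` line is empty, so the patch inserts a blank line between `auth_type = env.get('AUTH_TYPE', '')` and the `if`; drop it so the hunk changes only the condition. The added entry is also written `'' ]`, which differs from the original list's spacing. On the logic: accepting `''` means any request whose AUTH_TYPE is unset or empty but that carries REMOTE_USER is treated as authenticated, which is wider than Shibboleth alone; a comment on that line saying which SP version leaves AUTH_TYPE empty would tell later readers why the empty value is there.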
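Review bot: the first 1.8.3 hunk (`@@ -60,7 +60,7 @@`) is the same `''` change as the 1.7.x one without the stray blank line, so the same remark about trusting an empty AUTH_TYPE applies. It edits the same `if auth_type in [...]` line as the second 1.8.3 hunk with a different replacement, so the two are alternatives rather than a sequence: applying one leaves the `-` line of the other unmatched. The text should say that a site installs exactly one of them, chosen by SP version.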
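Review bot: the diff header of the second 1.8.3 hunk is identical to the first one (same file names and timestamps, `http.py 2009-05-26 17:13:58`) while its `+` line differs, so at least one of the two was edited by hand rather than generated; regenerate it against the real file so the header matches. The change itself, adding `'shibboleth'` to the list, is the narrower of the two variants, since it matches a specific AUTH_TYPE value instead of accepting an empty one, and it keeps the original list's trailing comma.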
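The three patches above all change one decision in MoinMoin/auth/http.py: which AUTH_TYPE values let the wiki take the user name from REMOTE_USER. The following is an added example, not MoinMoin code, that re-creates that decision in Python 3 (MoinMoin 1.7/1.8 is Python 2) and runs the original list and both patched lists against constructed WSGI environments: plain Basic auth, Shibboleth SP 1 (empty AUTH_TYPE, as the first two patches accept), Shibboleth SP 2 (`shibboleth`, as the third patch accepts), and a request where a client merely sent a `Remote-User` header. The function and variable names and the sample environments are my own; the case handling in the NTLM branch is assumed, since the page shows only its comment.

```python
# Added example, not MoinMoin code: a Python 3 re-creation of the decision that
# the patches above change in MoinMoin/auth/http.py, run against constructed
# WSGI environments. Names (remote_user_from_env, the *_AUTH_TYPES lists, the
# sample environments) are my own.

ORIGINAL_AUTH_TYPES = ['Basic', 'Digest', 'NTLM', 'Negotiate']
SP1_PATCH_AUTH_TYPES = ORIGINAL_AUTH_TYPES + ['']            # patches 1 and 2
SP2_PATCH_AUTH_TYPES = ORIGINAL_AUTH_TYPES + ['shibboleth']  # patch 3


def remote_user_from_env(env, accepted_auth_types):
    """Return the user name the wiki would trust for this request, or None.

    Mirrors the HTTPAuth.request logic shown in the hunks: the request is only
    treated as authenticated when AUTH_TYPE is in the accepted list, and the
    name is taken from REMOTE_USER. Both keys are set by the web server from
    its own authentication (mod_shib here); a client cannot inject them with a
    request header, because headers arrive under HTTP_* keys, which this
    function never reads.
    """
    auth_type = env.get('AUTH_TYPE', '')
    if auth_type not in accepted_auth_types:
        return None
    username = env.get('REMOTE_USER', '')
    if auth_type in ('NTLM', 'Negotiate'):
        # http.py normalises case here (only its comment is visible on the
        # page); lower-casing is assumed to be what it does.
        username = username.lower()
    return username or None


# Constructed environments, one per authentication path discussed on the page.
BASIC_ENV = {'AUTH_TYPE': 'Basic', 'REMOTE_USER': 'alice'}
SP1_ENV = {'AUTH_TYPE': '', 'REMOTE_USER': 'bob@example.org'}             # Shibboleth SP 1: AUTH_TYPE empty
SP2_ENV = {'AUTH_TYPE': 'shibboleth', 'REMOTE_USER': 'carol@example.org'}  # Shibboleth SP 2
FORGED_ENV = {'HTTP_REMOTE_USER': 'mallory'}   # "Remote-User:" header sent by a client, no server auth


def decision_table():
    """Which environment each variant of the accepted list logs in."""
    variants = {
        'original': ORIGINAL_AUTH_TYPES,
        'sp1_patch': SP1_PATCH_AUTH_TYPES,
        'sp2_patch': SP2_PATCH_AUTH_TYPES,
    }
    envs = {'basic': BASIC_ENV, 'sp1': SP1_ENV, 'sp2': SP2_ENV, 'forged': FORGED_ENV}
    return {(v, e): remote_user_from_env(env, types)
            for v, types in variants.items() for e, env in envs.items()}


if __name__ == '__main__':
    for (variant, env_name), user in sorted(decision_table().items()):
        print('%-9s %-6s -> %s' % (variant, env_name, user or 'not logged in'))
```

Running it shows the point of the discussion below: the unpatched list logs in neither Shibboleth environment, the `''` variant logs in SP 1 but not SP 2, and the `'shibboleth'` variant the reverse. The forged environment is refused by every variant, because the only thing the wiki trusts is what the web server itself put into REMOTE_USER after mod_shib verified the session.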
lazy session support
I have written a basic Shibboleth auth module with lazy authentication (users need to click the Login link):
from MoinMoin.auth import ContinueLogin, MultistageRedirectLogin
from MoinMoin.auth.http import HTTPAuth

class ShibbolethAuth(HTTPAuth):
    """ Authenticate with Shibboleth """
    name = 'shibboleth'
    # no username/password fields: the login form only offers a link
    login_inputs = ['special_no_input']

    def request(self, request, user_obj, **kw):
        try:
            # hack to make HTTPAuth work with Shibboleth
            if request.env.get('REMOTE_USER'):
                request.env['AUTH_TYPE'] = 'Basic'
        except AttributeError:
            pass
        return HTTPAuth.request(self, request, user_obj, **kw)

    def login(self, request, user_obj, **kw):
        if kw.get('multistage'):
            # second stage: back from the SP, pick up REMOTE_USER
            u, cont = self.request(request, user_obj, **kw)
            return ContinueLogin(u)
        else:
            # first stage: send the browser to the SP login handler;
            # MoinMoin replaces %return with the URL to come back to
            shiburl = request.getQualifiedURL('/Shibboleth.sso/Login')
            return MultistageRedirectLogin(shiburl + '?target=%return')

I have tested it with MoinMoin 1.7.1. Simply paste it into your configuration file (or in a separate file and import it). It also works with non-lazy (strict) authentication.
Bug: You always get redirected to the front page after login.
I'm not experienced with Python or the MoinMoin codebase, so any suggestions are welcome. --PerOlofsson
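The lazy-login module above sends the browser to `/Shibboleth.sso/Login?target=...` and relies on MoinMoin to fill in the return URL. The following is an added example, not part of PerOlofsson's module or of MoinMoin, that builds that redirect URL explicitly in Python 3: it resolves the return URL against the wiki base, URL-encodes it so a return URL with its own query string stays one parameter, and falls back to the wiki's own base when the return URL would point at another origin, so the SP's `target` parameter can only bring the user back to the wiki. The names (`build_shib_login_url`, `same_origin`, `WIKI_BASE`) and the sample URLs are mine; MoinMoin's `%return` substitution is not reproduced.

```python
# Added example, not PerOlofsson's module and not MoinMoin code: builds the
# redirect URL that the lazy-login code above hands to MultistageRedirectLogin,
# with the return URL URL-encoded and restricted to the wiki's own origin.
# Names (build_shib_login_url, same_origin, WIKI_BASE) and sample URLs are mine.
from urllib.parse import urlencode, urljoin, urlsplit

# Constructed base URL of the wiki (MoinMoin's request.getQualifiedURL('') would supply it).
WIKI_BASE = 'https://wiki.example.org'
SHIB_LOGIN_HANDLER = '/Shibboleth.sso/Login'   # the SP handler the module above uses


def same_origin(base_url, url):
    """True when url has the same scheme and host[:port] as base_url."""
    a, b = urlsplit(base_url), urlsplit(url)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def build_shib_login_url(wiki_base, return_url, handler=SHIB_LOGIN_HANDLER):
    """Return '<wiki>/Shibboleth.sso/Login?target=<encoded return URL>'.

    return_url may be absolute or relative. It is resolved against the wiki
    base; if the result is on a different origin (an absolute URL elsewhere,
    or a scheme-relative '//other.host/x'), the SP is told to return to the
    wiki base instead, so the target parameter cannot send the user away.
    """
    base = wiki_base.rstrip('/') + '/'
    target = urljoin(base, return_url)
    if not same_origin(base, target):
        target = base
    # urlencode quotes ':', '/', '?' and '=', so a return URL that carries its
    # own query string (e.g. ?action=login) survives as one parameter value.
    return urljoin(base, handler) + '?' + urlencode({'target': target})


if __name__ == '__main__':
    for ret in ('/FrontPage?action=login', 'https://wiki.example.org/SomePage',
                '//other.example.net/x', 'https://other.example.net/x'):
        print('%-36s -> %s' % (ret, build_shib_login_url(WIKI_BASE, ret)))
```

The same-origin check compares scheme and host together, so a downgrade from https to http is also refused; what the SP does with `target` after authentication is the SP's business, the wiki only controls what it asks for.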
Authorisation support
- requires converting Shibboleth attributes; not implemented
Discussion
- Which moin version?
- See patches
- Why does an empty auth_type string have to be added?
- The Shibboleth module does not use auth_type 'Basic', 'Digest', etc.
So, to summarize, we need auth method '' for shibboleth v1 and 'shibboleth' for v2? And that's all we need to do on the moin side to start with basic support for it? Or do we need to wait for more code first?
For strict session support, you only need to add support for AUTH_TYPE "shibboleth" in HTTPAuth. For lazy session support (user needs to click login button), see my code above. --PerOlofsson
