
The MediaWiki Shibboleth Authentication extension is used in the NSDL MediaWiki application for Community Sign On (CSO). I've written an extension to supplement it, since it provides neither a way to log out nor an override for the user login link that is displayed in the edit tab when not logged in. This page does NOT address getting Shibboleth installed on your server! These are the steps I took to get CSO working with MediaWiki once Shibboleth was installed and tested.



Download, activate, and configure Shibboleth Authentication Extension

Grab the open source ShibAuthPlugin.php and follow its directions, adjusting for your environment. I'm not an expert in Shibboleth and needed help from our systems manager to get the correct Shibboleth server settings.

Modify configuration settings

Add an additional variable to LocalSettings.php and make changes to the ShibAuthPlugin.php extension.

  • In LocalSettings.php, add a new variable alongside the other Shibboleth variables. We needed this to change the login URL to our system. You may not need to do this, but keep in mind that I use $shib_shire_providerId later on in footer.php to recreate the login link.
#This is an NSDL variable workaround for the Shibboleth authentication ext.
#The value is blank in this copy of the page; it fills the shire= parameter of the login URL.
$shib_shire_providerId = "";
  • In conjunction with the new variable, change the ShibAuthPlugin.php extension around line 284 of V1.6.
                /*********** removed 5/7/07 ************
                'href' => ($shib_Https ? 'https' :  'http') .'://' . $_SERVER['HTTP_HOST'] .
                        $shib_AssertionConsumerServiceURL . "/WAYF/" . $shib_WAYF .
                        '?target=' . (isset($_SERVER['HTTPS']) ? 'https' : 'http') .
                        '://' . $_SERVER['HTTP_HOST'] . $pageurl, );
                ************** added 5/7/07  *************
                ** See $shib_shire_providerId variable along with other
                ** settings for Shib extension in LocalSettings.php - elly
                *****************************************/
                'href' => $shib_WAYF .
                        '?shire=' . $shib_shire_providerId .
                        '&target=https://' . $_SERVER['HTTP_HOST'] . $pageurl, );

Download, Activate, and Configure NSDLAuthenticationExtension

This plugin supplements the Shibboleth Authentication extension. You can activate it by adding the require statement below to LocalSettings.php and creating the needed files. These are work-arounds for the lack of logout and to override the Login link in the edit tab. The extension uses two class files in our file structure.

  • Add to LocalSettings.php
## NSDL Wiki Auth Ext. - elly
## NSDLUserLogin and NSDLUserLogout
  • Add the following Plugin files:
    • extension/NSDLAuthenticationExtension.php
    • extension/nsdl/NSDLAuthentication/NSDLUserLogin.php
    • extension/nsdl/NSDLAuthentication/NSDLUserLogout.php

Set up a rewrite rule in Apache

You'll need a redirect for the embedded "Login" links in the edit tab. I want them to go to the Special:NSDLUserLogin page, which was created in the NSDLAuthenticationExtension. This is a work-around until the MediaWiki developers add a hook for altering the embedded login links. A bug has been submitted to them. I got the rewrite idea from the wiki (their rewrite example is slightly different).

    # Redirecting the builtin mediawiki login to use the shibboleth and NSDL extensions.
    RewriteRule ^/Special:Userlogin http://%{SERVER_NAME}/index.php/Special:NSDLUserLogin [R,L]
    RewriteCond %{REQUEST_URI} ^/wiki/index.php$
    RewriteCond %{QUERY_STRING} ^title=Special:Userlogin
    RewriteCond %{REQUEST_METHOD} ^GET$
    RewriteRule ^(.*)$ /index.php/Special:NSDLUserLogin?%{QUERY_STRING} [R,L]

Removing Built-in Login link in header

To remove the built-in login link in the header, edit YOUR_SKIN/main.css

  • Original style:
        li#pt-anonuserpage, li#pt-login {
                background: url(images/user.gif) top left no-repeat;
                padding-left: 20px;
                text-transform: none;
        }
  • Changed to:
        li#pt-anonuserpage {
                background: url(images/user.gif) top left no-repeat;
                padding-left: 20px;
                text-transform: none;
        }
        li#pt-login {
                display: none; /* HIDES THE LINK */
        }

Add Login/out link in footer

I have a custom file called footer.php to add the NSDL Sign In link. Our skin is built on MonoBook, so I add the include to skins/MonoBook.php around line 269; look for the <ul> with id "f-list".

  • skins/NSDLDefault/footer.php
<?php
global $wgTitle, $wgScriptPath, $shib_UN, $shib_WAYF, $shib_shire_providerId;

if (!empty($shib_UN)) {
	// Signed in through Shibboleth: offer the sign-out page
	$logOutLink = "http://{$_SERVER['SERVER_NAME']}/index.php?title=Special:NSDLUserlogout";
	$authLink = "<a href='" . htmlspecialchars($logOutLink, ENT_QUOTES) . "' title='Sign Out'>Sign Out</a>";
} else {
	// Not signed in: link to the WAYF with this site as the target.
	// The rest of this expression is cut off in this copy of the page.
	$signInLink = "{$shib_WAYF}?shire={$shib_shire_providerId}&target=https://{$_SERVER['HTTP_HOST']}";
	// Escape the URL (it contains "&" and request-derived values) before placing it in the attribute
	$authLink = "<a href='" . htmlspecialchars($signInLink, ENT_QUOTES) . "' title='Sign In'>Sign In</a>";
}
?>
<div id="nsdl-footer">
        <?php echo $authLink; ?>
        | <a href="" title="Contact NSDL">Contact</a>
        | <img src="<?php echo $wgScriptPath; ?>/skins/common/images/poweredby_ndr.gif" alt="Powered by NSDL Data Repository" width="88" height="31" />
        | <a href="" title="NSDL privacy policy">Privacy</a>
        | <a href="" title="Funded by National Science Foundation">Funded by NSF</a>
</div>

Using built-in MediaWiki login

To use the built-in mediawiki login:

You can still use the built-in login via this link:


And create new accounts in built-in mediawiki if need be:


NSDLAuthenticationExtension files

  • extension/NSDLAuthenticationExtension.php

<?php
/* MediaWiki extension point for NSDL CSO Authentication
 * This extension supplements the open source CSO Mediawiki Extension
 * Part one is used to override the built-in mediawiki login page.
 * Part two is used to logout of CSO
 */

$wgExtensionFunctions[] = "initNSDLAuthenticationExtension";
$wgExtensionCredits['specialpage'][] = array(
    'name' => 'NSDL Shibboleth Connection',
    'version' => 'V0.03, 2007/05/07',
    'author' => 'Elly Cramer',
    'url' => '../index.php/Community:NSDLWiki/NSDLAuthenticationExtension',
    'description' => 'Logs users out of shibboleth and redirects built-in login links to the Shibboleth login',
);

/* As per bug described in */
$wgExtensionFunctions[] = 'nsdlAuthenticationSetup';
require_once ("nsdl/NSDLAuthentication/NSDLUserLogin.php");
require_once ("nsdl/NSDLAuthentication/NSDLUserLogout.php");

/* Register this extension with the appropriate hooks */
function initNSDLAuthenticationExtension() {
	global $wgSpecialPages;
	global $wgAutoloadClasses;
	global $wgExtensionFunctions;
	// dirname() returns no trailing slash, so the separator is added here
	$wgAutoloadClasses['NSDLUserLogin'] = dirname(__FILE__) . "/nsdl/NSDLAuthentication/NSDLUserLogin.php";
	$wgSpecialPages['NSDLUserLogin'] = 'NSDLUserLogin';
	$wgAutoloadClasses['NSDLUserLogout'] = dirname(__FILE__) . "/nsdl/NSDLAuthentication/NSDLUserLogout.php";
	$wgSpecialPages['NSDLUserLogout'] = 'NSDLUserLogout';
}

/* Add the display names of the two special pages */
function nsdlAuthenticationSetup() {
  global $wgMessageCache;
  $wgMessageCache->addMessage('nsdluserlogin', 'NSDL User Login');
  $wgMessageCache->addMessage('nsdluserlogout', 'NSDL User Logout');
}
  • extension/nsdl/NSDLAuthentication/NSDLUserLogin.php
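<?php
/*
 * This is a special page that overrides the built-in login and
 * redirects the user to the NSDL Shibboleth CSO login.
 */
global $IP;
require_once( "$IP/includes/SpecialPage.php" );

class NSDLUserLogin extends SpecialPage {
	function NSDLUserLogin() {
		// Assumed: the constructor body is missing from this copy of the page
		SpecialPage::SpecialPage( "NSDLUserLogin" );
	}

	function execute () {
		global $wgOut, $wgServer, $wgTitle, $wgRequest;
		global $shib_WAYF, $shib_shire_providerId;
		$wgOut->setPagetitle("NSDL Shibboleth Login");
		// Page to come back to after signing in
		$returnto = $wgRequest->getVal( 'returnto', false );
		// Assumed: the end of this expression is cut off on the page; $returnto is otherwise unused
		$signInLink = "{$shib_WAYF}?shire={$shib_shire_providerId}&target=https://{$_SERVER['HTTP_HOST']}/index.php/" . $returnto;
		// Send the browser on to the WAYF straight away
		$wgOut->addMeta( 'http:Refresh', '0;url=' . $signInLink );
		return true;
	}
}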
  • extension/nsdl/NSDLAuthentication/NSDLUserLogout.php
<?php
/*
 * This is a special page that logs the user out of the NSDL Shibboleth CSO.
 */
global $IP;
require_once( "$IP/includes/SpecialPage.php" );

class NSDLUserLogout extends SpecialPage {
	function NSDLUserLogout() {
		// Assumed: the constructor body is missing from this copy of the page
		SpecialPage::SpecialPage( "NSDLUserLogout" );
	}

	function execute () {
		global $user, $wgOut, $wgServer;
		$wgOut->setPagetitle("NSDL Shibboleth Logout");
		$wgOut->addHTML( wfMsgExt( 'logouttext', array( 'parse' ) ) );
		$wgOut->setRobotpolicy( 'noindex,nofollow' );
		/*
		 * Kill cookies: an expiry in the past makes the browser drop them
		 * even when its clock runs slightly behind the server's.
		 */
		$expired = time() - 3600;
		setcookie("_shibsession__DOMAIN_EXT_shibboleth_session", "", $expired, "/");
		setcookie("_shibstate__DOMAIN_EXT_shibboleth_session", "", $expired, "/");
		setcookie("_saml_idp", "", $expired, "/");
		setcookie("mediawiki_session", "", $expired, "/");
		setcookie("mediawikiUserName", "", $expired, "/");
		setcookie("mediawikiUserID", "", $expired, "/");
		// Return to the wiki front page
		$wgOut->addMeta( 'http:Refresh', '0;url=' . $wgServer );
		return true;
	}
}
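
The sign-in link in footer.php and NSDLUserLogin.php is built from the Host header and the returnto request value, so the following added example (not part of the NSDL extension or ShibAuthPlugin) shows one way to keep those inputs from altering the WAYF request. The function names, the $canonicalHost parameter and the sample URLs are assumptions, and shire is assumed to hold a single URL value.

```php
<?php
// Added example, not the NSDL extension's code.
// Hypothetical names: nsdlSafeReturnTo(), nsdlSignInUrl(), $canonicalHost.

/* Accept only a wiki page title as the return page; anything else falls back to the main page. */
function nsdlSafeReturnTo( $returnto, $default = 'Main_Page' ) {
	if ( !is_string( $returnto ) || $returnto === '' || strlen( $returnto ) > 255 ) {
		return $default;
	}
	// Reject control characters, backslashes, a leading slash and anything carrying a scheme
	if ( preg_match( '/[\x00-\x1f\x7f\\\\]|^\/|:\/\//', $returnto ) ) {
		return $default;
	}
	return $returnto;
}

/* Build the WAYF link with the same shire and target parameters the page's code uses. */
function nsdlSignInUrl( $wayf, $shire, $canonicalHost, $returnto ) {
	$title = nsdlSafeReturnTo( $returnto );
	// Encode each path segment so "?", "&" and "#" in a title stay inside the path
	$path = implode( '/', array_map( 'rawurlencode', explode( '/', $title ) ) );
	// The host comes from configuration, not from $_SERVER['HTTP_HOST']
	$target = "https://{$canonicalHost}/index.php/{$path}";
	// Encode both values so nothing in them can add parameters to the WAYF request
	return $wayf . '?shire=' . rawurlencode( $shire ) . '&target=' . rawurlencode( $target );
}

// Constructed sample values
$wayf  = 'https://wayf.example.org/WAYF';
$shire = 'https://wiki.example.org/Shibboleth.sso';
$host  = 'wiki.example.org';

$samples = array(
	'Community:NSDLWiki',      // ordinary title, passed through
	'Main_Page&shire=x',       // "&" and "=" end up percent-encoded inside target
	'//elsewhere.example/x',   // leading slash: replaced by Main_Page
);
foreach ( $samples as $returnto ) {
	$url = nsdlSignInUrl( $wayf, $shire, $host, $returnto );
	// Escape once more when the URL goes into an HTML attribute
	echo "<a href='" . htmlspecialchars( $url, ENT_QUOTES ) . "' title='Sign In'>Sign In</a>\n";
}
```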