MediaWiki with UniSign/CoSign

The University of Auckland uses a variant of CoSign for its single sign-on system, called UniSign.

I needed to modify MediaWiki to use the user accounts set up centrally by the University, rather than maintaining separate login and password information for this particular wiki. The modifications were in two phases:

  1. Require users to have an account before using the wiki
  2. Use the UniSign login system, rather than the internal passwords

The first is good practice on its own. The second can be adapted to whatever your web server authenticates with: HTTP Basic auth or NTLM, backed by PAM or an LDAP directory via mod_authz_ldap. It's your server, so go wild.

From this point on I assume that your method of authentication has already been selected, is working correctly, and is setting the REMOTE_USER environment variable for every request that reaches the wiki. Only that server-set variable is to be trusted: a Remote-User header supplied by a client shows up in PHP as $_SERVER['HTTP_REMOTE_USER'], not $_SERVER['REMOTE_USER'], and must be ignored.

User restrictions

Once the user is authenticated we need to know what they may do. If your authentication is working correctly, by the time the wiki is run by the server you know who they are. That does not mean they are allowed to do anything (the authorization step), which I have chosen to handle with MediaWiki's own account system: only usernames that already exist as wiki accounts get in.

Here are some entries for LocalSettings.php:

# http://meta.wikimedia.org/wiki/Help:User_rights

# Pages anonymous visitors may still read although 'read' is denied below:
# the login page and the skin stylesheet
$wgWhitelistRead = array( "Special:Userlogin", "-", "MediaWiki:Monobook.css" );

# Disable account creation by anonymous visitors (the default for the
# 'user' group leaves it enabled for logged-in users)
$wgGroupPermissions['*'    ]['createaccount']   = false;
# Login to read, login to edit
$wgGroupPermissions['*'    ]['read']            = false;
$wgGroupPermissions['*'    ]['edit']            = false;

The login page and the stylesheet may be read by anonymous visitors. Only logged-in users can read and edit pages, and only logged-in users can create accounts for other people (with external authentication a wiki account is nothing more than the record that a given SSO login is authorized to use the wiki). Note that $wgWhitelistRead matches page titles exactly, so if you use a skin other than Monobook its stylesheet page has to be whitelisted instead.

Use the UniSign login system

This next section is a little longer. Simply put, I gut the internals of the login process so that it no longer tests the user's password against its own database. If the user has got this far they have been externally authenticated, so all that remains is to authorize them: look up the externally supplied username in the wiki's account table and refuse anyone who is not there. I have fiddled with the login template as well so that it is simpler and quicker to get past.
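The shape of that gutted login, as an added example written for this page: it is not taken from the diff and does not use MediaWiki's own classes. It trusts only the server-set REMOTE_USER, maps it to a wiki username, and authorizes only names that exist as accounts; the account list, the realm-stripping and the notauthenticated key are assumptions made for the illustration.

```php
<?php
// Added example, written for this page; it is not taken from the
// mediawiki-157-unisign.diff and does not use MediaWiki's classes.
// It shows a login stage that authorizes an externally authenticated
// user instead of checking a password.

// Constructed stand-in for the wiki's user table: the usernames a sysop
// has created. The SSO vouches for identity; membership here is the
// authorization decision.
const WIKI_ACCOUNTS = ['Alice', 'Bob'];

/**
 * Return the externally authenticated login, or null if the web server
 * did not authenticate the request.
 *
 * Only $_SERVER['REMOTE_USER'] is consulted. It is set by the server's
 * auth module after a successful authentication and cannot be supplied by
 * a client: a "Remote-User:" request header arrives as
 * $_SERVER['HTTP_REMOTE_USER'] and is ignored here, as is the wpName
 * field of the login form.
 */
function external_login(array $server): ?string
{
    $login = $server['REMOTE_USER'] ?? '';
    // Assumption: the SSO may hand back login@REALM; keep the bare login.
    $login = preg_replace('/@.*$/', '', $login);
    return $login === '' ? null : $login;
}

/**
 * Map a login to MediaWiki's canonical username form: underscores become
 * spaces and the first letter is upper-cased (the $wgCapitalLinks default).
 */
function wiki_username(string $login): string
{
    return ucfirst(str_replace('_', ' ', trim($login)));
}

/**
 * The gutted login step. There is no password test; the outcome is either
 * a wiki username to log in as, the 'nosuchuser' message key edited below,
 * or a refusal because no external login is present at all.
 */
function authorize(array $server, array $accounts): array
{
    $login = external_login($server);
    if ($login === null) {
        // Never fall back to the username typed into the form.
        return ['ok' => false, 'error' => 'notauthenticated'];
    }
    $name = wiki_username($login);
    if (!in_array($name, $accounts, true)) {
        // A sysop has to create the account first (see nosuchuser below).
        return ['ok' => false, 'error' => 'nosuchuser', 'name' => $name];
    }
    return ['ok' => true, 'name' => $name];
}

// Constructed requests, as the server environment would present them.
$cases = [
    'server-authenticated user'    => ['REMOTE_USER' => 'alice'],
    'login with realm suffix'      => ['REMOTE_USER' => 'bob@EXAMPLE.ORG'],
    'authenticated, no account'    => ['REMOTE_USER' => 'carol'],
    'forged header, posted wpName' => ['HTTP_REMOTE_USER' => 'alice',
                                       'REQUEST_METHOD' => 'POST'],
];
foreach ($cases as $label => $server) {
    $r = authorize($server, WIKI_ACCOUNTS);
    echo str_pad($label, 30), ': ',
        $r['ok'] ? "log in as {$r['name']}" : "refuse ({$r['error']})", "\n";
}
```

Run it with the php command-line interpreter. In a real deployment the in_array lookup is the wiki's user table and the 'ok' branch is where the original login code sets up the session; the point of the example is the last case, where a forged header and a posted username get nowhere because neither is ever read.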

Diff: either mediawiki-157-unisign.diff or mediawiki-158-unisign.diff, depending on your MediaWiki version. The 1.5.8 diff has not been tested and may have problems with the JavaScript on the login page.

Files changed:

Read the diff. Know what is happening.

This diff was made against a stock MediaWiki 1.5.7, which was the freshest version at the time.

To apply the diff, change into the directory that unpacking mediawiki-1.5.7 created and run: patch -p0 < mediawiki-157-unisign.diff. Running it first with --dry-run shows whether every hunk applies cleanly without touching anything; if you are lucky the four files will then be patched.

Errata: Andrew Elwell had problems with the original diff. My diff was for 1.5.7, not 1.5.8. A new diff that applies to 1.5.8 (but may not work properly) is now supplied.

Cosmetics

The diff mentions the NetAccount system. Your authentication will have a different name, so change this. The logout page people are redirected to is our UniSign server; change that to your own SSO's logout page.

Through the wiki's Special:Allmessages page you will also need to edit the following messages:

logouttext
Perhaps send them to an external logout page? The wiki's own logout only clears the wiki session; the web server will still present the same REMOTE_USER on the next request, so without an external logout the user is effectively still signed in.

nosuchuser
There is no user by the name "$1". You will need to contact a Wiki sysop to have an account created for you.

Stephen Cope 2006-05-25
http://www.stat.auckland.ac.nz/~kimihia/mediawiki