I'm going to be attempting to make MediaWiki read Harvard
authentication. The Harvard system handles login and then passes a
verified, user-unique token back to the caller. It's the caller's
responsibility to look up the token in whatever their own authorization
system is, and say, "Oh, yeah, that's this user, he has these rights"
and proceed accordingly.

The idea here is that a user comes to the MediaWiki top URL, gets passed
to Harvard auth, back to the wiki, which does the right thing and logs
him in.
Is the harvard auth using Shibboleth or SAML? Even if not, it sounds like it
works a lot like one of those. Pat Patterson, previously of Sun, wrote an
OpenSSO plugin a while back that may be useful as a partial example. It does
the redirection and checking of the returned cookie. It is missing the
ability to create new users (which is important), and pull attributes from
the token (which you may be able to live without). AFAIK, this is the only
authentication extension that actually implements the redirect/cookie check
instead of relying on a web server agent. See:
http://blogs.sun.com/superpat/entry/opensso_single_sign_on_extension
Note: this code is CDDL licensed, which is incompatible with GPL. I've asked
Sun numerous times to relicense this to GPL without success.
You can use the AutoAuthentication portion of the LDAP authentication
extension for an example of how to create users on login:
http://svn.wikimedia.org/viewvc/mediawiki/trunk/extensions/LdapAuthentication/LdapAutoAuthentication.php?view=markup
Specifically, look at the attemptAddUser function.
Note that the LDAP extension is GPL, hence the problem with the OpenSSO
extension (thanks Sun). Make sure you only take ideas from the OpenSSO
plugin, and don't copy code. I'll try again with Oracle to get it relicensed
as GPL.
Respectfully,
Ryan Lane
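The flow the reply describes (redirect the visitor to the external login, check the cookie that comes back, auto-create the wiki account on first visit) as an added example sketch. This is not code from the OpenSSO plugin or the LDAP extension, and nothing about the Harvard side is known from the thread: the login URL, the cookie name HARVARD_TOKEN, the token layout (username:expiry:HMAC over a shared secret), the $wgHarvardAuthz mapping and the hook/User method names are all assumptions made for illustration, the latter taken from the MediaWiki 1.16-era PHP API as I recall it.

```php
<?php
// HarvardAuth.php: added example sketch, not the OpenSSO plugin's or the LDAP
// extension's code. Everything about the Harvard side below is an assumption.

$wgHarvardLoginUrl = 'https://auth.example.harvard.edu/login'; // assumed
$wgHarvardCookie   = 'HARVARD_TOKEN';                          // assumed name
$wgHarvardSecret   = 'replace-with-shared-secret';             // assumed layout
// Local authorization data (the caller's own lookup): username => groups.
$wgHarvardAuthz    = array( 'jdoe' => array( 'editor' ), 'admin1' => array( 'sysop' ) );

$wgHooks['BeforePageDisplay'][]            = 'HarvardAuth::onBeforePageDisplay';
$wgHooks['UserLoadAfterLoadFromSession'][] = 'HarvardAuth::onUserLoadAfterLoadFromSession';

class HarvardAuth {

	// Step 1: an anonymous visitor who asks to log in is sent to Harvard auth,
	// carrying the wiki URL to return to.
	public static function onBeforePageDisplay( &$out, &$skin ) {
		global $wgUser, $wgTitle, $wgHarvardLoginUrl;
		if ( $wgUser->isAnon()
			&& $wgTitle->equals( SpecialPage::getTitleFor( 'Userlogin' ) ) ) {
			$returnTo = Title::newMainPage()->getFullURL();
			$out->redirect( $wgHarvardLoginUrl . '?return=' . urlencode( $returnTo ) );
		}
		return true;
	}

	// Step 2: on each request, if the returned cookie is present and verifies,
	// log the session in as that user, creating the account if needed.
	// Assumes the cookie is set on a domain the wiki host can read.
	public static function onUserLoadAfterLoadFromSession( $user ) {
		global $wgRequest, $wgHarvardCookie;
		if ( $user->isLoggedIn() ) {
			return true;
		}
		// prefix '' asks for the raw cookie name, not $wgCookiePrefix . name
		$token = $wgRequest->getCookie( $wgHarvardCookie, '' );
		if ( $token === null ) {
			return true;
		}
		$account = self::lookupToken( $token );
		if ( $account === null ) {
			return true; // bad, expired or unauthorized token: stay anonymous
		}
		$u = User::newFromName( $account['username'], 'creatable' );
		if ( $u === false ) {
			return true; // not a usable wiki account name
		}
		if ( $u->getId() == 0 ) {
			self::attemptAddUser( $u, $account['groups'] );
		}
		$user->setId( $u->getId() );
		$user->loadFromId();
		$user->setCookies();
		return true;
	}

	// Auto-creation, modelled on the idea (not the code) of the LDAP
	// extension's attemptAddUser: no local password, groups from local data.
	private static function attemptAddUser( $u, $groups ) {
		$u->addToDatabase();
		$u->setToken(); // fresh random session token
		foreach ( $groups as $group ) {
			$u->addGroup( $group );
		}
		$u->saveSettings();
	}

	// Verify the token, then do the caller's own authorization lookup.
	// Assumed token layout: "username:expiry:hex(HMAC-SHA256(username:expiry))".
	// Returns array('username' => ..., 'groups' => ...) or null.
	private static function lookupToken( $token ) {
		global $wgHarvardSecret, $wgHarvardAuthz;
		$parts = explode( ':', $token );
		if ( count( $parts ) != 3 ) {
			return null;
		}
		list( $username, $expiry, $mac ) = $parts;
		$expected = hash_hmac( 'sha256', "$username:$expiry", $wgHarvardSecret );
		if ( !hash_equals( $expected, $mac ) || (int)$expiry < time() ) {
			return null; // forged or expired: the cookie alone proves nothing
		}
		if ( !isset( $wgHarvardAuthz[$username] ) ) {
			return null; // authenticated by Harvard, but not known to this wiki
		}
		return array( 'username' => $username, 'groups' => $wgHarvardAuthz[$username] );
	}
}
```

The two checks in lookupToken are the part the reply says the OpenSSO plugin leaves out and the original question calls the caller's responsibility: the MAC and expiry stop a visitor from logging in by simply setting a cookie with someone else's name, and the $wgHarvardAuthz lookup is where "that's this user, he has these rights" happens before any account is created.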