Mailing List Archive

An help with Mediawiki Shibboleth extension
Hi to all,

I'm Marco Malavolti from GARR (Italian NREN) and I'm trying to use
Shibboleth extension for Mediawiki to set user's rights with groups.

https://www.mediawiki.org/wiki/Extension:Shibboleth

I have successfully configured the extension to enable the SSO and it
works, but I don't know why the following configuration doesn't set
privilegies/groups to logged users:

wfLoadExtension( 'Shibboleth' );

$wgShibboleth_Username = 'eppn';
$wgShibboleth_Email = 'mail';
$wgShibboleth_DisplayName = "cn";
$wgShibboleth_Logout_Base_Url = "https://sp.example.org";
$wgShibboleth_Logout_Target_Url = '/index.php/Pagina_principale';

$wgShibboleth_GroupMap = [. 'attr_name' => 'unscoped-affiliation',
'sysop' => 'member',
'bureaucrat' => 'member',
'interface-admin' => 'member',
];

'unscoped-affiliation' is the eduPersonAffiliation attribute. That name
is what Shibboleth set by default.

I'm using the latest version of the extension provided here:

https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/Shibboleth/+/master


Can you help me to understand how to provide group's permission to my
logged users, please?

Thank you so much for any help you can provide!


--
Marco Malavolti
Consortium GARR - Servizio IDEM GARR AAI
Via dei Tizii, 6 - I-00185 (ROMA)
CF: 97284570583 - PI:07577141000
Tel.: 02 6448 2507
Skype: marco.mala
PGP KEY: https://keys.openpgp.org/search?q=marco.malavolti@garr.it

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: An help with Mediawiki Shibboleth extension [ In reply to ]
Hi Marco,

If there is not enough documentation about that extension I would
suggest to go inside the extension (it seems not that large) and debug
its related code about group handling.

E.g. I'm looking at the Shibboleth#populateGroups() function and it
seems that it only accepts 'sysop' and 'bureaucrat', so you may need to
patch the extension for your need.

https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/Shibboleth/+/master/Shibboleth.class.php#60

Hoping to have given a starting point, but actually I can't play with
that ecosystem to give more support.

Good luck for now!

On Wed, 2019-09-18 at 13:46 +0200, Marco Malavolti wrote:
> Hi to all,
>
> I'm Marco Malavolti from GARR (Italian NREN) and I'm trying to use
> Shibboleth extension for Mediawiki to set user's rights with groups.
>
> https://www.mediawiki.org/wiki/Extension:Shibboleth
>
> I have successfully configured the extension to enable the SSO and it
> works, but I don't know why the following configuration doesn't set
> privilegies/groups to logged users:
>
> wfLoadExtension( 'Shibboleth' );
>
> $wgShibboleth_Username = 'eppn';
> $wgShibboleth_Email = 'mail';
> $wgShibboleth_DisplayName = "cn";
> $wgShibboleth_Logout_Base_Url = "https://sp.example.org";
> $wgShibboleth_Logout_Target_Url = '/index.php/Pagina_principale';
>
> $wgShibboleth_GroupMap = [. 'attr_name' => 'unscoped-affiliation',
> 'sysop' => 'member',
> 'bureaucrat' => 'member',
> 'interface-admin' => 'member',
> ];
>
> 'unscoped-affiliation' is the eduPersonAffiliation attribute. That
> name
> is what Shibboleth set by default.
>
> I'm using the latest version of the extension provided here:
>
> https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/Shibboleth/+/master
>
>
> Can you help me to understand how to provide group's permission to my
> logged users, please?
>
> Thank you so much for any help you can provide!
>
>
--
--------
[[User:Valerio Bozzolan]]
Bot developer in it.wiki, Commmons, Wikidata

Talk me about an interesting import!



_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: An help with Mediawiki Shibboleth extension [ In reply to ]
Hi Valerio and thank you for your help,

I'm not a PHP expert and I have tried to remove "interface-admin" and
"bureaucrat" lines, but the rights/groups assignment doesn't work.

Are there someone that uses this extension with groups?

Thank you for all your help!
Marco



Il 18/09/19 14:57, Valerio Bozzolan via MediaWiki-l ha scritto:
> Hi Marco,
>
> If there is not enough documentation about that extension I would
> suggest to go inside the extension (it seems not that large) and debug
> its related code about group handling.
>
> E.g. I'm looking at the Shibboleth#populateGroups() function and it
> seems that it only accepts 'sysop' and 'bureaucrat', so you may need to
> patch the extension for your need.
>
> https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/Shibboleth/+/master/Shibboleth.class.php#60
>
> Hoping to have given a starting point, but actually I can't play with
> that ecosystem to give more support.
>
> Good luck for now!
>
> On Wed, 2019-09-18 at 13:46 +0200, Marco Malavolti wrote:
>> Hi to all,
>>
>> I'm Marco Malavolti from GARR (Italian NREN) and I'm trying to use
>> Shibboleth extension for Mediawiki to set user's rights with groups.
>>
>> https://www.mediawiki.org/wiki/Extension:Shibboleth
>>
>> I have successfully configured the extension to enable the SSO and it
>> works, but I don't know why the following configuration doesn't set
>> privilegies/groups to logged users:
>>
>> wfLoadExtension( 'Shibboleth' );
>>
>> $wgShibboleth_Username = 'eppn';
>> $wgShibboleth_Email = 'mail';
>> $wgShibboleth_DisplayName = "cn";
>> $wgShibboleth_Logout_Base_Url = "https://sp.example.org";
>> $wgShibboleth_Logout_Target_Url = '/index.php/Pagina_principale';
>>
>> $wgShibboleth_GroupMap = [. 'attr_name' => 'unscoped-affiliation',
>> 'sysop' => 'member',
>> 'bureaucrat' => 'member',
>> 'interface-admin' => 'member',
>> ];
>>
>> 'unscoped-affiliation' is the eduPersonAffiliation attribute. That
>> name
>> is what Shibboleth set by default.
>>
>> I'm using the latest version of the extension provided here:
>>
>> https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/Shibboleth/+/master
>>
>>
>> Can you help me to understand how to provide group's permission to my
>> logged users, please?
>>
>> Thank you so much for any help you can provide!
>>
>>

--
Marco Malavolti
Consortium GARR - Servizio IDEM GARR AAI
Via dei Tizii, 6 - I-00185 (ROMA)
CF: 97284570583 - PI:07577141000
Tel.: 02 6448 2507
Skype: marco.mala
PGP KEY: https://keys.openpgp.org/search?q=marco.malavolti@garr.it

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: An help with Mediawiki Shibboleth extension [ In reply to ]
Hi to all,

Problem solved in the v1.1.1.

Thanks to Attila (the developer of the extension) and Davide Vaghetti we
have correctly patched the extension and now it works.

Best regards to all!
Marco



Il 18/09/19 13:46, Marco Malavolti ha scritto:
> Hi to all,
>
> I'm Marco Malavolti from GARR (Italian NREN) and I'm trying to use
> Shibboleth extension for Mediawiki to set user's rights with groups.
>
> https://www.mediawiki.org/wiki/Extension:Shibboleth
>
> I have successfully configured the extension to enable the SSO and it
> works, but I don't know why the following configuration doesn't set
> privilegies/groups to logged users:
>
> wfLoadExtension( 'Shibboleth' );
>
> $wgShibboleth_Username = 'eppn';
> $wgShibboleth_Email = 'mail';
> $wgShibboleth_DisplayName = "cn";
> $wgShibboleth_Logout_Base_Url = "https://sp.example.org";
> $wgShibboleth_Logout_Target_Url = '/index.php/Pagina_principale';
>
> $wgShibboleth_GroupMap = [. 'attr_name' => 'unscoped-affiliation',
> 'sysop' => 'member',
> 'bureaucrat' => 'member',
> 'interface-admin' => 'member',
> ];
>
> 'unscoped-affiliation' is the eduPersonAffiliation attribute. That name
> is what Shibboleth set by default.
>
> I'm using the latest version of the extension provided here:
>
> https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/Shibboleth/+/master
>
>
> Can you help me to understand how to provide group's permission to my
> logged users, please?
>
> Thank you so much for any help you can provide!
>
>

--
Marco Malavolti
Consortium GARR - Servizio IDEM GARR AAI
Via dei Tizii, 6 - I-00185 (ROMA)
CF: 97284570583 - PI:07577141000
Tel.: 02 6448 2507
Skype: marco.mala
PGP KEY: https://keys.openpgp.org/search?q=marco.malavolti@garr.it

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l