Shibboleth Authentication for TikiWiki



To enable Shibboleth authentication you will need to complete 2 main steps.

Shibboleth Step 1: Update the Wiki


To enable Shibboleth authentication within the wiki, go to the Admin page and select Shibboleth in the dropdown box.

Once it is selected, go to the Shibboleth Settings at the bottom of the page.

Below is a table of the options and what they do.


| Option | Description | Default |
|---|---|---|
| Create user if not registered in Tiki | If a user was externally authenticated, but not found in the Tiki user database, Tiki will create an entry in its user database. | Disabled |
| Use Tiki authentication for Admin log-in | The user “admin” will be authenticated by only using Tiki’s user database. This option has no effect on users other than “admin”. | Disabled |
| Valid affiliations | A list of affiliations which will allow users to log in to this wiki. Separate multiple affiliations with commas. | None |
| Create with default group | | Disabled |
| Default group | The name of the default group | Shibboleth |



When the above is completed, the wiki is ready to use Shibboleth as an authentication source. You will now need to ensure that Shibboleth is set up correctly.

Below are the files that were modified to enable Shibboleth authentication:

  • lib/userslib.php
  • templates/modules/mod-login_box.tpl
  • templates/tiki-admin-include-login.tpl
  • tiki-admin_include_login.php
  • tiki-setup_base.php


Below is a table of these files and a description of the changes:

| File name | Description |
|---|---|
| userslib.php | This is used to validate a Shibboleth user; changes have been made to the validate_user function. |
| tiki-admin-include-login.tpl | This file needs to be changed to display the “Login through Shibboleth” login box when not logged in. |
| tiki-admin-include-login.tpl | This file needs to be changed to display the Shibboleth options in the Login Admin page. |
| tiki-admin_include_login.php | The changes to this file process the new values set in the Login Admin page above. |
| tiki-setup_base.php | This page will need to be changed to ensure the Shibboleth user is validated. |

Shibboleth Step 2: Update Shibboleth


To have the wiki protected by Shibboleth you will need to add the following to your Apache conf.

<Location /tikiwiki/tiki-login_scr.php>
   AuthType shibboleth
   ShibRequireSession On
   ShibRequireAll On
   require valid-user
</Location>

The other thing you will need to do is update your Shibboleth Service Provider's AAP (Attribute Assertion Policy) file, AAP.XML.

Below are the attributes required by the TikiWiki auth and the required Header values:


<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="false" Header="REMOTE_USER">
   <AnySite>
      <!-- Ensure the value is unscoped so all IDs are unique-->
      <Value Type="regexp">.*@.*</Value>
   </AnySite>
</AttributeRule>

<AttributeRule Name="urn:mace:dir:attribute-def:mail" Header="MAIL">
   <AnySite>
      <AnyValue/>
   </AnySite>
</AttributeRule>

<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation" Header="Shib-EP-UnscopedAffiliation">
   <AnySite>
      <AnyValue/>
   </AnySite>
</AttributeRule>
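
The check that the "Valid affiliations" option and the three headers above imply, as an added example (not TikiWiki's own code). The function name is hypothetical, the `$_SERVER` key names assume PHP's usual `HTTP_` mapping of the AAP Header values, and denying everyone when the configured list is empty is an assumption.

```php
<?php
// Added example, not TikiWiki code. shib_login_allowed() is a hypothetical name.

/**
 * Decide whether a Shibboleth-authenticated request may log in.
 * $server      - array shaped like $_SERVER
 * $validConfig - the "Valid affiliations" setting (comma-separated)
 * Returns [bool allowed, string reason].
 */
function shib_login_allowed(array $server, string $validConfig): array
{
    // The AAP rule only accepts values matching .*@.*; here we additionally
    // require a non-empty part on each side of a single "@".
    $user = trim($server['REMOTE_USER'] ?? '');
    if (!preg_match('/^[^@\s]+@[^@\s]+$/', $user)) {
        return [false, 'missing or malformed REMOTE_USER'];
    }

    // Configured list is comma-separated; compare case-insensitively.
    $valid = array_filter(array_map('trim', explode(',', strtolower($validConfig))), 'strlen');
    if (!$valid) {
        // Assumption: an empty list denies everyone (fail closed).
        return [false, 'no valid affiliations configured'];
    }

    // Multi-valued attributes arrive in one header, joined by ";".
    $raw  = $server['HTTP_SHIB_EP_UNSCOPEDAFFILIATION'] ?? '';
    $have = array_filter(array_map('trim', explode(';', strtolower($raw))), 'strlen');

    $match = array_intersect($have, $valid);
    if (!$match) {
        return [false, 'no matching affiliation'];
    }
    return [true, 'matched: ' . implode(',', $match)];
}

// Constructed sample requests (not captured from a real deployment).
$cases = [
    ['REMOTE_USER' => 'alice@example.edu', 'HTTP_SHIB_EP_UNSCOPEDAFFILIATION' => 'member;staff'],
    ['REMOTE_USER' => 'bob@example.edu',   'HTTP_SHIB_EP_UNSCOPEDAFFILIATION' => 'alum'],
    ['REMOTE_USER' => 'carol',             'HTTP_SHIB_EP_UNSCOPEDAFFILIATION' => 'staff'],
    ['HTTP_SHIB_EP_UNSCOPEDAFFILIATION' => 'staff'],
];
foreach ($cases as $c) {
    [$ok, $why] = shib_login_allowed($c, 'Staff, Faculty');
    printf("%-18s %s (%s)\n", $c['REMOTE_USER'] ?? '(none)', $ok ? 'ALLOW' : 'DENY', $why);
}
```

These header values are only trustworthy on requests that passed through the Shibboleth-protected location, so a check like this belongs on the login path covered by the `<Location>` block above.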