Securing MediaWiki using Centrale KU Leuven Login: Difference between revisions

From ULYSSIS documentation
No edit summary
 
(27 intermediate revisions by 3 users not shown)
Line 4: Line 4:
==Prerequisites==
==Prerequisites==
Before installing, you need to have SSL and Shibboleth (Central KU Leuven Login) enabled on your domain.
Before installing, you need to have SSL and Shibboleth (Central KU Leuven Login) enabled on your domain.
* For instructions on how to get SSL: https://docs.ulyssis.org/Getting_SSL
* For instructions on how to get SSL/TLS: https://docs.ulyssis.org/Getting_SSL/TLS
* Information about requesting Shibboleth: https://docs.ulyssis.org/Shibboleth
* Information about requesting Shibboleth: https://docs.ulyssis.org/Shibboleth
Once you know everything is installed properly, you can proceed to install the extension.
Once you know everything is installed properly, you can proceed to install the extension.


==Installation==
==Installation==
First, download the latest release from [https://github.com/ULYSSIS-KUL/MediaWikiShibboleth/releases/latest github]. Make sure to click the <code>MediaWikiShibboleth.zip</code> download button. Then, unzip the zip file in your <code><mediawiki installation folder>/extensions/</code> directory. Finally, add the following lines to your <code><mediawiki installation folder>/LocalSettings.php</code>:
First, download the latest release from [https://github.com/ULYSSIS-KUL/MediaWikiShibboleth/releases/latest/download/MediaWikiShibboleth.zip github]. Unzip the zip file in the <code>extensions/</code> directory in your MediaWiki installation folder. Make sure there is now a <code>MediaWikiShibboleth</code> folder in <code>extensions/</code>. Finally, locate the <code>LocalSettings.php</code> file in your MediaWiki installation folder and add the following lines to it:


  wfLoadExtension('MediaWikiShibboleth');
  wfLoadExtension('MediaWikiShibboleth');
  include 'extensions/MediaWikiShibboleth/MediaWikiShibboleth_body.php';
  $wgGroupPermissions['*']['createaccount'] = false;
$wgRevokePermissions['Shibboleth']['editmyprivateinfo'] = true;
   
   
  $wgGroupPermissions['*']['edit'] = false;
  $wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
$wgGroupPermissions['*']['createpage'] = false;
  $wgGroupPermissions['*']['writeapi'] = false;
  $wgGroupPermissions['*']['writeapi'] = false;


If you want to allow anonymous editing, you should <b>not</b> add the last 4 lines of the previous paragraph. Though this really defeats the purpose of the extension.
If you want to allow anonymous editing, you should <b>not</b> add the last 2 lines of the previous paragraph. This really defeats the purpose of the extension though.


==Configuration==
==Configuration==
MediaWikiShibboleth has 3 configuration options which allow for restricting who can log in to your wiki. These options work especially well with restricting the access of the wiki to logged-in users only. They can be configured in the <code><mediawiki installation folder>/extensions/MediaWikiShibboleth/extension.json</code> file.
MediaWikiShibboleth has some configuration options which allow for restricting who can log in to your wiki. These restrictions are cumulative. For example, it is possible to allow only students enrolled in a specific degree or programme to log in. These options work especially well with restricting the access of the wiki to logged-in users only.


=== Restricting access to logged-in users only ===
=== Restricting access to logged-in users only ===
This option is not an option provided by the extension, but very useful in its context. If you do not want guest visitors to be able to view any page of your wiki, add the following line to your <code><mediawiki installation folder>/LocalSettings.php</code>:  
This option is not an option provided by the extension, but very useful in its context. If you do not want guest visitors to be able to view any page of your wiki, add the following line to your <code>LocalSettings.php</code>:  


  $wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['read'] = false;


=== MWSStudentsOnly ===
=== MWSStudentsOnly ===
This option tells MediaWikiShibboleth to only allow students to log in. KU Leuven employees, alumni, doctoral students, teaching assistants etc. will not be able to log in using their employee account. Do keep in mind doctoral students also have a student account, which will still work. Set this option by adding  
This option tells MediaWikiShibboleth to only allow students to log in. KU Leuven employees, alumni, doctoral students, teaching assistants etc. will not be able to log in using their employee account. Do keep in mind doctoral students also have a student account, which will still work. Set this option by adding  


  $wgMWSStudentsOnly = true;
$wgMWSStudentsOnly = true;


to <code><mediawiki installation folder>/LocalSettings.php</code>. If you combine this option with "Restricting access to logged-in users only", only students will be able to view, log in and edit your wiki.
to <code>LocalSettings.php</code>. If you combine this option with "Restricting access to logged-in users only", only students will be able to view, log in and edit your wiki.


=== MWSAllowedKULids ===
=== MWSAllowedKULids ===
This option can be used to only allow specific KUL ids to log in. An example KUL id is "r0653730". If this option is set to "", no KUL id checking will be performed. Set this option by adding  
This option can be used to only allow specific KUL ids to log in. An example KUL id is "r0653730". If this option is set to "", no KUL id checking will be performed. Set this option by adding  


  $wgMWSAllowedKULids = "r0653730, r0300342, KUL id 3...";
$wgMWSAllowedKULids = "r0653730, r0300342, KUL id 3...";


to <code><mediawiki installation folder>/LocalSettings.php</code>. You can add as many KUL ids as you like, separated by a comma.
to <code>LocalSettings.php</code>. You can add as many KUL ids as you like, separated by a comma.


=== MWSAllowedDegrees ===
=== MWSAllowedDegrees ===
This option can be used to only allow persons enrolled in specific degrees/programmes to log in. An example KUL degree number is "51016742". If this option is set to "[]", no degree number checking will be performed. Set this option by adding  
This option can be used to only allow students enrolled in specific degrees/programmes to log in. An example KUL degree number is "51016742". If this option is set to "", no degree number checking will be performed. Set this option by adding  


  $wgMWSAllowedDegrees = "51016742, 51016835, 51016753...";
$wgMWSAllowedDegrees = "51016742, 51016835, 51016753...";


to <code><mediawiki installation folder>/LocalSettings.php</code>. You can add as many degree numbers as you like, separated by a comma.
to <code>LocalSettings.php</code>. You can add as many degree numbers as you like, separated by a comma.
 
=== Translations ===
It's possible to translate and modify all public MediaWikiShibboleth messages. The translations can be found in the <code>extensions/MediaWikiShibboleth/i18n/</code>. Dutch (<code>nl.json</code>) and English (<code>en.json</code>) translations are already provided. Even the provided translations can be customized, and we strongly advise you to do so, in order to match them with your wiki situation.


==Operation==
==Operation==
When the extension is installed successfully, anonymous users will not be able to create an account and the account creation page will be removed from the home page. On the log in page, a new image is added: if you click on this image, you will be logged in using Shibboleth. If you want to log in with an explicit username/password combination, you can click "Password Login" to expand a login menu.
When the extension is installed successfully, anonymous users will not be able to create an account and the account creation page will be removed from the home page. On the log in page, a new image is added: if you click on this image, you will be logged in using Shibboleth. If you want to log in with an explicit username/password combination, you can click "Login without Central KU Leuven login" to expand a login menu.


The new log in page looks like this with "Password Login" expanded:
The new log in page looks like this with "Login without Central KU Leuven login" expanded:


[[File:Login.png]]
[[File:Login.png|thumb|none]]


==Creating accounts==
==Creating accounts==
If you want to create password accounts, you can navigate to the CreateAccount special page (make sure you are logged in using an administrator account). This is necessary to create accounts for users without a KU Leuven login. You should select "Use a temporary random password and send it to the specified email address".
If you want to create password accounts, you can navigate to the CreateAccount special page (make sure you are logged in using an administrator account). This is necessary to create accounts for users without a KU Leuven login. You should select "Use a temporary random password and send it to the specified email address".


[[File:CreateAccount.png]]
[[File:CreateAccount.png|thumb|none]]
 
[[Category:Security & anti-spam]]
[[Category:CMSs]]
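Review bot: The Configuration intro now says "These restrictions are cumulative", but none of the option sections says how the checks combine, so it is unclear whether an id listed in $wgMWSAllowedKULids must also pass $wgMWSStudentsOnly and $wgMWSAllowedDegrees. If a login has to satisfy every option that is set, say so explicitly in the intro, since a reader building an allowlist will otherwise guess. The $wgMWSAllowedKULids example also still carries the placeholder text "KUL id 3..." inside the string literal; moving it out of the quoted value would keep it from being pasted into a live allowlist.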

Latest revision as of 22:25, 9 May 2023

About

MediaWikiShibboleth is a MediaWiki extension created by ULYSSIS to allow for login through the Central KU Leuven Login (Shibboleth). The extension disables editing and creating of (talk) pages by anonymous users, and requires Shibboleth authentication for account creation and login.

Prerequisites

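Before installing, you need to have SSL and Shibboleth (Central KU Leuven Login) enabled on your domain.

* For instructions on how to get SSL/TLS: https://docs.ulyssis.org/Getting_SSL/TLS
* Information about requesting Shibboleth: https://docs.ulyssis.org/Shibboleth

Once you know everything is installed properly, you can proceed to install the extension.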

Installation

First, download the latest release from GitHub (https://github.com/ULYSSIS-KUL/MediaWikiShibboleth/releases/latest/download/MediaWikiShibboleth.zip). Unzip the zip file in the extensions/ directory in your MediaWiki installation folder. Make sure there is now a MediaWikiShibboleth folder in extensions/. Finally, locate the LocalSettings.php file in your MediaWiki installation folder and add the following lines to it:

wfLoadExtension('MediaWikiShibboleth');
$wgGroupPermissions['*']['createaccount'] = false;
$wgRevokePermissions['Shibboleth']['editmyprivateinfo'] = true;

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['writeapi'] = false;

If you want to allow anonymous editing, you should not add the last 2 lines of the block above (the edit and writeapi lines). This really defeats the purpose of the extension, though.

Configuration

MediaWikiShibboleth has some configuration options which allow for restricting who can log in to your wiki. These restrictions are cumulative. For example, it is possible to allow only students enrolled in a specific degree or programme to log in. These options work especially well with restricting the access of the wiki to logged-in users only.

Restricting access to logged-in users only

This is not an option provided by the extension, but it is very useful in this context. If you do not want guest visitors to be able to view any page of your wiki, add the following line to your LocalSettings.php:

$wgGroupPermissions['*']['read'] = false;

MWSStudentsOnly

This option tells MediaWikiShibboleth to only allow students to log in. KU Leuven employees, alumni, doctoral students, teaching assistants etc. will not be able to log in using their employee account. Do keep in mind doctoral students also have a student account, which will still work. Set this option by adding

$wgMWSStudentsOnly = true;

to LocalSettings.php. If you combine this option with "Restricting access to logged-in users only", only students will be able to view, log in and edit your wiki.

MWSAllowedKULids

This option can be used to only allow specific KUL ids to log in. An example KUL id is "r0653730". If this option is set to "", no KUL id checking will be performed. Set this option by adding

$wgMWSAllowedKULids = "r0653730, r0300342, KUL id 3...";

to LocalSettings.php. You can add as many KUL ids as you like, separated by a comma.

MWSAllowedDegrees

This option can be used to only allow students enrolled in specific degrees/programmes to log in. An example KUL degree number is "51016742". If this option is set to "", no degree number checking will be performed. Set this option by adding

$wgMWSAllowedDegrees = "51016742, 51016835, 51016753...";

to LocalSettings.php. You can add as many degree numbers as you like, separated by a comma.
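A check for the settings described above, as an added example that is not part of the ULYSSIS documentation or the extension: it reads a LocalSettings.php as text and reports missing or overridden anonymous-user restrictions and allowlist entries that look like pasted placeholder text. It assumes one assignment per line, does not understand /* */ block comments, and assumes an id or degree number is a single alphanumeric token; the sample input is constructed.

```python
import re

# Rights the Installation section sets to false for anonymous users ('*').
REQUIRED_ANON = ("createaccount", "edit", "writeapi")
# Anchoring at line start skips lines commented out with '#' or '//'.
ASSIGN = re.compile(
    r"""^\s*\$wgGroupPermissions\['\*'\]\['(\w+)'\]\s*=\s*(true|false)\s*;""",
    re.M | re.I)
ALLOWLIST = re.compile(
    r"""^\s*\$wg(MWSAllowedKULids|MWSAllowedDegrees)\s*=\s*"([^"]*)"\s*;""", re.M)
LOADED = re.compile(r"^\s*wfLoadExtension\(\s*'MediaWikiShibboleth'\s*\)\s*;", re.M)
TOKEN = re.compile(r"^[A-Za-z0-9]+$")  # assumption: one alphanumeric token per entry


def audit(settings_text):
    """Return a list of findings for the text of a LocalSettings.php."""
    findings = []
    if not LOADED.search(settings_text):
        findings.append("extension not loaded")
    # PHP applies assignments in order, so the last value per right wins.
    anon = {m.group(1): m.group(2).lower() == "true"
            for m in ASSIGN.finditer(settings_text)}
    for right in REQUIRED_ANON:
        if anon.get(right) is not False:  # missing or set back to true
            findings.append(f"anonymous '{right}' is not set to false")
    for name, value in ALLOWLIST.findall(settings_text):
        for entry in (e.strip() for e in value.split(",")):
            if entry and not TOKEN.match(entry):
                findings.append(f"{name}: suspicious entry {entry!r}")
    return findings


# Constructed sample: writeapi commented out, edit re-enabled further down,
# and the documentation's placeholder copied into the allowlist.
SAMPLE = """\
wfLoadExtension('MediaWikiShibboleth');
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
# $wgGroupPermissions['*']['writeapi'] = false;
$wgMWSAllowedKULids = "r0653730, r0300342, KUL id 3...";
$wgGroupPermissions['*']['edit'] = true;
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
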

Translations

It's possible to translate and modify all public MediaWikiShibboleth messages. The translations can be found in the extensions/MediaWikiShibboleth/i18n/ directory. Dutch (nl.json) and English (en.json) translations are already provided. Even the provided translations can be customized, and we strongly advise you to do so, in order to match them to your wiki's situation.

Operation

When the extension is installed successfully, anonymous users will not be able to create an account and the account creation page will be removed from the home page. On the login page, a new image is added: if you click on this image, you will be logged in using Shibboleth. If you want to log in with an explicit username/password combination, you can click "Login without Central KU Leuven login" to expand a login menu.

The new login page looks like this with "Login without Central KU Leuven login" expanded:

Login.png

Creating accounts

If you want to create password accounts, you can navigate to the CreateAccount special page (make sure you are logged in using an administrator account). This is necessary to create accounts for users without a KU Leuven login. You should select "Use a temporary random password and send it to the specified email address".

CreateAccount.png