Securing MediaWiki using Centrale KU Leuven Login
About
MediaWikiShibboleth is the name of a MediaWiki extension created by ULYSSIS to allow for Shibboleth (Centrale KU Leuven) login. The extension disables editing and creating of (talk) pages by anonymous users, and requires Shibboleth account creation and login.
Prerequisites
Before installing, you need to have SSL and Shibboleth (Centrale KU Leuven) login enabled on your domain. For instructions on how to get SSL, see https://docs.ulyssis.org/Getting_SSL. For information about requesting Shibboleth, see https://docs.ulyssis.org/Shibboleth. Once you know everything is installed properly, you can proceed to install the extension.
Installation
First, download the latest release from GitHub. Make sure to click the MediaWikiShibboleth.zip download button. Then, unzip the zip file in your <mediawiki installation folder>/extensions/ directory. Finally, add the following lines to your <mediawiki installation folder>/LocalSettings.php:
wfLoadExtension('MediaWikiShibboleth');
include 'extensions/MediaWikiShibboleth/MediaWikiShibboleth_body.php';
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['writeapi'] = false;
If you want to allow anonymous editing, omit the last 4 lines of the snippet above, though this really defeats the purpose of the extension.
Configuration
MediaWikiShibboleth has 3 configuration options which allow for restricting who can log in to your wiki. These options work especially well with restricting the access of the wiki to logged-in users only. They can be configured in the <mediawiki installation folder>/extensions/MediaWikiShibboleth/extension.json file.
Restricting access to logged-in users only
If you do not want guest visitors to visit any page of your wiki, add the following line to your <mediawiki installation folder>/LocalSettings.php:
$wgGroupPermissions['*']['read'] = false;
MWSStudentsOnly
This option tells MediaWikiShibboleth to only allow students to log in. KU Leuven employees, alumni, doctorate students, teaching assistants etc. will not be able to log in. Set this option by changing
"config": { "MWSStudentsOnly": false, "MWSAllowedKULids": [], "MWSAllowedDegrees": [] },
to
"config": { "MWSStudentsOnly": true, "MWSAllowedKULids": [], "MWSAllowedDegrees": [] },
in <mediawiki installation folder>/extensions/MediaWikiShibboleth/extension.json. If you combine this option with "Restricting access to logged-in users only", only students will be able to view, log in and edit your wiki.
MWSAllowedKULids
This option can be used to only allow specific KUL ids to log in. An example KUL id is "r0653730". If this option is set to "[]", no KUL id checking will be performed. Set this option by changing
"config": { "MWSStudentsOnly": false, "MWSAllowedKULids": [], "MWSAllowedDegrees": [] },
to
"config": { "MWSStudentsOnly": false, "MWSAllowedKULids": ["r0653730", "KUL id 2", "KUL id 3"...], "MWSAllowedDegrees": [] },
in <mediawiki installation folder>/extensions/MediaWikiShibboleth/extension.json.
MWSAllowedDegrees
This option can be used to only allow persons enrolled in specific degrees/programmes to log in. An example KUL degree number is 51016742. If this option is set to "[]", no degree number checking will be performed. Set this option by changing
"config": { "MWSStudentsOnly": false, "MWSAllowedKULids": [], "MWSAllowedDegrees": [] },
to
"config": { "MWSStudentsOnly": false, "MWSAllowedKULids": [], "MWSAllowedDegrees": [51016742, degree number 2, degree number 3...] },
in <mediawiki installation folder>/extensions/MediaWikiShibboleth/extension.json.
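To check that the settings described above are actually in effect, the following added example (not part of the extension or its documentation) audits the text of LocalSettings.php and extension.json. The function names and the sample inputs are constructed for illustration, and it assumes the "config" layout shown on this page.

```python
import json
import re

# Anonymous ('*') rights the page tells you to set to false in LocalSettings.php.
REQUIRED_DENIED = ("edit", "createtalk", "createpage", "writeapi")
PERM_RE = re.compile(
    r"""^\s*\$wgGroupPermissions\[\s*['"]\*['"]\s*\]\[\s*['"](\w+)['"]\s*\]\s*=\s*(true|false)\s*;""",
    re.IGNORECASE | re.MULTILINE,
)

def anonymous_rights(local_settings: str) -> dict:
    """Return {right: bool} for the '*' group; the last assignment wins, as in PHP."""
    # Drop /* ... */ blocks; lines starting with // or # fail the ^\s*\$ anchor anyway.
    text = re.sub(r"/\*.*?\*/", "", local_settings, flags=re.DOTALL)
    return {m.group(1): m.group(2).lower() == "true" for m in PERM_RE.finditer(text)}

def audit(local_settings: str, extension_json: str) -> list:
    """Return a list of findings; an empty list means the page's setup is in place."""
    findings = []
    rights = anonymous_rights(local_settings)
    for right in REQUIRED_DENIED:
        if rights.get(right) is not False:
            findings.append(f"anonymous '{right}' is not set to false")
    cfg = json.loads(extension_json).get("config", {})
    unrestricted = (not cfg.get("MWSStudentsOnly")
                    and not cfg.get("MWSAllowedKULids")
                    and not cfg.get("MWSAllowedDegrees"))
    if rights.get("read") is False and unrestricted:
        findings.append("read is limited to logged-in users, but no MWS* option narrows who can log in")
    return findings

# Constructed sample inputs, not taken from a real installation.
SAMPLE_SETTINGS = """
wfLoadExtension('MediaWikiShibboleth');
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
$wgGroupPermissions['*']['createpage'] = false;
# $wgGroupPermissions['*']['writeapi'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = true;  // later override wins
"""
SAMPLE_EXTENSION = '{"config": {"MWSStudentsOnly": false, "MWSAllowedKULids": [], "MWSAllowedDegrees": []}}'

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTINGS, SAMPLE_EXTENSION):
        print("FINDING:", finding)
```

The sample deliberately contains a commented-out line and a later override, the two mistakes that leave anonymous editing enabled even though the configuration looks correct at a glance.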
Operation
When the extension is installed successfully, anonymous users will not be able to create an account and the account creation page will be removed from the home page. On the login page, a new image is added: if you click on this image, you will be logged in using Shibboleth. If you want to log in with an explicit username/password combination, you can click "Password Login" to expand a login menu.
[Screenshot: the new login page with "Password Login" expanded]
Creating accounts
If you want to create password accounts, you can navigate to the CreateAccount special page (make sure you are logged in using an administrator account). This is necessary to create accounts for users without a KU Leuven login. You should select "Use a temporary random password and send it to the specified email address".