I have an ikiwiki-based website that is used for a university course. Every student has a page where she is supposed to provide information about a project being worked on. For this I want to authenticate students so that they can only edit their page. So far the authentication was implemented with the unixauth plugin and the server used PAM modules to authenticate against an LDAP server. This worked sufficiently well; however, this method was deprecated by our university IT. Instead, they want all web applications to use Shibboleth technology. I was surprised how easy it is to make ikiwiki work with Shibboleth.
The Shibboleth project distributes the Apache module mod_shib2 (the libapache2-mod-shib2 package under Debian) that, when properly configured, does the whole authentication for you. Its configuration is not particularly easy but, with the documentation from our IT department, it was possible to do it. When everything is configured, the identity of the authenticated user is passed to the web application in the REMOTE_USER environment variable (and a few other variables may contain additional attributes). The use of REMOTE_USER means that one can use the httpauth plugin and Shibboleth authentication works out of the box.
It is sufficient to follow the httpauth documentation and add this configuration to your Apache server.

    <Directory /var/www/osp/auth>
        Options +ExecCGI -Indexes
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
        <Files ikiwiki.cgi>
            SetHandler cgi-script
        </Files>
    </Directory>

That’s all.
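
A small check for the configuration above, as an added example that is not part of the original post: because httpauth takes the user's identity from REMOTE_USER, this Python function reports which of the block's three access-control directives are missing from a given `<Directory>` block, for instance after a later edit of the Apache configuration. The function names, the simplified parsing (directives inside nested sections count for the enclosing directory, includes are not followed, comparison ignores case) and the second, constructed input are assumptions of the example.

```python
import re

# Access-control directives from the <Directory> block shown above.
REQUIRED = ("AuthType shibboleth",
            "ShibRequestSetting requireSession 1", "Require valid-user")

def _norm(text):
    # Collapse whitespace and case so equivalent spellings compare equal.
    return " ".join(text.split()).lower()

def missing_directives(conf_text, directory):
    """Return the REQUIRED directives absent from <Directory directory>,
    or None when the configuration has no such block."""
    inside, found, seen = False, False, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (covers commented-out directives)
        opened = re.fullmatch(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.I)
        if opened:
            inside = opened.group(1).rstrip("/") == directory.rstrip("/")
            found = found or inside
        elif re.fullmatch(r"</Directory\s*>", line, re.I):
            inside = False
        elif inside:
            seen.add(_norm(line))
    if not found:
        return None
    return [d for d in REQUIRED if _norm(d) not in seen]

# The page's configuration, reproduced as input.
PAGE_CONF = """
<Directory /var/www/osp/auth>
    Options +ExecCGI -Indexes
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
    <Files ikiwiki.cgi>
        SetHandler cgi-script
    </Files>
</Directory>
"""
# Constructed variant: both Shibboleth directives commented out.
BROKEN_CONF = PAGE_CONF.replace("AuthType", "# AuthType").replace(
    "ShibRequestSetting", "# ShibRequestSetting")

if __name__ == "__main__":
    for conf in (PAGE_CONF, BROKEN_CONF):
        print(missing_directives(conf, "/var/www/osp/auth"))
```

An empty list means the block still carries all three directives; `None` means the directory has no block at all in the text that was checked.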