I have an ikiwiki-based website that is used for a university course. Every student has a page where she is supposed to provide information about the project she is working on. For this, I want to authenticate students so that they can edit only their own page. So far, authentication was implemented with the unixauth plugin, and the server used PAM modules to authenticate against an LDAP server. This worked sufficiently well, but the method was deprecated by our university IT. Instead, they want all web applications to use Shibboleth technology. I was surprised how easy it is to make ikiwiki work with Shibboleth.

The Shibboleth project distributes the Apache module modshib2 (the libapache2-mod-shib2 package under Debian) that, when properly configured, does the whole authentication for you. Its configuration is not particularly easy but, with the documentation from our IT department, it was possible to do it. Once everything is configured, the identity of the authenticated user is passed to the web application in the REMOTE_USER environment variable (a few other variables may contain additional attributes). Because REMOTE_USER is used, one can use the httpauth plugin, and Shibboleth authentication works out of the box.

It is sufficient to follow the httpauth documentation and add this configuration to your Apache server:

<Directory /var/www/osp/auth>
    Options +ExecCGI -Indexes

    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user

    <Files ikiwiki.cgi>
        SetHandler cgi-script
    </Files>
</Directory>

That’s all.
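
Since ikiwiki then trusts whatever arrives in REMOTE_USER, it is worth checking that every directory running the CGI keeps the three directives that force a Shibboleth login. The following checker is an added example, not part of the original setup; the function name `audit` and the `LAZY_CONF` variant are constructed for illustration, and it only recognises CGI enabled through `SetHandler cgi-script`.

```python
import re

# Directives the page's <Directory> block uses to force a Shibboleth login.
REQUIRED = [("AuthType", "shibboleth"), ("Require", "valid-user"),
            ("ShibRequestSetting", "requireSession 1")]

def audit(conf_text):
    """Return (directory, problem) for CGI directories lacking a forced login."""
    findings, directory, depth, seen, runs_cgi = [], None, 0, set(), False
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opening = re.match(r"<(\w+)\s+(.*?)>$", line)
        if opening and directory is None:
            if opening.group(1).lower() == "directory":
                directory = opening.group(2).strip('"')
                depth, seen, runs_cgi = 0, set(), False
        elif opening:
            depth += 1  # nested section such as <Files>
        elif line.startswith("</") and directory is not None and depth:
            depth -= 1
        elif line.startswith("</") and directory is not None:
            if runs_cgi:  # only directories that execute CGI matter here
                findings += [(directory, f"missing '{n} {v}'") for n, v in REQUIRED
                             if (n.lower(), v.lower()) not in seen]
            directory = None
        elif directory is not None:
            parts = line.split(None, 1)
            name = parts[0].lower()
            value = " ".join(parts[1].lower().split()) if len(parts) > 1 else ""
            if (name, value) == ("sethandler", "cgi-script"):
                runs_cgi = True  # counts inside nested <Files> as well
            if depth == 0:
                seen.add((name, value))  # directives set directly in <Directory>
    return findings

# Constructed samples: the block from the page, and a lazy-session variant
# that lets requests reach the CGI without a Shibboleth session.
PAGE_CONF = """
<Directory /var/www/osp/auth>
    Options +ExecCGI -Indexes
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
    <Files ikiwiki.cgi>
        SetHandler cgi-script
    </Files>
</Directory>
"""
LAZY_CONF = PAGE_CONF.replace("Session 1", "Session 0").replace("valid-user", "shibboleth")
```

`audit(PAGE_CONF)` returns an empty list, while `audit(LAZY_CONF)` reports the two directives that no longer force a session.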