Windows Single Sign-On Extension

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Windows Single Sign-On Extension

François St-Arnaud
Hello,

To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows Domain, the best MediaWiki extension I could find was NTLMActiveDirectory.
https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory

However, I had two peeves with this extension:
1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
2) Its use of LDAP; feels too much like a wart on Windows!

See, I'm sitting on an IIS box on a Windows domain with Integrated Windows Authentication enabled. By the time the MW extension gets hit, IIS has already authenticated the user, so why not just leverage that instead?

I therefore used NTLMActiveDirectory as a starting point, but threw out all the LDAP stuff and replaced it with a simple Web call to an IIS-hosted handler to get the AD group membership for the already authenticated user. Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration required for authorization.

Personally, I find this solution much simpler and intuitive for AD integration when hosting MW on a Windows/IIS box.

Does this make sense to others in the community?
Do others feel there was a need for a better AD integration extension?
Would others in the community benefit from such an extension?

If so, I would be happy to share my work, following instructions found here:
https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment

Regards,

François

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: Windows Single Sign-On Extension

Ryan Lane-2
The best option here is:
https://www.mediawiki.org/wiki/Extension:LDAP_Authentication

I'm not sure why you think LDAP is a wart on Windows. Active Directory is
just LDAP with Kerberos.

Anyway, the LDAP Authentication extension has examples of how to do
auto-auth using kerberos. You still need LDAP for things like group
membership, username conversion, and other integrations.

- Ryan

On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud <[hidden email]>
wrote:

> Hello,
>
> To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows Domain,
> the best MediaWiki extension I could find was NTLMActiveDirectory.
> https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
>
> However, I had two peeves with this extension:
> 1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
> 2) Its use of LDAP; feels too much like a wart on Windows!
>
> See, I'm sitting on an IIS box on a Windows domain with Integrated Windows
> Authentication enabled. By the time the MW extension gets hit, IIS has
> already authenticated the user, so why not just leverage that instead?
>
> I therefore used NTLMActiveDirectory as a starting point, but threw out
> all the LDAP stuff and replaced it with a simple Web call to an IIS-hosted
> handler to get the AD group membership for the already authenticated user.
> Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration
> required for authorization.
>
> Personally, I find this solution much simpler and intuitive for AD
> integration when hosting MW on a Windows/IIS box.
>
> Does this make sense to others in the community?
> Do others feel there was a need for a better AD integration extension?
> Would others in the community benefit from such an extension?
>
> If so, I would be happy to share my work, following instructions found
> here:
> https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
>
> Regards,
>
> François
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: Windows Single Sign-On Extension

François St-Arnaud
Thanks, I'll take a closer look at your extension.

Well, although I understand that using LDAP against AD is supposed to work mostly seamlessly, I've had troubles trying to use it in our client's domain, mostly due to GPOs and other security constraints. For one thing, LDAP, even TLS-secured, is not authorized for authentication in the domain. Also, LDAP starts to feel like a wart -- or an overkill -- when I have to require and configure a PHP LDAP client on the Web server and send LDAP requests when I know that the web server I'm sitting on, IIS, has already authentified the user via Negotiate/Kerberos and already knows the user's AD group membership and other such information.

Hence, I feel that the approach of a simple loopback call from the extension back to a .NET ASHX web handler -- which is readily available via an API in that environment -- is more elegant. For example, to get the AD group membership of the currently logged-in user (some lines removed for clarity):

In PHP, using curl:

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, 'roles.ashx');
$result = curl_exec($curl);
$wgAuth->userADGroups = Array($result);

In C#, in a roles.ashx file deployed with the extension on the IIS server:

public void ProcessRequest (HttpContext context) {
  context.Response.ContentType = @"text\json";
  context.Response.Write("[");
  int i = 0;
  int count = Roles.GetRolesForUser().Length;
  foreach (var role in Roles.GetRolesForUser())
  {
    context.Response.Write('"' + role + '"');
    if (++i != count) context.Response.Write(',');
  }
  context.Response.Write(']');
  context.Response.End();
}

- François

-----Original Message-----
From: Wikitech-l [mailto:[hidden email]] On Behalf Of Ryan Lane
Sent: Tuesday, February 09, 2016 14:43
To: Wikimedia developers <[hidden email]>
Subject: Re: [Wikitech-l] Windows Single Sign-On Extension

The best option here is:
https://www.mediawiki.org/wiki/Extension:LDAP_Authentication

I'm not sure why you think LDAP is a wart on Windows. Active Directory is just LDAP with Kerberos.

Anyway, the LDAP Authentication extension has examples of how to do auto-auth using kerberos. You still need LDAP for things like group membership, username conversion, and other integrations.

- Ryan

On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud <[hidden email]>
wrote:

> Hello,
>
> To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows
> Domain, the best MediaWiki extension I could find was NTLMActiveDirectory.
> https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
>
> However, I had two peeves with this extension:
> 1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
> 2) Its use of LDAP; feels too much like a wart on Windows!
>
> See, I'm sitting on an IIS box on a Windows domain with Integrated
> Windows Authentication enabled. By the time the MW extension gets hit,
> IIS has already authenticated the user, so why not just leverage that instead?
>
> I therefore used NTLMActiveDirectory as a starting point, but threw
> out all the LDAP stuff and replaced it with a simple Web call to an
> IIS-hosted handler to get the AD group membership for the already authenticated user.
> Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration
> required for authorization.
>
> Personally, I find this solution much simpler and intuitive for AD
> integration when hosting MW on a Windows/IIS box.
>
> Does this make sense to others in the community?
> Do others feel there was a need for a better AD integration extension?
> Would others in the community benefit from such an extension?
>
> If so, I would be happy to share my work, following instructions found
> here:
> https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
>
> Regards,
>
> François
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: Windows Single Sign-On Extension

Ryan Lane-2
If this is what you'll need, you're going to need to write a custom
extension. None of the existing auth extensions do this.

On Tue, Feb 9, 2016 at 2:35 PM, François St-Arnaud <[hidden email]>
wrote:

> Thanks, I'll take a closer look at your extension.
>
> Well, although I understand that using LDAP against AD is supposed to work
> mostly seamlessly, I've had troubles trying to use it in our client's
> domain, mostly due to GPOs and other security constraints. For one thing,
> LDAP, even TLS-secured, is not authorized for authentication in the domain.
> Also, LDAP starts to feel like a wart -- or an overkill -- when I have to
> require and configure a PHP LDAP client on the Web server and send LDAP
> requests when I know that the web server I'm sitting on, IIS, has already
> authentified the user via Negotiate/Kerberos and already knows the user's
> AD group membership and other such information.
>
> Hence, I feel that the approach of a simple loopback call from the
> extension back to a .NET ASHX web handler -- which is readily available via
> an API in that environment -- is more elegant. For example, to get the AD
> group membership of the currently logged-in user (some lines removed for
> clarity):
>
> In PHP, using curl:
>
> $curl = curl_init();
> curl_setopt($curl, CURLOPT_URL, 'roles.ashx');
> $result = curl_exec($curl);
> $wgAuth->userADGroups = Array($result);
>
> In C#, in a roles.ashx file deployed with the extension on the IIS server:
>
> public void ProcessRequest (HttpContext context) {
>   context.Response.ContentType = @"text\json";
>   context.Response.Write("[");
>   int i = 0;
>   int count = Roles.GetRolesForUser().Length;
>   foreach (var role in Roles.GetRolesForUser())
>   {
>     context.Response.Write('"' + role + '"');
>     if (++i != count) context.Response.Write(',');
>   }
>   context.Response.Write(']');
>   context.Response.End();
> }
>
> - François
>
> -----Original Message-----
> From: Wikitech-l [mailto:[hidden email]] On
> Behalf Of Ryan Lane
> Sent: Tuesday, February 09, 2016 14:43
> To: Wikimedia developers <[hidden email]>
> Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
>
> The best option here is:
> https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
>
> I'm not sure why you think LDAP is a wart on Windows. Active Directory is
> just LDAP with Kerberos.
>
> Anyway, the LDAP Authentication extension has examples of how to do
> auto-auth using kerberos. You still need LDAP for things like group
> membership, username conversion, and other integrations.
>
> - Ryan
>
> On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud <
> [hidden email]>
> wrote:
>
> > Hello,
> >
> > To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows
> > Domain, the best MediaWiki extension I could find was
> NTLMActiveDirectory.
> > https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
> >
> > However, I had two peeves with this extension:
> > 1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
> > 2) Its use of LDAP; feels too much like a wart on Windows!
> >
> > See, I'm sitting on an IIS box on a Windows domain with Integrated
> > Windows Authentication enabled. By the time the MW extension gets hit,
> > IIS has already authenticated the user, so why not just leverage that
> instead?
> >
> > I therefore used NTLMActiveDirectory as a starting point, but threw
> > out all the LDAP stuff and replaced it with a simple Web call to an
> > IIS-hosted handler to get the AD group membership for the already
> authenticated user.
> > Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration
> > required for authorization.
> >
> > Personally, I find this solution much simpler and intuitive for AD
> > integration when hosting MW on a Windows/IIS box.
> >
> > Does this make sense to others in the community?
> > Do others feel there was a need for a better AD integration extension?
> > Would others in the community benefit from such an extension?
> >
> > If so, I would be happy to share my work, following instructions found
> > here:
> > https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
> >
> > Regards,
> >
> > François
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > [hidden email]
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: Windows Single Sign-On Extension

François St-Arnaud
Right. As mentioned in my first post, I already have created a custom extension using this approach and NTLMActiveDirectory as a starting point.
Now, I wonder if it is worth sharing with the community, if others would benefit from an LDAP-less SSO solution for MW hosted on IIS?

-----Original Message-----
From: Wikitech-l [mailto:[hidden email]] On Behalf Of Ryan Lane
Sent: Tuesday, February 09, 2016 17:41
To: Wikimedia developers <[hidden email]>
Subject: Re: [Wikitech-l] Windows Single Sign-On Extension

If this is what you'll need, you're going to need to write a custom extension. None of the existing auth extensions do this.

On Tue, Feb 9, 2016 at 2:35 PM, François St-Arnaud <[hidden email]>
wrote:

> Thanks, I'll take a closer look at your extension.
>
> Well, although I understand that using LDAP against AD is supposed to
> work mostly seamlessly, I've had troubles trying to use it in our
> client's domain, mostly due to GPOs and other security constraints.
> For one thing, LDAP, even TLS-secured, is not authorized for authentication in the domain.
> Also, LDAP starts to feel like a wart -- or an overkill -- when I have
> to require and configure a PHP LDAP client on the Web server and send
> LDAP requests when I know that the web server I'm sitting on, IIS, has
> already authentified the user via Negotiate/Kerberos and already knows
> the user's AD group membership and other such information.
>
> Hence, I feel that the approach of a simple loopback call from the
> extension back to a .NET ASHX web handler -- which is readily
> available via an API in that environment -- is more elegant. For
> example, to get the AD group membership of the currently logged-in
> user (some lines removed for
> clarity):
>
> In PHP, using curl:
>
> $curl = curl_init();
> curl_setopt($curl, CURLOPT_URL, 'roles.ashx'); $result =
> curl_exec($curl); $wgAuth->userADGroups = Array($result);
>
> In C#, in a roles.ashx file deployed with the extension on the IIS server:
>
> public void ProcessRequest (HttpContext context) {
>   context.Response.ContentType = @"text\json";
>   context.Response.Write("[");
>   int i = 0;
>   int count = Roles.GetRolesForUser().Length;
>   foreach (var role in Roles.GetRolesForUser())
>   {
>     context.Response.Write('"' + role + '"');
>     if (++i != count) context.Response.Write(',');
>   }
>   context.Response.Write(']');
>   context.Response.End();
> }
>
> - François
>
> -----Original Message-----
> From: Wikitech-l [mailto:[hidden email]] On
> Behalf Of Ryan Lane
> Sent: Tuesday, February 09, 2016 14:43
> To: Wikimedia developers <[hidden email]>
> Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
>
> The best option here is:
> https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
>
> I'm not sure why you think LDAP is a wart on Windows. Active Directory
> is just LDAP with Kerberos.
>
> Anyway, the LDAP Authentication extension has examples of how to do
> auto-auth using kerberos. You still need LDAP for things like group
> membership, username conversion, and other integrations.
>
> - Ryan
>
> On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud <
> [hidden email]>
> wrote:
>
> > Hello,
> >
> > To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows
> > Domain, the best MediaWiki extension I could find was
> NTLMActiveDirectory.
> > https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
> >
> > However, I had two peeves with this extension:
> > 1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
> > 2) Its use of LDAP; feels too much like a wart on Windows!
> >
> > See, I'm sitting on an IIS box on a Windows domain with Integrated
> > Windows Authentication enabled. By the time the MW extension gets
> > hit, IIS has already authenticated the user, so why not just
> > leverage that
> instead?
> >
> > I therefore used NTLMActiveDirectory as a starting point, but threw
> > out all the LDAP stuff and replaced it with a simple Web call to an
> > IIS-hosted handler to get the AD group membership for the already
> authenticated user.
> > Of NTLMActiveDirectory, I kept the AD / MW group mapping
> > configuration required for authorization.
> >
> > Personally, I find this solution much simpler and intuitive for AD
> > integration when hosting MW on a Windows/IIS box.
> >
> > Does this make sense to others in the community?
> > Do others feel there was a need for a better AD integration extension?
> > Would others in the community benefit from such an extension?
> >
> > If so, I would be happy to share my work, following instructions
> > found
> > here:
> > https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
> >
> > Regards,
> >
> > François
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > [hidden email]
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: Windows Single Sign-On Extension

Ryan Lane-2
Never hurts :)

On Tue, Feb 9, 2016 at 6:06 PM, François St-Arnaud <[hidden email]>
wrote:

> Right. As mentioned in my first post, I already have created a custom
> extension using this approach and NTLMActiveDirectory as a starting point.
> Now, I wonder if it is worth sharing with the community, if others would
> benefit from an LDAP-less SSO solution for MW hosted on IIS?
>
> -----Original Message-----
> From: Wikitech-l [mailto:[hidden email]] On
> Behalf Of Ryan Lane
> Sent: Tuesday, February 09, 2016 17:41
> To: Wikimedia developers <[hidden email]>
> Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
>
> If this is what you'll need, you're going to need to write a custom
> extension. None of the existing auth extensions do this.
>
> On Tue, Feb 9, 2016 at 2:35 PM, François St-Arnaud <
> [hidden email]>
> wrote:
>
> > Thanks, I'll take a closer look at your extension.
> >
> > Well, although I understand that using LDAP against AD is supposed to
> > work mostly seamlessly, I've had troubles trying to use it in our
> > client's domain, mostly due to GPOs and other security constraints.
> > For one thing, LDAP, even TLS-secured, is not authorized for
> authentication in the domain.
> > Also, LDAP starts to feel like a wart -- or an overkill -- when I have
> > to require and configure a PHP LDAP client on the Web server and send
> > LDAP requests when I know that the web server I'm sitting on, IIS, has
> > already authentified the user via Negotiate/Kerberos and already knows
> > the user's AD group membership and other such information.
> >
> > Hence, I feel that the approach of a simple loopback call from the
> > extension back to a .NET ASHX web handler -- which is readily
> > available via an API in that environment -- is more elegant. For
> > example, to get the AD group membership of the currently logged-in
> > user (some lines removed for
> > clarity):
> >
> > In PHP, using curl:
> >
> > $curl = curl_init();
> > curl_setopt($curl, CURLOPT_URL, 'roles.ashx'); $result =
> > curl_exec($curl); $wgAuth->userADGroups = Array($result);
> >
> > In C#, in a roles.ashx file deployed with the extension on the IIS
> server:
> >
> > public void ProcessRequest (HttpContext context) {
> >   context.Response.ContentType = @"text\json";
> >   context.Response.Write("[");
> >   int i = 0;
> >   int count = Roles.GetRolesForUser().Length;
> >   foreach (var role in Roles.GetRolesForUser())
> >   {
> >     context.Response.Write('"' + role + '"');
> >     if (++i != count) context.Response.Write(',');
> >   }
> >   context.Response.Write(']');
> >   context.Response.End();
> > }
> >
> > - François
> >
> > -----Original Message-----
> > From: Wikitech-l [mailto:[hidden email]] On
> > Behalf Of Ryan Lane
> > Sent: Tuesday, February 09, 2016 14:43
> > To: Wikimedia developers <[hidden email]>
> > Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
> >
> > The best option here is:
> > https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
> >
> > I'm not sure why you think LDAP is a wart on Windows. Active Directory
> > is just LDAP with Kerberos.
> >
> > Anyway, the LDAP Authentication extension has examples of how to do
> > auto-auth using kerberos. You still need LDAP for things like group
> > membership, username conversion, and other integrations.
> >
> > - Ryan
> >
> > On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud <
> > [hidden email]>
> > wrote:
> >
> > > Hello,
> > >
> > > To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows
> > > Domain, the best MediaWiki extension I could find was
> > NTLMActiveDirectory.
> > > https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
> > >
> > > However, I had two peeves with this extension:
> > > 1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
> > > 2) Its use of LDAP; feels too much like a wart on Windows!
> > >
> > > See, I'm sitting on an IIS box on a Windows domain with Integrated
> > > Windows Authentication enabled. By the time the MW extension gets
> > > hit, IIS has already authenticated the user, so why not just
> > > leverage that
> > instead?
> > >
> > > I therefore used NTLMActiveDirectory as a starting point, but threw
> > > out all the LDAP stuff and replaced it with a simple Web call to an
> > > IIS-hosted handler to get the AD group membership for the already
> > authenticated user.
> > > Of NTLMActiveDirectory, I kept the AD / MW group mapping
> > > configuration required for authorization.
> > >
> > > Personally, I find this solution much simpler and intuitive for AD
> > > integration when hosting MW on a Windows/IIS box.
> > >
> > > Does this make sense to others in the community?
> > > Do others feel there was a need for a better AD integration extension?
> > > Would others in the community benefit from such an extension?
> > >
> > > If so, I would be happy to share my work, following instructions
> > > found
> > > here:
> > > https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
> > >
> > > Regards,
> > >
> > > François
> > >
> > > _______________________________________________
> > > Wikitech-l mailing list
> > > [hidden email]
> > > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> > _______________________________________________
> > Wikitech-l mailing list
> > [hidden email]
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> > _______________________________________________
> > Wikitech-l mailing list
> > [hidden email]
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> >
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: Windows Single Sign-On Extension

Gergo Tisza
In reply to this post by François St-Arnaud
On Tue, Feb 9, 2016 at 6:06 PM, François St-Arnaud <[hidden email]>
wrote:

> Right. As mentioned in my first post, I already have created a custom
> extension using this approach and NTLMActiveDirectory as a starting point.
> Now, I wonder if it is worth sharing with the community, if others would
> benefit from an LDAP-less SSO solution for MW hosted on IIS?
>

Note that the way authentication extensions need to be written is just
about to change:
https://www.mediawiki.org/wiki/User:Anomie/SessionManager_and_AuthManager
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: Windows Single Sign-On Extension

François St-Arnaud
Thanks Gergo, timely information! When is this new authentication mechanism slated to make it to the baseline? Is it planned / on track for 1.27? Will (have) existing extensions be (been) adapted? Where can I see examples of adapted extensions (link to a branch in Phabricator, perhaps)?

-----Original Message-----
From: Wikitech-l [mailto:[hidden email]] On Behalf Of Gergo Tisza
Sent: Wednesday, February 10, 2016 12:19
To: Wikimedia developers <[hidden email]>
Subject: Re: [Wikitech-l] Windows Single Sign-On Extension

On Tue, Feb 9, 2016 at 6:06 PM, François St-Arnaud <[hidden email]>
wrote:

> Right. As mentioned in my first post, I already have created a custom
> extension using this approach and NTLMActiveDirectory as a starting point.
> Now, I wonder if it is worth sharing with the community, if others
> would benefit from an LDAP-less SSO solution for MW hosted on IIS?
>

Note that the way authentication extensions need to be written is just about to change:
https://www.mediawiki.org/wiki/User:Anomie/SessionManager_and_AuthManager
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: Windows Single Sign-On Extension

Gergo Tisza
On Wed, Feb 10, 2016 at 1:11 PM, François St-Arnaud <[hidden email]
> wrote:

> When is this new authentication mechanism slated to make it to the
> baseline? Is it planned / on track for 1.27?


It's planned to happen before 1.27. Probably not long before, though.


> Will (have) existing extensions be (been) adapted?


We plan to update all extensions that are deployed on the Wikimedia cluster
( https://phabricator.wikimedia.org/T110282 ), but not other affected
extensions ( https://phabricator.wikimedia.org/T110291 ).


> Where can I see examples of adapted extensions (link to a branch in
> Phabricator, perhaps)?
>

 https://gerrit.wikimedia.org/r/#/c/251930/ is probably the one that's
interesting to you.
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l