Authentication and Authorization in Enterprise Wikis

Transcription

1 1 Authentication and Authorization in Enterprise Wikis Cindy Cicalese Approved for Public Release; Distribution Unlimited. Case Number

2 2 Agenda Terminology A comparison of Wikimedia project wikis and an enterprise wiki Different scenarios: MediaWiki with no authentication extensions CentralAuth LdapAuthentication PluggableAuth Multiple authentication extensions (MediaWiki 1.27+)

3 3 Terminology Identity: Who are you? Authentication: Prove it! something you know something you have something you are Authorization: What are you allowed to do? can be authorized to use an entire resource or certain parts of a resource access control

4 4 Terminology (continued) Single sign-on: Your credentials only need to be provided once Scope: Enter credentials once in an enterprise to get access to all (or many) different types of enterprise resources - OR - Enter credentials once to a resource and get access to all (or many) similar resources Does not necessarily imply login is automatic May still need to click wiki Log in link to switch from read-only to readwrite view

5 A comparison of Wikimedia project wikis and an enterprise wiki 5 Wikimedia project wikis Enterprise wiki * Internet accessible Many users Do not need to log in to read Do not need to log in to edit Anonymous and pseudonymous users encouraged Reputation may be based on contribution only Vandalism can be a problem May be behind a firewall (or not) Fewer users May need to log in to read Must log in to edit No anonymous users; rarely pseudonymous users Reputation generally based on contribution and real world identity Vandalism generally avoided through attribution * Our experience your mileage may vary

6 MediaWiki with no authentication extensions 6 Local authentication Password stored in database All authenticated users are authorized to log in to the wiki May share user information between multiple wikis $wgshareddb no single sign-on Anyone can create an account by default account creation may be disabled ConfirmAccount extension can be added to require administrator confirmation

7 7 CentralAuth extension Used for Wikimedia project wikis May be used by non-wikimedia wikis Not used for Wikimedia Foundation wiki (OATHAuth) Anyone can create an account Single sign-on If you log in to one wiki, you are automatically logged in if you visit another wiki

8 LdapAuthentication 8 from

9 LdapAuthentication (continued) 9 Does not to my knowledge support single sign-on Does allow limiting authorized users by filtering Synchronizes LDAP groups to MediaWiki groups

10 10 PluggableAuth Auth : refers to both Authentication and Authorization Pluggable : requires one authentication plugin accepts zero or more authorization plugins Provides the glue between MediaWiki core and domain-specific auth* capabilities Allows MediaWiki to integrate with enterprise authentication/authorization systems Allows different wikis in an enterprise to share authentication mechanisms but have custom authorization mechanisms

11 PluggableAuth architecture 11 MediaWiki core 1 PluggableAuth 1 PluggableAuth Authentication Extension Authentication Implementation 0..* Other Authentication Providers PluggableAuth Authorization Extensions Extensions: SimpleSAMLphp, OpenID Connect, PluggableSSO Extensions: LDAPAuthorization, Authorization (not yet released) PluggableAuth is unique in its approach to pluggable authorization PluggableAuth can be configured for auto log in 0..* Authorization Implementation Authentication Providers were introduced in MediaWiki 1.27 If no additional information is needed, log in form is bypassed (single sign-on)

12 12 Creating an authentication plugin PluggableAuth authentication subclasses must implement: public function authenticate( &$id, &$username, &$realname, &$ ); must return true or false and, if true, set username; null id means new user public function deauthenticate( User &$user ); may have null implementation public function saveextraattributes( $id ); may have null implementation Adding the user to the database is handled by MediaWiki core New users are only added to the database if they are authenticated AND authorized

13 PluggableAuth authentication examples 13 SimpleSAMLphp Uses SAML to communicate with an identity provider Wraps SimpleSAMLphp library ( OpenID Connect Uses OpenID Connect to communicate with an identity provider Wraps OpenID Connect library ( Supports Google authentication PluggableSSO Uses Kerberos to authenticate Not yet listed on mediawiki.org

14 OpenID Connect Multiple Authentication Issuers 14

15 Creating an authorization plugin 15 Implement hook: Hooks::run( 'PluggableAuthUserAuthorization', [ $user, &$authorized ] );

16 16 PluggableAuth authorization examples LDAPAuthorization not to be confused with LdapAuthentication Boolean rules in PHP configuration file determine who has access Authorization not yet released authorized addresses configured using a special page supports individual addresses or domains

17 LDAPAuthorization 17 $LDAPAuthorization_Rules = [ "&" => [ "status" => "active", " " => [ "department" => [ "100", "200" ), "level" => [ "5", "6" ] ] ] ];

18 Authorization Special:Config Authorization 18

19 Authorization Show Users 19

20 Multiple Authentication Extensions MediaWiki

21 Additional notes 21 There are other MediaWiki authentication extensions that provide access to enterprise authentication systems MediaWiki core authentication and session support was substantially rewritten in MediaWiki 1.27 and not all authentication extensions have been updated