Question
We try to further adapt TWIKI to the Shibboleth architecture. Other people already have done that using the description which can be found on
http://stc.cis.brown.edu/~stc/Projects/Projects-using-Shib/TWiki/Shib-TWiki-install.html
(they basically install the session plugin and protect the /bin/logon script using Shibboleth)
But we additionally want to use Shibboleth to automatically add new users so that they don't have to register first. The principle is that the users are authenticated when they access the twiki/bin/login script. When authentication is successful, this script should also create a new user (and add him to a specific group) using Apache server variables, which are provided by the Apache Shibboleth module. E.g. you have the full name, email address, organization etc. of a user, which you could use to create a new TWIKI user.
But the question is how can one do that? What is the easiest way? My plan was to just edit the twiki/data/Main/TWikiUsers.txt file, but I am sure that there probably are more convenient ways to add users without registering...
--
LukasHaemmerle - 17 Feb 2005
Answer
At work we use NTLM authentication to access the whole webserver and just don't bother registering users with TWiki at all. It should be much the same with any other authentication mechanism. TWiki doesn't care as long as the REMOTE_USER variable is populated.
We don't use any twiki-related group access controls though. I don't know if they would work without user topics or not.
--
MattWilkie - 17 Feb 2005
Ok, I noticed the same.

What I did now is to modify the logon script (provided by the session plugin). This modified logon script is a protected Shibboleth resource, so if a user has authenticated himself over Shibboleth, the logon script automatically creates a new TWiki "account" after the first logon (first a unique wikiname is generated for this user, then his own user site is created and certain users are added to the admin group according to the Shibboleth attributes) and "authenticates" this user for TWiki (this can be done by something like "$TWiki::Plugins::SessionPlugin::session->param("AUTHUSER", $TwikiName);").
--
LukasHaemmerle - 21 Feb 2005
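
An added example, not part of the thread and not Lukas's script: one way to derive a unique WikiName from identity-provider attributes while treating those attributes as untrusted input, since the name ends up as a topic file name. The attribute keys (givenName, surname), the login-to-WikiName map and all sample values are assumptions constructed for illustration; no TWiki API is called.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Turn identity-provider name attributes into a WikiName such as "JaneDoe".
# Only ASCII letters and digits survive, so the result cannot carry path
# separators or markup into a topic file name. Returns undef if unusable.
sub make_wiki_name {
    my ($given, $surname) = @_;
    my $name = '';
    for my $part ($given, $surname) {
        next unless defined $part;
        for my $word (split /[^A-Za-z0-9]+/, $part) {
            $name .= ucfirst lc $word if length $word;
        }
    }
    return undef if length($name) > 64;
    return $name =~ /^[A-Z][a-z0-9]+(?:[A-Z][a-z0-9]*)+$/ ? $name : undef;
}

# Look up or allocate the WikiName for an authenticated login (REMOTE_USER).
# $map: hashref login => WikiName (hypothetical store, kept by the caller).
# Identity is keyed on the login, never on the display name.
sub wiki_name_for {
    my ($login, $attrs, $map) = @_;
    return undef unless defined $login && length $login;
    return $map->{$login} if exists $map->{$login};    # returning user
    my $base = make_wiki_name($attrs->{givenName}, $attrs->{surname});
    return undef unless defined $base;
    my %taken = map { $_ => 1 } values %$map;
    my ($name, $n) = ($base, 1);
    $name = $base . ++$n while $taken{$name};          # JaneDoe, JaneDoe2, ...
    $map->{$login} = $name;
    return $name;
}

# Constructed sample logins and attributes, not taken from any real deployment.
my %map = ('jdoe@example.org' => 'JaneDoe');
my @logins = (
    ['jdoe@example.org',     { givenName => 'Jane',    surname => 'Doe' }],
    ['jane.doe@example.net', { givenName => 'jane',    surname => 'DOE' }],
    ['mallory@example.com',  { givenName => 'Mallory', surname => '../../etc/passwd' }],
    ['x@example.com',        { givenName => '<b>',     surname => '' }],
);
for my $entry (@logins) {
    my ($login, $attrs) = @$entry;
    my $name = wiki_name_for($login, $attrs, \%map);
    printf "%-22s => %s\n", $login, defined $name ? $name : '(rejected)';
}
```

A second person with the same full name gets a suffixed WikiName instead of sharing the first person's account, and a name that cannot be reduced to a valid WikiName is rejected rather than written to disk.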
Nice one, Lukas. Perhaps you can share the results of your work in the Codev web, perhaps as a new "twiki tip" e.g. UsingShibboleth
--
CrawfordCurrie - 21 Feb 2005
I'd definitely like some more specifics. In particular, if you don't "register" users somehow with the wiki (as in the NTLM example above), how does the user's WikiName get used for their edits? Is the user record created in some other way? I can see not needing a user topic, but I can't see how to avoid some form of registration, either automated or manual.
I'm not sure the "official" Shib wiki would want to try auto-registration, mainly because we don't want to depend on a bunch of different attributes being passed to the service, but I'd like to know how it works.
--
ScottCantor - 24 Feb 2005
I'm also very interested in how to bulk-add users. I've been playing with a simple script to generate a WikiName.txt file, call rcs -i to initialize the rcs file, and call htpasswd. But it doesn't add the other links to the users index, etc. I've got a few hundred users to import and it would be really nice to find a better way.
I'm trying to synchronize a Slashcode based system that we've run for 3 years for News, with TWiki for collaboration.
--
GeorgeClark - 05 Mar 2005
When I set up our internal-use TWiki, I wrote a simple Perl script that took a list of usernames, ran an external Unix program to look up their full names via our white pages e-mail database, constructed a WikiName from that full name, filled in a template for the user's WikiName.txt file and copied it over, and then added the user to TWikiUsers.txt using code that was shamelessly stolen from User.pm. The number of users was small enough that I didn't have to worry about general-case details like handling duplicate WikiNames.
If your users are pre-authenticated (REMOTE_USER is populated with something meaningful), a more automated alternative might be to have a plugin that checked if the user was registered, and (if the page being viewed wasn't a registration page) redirected the user to a registration page if the user wasn't registered.
--
ClaussStrauch - 07 Mar 2005
The DevelopBranch has a BulkRegistration mode to handle this. RegisterCgiScriptRewrite has some details.
--
MartinCleaver - 08 Mar 2005