Siteminder Authentication Overview
Many enterprise IT environments use Netegrity SiteMinder (hereafter called SiteMinder) to secure web applications and servers. Enterprise applications are often required to use SiteMinder as their authentication mechanism, which is frequently a showstopper for open-source applications that only know their own login forms.
This article describes how to configure and customize authentication for the MoinMoin wiki using SiteMinder as the authentication engine. It assumes that you have already installed a SiteMinder web agent and a MoinMoin wiki and that both work properly on their own.
Configuration details:
- The public wiki is available on the context root /wiki
- The protected wiki is available on the context root /protected-wiki (both roots serve the same wiki instance)
- To log in, open the "Login" link at the top of the page:
  - the web server redirects you to the /protected-wiki context root
  - the web agent Apache plugin redirects you to the SiteMinder policy server login form
  - after a successful login the policy server redirects you back to the wiki server, context root /protected-wiki
- To log out, open the "Logout" link at the top of the page:
  - the web server redirects you to the logout URL on the policy server
  - the policy server drops your session
- Groups and ACLs can be defined in the MoinMoin wiki to protect pages
- Pages with "All:read" ACLs are accessible via the /wiki context root. Because /wiki is not protected by the web agent, whatever the wiki's default ACL (acl_rights_default) grants to All is readable anonymously there; restrict it explicitly for pages that must stay internal.
Detailed configuration
Siteminder configuration
- Configure your SiteMinder policy server to protect your MoinMoin context root with form-based authentication (in our case: /protected-wiki). Leave the public context root /wiki unprotected.
- Define a group of users who should have permission to access the wiki and use it in the policy for /protected-wiki.
MoinMoin Wiki Configuration
Add the following lines to your wiki configuration file, wikiconfig.py:
from MoinMoin.multiconfig import DefaultConfig

class Config(DefaultConfig):

    def external_cookie(request, **kw):
        """ authenticate via the SiteMinder session cookie and SM_USER header """
        import Cookie
        user = None
        try_next = True  # if True, moin tries the next auth method
        cookiename = "SMSESSION"      # the siteminder session cookie is the indicator for a proper logon
        user_header = "HTTP_SM_USER"  # the username is taken from the SM_USER http header set by the web agent
        try:
            cookie = Cookie.SimpleCookie(request.saved_cookie)
        except Cookie.CookieError:
            # ignore invalid cookies
            cookie = None
        if cookie and cookie.has_key(cookiename):
            # The SMSESSION value is an opaque token issued by the policy server;
            # only its presence is used here, the value itself is not parsed.
            if not request.env.has_key(user_header) or not request.env[user_header]:
                # no SM_USER header: the web agent did not authenticate this request,
                # so do not exit the CGI, just fall through to the next auth method
                return None, try_next
            auth_username = request.env[user_header]
            # aliasname and email are not delivered by the web agent in this setup;
            # if your policy server is configured to return them as response headers,
            # read them from request.env here instead of leaving them empty
            aliasname = email = ''
            from MoinMoin.user import User
            # giving auth_username to the User constructor means that authentication has already been done
            user = User(request, name=auth_username, auth_username=auth_username)
            changed = False
            # only overwrite profile fields with values that were actually supplied externally,
            # otherwise an empty value would wipe what the user entered in the preferences
            if aliasname and aliasname != user.aliasname:  # was the aliasname externally updated?
                user.aliasname = aliasname
                changed = True  # yes -> update user profile
            if email and email != user.email:  # was the email address externally updated?
                user.email = email
                changed = True  # yes -> update user profile
            user.create_or_update(changed)
            if user.valid:  # did we succeed in making up a valid user?
                try_next = False  # stop processing the auth method list
        return user, try_next

    from MoinMoin.auth import moin_cookie, http
    # use the external cookie method for auth
    auth = [external_cookie]
    # automatically create a user profile on first login
    user_autocreate = True
    # disable unnecessary configuration switches on the user-preferences page
    user_form_remove = ['aliasname', 'password', 'password2', 'logout', 'create', 'name']
    user_checkbox_remove = ['remember_me', 'disabled']
    ....
    ....
Note that this method trusts the SM_USER header without further checks. That is only safe if the header can reach moin.cgi solely through the web agent: make sure a request to the unprotected /wiki root cannot carry a client-supplied SM_USER header (the agent must strip or overwrite incoming SM_* headers), otherwise any visitor could name themselves any user.
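As an added example, not part of the original page and not MoinMoin's or SiteMinder's own code, the following standalone Python 3 module models the decision external_cookie() makes so it can be exercised offline: SMSESSION cookie present plus a non-empty SM_USER header yields a user name. It adds one check the page's version lacks, namely that the request was served under the agent-protected context root, so the header cannot have come from the client on the public /wiki root. PROTECTED_ROOT and the CGI environment dictionaries are assumptions made for this example.

```python
# Added example (not from the original page, nor MoinMoin or SiteMinder code): a
# framework-independent model of the decision external_cookie() makes, plus a
# context-root check the page's version does not have. PROTECTED_ROOT and the
# sample CGI environments used with it are assumptions made for this example.
from http import cookies
from urllib.parse import unquote

SESSION_COOKIE = "SMSESSION"        # set by the SiteMinder web agent after login
USER_HEADER = "HTTP_SM_USER"        # SM_USER request header as a CGI script sees it
PROTECTED_ROOT = "/protected-wiki"  # only root where the web agent enforces auth (assumed)


def parse_cookies(raw_cookie_header):
    """Parse a Cookie header into {name: url-decoded value}.

    Malformed input yields an empty dict, mirroring the page's
    'ignore invalid cookies' branch.
    """
    jar = cookies.SimpleCookie()
    try:
        jar.load(raw_cookie_header or "")
    except cookies.CookieError:
        return {}
    return {name: unquote(morsel.value) for name, morsel in jar.items()}


def under_protected_root(script_name):
    """True only for requests served under the agent-protected context root."""
    return script_name == PROTECTED_ROOT or script_name.startswith(PROTECTED_ROOT + "/")


def siteminder_user(environ):
    """Return the user name this request may be trusted as, or None.

    All three conditions must hold:
      1. the request came in under PROTECTED_ROOT (SCRIPT_NAME as set by
         ScriptAlias), so the web agent, not the client, is the source of the
         SM_* headers; this is the check the page's external_cookie() omits;
      2. an SMSESSION cookie is present (its value is an opaque token issued by
         the policy server and is deliberately not parsed);
      3. the SM_USER header is present and non-empty.
    """
    if not under_protected_root(environ.get("SCRIPT_NAME", "")):
        return None
    if SESSION_COOKIE not in parse_cookies(environ.get("HTTP_COOKIE", "")):
        return None
    name = environ.get(USER_HEADER, "").strip()
    return name or None
```

In a real deployment the context-root check is a belt-and-braces measure; the primary control is the web agent removing or overwriting client-supplied SM_* headers, which you should verify with a request that sends a forged `SM_USER` header to /wiki.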
Apache configuration
Add the following lines to the httpd.conf of your Apache web server (mod_alias and mod_rewrite must be loaded):
# Script alias for unauthenticated requests (public access)
ScriptAlias /wiki "/srv/wiki/data_store/test/config/moin.cgi"
# Script alias for authenticated requests (protected access); same wiki instance, different context root
ScriptAlias /protected-wiki "/srv/wiki/data_store/test/config/moin.cgi"

RewriteEngine On
# Automatically redirect the logout request to the siteminder-logout url
# https://<protected>/protected-wiki/UserPreferences?action=logout&logout=logout
# The trailing "?" drops the wiki's query string from the logoff url.
# 302 (not 301) so browsers do not cache the redirect permanently.
RewriteCond %{QUERY_STRING} ^.*action=logout&logout=logout.*$
RewriteRule ^/protected-wiki.*$ http://corporate.net/internal/logoff? [R=302,L]
# Automatically redirect the login request to the protected wikispace;
# the query string is carried over, so the page path and action are preserved
RewriteCond %{QUERY_STRING} ^.*action=login.*$
RewriteRule ^/wiki(.*)$ /protected-wiki$1 [R=302,L]