Extension:SimpleSamlAuth

MediaWiki extensions manual
SimpleSamlAuth
Release status: unmaintained
Implementation: Page action, User rights
Description: Enables SAML authentication using SimpleSAMLphp
Author(s): Jørn de Jong (Nordyorn)
Latest version: 0.8 (2017-06-03)
MediaWiki: 1.15+
PHP: 5.3+
Database changes: No
License: GNU Lesser General Public License 3.0

  • $wgSamlRequirement
  • $wgSamlCreateUser
  • $wgSamlAuthSource
  • $wgSamlSspRoot
  • $wgSamlPostLogoutRedirect
  • $wgSamlGroupMap
  • $wgSamlUsernameAttr
  • $wgSamlRealnameAttr
  • $wgSamlMailAttr

The SimpleSamlAuth extension enables SAML authentication using SimpleSAMLphp.

Installation

This is the management summary; see README.md for more information.

1) Install SimpleSAMLphp and make sure its www folder is served from the same vhost that MediaWiki is installed on (e.g. at /simplesaml).

SimpleSAMLphp cannot be configured to use phpsession for store.type, since this is not compatible with MediaWiki's session management framework.

2) Configure SimpleSAMLphp.

3) Clone mwSimpleSamlAuth to extensions/SimpleSamlAuth.

cd extensions
git clone https://github.com/jornane/mwSimpleSamlAuth.git SimpleSamlAuth -b v0.8
cd SimpleSamlAuth

or, to upgrade an existing checkout:

cd extensions/SimpleSamlAuth
git pull --tags origin tags/v0.8
git checkout tags/v0.8

4) Add configuration to LocalSettings.php and change configuration values:

require_once "$IP/extensions/SimpleSamlAuth/SimpleSamlAuth.php";
// Make sure the session name matches the one used by SimpleSAMLphp (most likely the default, PHPSESSID)
$wgSessionName = "PHPSESSID";
// One of: SAML_OPTIONAL, SAML_LOGIN_ONLY, SAML_REQUIRED
$wgSamlRequirement = SAML_OPTIONAL;
// Should users be created if they don't exist in the database yet?
$wgSamlCreateUser = false;

// SAML attributes
$wgSamlUsernameAttr = 'uid';
$wgSamlRealnameAttr = 'cn';
$wgSamlMailAttr = 'mail';

// SimpleSamlPhp settings
$wgSamlSspRoot = '/usr/share/simplesamlphp';
$wgSamlAuthSource = 'default-sp';
$wgSamlPostLogoutRedirect = NULL;

// Array: [MediaWiki group][SAML attribute name][SAML expected value]
// If the SAML assertion matches, the user is added to the MediaWiki group
$wgSamlGroupMap = array(
	'sysop' => array(
		'groups' => array('admin'),
	),
);
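
The group map decides which users receive privileged groups such as sysop, so it is worth checking against the attribute sets your IdP actually sends. The PHP below is an added example, not code from the extension: samlGroupsFor and the sample attribute sets are hypothetical, and it assumes a group is granted when any listed attribute carries any expected value, compared strictly. The samples cover a match, a differently cased value and a missing attribute.

```php
<?php
// Added example, not SimpleSamlAuth code. Assumption: a group is granted when
// ANY listed attribute carries ANY of its expected values (strict string match).

// Hypothetical helper: groups that a set of SAML attributes maps to under
// an array shaped like $wgSamlGroupMap ([group][attribute name][values]).
function samlGroupsFor(array $groupMap, array $attributes) {
	$granted = array();
	foreach ($groupMap as $group => $rules) {
		foreach ($rules as $attrName => $expectedValues) {
			// A missing attribute never matches; a scalar is treated as one value.
			$actual = isset($attributes[$attrName]) ? (array) $attributes[$attrName] : array();
			foreach ((array) $expectedValues as $expected) {
				// Strict comparison, so 'admin' does not match 'Admin' or 'admins'.
				if (in_array($expected, $actual, true)) {
					$granted[$group] = true;
					break 2; // group decided, move on to the next group
				}
			}
		}
	}
	return array_keys($granted);
}

// Same mapping as in the configuration above.
$groupMap = array(
	'sysop' => array(
		'groups' => array('admin'),
	),
);

// Constructed sample attribute sets, in the array-of-strings form
// SimpleSAMLphp returns from getAttributes().
$samples = array(
	'alice' => array('uid' => array('alice'), 'groups' => array('staff', 'admin')),
	'bob'   => array('uid' => array('bob'), 'groups' => array('Admin')),
	'carol' => array('uid' => array('carol')),
);

foreach ($samples as $name => $attributes) {
	$groups = samlGroupsFor($groupMap, $attributes);
	printf("%-5s => %s\n", $name, $groups ? implode(', ', $groups) : '(no mapped groups)');
}
```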

Stability

This extension runs without problems in production environments, but could use some extra testing. For that reason it is still marked as beta. A stable version will be released as 1.0 ASAP.

If you encounter any problems, you are welcome to submit a bug report.

Important

If you run MediaWiki 1.27 or newer, SimpleSAMLphp MUST be configured to use an alternative session handler. If this is not done, SAML authentication succeeds, but MediaWiki still shows that nobody is logged in. Please refer to the SimpleSAMLphp website for how to configure SimpleSAMLphp for session storage.
