Extension talk:SimpleSamlAuth/Flow


help with automatic group removal

Revansx (talkcontribs)

From the example in the page (code below) I am able to add users to groups based on their SAML attributes:

// Array: [MediaWiki group][SAML attribute name][SAML expected value]
// If the SAML assertion matches, the user is added to the MediaWiki group
$wgSamlGroupMap = array(
	'sysop' => array(
		'groups' => array('admin'),
	),
);

However, once users are added, this code does not remove them from the groups that they are added to. Is this expected behavior? I'm wondering what the right/best way is to remove members from a group based on SAML as well. Does anyone have any experience with this?

Reply to "help with automatic group removal"
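
The question above concerns group membership that outlives the SAML assertion which granted it, which leaves stale privileges on the wiki. One way to handle it is to treat the map as authoritative for the groups it names and reconcile on every login. This is an added example, not SimpleSamlAuth's own code: the helper name samlGroupChanges and the sample data are hypothetical, and it only computes the changes, leaving the caller to apply them.

```php
<?php
// Added example, not SimpleSamlAuth code. samlGroupChanges() is a hypothetical helper.
// $map uses the $wgSamlGroupMap layout:
//   [MediaWiki group][SAML attribute name][SAML expected values]

function samlGroupChanges(array $map, array $attrs, array $currentGroups)
{
    $entitled = [];
    foreach ($map as $group => $rules) {
        foreach ($rules as $attrName => $expectedValues) {
            // SAML attributes are multi-valued; a missing attribute never matches.
            $actual = isset($attrs[$attrName]) ? (array)$attrs[$attrName] : [];
            if (array_intersect($expectedValues, $actual)) {
                $entitled[] = $group;
                break;
            }
        }
    }

    // Only groups named in the map are managed. Groups granted by hand and
    // absent from the map (here 'bureaucrat') are never touched.
    $managed = array_keys($map);

    return [
        'add'    => array_values(array_diff($entitled, $currentGroups)),
        'remove' => array_values(
            array_diff(array_intersect($managed, $currentGroups), $entitled)
        ),
    ];
}

// Constructed sample data: the IdP no longer asserts 'admin' for this user.
$map = [
    'sysop'   => ['groups' => ['admin']],
    'trusted' => ['groups' => ['staff']],
];
$attrs   = ['groups' => ['staff']];
$current = ['sysop', 'bureaucrat'];

print_r(samlGroupChanges($map, $attrs, $current));
```

Because removal is limited to groups that appear as keys in the map, any group listed there can no longer be granted manually; it will be dropped at the next login unless the assertion supports it.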

get realname from uid, not from cn

Laninuser (talkcontribs)

SimpleSAMLphp successfully gets "cn" from ADFS, but I have "uid" as the user realname.

Reply to "get realname from uid, not from cn"
115.113.69.206 (talkcontribs)

Backtrace: 0 C:\MediaWiki\mediawiki-1.23.5\extensions\SimpleSAMLphp\www\module.php:179 (N/A) Caused by: Exception: Missing key in public key details.

How to fix?

Reply to "Missing public key"

No tag/branch "v.08" in git repo

Osnard (talkcontribs)

The documentation recommends usage of version "0.8". Unfortunately there is no such tag/branch on the referenced git repo. The command from the setup instructions results in

fatal: Remote branch v0.8 not found in upstream origin
Reply to "No tag/branch "v.08" in git repo"

SimpleSamlAuth since 1.27?

2001:4898:8010:0:0:0:0:27C (talkcontribs)

Has anyone successfully used SimpleSamlAuth and SimpleSamlPHP with MediaWiki 1.27? I'm working on building a 1.27 replacement for an existing 1.25 environment and I can't get authentication working for the life of me. Using SamlTracer I can see that the 1.25 environment sets a session cookie before SimpleSaml redirects to the IDP. In 1.27 that cookie is not set. The other difference (and the main symptom/cause) of my login failure is that my session ID changes between being redirected to the IDP and the response being sent back to SimpleSaml. This causes a NOSTATE error.

Just wondering if anyone else has run into this, or if I've done something stupid in my config that I just haven't noticed.

193.5.216.100 (talkcontribs)

Hi!

Were you able to get it to work? I am also trying to get it to work, but I get the error:

Exception encountered, of type "LogicException"

Could it be that SimpleSamlAuth is not compatible with MediaWiki 1.27? I also used it in a 1.25 environment.

2001:4898:8010:1:0:0:0:59A (talkcontribs)

I haven't been able to get around the problem I ran into but my error is significantly different. I'm fairly certain the issue is SimpleSamlAuth needing to be updated for the changes to session management in MediaWiki. While troubleshooting I compared my 1.25 environment behavior against the 1.27 environment and 1.25 drops a session cookie to the browser before redirecting to the login provider. 1.27 doesn't drop this cookie, and as far as I can tell that's the root of my problem. I've tried modifying simplesamlauth to set the session cookie prior to redirecting and while I can get a cookie to set, it doesn't appear to be used.

I'd wager there's something obvious I'm missing, like I just need to create an instance of the MediaWiki session manager and use it to set up the session, but I can't figure out exactly how to do that in a way that works :)

2001:41F0:53D4:1:203D:5179:91E6:2175 (talkcontribs)

Hi.

I found a workaround (or fix) for the Exception encountered, of type "LogicException"

Tested on MediaWiki 1.27, SimpleSamlAuth tags/v0.6.

With $wgShowExceptionDetails = true; in LocalSettings.php, we learn that the error comes from includes/user/User.php line 2493.

From 1.27 MediaWiki uses a different mechanism (AuthManager) for changing authentication data.

In the function setPasswordInternal, line 2488 (called by setInternalPassword) we see we cannot set a password for a user that is not in the database.

WORKAROUND (or fix):

In SimpleSamlAuth.class.php, first add the user to the database, then set the password (basically swap lines 440 and 441 around) to become:

$user->addToDatabase();
$user->setInternalPassword( null ); // prevent manual login until reset

Piele

46.59.63.183 (talkcontribs)

I am developing a SAML extension for MediaWiki 1.27 as part of a larger customization effort for a web site I have been working on. I previously used some of the existing SAML extensions available but like you, I found that they no longer work on 1.27.

I'm far from done but perhaps some of my code can be of use: https://github.com/wsv-accidis/tmeit-wiki/tree/tmeit-master/extensions/TmeitSamlAuth

Note that this is not a patched SimpleSamlAuth but a new extension based on the same concept, but with fewer options (I am only implementing what I need for my project).

2001:4898:8010:1:0:0:0:59A (talkcontribs)

It turns out the only problem I was having is leaving SimpleSamlPHP configured to use cookies for session storage. After moving session storage to memcached I'm able to use SimpleSamlAuth and SimpleSamlPHP just fine!

115.113.69.206 (talkcontribs)

Hi all... please help me... I am trying to configure the comment extension but I am getting an error. Please look below.

Database error

A database query error has occurred. This may indicate a bug in the software.

  • Query: SELECT Comment_Username,Comment_IP,Comment_Text,Comment_Date,UNIX_TIMESTAMP(Comment_Date) AS timestamp,Comment_user_id,CommentID,Comment_Parent_ID FROM "Comments" WHERE Comment_Page_ID = '774'
  • Function: CommentsPage::getComments
  • Error: 42P01 ERROR: relation "Comments" does not exist LINE 1: ...Comment_user_id,CommentID,Comment_Parent_ID FROM "Comments"
Reply to "SimpleSamlAuth since 1.27?"

Filter SAML Attribute

193.5.216.100 (talkcontribs)

Hi Guys,

I'm trying to get my permissions right. I have a DN string like this:

cn=Foo Bar,ou=Governance,ou=Organisation,o=Business,c=CH

Now I want to filter the Attribute in my SAML-Token only for the "ou=Governance" part of it:

$wgSamlGroupMap = array(
	'trusted' => array(
		'DN' => array('ou=Governance'),
	),
);

Are there any wildcards available, so that I could even filter by "ou=Governance*o=Business"?

Is that possible or does it have to match exactly?

Thank you for your answers!

Reply to "Filter SAML Attribute"
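
A substring or wildcard test on the raw DN string can match text that sits inside another component, so for an authorization decision it is safer to split the DN and require whole components. The sketch below is an added example, not part of the original post or of SimpleSamlAuth: the function names are hypothetical, and the second and third sample DNs are constructed to show where a pattern such as "ou=Governance*o=Business" would over-match.

```php
<?php
// Added example, not SimpleSamlAuth code; helper names are hypothetical.

// Split a DN into its RDN strings, keeping backslash-escaped characters
// (such as an escaped comma inside a cn) within their component.
function splitDn($dn)
{
    $parts = [];
    $cur = '';
    $len = strlen($dn);
    for ($i = 0; $i < $len; $i++) {
        $ch = $dn[$i];
        if ($ch === '\\' && $i + 1 < $len) {
            $cur .= $ch . $dn[++$i];   // copy the escape pair unchanged
        } elseif ($ch === ',') {
            $parts[] = trim($cur);
            $cur = '';
        } else {
            $cur .= $ch;
        }
    }
    $parts[] = trim($cur);
    return $parts;
}

// True only if every required "type=value" is present as a whole RDN.
// Comparison is case-insensitive.
function dnHasComponents($dn, array $required)
{
    $have = array_map('strtolower', splitDn($dn));
    foreach ($required as $rdn) {
        if (!in_array(strtolower($rdn), $have, true)) {
            return false;
        }
    }
    return true;
}

$dns = [
    // DN from the post above
    'cn=Foo Bar,ou=Governance,ou=Organisation,o=Business,c=CH',
    // Constructed: escaped comma, so "ou=Governance" is part of the cn value
    'cn=Eve\\,ou=Governance,ou=Guests,o=Business,c=CH',
    // Constructed: a different OU that merely starts with "Governance"
    'cn=Bob,ou=Governance-Interns,o=Business,c=CH',
];
foreach ($dns as $dn) {
    var_dump(dnHasComponents($dn, ['ou=Governance', 'o=Business']));
}
```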

How to use SimpleSAML to provide MediaWiki a SSO feature.

125.16.180.5 (talkcontribs)

I have installed MediaWiki V1.23 in a Windows Azure Website (PaaS) and it's working fine. Now I want to provide the user the functionality to log in to this site using credentials of some other private domain, i.e. a different domain login. In the documentation, it says that we have to configure SimpleSAMLphp first. Can you tell me how to do it in my project, and can you also explain to me the meaning of the parameters that it asks to add in LocalSettings.php? Since I am new to PHP and MediaWiki, I couldn't understand much of it, but I really need to implement this. The idea which I intend to follow is to provide authentication by this path: MediaWiki -> SimpleSAML -> ADFS. Thanks in advance.

Reply to "How to use SimpleSAML to provide MediaWiki a SSO feature."