Topic on User talk:Cindy.cicalese

Hello

@Cindy.cicalese first i woulk like to thank you very much for your support, finally i can implement SSO with AD Azure using OpenIDConnect and PluggableAuth_Config.

Now after login i have permission error

You do not have permission to read this page, for the following reason:

The action you have requested is limited to users in one of the groups: Administrators, app_wiki_usr

Acutally i have the groupe "app_wiki_usr" on my MW and it has a "READ" permission

$wgGroupPermissions['app_wiki_usr']['read'] = true;

1- should I create the same groupe on Azure AD and add users to IT ?

2- for mapping group do you confirm that I should add on $wgPluggableAuth_Config ONYLY this lines bellow  ?

'groupsyncs' => [

     [

       'type' => 'mapped',

       'map' => [

         'app_wiki_usr' => [ 'groups' => 'app_wiki_usr' ],

       ]

     ]

   ];

Have a nice day

I'm so glad you've gotten it working. If there was anything that you had to do that was accurately represented in the instructions on the extension wiki page, please update it.

The answer to your question depends on where you want you system administrator to manage the user permissions: in the wiki or in Azure AD. Either would work. If you want to administer the permissions in the wiki, a user with bureaucrat permissions would do so on page Special:UserRights. If you want to administer the permissions in Azure AD, you would add the code you indicate above or similar. What I do not know is what attribute name the group information will be provided in by Azure AD. 'groups' is a popular choice. You will need to make sure whatever attribute name is provided in Azure AD matches what is in the config snippet above.

Hello @Cindy.cicalese

Yes i will update pages that need to be updated.

excuse me i have some confusion from what you said

for me permission will be administrated from Azure AD Side

the group created on Azure Ad by Ad administrator is named "DSI - Wiki - USER", it contains all user allowed to connect to MW

in MW we have a group named "app_wiki_usr"

$wgGroupPermissions['app_wiki_usr']['read'] = true;

1- what do you mean please by attribute name does it the Objecttype and how to get it  ?

2- should i have the same name of group in MW and Azure AD ?

3-second configure the mapping , here what should i put at this line  ?

' (which group AD or MW)' => [ 'attribute name of AD group "DSI - Wiki - USER"' => '(which group AD or MW)' ],

Thanks

1) When the groups are synchronized between Azure AD and MediaWiki, the MediaWiki code will request the attributes provided by Azure AD. What is in the response depends upon how Azure AD is configured. The group information will be in the structure that is returned as the response to that request. The attribute name that is used to index into the resulting data structure is what you will need. If you don't know what is in that structure, you could add some debugging to https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/PluggableAuth/+/refs/heads/master/includes/Group/GroupProcessorRunner.php#51 to show what is returned in pluginAttributes.

2) It does not matter whether those names are the same.

3) <name of MW group> => [ <name of AD attribute> => <name of AD group> ]

<name of MW group> is the name you want the group to have on the MW side

<name of AD attribute> is the attribute name referred to in 1) above

<name of AD group> is the name of the group in AD that you want to have mapped to the MW group

Thanks a lot it work now

Great!

@RakingTheLeaves

perhaps i'm being premature in tagging you here without putting the above to the test.... but perhaps also, this is worth a read through?