Extension talk:SAMLAuth

In the statement below... You must install, and configure SimpleSAMLphp as a SAML 2.0 Service Provider on the same domain as the MediaWiki instance.

What exactly do you mean by "same domain"?

Supposing that my domain is www.example.com ...


 * 1) Could my SP be sp.example.com ?
 * 2) If not, what it could be?
 * 3) If I had to have something like www.example.com/sp could I employ mod_rewrite and tell Apache to redirect to sp.example.com ?

Thanks a lot :)

Richard Gomes 03:13, 3 January 2011 (UTC)


 * Should work. Check http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language 134.91.30.112 11:44, 18 June 2012 (UTC)

Support for MediaWiki 1.18+
In MediaWiki 1.18, the internal user handling has changed, so SAMLAuth 0.3 doesn't work with MediaWiki 1.18 and above. The same issue concerns other authentication modules (for example HttpAuth and Shibboleth Authentication). The following patch is a workaround for the problem:

diff -pur old/SpecialSAMLAuth/SpecialSAMLAuth_body.php new/SpecialSAMLAuth/SpecialSAMLAuth_body.php --- old/SpecialSAMLAuth/SpecialSAMLAuth_body.php	2013-06-09 15:55:50.000000000 +0200 +++ new/SpecialSAMLAuth/SpecialSAMLAuth_body.php	2013-06-09 15:54:39.000000000 +0200 @@ -114,7 +114,7 @@ class SAMLAuth extends SpecialPage { $token = LoginForm::getLoginToken; $params = new FauxRequest(array( 'wpName' => $simplesaml_UN, -                   'wpPassword' => '', +                   'wpPassword' => 'a', 'wpDomain' => '', 'wpRemember' => '', 'wpLoginToken' => $token, @@ -148,7 +148,7 @@ class SAMLAuth extends SpecialPage { $user->setRealName($simplesaml_RN); }                 $wgUser->saveSettings; -               $wgUser->setupSession; +               wfSetupSession; $wgSamlAuthDebug && error_log('Debug simpleSAMLphp + MediaWiki: USER-IDENTIFIED [' . $simplesaml_UN . ']'); $wgUser->setCookies; } @@ -176,9 +176,18 @@ class SAMLAuth extends SpecialPage { $loginForm = new LoginForm($params); $result = $loginForm->authenticateUserData; +               /* For security, scramble the password to ensure the user can +                * only login through simpleSAMLphp. This set the password to a 15 byte +                * random string. +                */ +                $pass = null; +               for($i = 0; $i < 15; ++$i) +                       $pass .= chr(mt_rand(0,255)); +               $loginForm->mPassword = $pass; +                 //Now we _do_ the black magic $loginForm->mRemember = false; -               $loginForm->initUser(&$user, TRUE); +               $loginForm->initUser($user, TRUE); // set the user values $user->setOption('SAMLAuth_IdentityProvider', $idp); 
@@ -188,14 +197,6 @@ class SAMLAuth extends SpecialPage { if($simplesaml_RN != null) { $user->setRealName($simplesaml_RN); } -               /* For security, scramble the password to ensure the user can -                * only login through simpleSAMLphp. This set the password to a 15 byte -                * random string. -                */ -                $pass = null; -               for($i = 0; $i < 15; ++$i) -                       $pass .= chr(mt_rand(0,255)); -               $user->setPassword($pass); // email confirmation loop global $wgEmailAuthentication; @@ -206,7 +207,7 @@ class SAMLAuth extends SpecialPage { //Finish it off $user->setToken; $user->saveSettings; -               $user->setupSession; +               wfSetupSession; $user->setCookies; $wgUser = $user; $user->addNewUserLogEntry;
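Review bot: the `'wpPassword' => 'a'` placeholder in the @@ -114 hunk needs a comment explaining why a non-empty dummy password is required in the FauxRequest (the hunk gives no reason for the change from `''`); without it a later maintainer is likely to restore the empty string and reintroduce the 1.18 breakage, and a reader cannot tell that the value is never meant to be the account's real password.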
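Review bot: mt_rand() is not a cryptographically secure generator, yet the comment in the @@ -176 hunk presents the 15-byte string as the measure that locks the account to SAML-only logins; a CSPRNG (for example openssl_random_pseudo_bytes(15)) should be used so the scrambled password cannot be derived from generator state. chr(mt_rand(0,255)) also produces raw bytes, NUL and invalid UTF-8 included, which some password paths may truncate or reject; hex-encoding the bytes (bin2hex) avoids that without weakening the value. Minor: the comment should read "This sets the password".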
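Review bot: with the explicit `$user->setPassword($pass)` removed in the @@ -188 hunk, the scramble now depends entirely on initUser() persisting `$loginForm->mPassword`, which is assigned just before the call in the @@ -176 hunk; please confirm that 1.18's LoginForm::initUser actually writes mPassword to the user record, and document in the hunk comment if it does so only conditionally, since otherwise the new account is created without the scrambled password and the "only login through simpleSAMLphp" guarantee silently disappears.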

Save it as  and execute the following command in  :

patch -p1 < SpecialSAMLAuth.patch

Redirect Login
When I enabled SAMLAuth, I was expecting it to work similar to such extensions as:


 * ExtAuthDB
 * GoogleAppsAuthentification

In other words, I was expecting it to override/bypass the built-in MediaWiki log-in authentication and jump right to the SAML authentication. If it failed, then it would go to the Log-in page. Is it documented anywhere how to enable this? Thanks.

--Technomensch (talk) 15:29, 19 August 2013 (UTC)