From MediaWiki.org
This page is a translated version of the page Extension:SimpleSAMLphp and the translation is 67% complete.
This extension requires the PluggableAuth extension to be installed first.
MediaWiki extensions manual
Release status: stable
Implementation: User identity
Description: Extends the PluggableAuth extension to provide authentication using SimpleSAMLphp.
Author(s): Cindy Cicalese, Robert Vogel
Latest version: 4.5.1 (2019-10-27)
Compatibility policy: master
MediaWiki: 1.31+
PHP: 5.3+
License: MIT License
Parameters:
  • $wgSimpleSAMLphp_InstallDir
  • $wgSimpleSAMLphp_AuthSourceId
  • $wgSimpleSAMLphp_RealNameAttribute
  • $wgSimpleSAMLphp_EmailAttribute
  • $wgSimpleSAMLphp_UsernameAttribute
  • $wgSimpleSAMLphp_MandatoryUserInfoProviderFactories
  • $wgSimpleSAMLphp_GroupMap

The SimpleSAMLphp extension extends the PluggableAuth extension to provide authentication using SimpleSAMLphp.


This extension requires the PluggableAuth extension and SimpleSAMLphp to be installed first.
  • Download and place the file(s) in a directory called SimpleSAMLphp in your extensions/ folder.


Values must be provided for the following mandatory configuration variables:

Flag (default): Description
$wgSimpleSAMLphp_InstallDir (no default value): The path on the local server where SimpleSAMLphp is installed.
$wgSimpleSAMLphp_AuthSourceId (no default value): The AuthSourceId to be used for authentication.
$wgSimpleSAMLphp_RealNameAttribute (no default value): The name of the attribute(s) to be used for the user's real name. This may be a single attribute name or an array of attribute names. In the latter case, the attribute values are concatenated with spaces between them to form the value for the user's real name.
$wgSimpleSAMLphp_EmailAttribute (no default value): The name of the attribute to be used for the user's email address.
$wgSimpleSAMLphp_UsernameAttribute (no default value): The name of the attribute to be used for the user's username.

In addition, the following optional configuration variables are provided:

Flag (default): Description (since)
$wgSimpleSAMLphp_GroupMap (null): Mapping from SAML attributes to MediaWiki groups of the form:

$wgSimpleSAMLphp_GroupMap = [ 'mediawiki group' => ['saml attribute' => ['group 1', 'group 2', '...']]];

No group mapping is performed if $wgSimpleSAMLphp_GroupMap is null.

$wgSimpleSAMLphp_GroupAttributeDelimiter (null): If the IdP returns the list of groups in a single string (e.g. "saml attribute" => [ "group 1,group 2,group 3" ] instead of "saml attribute" => [ "group 1", "group 2", "group 3" ]), this value can be set to split up the string. Be aware that in this case only the first element of the SAML attribute value is evaluated. This setting applies to both group synchronization mechanisms, "MapGroups" and "SyncAllGroups". (since 4.3)
$wgSimpleSAMLphp_SyncAllGroups_GroupAttributeName ("groups"): If configured to use "SyncAllGroups", this SAML attribute is read out. (since 4.3)
$wgSimpleSAMLphp_SyncAllGroups_LocallyManaged ([ "sysop" ]): If configured to use "SyncAllGroups", these local user groups are not influenced by what is set in the SAML response. (since 4.3)
Group name modification callback (null): If configured to use "SyncAllGroups", this can be used to change/normalize the groups coming from the IdP; see the example under "Group mapping #2" below. (since 4.3)
$wgSimpleSAMLphp_AttributeProcessorFactories [
This can be used to set up the group synchronization mechanism and to add processing of arbitrary SAML response data. Example see below. The factory callback has the following signature:

 factoryCallback(
     \User $user,
     array $attributes,
     \Config $config,
     SimpleSAML\Auth\Simple $saml
 ) : MediaWiki\Extension\SimpleSAMLphp\IAttributeProcessor


Define custom user info provider

If you want to modify any of the fields username, realname or email before login, you can configure a custom callback for $wgSimpleSAMLphp_MandatoryUserInfoProviderFactories. The factory method has the following signature:

 factoryCallback( \Config $config ) : \MediaWiki\Extension\SimpleSAMLphp\IUserInfoProvider

For simple use cases one can use MediaWiki\Extension\SimpleSAMLphp\UserInfoProvider\GenericCallback, for example to derive the username from the local part of the email address:

 $wgSimpleSAMLphp_MandatoryUserInfoProviderFactories['username'] = function( $config ) {
     return new \MediaWiki\Extension\SimpleSAMLphp\UserInfoProvider\GenericCallback( function( $attributes ) {
         // Throw when the attribute is missing instead of deriving an empty username.
         if ( !isset( $attributes['mail'] ) ) {
             throw new Exception( 'missing email address' );
         }
         // The username is the local part of the first "mail" value, lower-cased.
         $parts = explode( '@', $attributes['mail'][0] );
         return strtolower( $parts[0] );
     } );
 };

Group mapping

Use case: your SAML IdP reads groups from LDAP or a database and stores this information inside an attribute of the SAML response. You want to use this to map MediaWiki groups to users belonging to some known groups given by your IdP.


  • Your IdP sends an attribute named "groups" with a list of names like "administrator", "student", "teacher", ... in the SAML response after authentication.
  • All users that have the value "administrator" in the "groups" attribute shall be mapped to the MediaWiki "sysop" group to give them admin rights within your MediaWiki instance.
  • Create a group map in your LocalSettings.php as follows: $wgSimpleSAMLphp_GroupMap = ['sysop' => ['groups' => ['administrator']]];

You can come up with rather complex mappings that fit your needs. If you have more than one attribute from SAML, just add it to the array with the array of values you want to map.

If a MediaWiki group does not exist, it will be created "on the fly" on first successful mapping of a user.

HINT: If a user belongs to a MediaWiki group that is no longer mapped to that user (for example, by losing the group membership in the SAML user data source), the user will be removed from that MediaWiki group at next log in. In that way you can mass remove groups from SAML and their memberships, too - just scramble the mapping values so they don't match the SAML response, but don't mess up the MediaWiki group name.
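The "MapGroups" rules described in this section, modelled as a stand-alone PHP script added here (not the extension's own code): the group map, the delimiter caveat and the removal of no-longer-mapped groups. The "editor" wiki group and the "eduPersonAffiliation" attribute are constructed for the sample; PHP 7.0+ is assumed.

```php
<?php
// Added example (not the extension's own code): a model of the documented "MapGroups"
// behaviour. A user is added to each mapped MediaWiki group for which one of the listed
// SAML values is present, and removed from a mapped group whose values no longer match;
// groups that are absent from the map are never touched. With a delimiter configured,
// only the first element of the attribute value array is split (the documented caveat).

function splitGroupValues( array $values, $delimiter ) {
    if ( $delimiter === null || $values === [] ) {
        return $values;
    }
    // Only the first element is evaluated when a delimiter is configured.
    return array_map( 'trim', explode( $delimiter, $values[0] ) );
}

function mapGroups( array $groupMap, array $attributes, $delimiter, array $currentGroups ) {
    $add = [];
    $remove = [];
    foreach ( $groupMap as $wikiGroup => $rules ) {
        $matched = false;
        foreach ( $rules as $samlAttr => $wantedValues ) {
            $present = splitGroupValues( $attributes[$samlAttr] ?? [], $delimiter );
            if ( count( array_intersect( $wantedValues, $present ) ) > 0 ) {
                $matched = true;
                break;
            }
        }
        $inGroup = in_array( $wikiGroup, $currentGroups, true );
        if ( $matched && !$inGroup ) {
            $add[] = $wikiGroup;
        } elseif ( !$matched && $inGroup ) {
            $remove[] = $wikiGroup;
        }
    }
    return [ 'add' => $add, 'remove' => $remove ];
}

// Constructed sample data; "editor" is a hypothetical wiki group created on the fly.
$groupMap = [
    'sysop'  => [ 'groups' => [ 'administrator' ] ],
    'editor' => [ 'groups' => [ 'teacher' ], 'eduPersonAffiliation' => [ 'staff' ] ],
];
// This IdP packs the whole group list into one string, so the delimiter is ",".
$attributes = [ 'groups' => [ 'student,teacher' ] ];
// "user" is not in $groupMap, so the mapping never adds or removes it.
$changes = mapGroups( $groupMap, $attributes, ',', [ 'sysop', 'user' ] );
print_r( $changes );
```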

Group mapping #2

Since version 4.3 one can also configure an alternative group synchronization mechanism. Besides the default "MapGroups" one can use "SyncAllGroups", which takes all groups from the SAML response and assigns the user to them.

To do so, add

$wgSimpleSAMLphp_AttributeProcessorFactories = [

to the LocalSettings.php.

If the IdP returns group names that are not suitable for the wiki, one can set up a callback to modify the group names. E.g. some IdP setups may return LDAP DNs like "CN=Admin,OU=Groups,DC=SomeDomain". One could then specify

$wgSyncAllGroups_GroupNameModificationCallback = function ( $origGroupName ) {
    // Keep only the CN part, so "CN=Admin,OU=Groups,DC=SomeDomain" becomes "Admin"
    return preg_replace( '#^CN=(.*?),OU=.*$#', '$1', $origGroupName );
};
in LocalSettings.php.
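Added example, not the extension's own code: a stand-alone PHP model of "SyncAllGroups" that chains the settings from the table above (group attribute name, delimiter, locally managed groups and the DN-normalizing callback shown here) over a constructed SAML attribute set. The $config keys are this example's shorthand for the corresponding $wg settings; PHP 7.0+ is assumed.

```php
<?php
// Added example (not the extension's own code): a model of "SyncAllGroups" that applies
// the documented pieces in order: read the group attribute, split it with the delimiter
// (first element only), normalize every name with the modification callback, then add
// and remove groups while leaving locally managed groups untouched.

function syncAllGroups( array $attributes, array $currentGroups, array $config ) {
    $values = $attributes[ $config['GroupAttributeName'] ] ?? [];
    if ( $config['GroupAttributeDelimiter'] !== null && $values !== [] ) {
        // Documented caveat: only the first element of the attribute value is evaluated.
        $values = array_map( 'trim', explode( $config['GroupAttributeDelimiter'], $values[0] ) );
    }
    $normalized = array_map( $config['GroupNameModificationCallback'], $values );
    // Drop empty names and duplicates before comparing with the user's current groups.
    $idpGroups = array_values( array_unique( array_filter( $normalized, 'strlen' ) ) );
    $local = $config['LocallyManaged'];
    // Locally managed groups (default [ "sysop" ]) are neither added nor removed.
    $add = array_values( array_diff( $idpGroups, $currentGroups, $local ) );
    $remove = array_values( array_diff( $currentGroups, $idpGroups, $local ) );
    return [ 'add' => $add, 'remove' => $remove ];
}

// Constructed sample: the IdP returns LDAP DNs packed into one ";"-separated string.
// A "," delimiter would split the DNs themselves, so it must match the IdP's packing.
$config = [
    'GroupAttributeName' => 'groups',
    'GroupAttributeDelimiter' => ';',
    'LocallyManaged' => [ 'sysop' ],
    'GroupNameModificationCallback' => function ( $origGroupName ) {
        return preg_replace( '#^CN=(.*?),OU=.*$#', '$1', $origGroupName );
    },
];
$attributes = [
    'groups' => [ 'CN=Editors,OU=Groups,DC=SomeDomain;CN=Staff,OU=Groups,DC=SomeDomain' ],
];
// "sysop" is locally managed and stays; every other current group not in the SAML
// response (here "bot") is scheduled for removal.
$changes = syncAllGroups( $attributes, [ 'sysop', 'bot', 'Staff' ], $config );
print_r( $changes );
```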

Processing arbitrary data from the SAML response

The "attribute processors" can also be used to handle arbitrary data from the SAML response. In this case one must first create a new PHP class that implements the MediaWiki\Extension\SimpleSAMLphp\IAttributeProcessor interface. For convenience the base class MediaWiki\Extension\SimpleSAMLphp\AttributeProcessor\Base can be used, which has a proper factory callback and constructor implemented. An example:

use MediaWiki\Extension\SimpleSAMLphp\AttributeProcessor\Base;
class SyncLanguage extends Base {
    public function run() {
        // Set gender on $this->user from a value in $this->attributes ("gender" attribute name assumed)
        if ( isset( $this->attributes['gender'][0] ) ) {
            $this->user->setOption( 'gender', $this->attributes['gender'][0] );
            $this->user->saveSettings();
        }
    }
}

It then needs to be registered in $wgSimpleSAMLphp_AttributeProcessorFactories so that the extension instantiates it.


Version 4.5.1
  • fixed warning: $wgSimpleSAMLphp_GroupMap is not an array
  • improved loading UserInfo and Groups
  • improved tests
Version 4.5
  • added support for custom user info providers
  • updated to manifest version 2
Version 4.4
Version 4.3
  • Added support for attribute processors
  • Fixed bug in SAML attribute processing
  • Added PSR-4 compatible namespace
  • Dropped support for MW <1.31
Version 4.2
  • Broke out username, real name, and email functions so they could be overridden in a subclass to allow custom rules
  • Coding style and directories
  • Improved debugging
Version 4.1
Version 4.0
  • Added optional error message to authenticate()
  • Bumped version number to synchronize with PluggableAuth and OpenID Connect extensions


If you are using MediaWiki 1.27 or later with PluggableAuth 2.0 or later, problems have been observed when SimpleSAMLphp is configured to use phpsession for store.type. This may be due to T147161. To fix this, use a different store type in the configuration of the SimpleSAMLphp software by adjusting simplesamlphp/config/config.php (see https://simplesamlphp.org/docs/stable/simplesamlphp-maintenance#section_2_3). For example, for SQLite, use:

'store.type' => 'sql',
'store.sql.dsn' => 'sqlite:/path/where/the/apache/user/can/write/sqlitedatabase.sq3',

For MySQL, use:

'store.type' => 'sql',
'store.sql.dsn' => 'mysql:host=xxx;port=xxx;dbname=xxx',
'store.sql.username' => 'xxx',
'store.sql.password' => 'xxx',