Extension:SimpleSamlAuth

From MediaWiki.org
MediaWiki extensions manual
SimpleSamlAuth
Release status: beta
Implementation: Page action, User rights
Description: Enables SAML authentication using SimpleSAMLphp
Author(s): Jørn de Jong (Nordyorn)
Latest version: 0.8 (2017-06-03)
MediaWiki: 1.15+
PHP: 5.3+
Database changes: No
License: GNU Lesser General Public License 3.0
Download
README
Changelog
Parameters
  • $wgSamlRequirement
  • $wgSamlCreateUser
  • $wgSamlAuthSource
  • $wgSamlSspRoot
  • $wgSamlPostLogoutRedirect
  • $wgSamlGroupMap
  • $wgSamlUsernameAttr
  • $wgSamlRealnameAttr
  • $wgSamlMailAttr
Hooks used
  • UserLoadFromSession
  • GetPreferences
  • SpecialPage_initList
  • UserLoginForm
  • UserLogout
  • PersonalUrls
  • MediaWikiPerformAction

The SimpleSamlAuth extension enables SAML authentication using SimpleSAMLphp.

Installation

This is the management summary; see README.md for more information.

1) Install SimpleSAMLphp and make sure its www folder is served from the same vhost that MediaWiki is installed on (e.g. at /simplesaml).

Note: SimpleSAMLphp cannot be configured to use phpsession for store.type, since this is not compatible with MediaWiki's session management framework.

2) Configure SimpleSAMLphp.

3) Clone mwSimpleSamlAuth to extensions/SimpleSamlAuth.

cd extensions
git clone https://github.com/jornane/mwSimpleSamlAuth.git SimpleSamlAuth -b v0.8
cd SimpleSamlAuth

or, to upgrade an existing checkout:

cd extensions/SimpleSamlAuth
git pull --tags origin tags/v0.8
git checkout tags/v0.8

4) Add configuration to LocalSettings.php and change configuration values:

require_once "$IP/extensions/SimpleSamlAuth/SimpleSamlAuth.php";
// Make sure the session name matches the one used by SimpleSAMLphp (most likely the default, PHPSESSID)
$wgSessionName = "PHPSESSID";
// One of SAML_OPTIONAL, SAML_LOGIN_ONLY, SAML_REQUIRED
$wgSamlRequirement = SAML_OPTIONAL;
// Should users be created if they don't exist in the database yet?
$wgSamlCreateUser = false;

// SAML attributes
$wgSamlUsernameAttr = 'uid';
$wgSamlRealnameAttr = 'cn';
$wgSamlMailAttr = 'mail';

// SimpleSamlPhp settings
$wgSamlSspRoot = '/usr/share/simplesamlphp';
$wgSamlAuthSource = 'default-sp';
$wgSamlPostLogoutRedirect = NULL;

// Array: [MediaWiki group][SAML attribute name][SAML expected value]
// If the SAML assertion matches, the user is added to the MediaWiki group
$wgSamlGroupMap = array(
	'sysop' => array(
		'groups' => array('admin'),
	),
);

Stability

This extension runs without problems in production environments, but could use some extra testing. For that reason it is still marked as beta. A stable version will be released as 1.0 ASAP.

If you encounter any problems, you are welcome to submit a bug report.

Important

If you run MediaWiki 1.27 or newer, SimpleSAMLphp MUST be configured to use an alternative session handler. If this is not done, SAML authentication succeeds, but MediaWiki still shows that nobody is logged in. Please refer to the SimpleSAMLphp website for how to configure its session storage.
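
The store.type note in the installation steps and the session-handler requirement above can be checked before the extension is enabled. The shell functions below are an added example, not part of the extension or its README; they read a SimpleSAMLphp config.php and fail when store.type is phpsession. They assume the usual 'store.type' => '...' array syntax and treat an unset key as falling back to phpsession; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of SimpleSAMLphp's session store before
# enabling SimpleSamlAuth. Pass the path to SimpleSAMLphp's config.php.

# Print the active 'store.type' value. Commented-out lines (//, #, and the
# lines of a /* ... */ docblock) are dropped first so examples in comments
# are not mistaken for the live setting; the last assignment wins.
ssp_store_type() {
    grep -Ev '^[[:space:]]*(//|#|\*|/\*)' "$1" |
        sed -n "s/.*['\"]store\.type['\"][[:space:]]*=>[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" |
        tail -n 1
}

# Return 0 if the store is usable with MediaWiki, 1 if not, 2 if unreadable.
check_ssp_store() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf" >&2; return 2; }
    store=$(ssp_store_type "$conf")
    case "$store" in
        "")
            # Assumption: an unset store.type falls back to phpsession.
            echo "FAIL: store.type is not set in $conf" >&2; return 1 ;;
        phpsession)
            echo "FAIL: store.type is phpsession; pick another store" >&2; return 1 ;;
        *)
            echo "OK: store.type is $store"; return 0 ;;
    esac
}

# Constructed sample config (not from a real deployment): the failing case.
demo=$(mktemp)
cat > "$demo" <<'EOF'
<?php
$config = array(
    /*
     * Possible values include 'phpsession' and 'sql'.
     */
    // 'store.type' => 'sql',
    'store.type' => 'phpsession',
);
EOF
check_ssp_store "$demo" || echo "Fix store.type before enabling SimpleSamlAuth."
rm -f "$demo"
```

In a standard layout the file to check is config/config.php under the directory set in $wgSamlSspRoot.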

See also