Extension talk:SimpleSAMLphp


About this board

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

Loic.tessier (talkcontribs)

Hello,

I am trying to configure SSO with simpleSAML and PluggableAuth using the simplesamlphp library. This one works standalone: I can log in through SSO and the library shows me all the attributes! Good!

When I want to log in to MediaWiki, I am redirected to the SSO page, enter my credentials, and am redirected to 10.xxx.xx.xx//index.php/Sp%C3%A9cial:PluggableAuthLogin

Note: the double slash // before index.php.


MediaWiki is behind a proxy and simplesamlphp is on the same machine but on a different cluster.

And then, if I manually change to the right URL, login is OK!


MediaWiki version: 1.33


LocalSettings.php:

$wgSimpleSAMLphp_InstallDir = '/appli/saml/apache_2.4/htdocs/saml/simplesamlphp/';
$wgSimpleSAMLphp_AuthSourceId = 'default-sp';
$wgSimpleSAMLphp_RealNameAttribute = "websso_cn";
$wgSimpleSAMLphp_EmailAttribute = "websso_mail";
$wgSimpleSAMLphp_UsernameAttribute = "websso_groupid";
//$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_Class = "SimpleSAMLphp";
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgMainCacheType = CACHE_DB;


My questions:

Is MediaWiki able to have its own ACS URL?

Must the redirect path be sent to the IdP?


Thanks in advance

Loic.tessier (talkcontribs)

After a few days and some long nights, I finally found a solution.


In my case, after login and without any special config, the redirect was to https://domain/saml/modufle.php/saml/sp/saml2-cas.php


I modified the file <mediawikiRootPath>/extensions/SimpleSAMLphp/include/SimpleSAMLphp.php with the following code:

Line 109:


- $saml->requireAuth();

+ $saml->requireAuth( array(

'ReturnTo' => $GLOBALS['wgServer'] . $ GLOBAS['wgScriptPath']

));
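Review bot: the `+` line `'ReturnTo' => $GLOBALS['wgServer'] . $ GLOBAS['wgScriptPath']` has a typo in the second global (`$ GLOBAS` should be `$GLOBALS`), so the patch as posted does not parse and anyone applying it must correct that first. Both values are server-side configuration rather than request input, so the ReturnTo target stays on the wiki's own origin; that is the property to keep if this is later extended to return the user to the page they originally requested. Also note that this edits the extension's own `includes/SimpleSAMLphp.php`, so the change will be lost on the next extension update unless it is re-applied.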


And then the redirect goes directly to my wiki.


If this answer can help anyone...

Reply to "Redirect after login failed"

Configuration of SimpleSAMLphp, Pluggable Auth and Extension SimpleSAMLphp

Summary by CCicalese (WMF)

configuration error

80.78.5.111 (talkcontribs)

Hello !

I have a problem with my MediaWiki. I am trying to configure SSO with SimpleSAMLphp and PluggableAuth, but I get this error message:

"Warning: require_once(/wiki/extensions/SimpleSAMLphp/lib/_autoload.php): failed to open stream: No such file or directory in /var/www/html/extensions/SimpleSAMLphp/includes/SimpleSAMLphp.php on line 204

Fatal error: require_once(): Failed opening required '/wiki/extensions/SimpleSAMLphp/lib/_autoload.php' (include_path='/var/www/html/vendor/pear/console_getopt:/var/www/html/vendor/pear/mail:/var/www/html/vendor/pear/mail_mime:/var/www/html/vendor/pear/net_smtp:/var/www/html/vendor/pear/net_socket:/var/www/html/vendor/pear/pear-core-minimal/src:/var/www/html/vendor/pear/pear_exception:.:/usr/local/lib/php') in /var/www/html/extensions/SimpleSAMLphp/includes/SimpleSAMLphp.php on line 204"


I run on Linux.

My MediaWiki version is 1.33, the extensions too, and the SimpleSAMLphp version is 1.17.


Here is my LocalSettings.php:

#Other Extensions
wfLoadExtension( 'SimpleSAMLphp' );
wfLoadExtension( 'PluggableAuth' );
#
#Configuration of SimpleSAML
$wgSimpleSAMLphp_InstallDir = '/wiki/extensions/SimpleSAMLphp/';
$wgSimpleSAMLphp_AuthSourceId = 'default-sp';
$wgSimpleSAMLphp_RealNameAttribute = "givenName";
$wgSimpleSAMLphp_EmailAttribute = "mail";
$wgSimpleSAMLphp_UsernameAttribute = "uid";
#
#Configuration of PluggableAuth
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_ButtonLabelMessage = "Log In";
$wgPluggableAuth_ButtonLabel = "Log In";
$wgPluggableAuth_Class = "SimpleSAMLphp";
#


And here is the configuration of SimpleSAMLphp.php (I want to say that I changed nothing in here):

private static function getSAMLClient() {
    // Make MW core `SpecialPageFatalTest` pass
    if ( defined( 'MW_PHPUNIT_TEST' ) ) {
        return new MediaWiki\Extension\SimpleSAMLphp\Tests\Dummy\SimpleSAML\Auth\Simple();
    }
    require_once rtrim( $GLOBALS['wgSimpleSAMLphp_InstallDir'], '/' )
        . '/lib/_autoload.php';
    $class = 'SimpleSAML_Auth_Simple';
    if ( class_exists( 'SimpleSAML\Auth\Simple' ) ) {
        $class = 'SimpleSAML\\Auth\\Simple';
    }
    return new $class( $GLOBALS['wgSimpleSAMLphp_AuthSourceId'] );
}


I don't want to press, but it is an urgent problem that I must solve quickly...


Thanks a lot for your help !

Have a nice day !

Cindy.cicalese (talkcontribs)

Did you install and configure the SimpleSAMLphp PHP library (https://simplesamlphp.org/)? If so, in which directory did you install it? I see you have


$wgSimpleSAMLphp_InstallDir = '/wiki/extensions/SimpleSAMLphp/';


That should point to the directory where the SimpleSAMLphp PHP library is installed, not where the SimpleSAMLphp MediaWiki extension is installed.

I'm sorry for the confusion in the naming. If I were to go back and do it all again, I would have named the extension something different than the library.

80.78.5.106 (talkcontribs)

The SimpleSAMLphp PHP library is installed in the extensions/SimpleSAMLphp directory. I don't know where I must put it... Sorry if it's wrong... I'm just beginning with MediaWiki and everything around it... And I must configure SSO between WSO2 and the wiki...

I managed to make it work; the beginning was wrong, it was supposed to be /html/extensions... and not /wiki/extensions

But now I have this error:

The configuration (config/authsources.php) is invalid: syntax error, unexpected entityID(T_CONSTANT_ENCAPSED_STRING), expecting ']'

And in the file, I have this :

// The entity ID of this SP.
// Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
'entityID' => null,


Thanks again for your help and sorry too...

Cindy.cicalese (talkcontribs)

Could you be missing a comma at the end of the line before the comments?

193.57.121.254 (talkcontribs)

I changed nothing in this file, that's why I don't understand; all the "]" that are needed are there, and the "," too...

Cindy.cicalese (talkcontribs)
80.78.5.104 (talkcontribs)

Yes, I've configured and tested it. I copy/pasted the original configuration and it is working now... I must have deleted a "]" inadvertently...

Sorry again and thank you for your help ! ^^

Multiple Wikis to authenticate through a common SP

Summary by Cindy.cicalese

Used memcache

S0ring (talkcontribs)

Would it be possible to authenticate multiple wikis (like a WikiFamily) through the same SP?

I made an attempt with 2 wikis (v.1.31) installed in separate Docker containers; on the first one I succeed in authenticating, on the second it fails right away with the error:

[dd62f8c9d21437953ac9a89f] /wikifamily-en/index.php/Special:PluggableAuthLogin InvalidArgumentException from line 203 of /var/www/html/includes/session/SessionManager.php: Invalid session ID
MarkAHershberger (talkcontribs)

The problem you're seeing looks like it is because you are using PHP session management. Try setting up Memcached or DB-based session management.

MarkAHershberger (talkcontribs)
Cindy.cicalese (talkcontribs)

It is definitely possible to authenticate multiple wikis through the same SP.

Summary by Cindy.cicalese

Extension:SimpleSamlAuth is a different extension from Extension:SimpleSAMLphp. You cannot use the configuration settings for the latter to configure the former.

Revansx (talkcontribs)

I'm using Ext:SimpleSAMLphp to automatically log users in to an enterprise wiki. This part is configured and works well. The next step is to have specific users automatically added to the "sysop" group when they meet certain criteria in the SAML response.

By using the simpleSAMLphp diagnostic page I can confirm that my SSO is indeed providing an attribute in the SAML response that contains the "groups" that each user belongs to (per the enterprise AD/LDAP). The attribute is called "isMemberOf" and the SAML response is in the form:

"isMemberOf": [
    "cn=Active Staff, ou=Company, ou=groups, dc=acme,dc=com",
    "cn=Application Owner,ou=XYZ,ou=Groups,dc=acme,dc=com",
    "cn=Thing Maintainer,ou=XYZ,ou=Groups,dc=acme,dc=com",
    "cn=Resourse1,ou=ABC,ou=Groups,dc=acme,dc=com",
    "cn=Mailing-List-978,ou=LMN,ou=Groups,dc=acme,dc=com",
    "cn=Operator, ou=SAP Portal, ou=ABC,ou=Groups, dc=acme,dc=com"
]

While wordy, this meets the description of the "groups" info being encoded as a comma-separated list of strings in the form: "Group1", "Group2", "Group3", etc., and so if I want to automatically assign a user to the 'Sysop' group based on their being the "Application Owner" of the XYZ System, as evidenced by the SAML group "cn=Application Owner,ou=XYZ,ou=Groups,dc=acme,dc=com", my understanding is that all I have to do is add the following line in my LocalSettings:

$wgSimpleSAMLphp_GroupMap = ['sysop' => ['isMemberOf' => ['cn=Application Owner,ou=XYZ,ou=Groups,dc=acme,dc=com']]];

However, this does not work and I don't understand why or how to debug it.

Could it be a problem that each group string contains commas as well? Please help.

  • MW:1.31.1
  • simplesamlphp (1.16.1)
  • Ext:SimpleSamlAuth: GIT-master (25f17ce) 10:39, 24 July 2018
Lvlaccscott (talkcontribs)

I am using SimpleSAMLphp with our ADFS server and while everything is working well, the one thing I can't figure out how to adjust is the session timeout. If my users don't load a page once an hour (approx.) their session expires and they are logged out. No error messages are displayed (unless you are trying to submit a page edit); you are just suddenly logged out. The MediaWiki session cookie is valid for a whole month so I doubt that is it, and I've tried adjusting PHP session variables but nothing seems to affect this timeout. Is there any way to control this and if so where is it configured?

Cindy.cicalese (talkcontribs)

This would depend upon what type of session storage you are using for the SimpleSAMLphp library. As noted at Extension:SimpleSAMLphp#Known_Bugs, the extension does not work well if PHP sessions are used for the library, as there is a conflict with MediaWiki session storage. The symptoms of that issue are not the same as what you are describing, but perhaps there is an issue with the configuration of the method you are using.


Mapping from SAML attributes to MediaWiki groups

S0ring (talkcontribs)

With MW 1.31 and SimpleSAMLphp v.4.5 I attempted to assign the users with businessCategory B, N or Z to the existing user group 'staffer':


$wgSimpleSAMLphp_GroupMap = [
    ['staffer' => ['businessCategory' => ['B','N','Z']]]
];


The IdP sends the attributes correctly, but it doesn't work: the users won't be assigned to it.

How is it possible to debug this issue?

S0ring (talkcontribs)

After I removed the first array (my first attempt was to add more mappings)

$wgSimpleSAMLphp_GroupMap = ['staffer' => ['businessCategory' => ['B','N','Z']]];

then the following error occurred:

[271a2066e23f4ae672c61c69] /zeus/index.php/Spezial:PluggableAuthLogin UnexpectedValueException from line 169 of /var/www/html/includes/user/UserGroupMembership.php: UserGroupMembership::insert() needs a positive user ID. Did you forget to add your User object to the database before calling addGroup()?

Backtrace:
#0 /var/www/html/includes/user/User.php(3669): UserGroupMembership->insert(boolean)
#1 /var/www/html/extensions/SimpleSAMLphp/src/AttributeProcessor/MapGroups.php(34): User->addGroup(string)
#2 /var/www/html/extensions/SimpleSAMLphp/includes/SimpleSAMLphp.php(226): MediaWiki\Extension\SimpleSAMLphp\AttributeProcessor\MapGroups->run()
#3 /var/www/html/includes/Hooks.php(177): SimpleSAMLphp::populateGroups(User)
#4 /var/www/html/includes/Hooks.php(205): Hooks::callHook(string, array, array, NULL)
#5 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(41): Hooks::run(string, array)
#6 /var/www/html/includes/specialpage/SpecialPage.php(522): PluggableAuthLogin->execute(NULL)
#7 /var/www/html/includes/specialpage/SpecialPageFactory.php(568): SpecialPage->run(NULL)
#8 /var/www/html/includes/MediaWiki.php(288): SpecialPageFactory::executePath(Title, RequestContext)
#9 /var/www/html/includes/MediaWiki.php(861): MediaWiki->performRequest()
#10 /var/www/html/includes/MediaWiki.php(524): MediaWiki->main()
#11 /var/www/html/index.php(42): MediaWiki->run()
#12 {main}


This is an attempt to create a new user and assign it to an existing user group. What went wrong?

S0ring (talkcontribs)

For comparison, I performed a similar test with the extension SimpleSamlAuth and it worked:

$wgSamlGroupMap = ['staffer' => ['businessCategory' => ['B','N','Z']]];

The first attempt failed with the following error:

User "test01" does not exist and "$wgSamlCreateUser" flag is false.

Of course, after I enabled this flag, the user was successfully created and assigned to the user group 'staffer'.


Going back to the extension SimpleSAMLphp, it seems the previous error occurred because the new user couldn't be added to the database. Does the extension have a flag like $wgSamlCreateUser?

Cindy.cicalese (talkcontribs)

@Osnard, do you have any thoughts on this?

S0ring (talkcontribs)

Could you take a look at this issue, please?

Osnard (talkcontribs)

SimpleSAMLphp does not have a flag like $wgSamlCreateUser. The "PluggableAuth" base extension will create the user automatically if it does not exist. The only requirement is that the user group * has at least the autocreateaccount permission.

When the AttributeProcessors of "SimpleSAMLphp" are being executed the user should already exist.

Regarding the group mapping: I have added a Unit test for your configuration, and everything seems to be okay: https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/SimpleSAMLphp/+/520687/

In which way does your IdP return the groups? As "multivalue" or as "singlevalue" with a delimiter? Maybe you need to set $SimpleSAMLphp_GroupAttributeDelimiter?
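To make the whole-value matching behind both group-mapping threads above concrete (the isMemberOf DN case and the businessCategory case), here is an added example in plain PHP; it is not the extension's own code, and resolveGroups and the sample attributes are illustrative assumptions, not the extension's API.

```php
<?php
// Added illustration, not code from the SimpleSAMLphp extension: a minimal
// re-implementation of the idea behind $wgSimpleSAMLphp_GroupMap, used here
// to show why DN-style values such as isMemberOf only match as whole strings.

/**
 * Return the MediaWiki groups a user qualifies for (hypothetical helper).
 *
 * @param array       $groupMap   [ 'mwGroup' => [ 'samlAttr' => [ 'v1', 'v2' ] ] ]
 * @param array       $attributes SAML attributes, each a list of string values
 * @param string|null $delimiter  if set, every value is additionally split on it,
 *                                the way a delimiter option serves IdPs that send
 *                                one joined string instead of a multi-valued attribute
 */
function resolveGroups( array $groupMap, array $attributes, ?string $delimiter = null ): array {
    $granted = [];
    foreach ( $groupMap as $mwGroup => $rules ) {
        foreach ( $rules as $attrName => $wantedValues ) {
            $values = $attributes[$attrName] ?? [];
            if ( $delimiter !== null ) {
                $parts = [];
                foreach ( $values as $value ) {
                    foreach ( explode( $delimiter, $value ) as $part ) {
                        $parts[] = trim( $part );
                    }
                }
                $values = $parts;
            }
            // Exact, case-sensitive comparison of whole values: the DN must appear
            // verbatim, including the IdP's spacing around commas.
            if ( array_intersect( $wantedValues, $values ) !== [] ) {
                $granted[] = $mwGroup;
                continue 2; // one matching rule is enough for this group
            }
        }
    }
    return $granted;
}

// Constructed sample attributes, modelled on the isMemberOf values quoted above.
$attributes = [
    'uid'        => [ 'jdoe' ],
    'isMemberOf' => [
        'cn=Active Staff, ou=Company, ou=groups, dc=acme,dc=com',
        'cn=Application Owner,ou=XYZ,ou=Groups,dc=acme,dc=com',
    ],
];
$groupMap = [
    'sysop' => [ 'isMemberOf' => [ 'cn=Application Owner,ou=XYZ,ou=Groups,dc=acme,dc=com' ] ],
];

// Multi-valued attribute: each DN is compared as one string, so the rule matches.
print_r( resolveGroups( $groupMap, $attributes ) );

// With "," as delimiter the DN is shredded into "cn=Application Owner", "ou=XYZ", ...
// and the whole-DN rule can no longer match, so a comma delimiter must not be
// used with DN-valued attributes.
print_r( resolveGroups( $groupMap, $attributes, ',' ) );
```

Wrapping the map in an extra outer array, as in the first businessCategory attempt above, shifts the group name one level down, so no rule is keyed by 'staffer' any more and nothing matches.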


SimpleSAMLphp extension version lineup

S0ring (talkcontribs)

The ExtensionDistributor for MW 1.31 points to 4.1 (1e36e1d).

Does it mean that 4.2 and above are compatible with MW 1.32 only? Would 4.5 work with MW 1.31?


Cindy.cicalese (talkcontribs)

I believe that version 4.5 should work with MW 1.31 and above.

S0ring (talkcontribs)

Yes, it works fine without error.


State information lost when logging in to our Azure AD

Sethu S P (talkcontribs)

I am using the SimpleSAML php extension for authenticating to my Azure AD. When I am browsing my wiki application, I am getting the below error. But when I try connecting to my application in an incognito or private window it works perfectly fine. I guess the issue is with cache or something which needs to be cleared, but I cannot ask all the users in our organization to do the same. Am I missing something in configuring the session that would store the session correctly? Please find the installed software and error message below. Thanks in advance.

Product Version
MediaWiki 1.26.4
PHP 5.6.14 (cgi-fcgi)
MySQL 5.6.25-log

State information lost

State information lost, and no way to restart the request

Suggestions for resolving this problem:

  • Go back to the previous page and try again.
  • Close the web browser, and try again.

This error may be caused by:

  • Using the back and forward buttons in the web browser.
  • Opened the web browser with tabs saved from the previous session.
  • Cookies may be disabled in the web browser.

If you report this error, please also report this tracking number which makes it possible to locate your session in the logs available to the system administrator: **********

Debug information

The debug information below may be of interest to the administrator / help desk:

SimpleSAML_Error_NoState: NOSTATE

Backtrace:
2 C:\inetpub\wwwroot\MediaWiki\mediawiki-1.23.5\extensions\SimpleSAMLphp\lib\SimpleSAML\Auth\State.php:225 (SimpleSAML_Auth_State::loadState)
1 C:\inetpub\wwwroot\MediaWiki\mediawiki-1.23.5\extensions\SimpleSAMLphp\modules\saml\www\sp\saml2-acs.php:63 (require)
0 C:\inetpub\wwwroot\MediaWiki\mediawiki-1.23.5\extensions\SimpleSAMLphp\www\module.php:134 (N/A)

How to get help

This error probably is due to some unexpected behaviour or to misconfiguration of simpleSAMLphp. Contact the administrator of this login service, and send them the error message above.

Cindy.cicalese (talkcontribs)
Sethu S P (talkcontribs)

Hi @Cindy.cicalese

Thanks a lot for the response. We are using MySQL as our application database. Should I make any changes particularly for that, or would it work if I just change the session store type to sql? If so, I am confused about the below. Please help me with this.


'store.sql.dsn' => 'sqlite:/sum/path/where/the/apache/user/can/write/sqlitedatabase.sq3'


Thanks in Advance.


Cindy.cicalese (talkcontribs)

I added a bit more detail on using MySQL on the extension page, but it was grabbed from the docs. I don't have a site set up to test that right now. Give it a try, and if it is incorrect, let me know. If there are any errors in the configuration that you are able to fix, please edit the extension page to fix it or add more detail.
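As an added example (not from the extension page or the posters above), here is the session-store part of a SimpleSAMLphp config/config.php with the default phpsession setting shown beside the SQL and Memcached alternatives, which also covers the shared-SP and session-timeout threads above; the hostnames, database name and credentials are placeholders.

```php
<?php
// Added example of the session-store settings in SimpleSAMLphp's config/config.php.
// Host names, database name and credentials are placeholders, not values from the page.
$config = [
    // Default. It shares PHP's session with MediaWiki, which conflicts with
    // MediaWiki's own session handling (see Extension:SimpleSAMLphp#Known_Bugs).
    // 'store.type' => 'phpsession',

    // Option 1: a PDO/MySQL store instead of the sqlite DSN from the template.
    // Use a database of its own, reachable by the web server user only.
    'store.type'         => 'sql',
    'store.sql.dsn'      => 'mysql:host=db.example.internal;dbname=simplesamlphp', // placeholder
    'store.sql.username' => 'ssp_user',  // placeholder; grant rights on this database only
    'store.sql.password' => 'CHANGE_ME', // placeholder; keep this file out of version control
    'store.sql.prefix'   => 'SimpleSAMLphp',

    // Option 2: Memcached, which several wikis behind one SP can share.
    // 'store.type'             => 'memcache',
    // 'memcache_store.servers' => [ [ [ 'hostname' => 'memcache.example.internal' ] ] ], // placeholder

    // Lifetimes of the SimpleSAMLphp session itself, independent of MediaWiki's
    // cookie lifetime; values shown are the config template defaults.
    'session.duration'          => 8 * 60 * 60, // how long an SSP session stays valid
    'session.datastore.timeout' => 4 * 60 * 60, // how long session data stays in the store
    'session.state.timeout'     => 60 * 60,     // how long a login in progress may take
];
```

When the store is switched, the SP's state for the "State information lost" and "Invalid session ID" symptoms above lives in the database or Memcached rather than in a PHP session, so every wiki behind the SP must see the same store.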

Sethu S P (talkcontribs)

Hi @Cindy.cicalese

Thanks for the info. I will give it a try and let you know how it turns out.


PHP Warning: count(): Parameter must be an array or an object that implements Countable

134.34.200.62 (talkcontribs)

The PluggableAuth for MW 1.31 (v.5.4) reports the following warning:

PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php on line 74

It doesn't harm the functionality but could it be fixed?


Our Web Analytics application is receiving referrer website origin of my SAML server.

199.65.1.32 (talkcontribs)

Is there a way to fix that in the SimpleSAMLphp configuration? I have noticed that HTTP referrers are erased by the SAML redirection, and this messes up the web analytics reports.

Legaulph (talk) 14:51, 24 January 2019 (UTC)

Cindy.cicalese (talkcontribs)

I'm not sure. @Osnard, do you know?

Osnard (talkcontribs)