Extension talk:SimpleSAMLphp

About this board

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions from the Special:Version page on your wiki as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.


Where is the SP and IdP Metadata config?

WikiManBanx (talkcontribs)

Hello,

In examples I have seen to get this up and running, there is mention of authSourceId as default-sp (inside of $wgPluggableAuth_Config). Where is default-sp configured? There is also mention of a config.php file but I cannot find this in the installation folder for the simplesamlphp extension. Specifically, I am missing how to setup the SP metadata and also, ingest the IdP metadata into mediawiki for SAML authentication. Any help will be greatly appreciated, thank you.

This is where I am so far

wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = true; //false
$wgPluggableAuth_EnableLocalProperties = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;

# adding SimpleSAMLphp extension
wfLoadExtension( 'SimpleSAMLphp' );

# SimpleSAMLphp install directory. Required.
$wgSimpleSAMLphp_InstallDir = '/extensions/SimpleSAMLphp/src';

$wgPluggableAuth_Config['Log in using Banks SAML'] = [
    'plugin' => 'SimpleSAMLphp',
    'data'   => [
        'authSourceId'      => 'default-sp',
        'usernameAttribute' => '...emailaddress',
        'realNameAttribute' => '...name',
        'emailAttribute'    => '...emailaddress'
    ]
];

@Cindy.cicalese

Really sorry for tagging you Cindy if I am not supposed to. I am doing so because I see you are an author of SimpleSAMLphp and really need help. Thank you.

Note: took out the preceding part of the user attributes because my topic was being warned as having spam links

Cindy.cicalese (talkcontribs)
WikiManBanx (talkcontribs)

That makes sense! Thank you Cindy! Will give that a go and ask any questions I have after, if any.


simplesamlphp 2.1 needs php 8.0

TiloWiki (talkcontribs)
Osnard (talkcontribs)

Thanks for contributing this!


SSP version for MW 1.39.5

Testergt1302 (talkcontribs)

Hi

We are testing MW 1.39.5 with SAML SSO, with SSP 2.0.5, and it is working.

I see warning "You are running an outdated version of SimpleSAMLphp. Please update to the latest version as soon as possible" in the saml page.

This is the current setup we have:

mediawiki: 1.39.5

simplesamlphp 7.0

pluggableauth 7.0

SSP 2.0.5

Can you suggest which is the latest version of SSP supported with MW ?

Thanks

GT

Osnard (talkcontribs)

The latest version of SimpleSAMLphp (application, not extension) is 2.1.1. Even though I have not tested this explicitly, I believe it should be compatible with Extension:SimpleSAMLphp version 7.

If you try it, please consider updating the compatibility section

Testergt1302 (talkcontribs)

Ok. I will test this once my current test is over.

Testergt1302 (talkcontribs)

@Osnard

I tested with SSP 2.1.1, the latest one, with MW 1.39.5. It's working as expected. Not much difference in the configuration.

MW 1.39.5

SSP 2.1.1

pluggableauth 7.0

simplesamlphp (extension) 7.0


on RHEL 7.9

Apache 2.4

php 8.0

mysql 8.0

I have updated the compatibility section also.

Testergt1302 (talkcontribs)

Hi,

I tested SSP 2.1.1 in docker, but that is not working. I think it has a compatibility issue with the MySQL database minor version. There were a couple of errors in the logs related to the database. But I could not spend more time on it to troubleshoot.

So, with MW 1.39.5 & SSP 2.1.1

Working version in RHEL - MySQL 8.0.25 & PHP 8.0

Non-working in docker - MySQL 8.0.32 & PHP 8.1

Osnard (talkcontribs)

Thanks a lot. That information is already very helpful.


Could not load authentication plugin

Luciferindcok (talkcontribs)

mediawiki: 1.39.4

simplesamlphp 7

pluggableauth 7

I am getting the error Could not load authentication plugin

$wgPluggableAuth_Config['Log in using my SAML'] = [
    'plugin' => 'SimpleSAMLphp',
    'data' => [
        'authSourceId' => 'default-sp',
        'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        'realNameAttribute' => ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname','http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'],
        'emailAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    ]
];

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'SimpleSAMLphp' );
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_ButtonLabelMessage = 'Login';
$wgPluggableAuth_Class = 'SimpleSAMLphp';
$wgSimpleSAMLphp_InstallDir = '/var/simplesamlphp/';

installation path is added

storetype is sql

$wgMainCacheType = CACHE_NONE;
$wgMainCacheType = CACHE_DB;

@Osnard

Osnard (talkcontribs)

This looks quite good. I did some reformatting and removed unnecessary configs. Can you try that?

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'SimpleSAMLphp' );

$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgSimpleSAMLphp_InstallDir = '/var/simplesamlphp/';
$wgMainCacheType = CACHE_DB;
$wgPluggableAuth_Config['Log in using my SAML'] = [
    'plugin' => 'SimpleSAMLphp',
    'data' => [
 		'authSourceId' => 'default-sp',
 		'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
 		'realNameAttribute' => ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname','http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'],
 		'emailAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
 	 ]
];
Testergt1302 (talkcontribs)

@Luciferindcok were you able to get it working? I am also getting the same issue.

Thanks.

Osnard (talkcontribs)
Testergt1302 (talkcontribs)

Hi,

I am trying to configure SAML auth for our Wiki 1.39.4 on RHEL7.9.

I have 2 queries here.

1. which version of simplesamlphp library is supported for:

wiki 1.39.4

php 8.0

pluggableauth 7.0

SimpleSAMLphp: 7.0


2. I am just trying with simplesamlphp 2.0.5. While accessing the wiki, it gives the error:

"Could not load authentication plugin"

Not sure where it is failing. Can someone suggest?

--

GT

Osnard (talkcontribs)

"Could not load authentication plugin" most likely means $wgPluggableAuth_Config from Extension:PluggableAuth is not properly set up. Can you please share your config?

Testergt1302 (talkcontribs)

Hi Osnard,

This is the config:

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'SimpleSAMLphp' );

$wgSimpleSAMLphp_InstallDir = '/var/simplesamlphp';
$wgSimpleSAMLphp_AuthSourceId = 'default-sp';

$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_ButtonLabelMessage = 'Login';
$wgPluggableAuth_Class = 'SimpleSAMLphp';

$wgMainCacheType = CACHE_DB;

$wgSimpleSAMLphp_MandatoryUserInfoProviders['myusername'] = [
    'factory' => function() {
        return new \MediaWiki\Extension\SimpleSAMLphp\UserInfoProvider\GenericCallback( function( $attributes ) {
            if ( !isset( $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'] ) ) {
                throw new Exception( 'missing email address' );
            }
            $parts = explode( '@', $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0] );
            return strtolower( $parts[0] );
        } );
    }
];

$wgPluggableAuth_Config['Log in using my SAML'] = [
    'plugin' => 'SimpleSAMLphp',
    'data' => [
        'authSourceId' => 'default-sp',
        'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        'realNameAttribute' => ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname','http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'],
        'emailAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        'userinfoProviders' => [
            'username' => 'myusername'
        ]
    ]
];

Testergt1302 (talkcontribs)

@Osnard Any suggestions on this ? Am I missing something here ?

Testergt1302 (talkcontribs)

Hi,

@Osnard @Cindy.cicalese These are from the logs. Is it something related to session data?

> Authentication.log <

2023-11-20 11:48:34 hostname wiki: Primary login with MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider returned REDIRECT

> PluggableAuth.log <

2023-11-20 11:48:34 hostname wiki: In execute()
2023-11-20 11:48:34 hostname wiki: Getting PluggableAuth instance
2023-11-20 11:48:34 hostname wiki: Plugin name: SimpleSAMLphp

> simplesamlphp.log <

Nov 20 11:48:34 simplesamlphp ERROR [TR72440098] Error loading session: Invalid session ID

> PluggableAuth.log <

2023-11-20 11:48:34 hostname wiki: Invalid authentication plugin class: Invalid session ID

> Authentication.log <

2023-11-20 11:48:35 hostname wiki: Login failed in primary authentication by MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider

Testergt1302 (talkcontribs)

Hi,

This issue has been solved.

If anyone faces a similar issue, refer below.

Modify the variables below in the config.php of simplesamlphp. The default config is to use 'phpsession'. This needs to be changed to use sql/database to store session info.

'store.type'         => 'sql',
'store.sql.dsn'      => 'mysql:host=localhost;port=3306;dbname=mywiki',
'store.sql.username' => 'sqluser',  // SQL DB user name
'store.sql.password' => 'password', // SQL DB user password

received attributes as oid not name

Caslatcmu (talkcontribs)

The simplesaml/module.php/admin/test/default-sp URL shows my attributes with both "name" and "urn:oid..." values.

In the debug log, I see them only with urn:oid... values.

[SimpleSAMLphp] Received attributes: {"urn:oid:2.16.840.1.113730.3.1.241":["First M Last"],"urn:oid:0.9.2342.19200300.10 0.1.3":["email@domain"],"urn:oid:1.3.6.1.4.1.5923.1.1.1.9":["Staff@domain","Member@domain"],"urn:oid:2. 5.4.42":["First"],"urn:oid:1.3.6.1.4.1.5923.1.1.1.6":["user@domain"],"urn:oid:2.5.4.4":["Last"],"urn:oid:2.5.4.3 ":["First M Last"]}

And when I try to use these in $wgPluggableAuth_Config, only the urn:oid values seem to be valid.

I see the /var/simplesamlphp/attributemap/* files seem to have these defined, but they are not being propagated back to the SimpleSAMLphp and PluggableAuth extensions.

I'm not sure what I'm missing.

Osnard (talkcontribs)

So these are the attributes you receive:

{
  "urn:oid:2.16.840.1.113730.3.1.241": [
    "First M Last"
  ],
  "urn:oid:0.9.2342.19200300.10 0.1.3": [
    "email@domain"
  ],
  "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": [
    "Staff@domain",
    "Member@domain"
  ],
  "urn:oid:2. 5.4.42": [
    "First"
  ],
  "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": [
    "user@domain"
  ],
  "urn:oid:2.5.4.4": [
    "Last"
  ],
  "urn:oid:2.5.4.3 ": [
    "First M Last"
  ]
}

ATTENTION: The keys look a little bit odd. E.g. "urn:oid:0.9.2342.19200300.10 0.1.3", "urn:oid:2.5.4.3 " and "urn:oid:2. 5.4.42" contain spaces!

OIDRefs

Your config should look something like this:

$wgPluggableAuth_Config['Log in using my SAML'] = [
	'plugin' => 'SimpleSAMLphp',
	'data' => [
		'authSourceId' => 'default-sp',
		'usernameAttribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', //Actually not used, see "myusername" below
		'realNameAttribute' => 'urn:oid:2.16.840.1.113730.3.1.241',
		'emailAttribute' => 'urn:oid:0.9.2342.19200300.10 0.1.3', //ATTENTION: SPACE!
		'userinfoProviders' => [
			'username' => 'myusername'
		]
	]
];

$wgSimpleSAMLphp_MandatoryUserInfoProviders['myusername'] = [
	'factory' => function() {
		return new \MediaWiki\Extension\SimpleSAMLphp\UserInfoProvider\GenericCallback( function( $attributes ) {
			if ( !isset( $attributes['urn:oid:1.3.6.1.4.1.5923.1.1.1.6'] ) ) {
				throw new Exception( 'No user ID!' );
			}
			$parts = explode( '@', $attributes['urn:oid:1.3.6.1.4.1.5923.1.1.1.6'][0] );
			return strtolower( $parts[0] );
		} );
	}
];

See also Extension:SimpleSAMLphp#Define_custom_user_info_provider.
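Building on the provider above, here is an added example (mine, not code from Extension:SimpleSAMLphp or from Osnard's post) of a username callback that tolerates the stray whitespace in the received OID keys and refuses principal names whose domain is not on an allow-list. The OID and the provider name `myusername` are taken from the post; the allow-list `ALLOWED_DOMAINS`, the function names and the stand-alone branch at the bottom are assumptions made for the illustration.

```php
<?php
// Added example; not part of Extension:SimpleSAMLphp or the post above.
// Derives a wiki username from SAML attributes the way the GenericCallback
// provider on this page does, with two extra checks:
//  - attribute keys are normalised by removing whitespace, so a key that
//    arrives as "urn:oid:2.5.4.3 " is still found under its canonical OID;
//  - only principal names from an allow-listed domain are accepted, since
//    "alice@a.example" and "alice@b.example" would otherwise both become
//    the wiki account "alice".

const EPPN_OID        = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6'; // eduPersonPrincipalName, from the post
const ALLOWED_DOMAINS = [ 'domain' ];                        // assumed; set to your IdP's domain(s)

/**
 * Return a copy of $attributes whose keys have all whitespace removed.
 * Values are left untouched.
 */
function normaliseAttributeKeys( array $attributes ): array {
	$clean = [];
	foreach ( $attributes as $key => $values ) {
		$clean[ preg_replace( '/\s+/', '', (string)$key ) ] = $values;
	}
	return $clean;
}

/**
 * Derive the wiki username: the local part of the principal name, lower-cased.
 * Throws on a missing attribute, a malformed address or a foreign domain, so
 * PluggableAuth rejects the login instead of mapping it to a guessed account.
 */
function deriveWikiUsername( array $attributes, array $allowedDomains ): string {
	$attributes = normaliseAttributeKeys( $attributes );
	if ( empty( $attributes[EPPN_OID][0] ) ) {
		throw new Exception( 'No user ID!' );
	}
	$principal = trim( $attributes[EPPN_OID][0] );
	if ( substr_count( $principal, '@' ) !== 1 ) {
		throw new Exception( 'Principal name is not user@domain: ' . $principal );
	}
	[ $local, $domain ] = explode( '@', $principal );
	if ( $local === '' || !in_array( strtolower( $domain ), $allowedDomains, true ) ) {
		throw new Exception( 'Principal domain not allowed: ' . $domain );
	}
	return strtolower( $local );
}

if ( defined( 'MEDIAWIKI' ) ) {
	// Wiring for LocalSettings.php; 'myusername' matches the
	// 'userinfoProviders' mapping shown in the post.
	$wgSimpleSAMLphp_MandatoryUserInfoProviders['myusername'] = [
		'factory' => function () {
			return new \MediaWiki\Extension\SimpleSAMLphp\UserInfoProvider\GenericCallback(
				function ( $attributes ) {
					return deriveWikiUsername( $attributes, ALLOWED_DOMAINS );
				}
			);
		}
	];
} else {
	// Stand-alone check (php this-file.php) with constructed attributes whose
	// key carries a trailing space like the ones quoted in the post.
	$received = [ 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6 ' => [ 'User@domain' ] ];
	echo deriveWikiUsername( $received, ALLOWED_DOMAINS ), "\n";
	try {
		deriveWikiUsername( [ EPPN_OID => [ 'user@other.example' ] ], ALLOWED_DOMAINS );
	} catch ( Exception $e ) {
		echo 'rejected: ', $e->getMessage(), "\n";
	}
}
```

Run it with `php` outside MediaWiki to see the constructed attributes accepted and the foreign domain rejected; inside LocalSettings.php only the wiring branch is active. Without the domain check, two principals that share a local part would land on the same wiki account, so that check is what keeps the local-part-as-username scheme from colliding once more than one IdP domain is involved.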


Setting secure cookie on plain HTTP is not allowed

S0ring (talkcontribs)

If I attempt to set the secure flag to prevent cookies being sent over a plain text connection in SimpleSAMLphp

'session.cookie.secure' => true,

then the error occurs:

[a66d809e0f1359fa7d2bcefc] /index.php/Spezial:PluggableAuthLogin SimpleSAML\Error\CriticalConfigurationError from line 306 of /var/simplesamlphp/lib/SimpleSAML/Session.php: The configuration is invalid: Setting secure cookie on plain HTTP is not allowed.


Backtrace:

#0 /var/simplesamlphp/lib/SimpleSAML/Auth/Simple.php(53): SimpleSAML\Session::getSessionFromRequest()

#1 /var/www/html/extensions/SimpleSAMLphp/includes/SimpleSAMLphp.php(208): SimpleSAML\Auth\Simple->__construct(string)

#2 /var/www/html/extensions/SimpleSAMLphp/includes/SimpleSAMLphp.php(104): SimpleSAMLphp::getSAMLClient()

#3 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(36): SimpleSAMLphp->authenticate(NULL, NULL, NULL, NULL, NULL)

#4 /var/www/html/includes/specialpage/SpecialPage.php(600): PluggableAuthLogin->execute(NULL)

#5 /var/www/html/includes/specialpage/SpecialPageFactory.php(635): SpecialPage->run(NULL)

#6 /var/www/html/includes/MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)

#7 /var/www/html/includes/MediaWiki.php(940): MediaWiki->performRequest()

#8 /var/www/html/includes/MediaWiki.php(543): MediaWiki->main()

#9 /var/www/html/index.php(53): MediaWiki->run()

#10 /var/www/html/index.php(46): wfIndexMain()

#11 {main}

Cindy.cicalese (talkcontribs)

That is an error from the simplesamlphp library. It is correct: session.cookie.secure requires HTTPS.

Compatibility with SSP 2.0?

S0ring (talkcontribs)

The following internal error occurs

Warning: require(/var/simplesamlphp/vendor/composer/../../tests/_autoload_modules.php): Failed to open stream: No such file or directory in /var/simplesamlphp/vendor/composer/autoload_real.php on line 71

with the current MW software and SSP 2.0.2

Product: MediaWiki 1.39.2

Extension      Version                                 License  Description                                                                     Authors
PluggableAuth  6.3 (e7de886) 07:09, 17 January 2023    MIT      Provides framework for pluggable authentication and authorization               Cindy Cicalese
SimpleSAMLphp  5.0.1 (f918b19) 07:43, 8 December 2022  MIT      Provides authentication using SimpleSAMLphp in conjunction with PluggableAuth    Cindy Cicalese and Robert Vogel


[c33ba6ef8bb34c22ebbb2df9] /gamelab/index.php/Special:PluggableAuthLogin Error: Failed opening required '/var/simplesamlphp/vendor/composer/../../tests/_autoload_modules.php' (include_path='/var/www/html/vendor/pear/console_getopt:/var/www/html/vendor/pear/mail:/var/www/html/vendor/pear/mail_mime:/var/www/html/vendor/pear/net_smtp:/var/www/html/vendor/pear/net_socket:/var/www/html/vendor/pear/net_url2:/var/www/html/vendor/pear/pear-core-minimal/src:/var/www/html/vendor/pear/pear_exception:.:/usr/local/lib/php')

Backtrace:

from /var/simplesamlphp/vendor/composer/autoload_real.php(71)

#0 /var/simplesamlphp/vendor/composer/autoload_real.php(61): composerRequire03590d0c044a5d25ee9291b3dc5654e6(string, string)

#1 /var/simplesamlphp/vendor/autoload.php(7): ComposerAutoloaderInit03590d0c044a5d25ee9291b3dc5654e6::getLoader()

#2 /var/simplesamlphp/src/_autoload.php(14): require_once(string)

#3 /var/www/html/extensions/SimpleSAMLphp/src/SimpleSAMLphpSAMLClient.php(5): require_once(string)

#4 /var/www/html/includes/AutoLoader.php(244): require(string)

#5 /var/www/html/extensions/SimpleSAMLphp/src/Factory/SAMLClientFactory.php(25): AutoLoader::autoload(string)

#6 /var/www/html/extensions/SimpleSAMLphp/src/SimpleSAMLphp.php(91): MediaWiki\Extension\SimpleSAMLphp\Factory\SAMLClientFactory->getInstance(MediaWiki\Extension\SimpleSAMLphp\SimpleSAMLphp)

#7 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthFactory.php(175): MediaWiki\Extension\SimpleSAMLphp\SimpleSAMLphp->init(string, array)

#8 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(90): MediaWiki\Extension\PluggableAuth\PluggableAuthFactory->getInstance()

#9 /var/www/html/includes/specialpage/SpecialPage.php(701): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute(NULL)

#10 /var/www/html/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run(NULL)

#11 /var/www/html/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, RequestContext)

#12 /var/www/html/includes/MediaWiki.php(904): MediaWiki->performRequest()

#13 /var/www/html/includes/MediaWiki.php(562): MediaWiki->main()

#14 /var/www/html/index.php(50): MediaWiki->run()

#15 /var/www/html/index.php(46): wfIndexMain()

#16 {main}


Is the extension compatible with SSP 2.0?

Osnard (talkcontribs)

Hi!

Yes, it should be. I have successfully tested it with SimpleSAMLphp version 2.0.2.

The error you are reporting looks more like an issue within the SimpleSAMLphp ServiceProvider application itself.

Have you been able to perform a test login using the <service-provider-baseurl>/module.php/admin/test page?

How did you set up the Service provider? Using a tarball or a git clone? If you cloned from git, have you run composer install on the directory?

Have you followed https://simplesamlphp.org/docs/stable/simplesamlphp-install.html ?

TiloWiki (talkcontribs)

Failed to authenticate user after redirect

UlfrTheRed (talkcontribs)

Mediawiki: 1.39.1
Pluggable Auth: 6.2
SimpleSAMLphp: 5.0.1
Local SimpleSAMLphp: 2.0.3
PHP: 8.2

I'm hoping someone can shed some light on an odd problem I'm having with SAML and pluggable auth. If a user is completely logged out of the mediawiki instance and attempts to log in with SAML to an Okta IdP, I get Fatal error authenticating user.

However, if I try and log in again, I'm in without issue. It doesn't reach out to the external server and proceeds without a hitch.

If I go to Special:UserLogout and then attempt to log in, the behavior repeats.

I've dug into the logs and found almost identical GET requests, one is same-origin that works and has this mentioned in the log:

[PluggableAuth] In execute()

[PluggableAuth] Getting PluggableAuth instance

[PluggableAuth] Plugin name: SimpleSAMLphp

[PluggableAuth] Instance already exists


The other fails, is a cross-site request and has this message:

[PluggableAuth] Getting PluggableAuth instance

[PluggableAuth] Could not get authentication plugin instance.


I've tried authorizing XSS in my vhost configuration, and I know for a fact nothing is being denied by a firewall. Is there something I need to change in my configuration?

$wgPluggableAuth_Config['Log in using my SAML'] = [
    'plugin' => 'SimpleSAMLphp',
    'data' => [
        'authSourceId' => 'default-sp',
        'usernameAttribute' => 'NameID',
        'realNameAttribute' => 'NameID',
        'emailAttribute' => 'NameID',
    ]
];

$wgSimpleSAMLphp_InstallDir = "/var/simplesamlphp";

I've added the remote IDP to the trusted.url.domains value in the config.php file for simpleSAMLphp

The GET requests are identical barring the one that works says:

SEC-FETCH-SITE: same-origin

The one that doesn't says:

SEC-FETCH-SITE: cross-site with a referrer of my IdP

Note: Technical limitations on the part of my IdP require me to keep a list of authenticated users, and getting them to add NameID (which is the account's email address) as an attribute was painful enough. I have autocreateaccount and createaccount set to false. I know this isn't considered the typical use case.

Osnard (talkcontribs)

I am not quite sure if I fully understand your setup and issue. But I guess this is some session issue.

[PluggableAuth] Could not get authentication plugin instance.

indicates that the user session was not properly loaded on the side of MediaWiki. This can either be due to missing cookies, or cookies are not accepted by MediaWiki.

Have a look at Manual:Hooks/RequestHasSameOriginSecurity, maybe it can be used to "whitelist" your "cross-site" request.

UlfrTheRed (talkcontribs)

Thank you so much for your reply and I'm sorry I need to be vague, I'm working with a company that's got a slight lawyer infestation and I need to be super careful to avoid mentioning anything identifiable. Was mostly just trying to justify the silly values I had to punch into the username and realname attributes.

I am attempting to authenticate against an Okta SSO provider located over the web. When I click login the first time, I get Fatal error authenticating user and the Could not get authentication plugin instance. I then return to the homepage, attempt to login again, and it goes through without reaching out to the Okta environment. The cookie is being saved to my browser.

The part that's boggling my mind is, when I DO succeed, there's an existing session.

I've set $wgCrossSiteAJAXDomains to allow the Okta environment I'm checking against, and set $wgCookieSameSite = "None" Are there any other values in mediawiki that might be relevant in this situation? Do I need to add a pause or something?

Baldrom (talkcontribs)

Hello guys,

UlfrTheRed bro I need you. Like you, I am stuck with a fatal authentication error when I try to set up the SSO. I don't use Okta but simplesamlphp as SP. However, I have the same behaviour as you: on the first login attempt I get the auth error, and if I try again I end up logged on to my mediawiki instance. I am also doing this for my company in a production environment, and have been stuck with this problem for about 2 weeks now. Would you have a solution or any tips to give me? This is the first time I've tried to set up SSO, but mediawiki clearly doesn't make it easy with conflicting versions of extensions and configurations that change from one version to another etc. Thank you very much in advance for any help or answers.

UlfrTheRed (talkcontribs)

@Osnard

I think I found a very important clue! I didn't look hard enough at the cookies themselves.

The cross-site cookie that I am issued has two values: SimpleSAMLSessionID and SimpleSAMLAuthToken

The local login that succeeds has several more values: SimpleSAMLSessionID, SimpleSAMLAuthToken, wikiUserName, SimpleSAML, and wiki_session.

I am very very new to the astonishingly frightening world of SSO. Did I goof in my configuration? Or is my provider giving me a bum steer.

Also, thank you very much for your feedback and time, I very much appreciate it!

Osnard (talkcontribs)

That explains the issue at least. Without the wiki_session cookie, the wiki does not recognize the request as part of an authentication flow.

I believe this may be due to security policies. At some point, the browser does not allow sending that cookie to a certain context.

In general I don't believe the "cross-site" aspect in your setup is reasonable. I can not tell what, but something is wrong in that flow in general. This is probably not connected to MediaWiki, PluggableAuth or SimpleSAMLphp. And I somehow doubt that it can be solved there.
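The following added example (mine, not code from MediaWiki, PluggableAuth or SimpleSAMLphp) models the two browser rules that decide whether a session cookie reaches the wiki at all: the Secure attribute, which is what `session.cookie.secure` in the "Setting secure cookie on plain HTTP is not allowed" thread above turns on, and SameSite, which `$wgCookieSameSite` controls. It evaluates the two requests quoted in this thread (`Sec-Fetch-Site: same-origin` and `cross-site`) plus two constructed variants; the scenario names and the `isCookieSent` function are my own.

```php
<?php
// Added example; not from MediaWiki, PluggableAuth or SimpleSAMLphp.
// Models whether a browser attaches a cookie to a request, following the
// SameSite rules of RFC 6265bis:
//   Strict -> same-site requests only;
//   Lax    -> same-site requests, or a top-level navigation with a safe
//             method (GET/HEAD);
//   None   -> always, but only valid together with the Secure attribute.
// A Secure cookie is never sent over plain http.
// The request side is described by the Sec-Fetch-Site value ("same-origin",
// "same-site", "cross-site", or "none" for a user-typed URL), the method,
// the scheme and whether the request is a top-level navigation.

function isCookieSent( array $cookie, array $request ): bool {
	if ( $cookie['secure'] && $request['scheme'] !== 'https' ) {
		return false; // Secure cookie over plain http
	}
	$sameSite = strtolower( $cookie['sameSite'] ?? 'lax' );
	if ( $sameSite === 'none' && !$cookie['secure'] ) {
		return false; // browsers reject SameSite=None without Secure
	}
	$sameSiteRequest = in_array( $request['secFetchSite'], [ 'same-origin', 'same-site', 'none' ], true );
	if ( $sameSiteRequest || $sameSite === 'none' ) {
		return true;
	}
	if ( $sameSite === 'strict' ) {
		return false;
	}
	// Lax: cross-site, so only a top-level navigation with a safe method qualifies
	return $request['topLevel'] && in_array( $request['method'], [ 'GET', 'HEAD' ], true );
}

/**
 * Evaluate the wiki session cookie under SameSite=Lax and SameSite=None for
 * the two requests quoted in the thread and two constructed variants.
 */
function evaluateScenarios(): array {
	$wikiSessionLax  = [ 'secure' => true, 'sameSite' => 'Lax' ];
	$wikiSessionNone = [ 'secure' => true, 'sameSite' => 'None' ];
	$requests = [ // constructed from the headers quoted in the thread
		'same-origin GET'        => [ 'scheme' => 'https', 'method' => 'GET',  'secFetchSite' => 'same-origin', 'topLevel' => true ],
		'IdP redirect GET'       => [ 'scheme' => 'https', 'method' => 'GET',  'secFetchSite' => 'cross-site',  'topLevel' => true ],
		'IdP POST (ACS binding)' => [ 'scheme' => 'https', 'method' => 'POST', 'secFetchSite' => 'cross-site',  'topLevel' => true ],
		'plain-http GET'         => [ 'scheme' => 'http',  'method' => 'GET',  'secFetchSite' => 'same-origin', 'topLevel' => true ],
	];
	$out = [];
	foreach ( $requests as $label => $req ) {
		$out[$label] = [
			'Lax'  => isCookieSent( $wikiSessionLax, $req ),
			'None' => isCookieSent( $wikiSessionNone, $req ),
		];
	}
	return $out;
}

if ( PHP_SAPI === 'cli' ) {
	foreach ( evaluateScenarios() as $label => $r ) {
		printf( "%-24s Lax: %-3s None: %s\n", $label,
			$r['Lax'] ? 'yes' : 'no', $r['None'] ? 'yes' : 'no' );
	}
}
```

For the cross-site GET that fails in this thread a Lax cookie is still sent (it is a top-level navigation with a safe method), so SameSite by itself does not explain the missing wiki_session cookie; that matches the later finding in the thread that a PluggableAuth bug was responsible. Where an IdP returns the assertion with an HTTP-POST binding, however, a Lax cookie is withheld and only SameSite=None, which requires Secure and therefore HTTPS, lets it through. A Secure cookie set over plain HTTP would never be returned at all, which is why the library refuses that configuration up front rather than letting logins fail later.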

UlfrTheRed (talkcontribs)

@Baldrom I have good news and bad news for you!

Good news is, I fixed it!

Bad news is, there was nothing wrong!

That error message is appearing because after you log your wiki session out, mediawiki destroys the session. When you then attempt to log in to the session using SAML, it requests the session that mediawiki had already destroyed. PluggableAuth then throws an error because it can't find the destroyed session, and then the second authentication works because it's either recreated using the session details provided by the first or something. Unsure what exactly.

The tentative solution I have is just to remove the log out button, but I'm also kind of in crunch time mode. Looks like adding a Single Sign Out behavior should remove the disconnect, but for now I've just removed the log out button

Baldrom (talkcontribs)

Hello @UlfrTheRed, thank you very much for your feedback. In this case, is it enough to remove the disconnect button to solve the problem? Is this done in the PluggableAuth config of the LocalSettings.php of my wiki? Thank you in advance for your answer and sorry for the "stupid" questions; I can't manage with this wiki anymore, too many things are illogical.


Best regards bro !

Baldrom (talkcontribs)

@UlfrTheRed I'm probably asking a lot, but could you share with me your configs in your LocalSettings.php, in your simplesaml.conf and in your IdP declaration? I don't see precisely where and how I could bypass the error as you said you did above.

Baldrom (talkcontribs)

@UlfrTheRed I just did some tests and indeed you are right! During my first login I don't have any session cookie for my wiki, but during the second login (which works) I get the MediaWiki session cookie! I'm waiting for feedback from you to deactivate the logout, but I thank you very much for this very precious information that you could bring me!

UlfrTheRed (talkcontribs)

Hi @Baldrom!

Unfortunately I wasn't able to figure out any method to make the ACS assertion work in one step without an error. What I WAS able to do was bypass the error completely by using the IdP's pre-authenticate link to access the wiki, and set the cookie and session expiration timers to 15 minutes.

I wish I could provide you with an example of what I'm talking about but I'm operating under an NDA and can't provide an actual example. In my use case, we're using Okta as an IdP, and Okta provides a link that will redirect to the application and initiate the session that way. Then the login request comes and simpleSAML already has the session set up and ready to go. So rather than going directly to somewiki.org, there's an okta link that's something like okta.com/somerandomnumbers/somewikiredirect that eventually takes you to somewiki.org while also initiating the session.

I wish I could explain this better, best of luck!

Nnyby (talkcontribs)

@UlfrTheRed Thank you for documenting this issue! I am seeing the exact same issue on my organization's wiki when upgrading from mediawiki 1.35 to 1.39.3. Now I have some clues on how to move forward - seeing the same missing wiki_session cookie on first auth, and the "Fatal error" message thrown by PluggableAuth, and then the second auth succeeds.

I'm on PluggableAuth 6.2, SimpleSAML extension 5.0.1, simplesamlphp 1.18.4 and php 7.4.

Nnyby (talkcontribs)

@UlfrTheRed @Baldrom


So, I got things to work. This seems to be a known bug documented here: https://phabricator.wikimedia.org/T322828 that was fixed just recently in PluggableAuth. So, now using the latest version of PluggableAuth 7.0-dev, as well as updating the SimpleSAMLphp extension to 7.0-dev as well, login succeeds with no errors.
