Extension talk:SimpleSAMLphp/Flow

Greetings. Has anyone gotten SimpleSAMLPHP/PluggableAuth and group mappings working?

I have SimpleSAMLPHP setup and working with azure AD. I also have sso working on mediawiki using PluggableAuth and the SimpleSAMLPHP plugin. However, I cannot get group mappings to work.

I have my mediawiki debug logging turned on and can see the Azure group identity/claims/role guids being returned to, however, Pluggable auth keeps removing my user from groups they should be in, in the debug logs:

[PluggableAuth] Removing 'username@domain.com' from group 'sysop'

I'm wondering if I should adding the addOnlyGroups array, but I can't figure out the syntax.

$wgPluggableAuth_Config['SSO Login'] = [
    'plugin' => 'SimpleSAMLphp',
    'data' => [
        'authSourceId' => 'default-sp',
        'emailAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        'realNameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
        'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
        'userinfoProviders' => [
            'username' => 'rawusername',
        ],
    ],
    'groupsyncs'  => [
        [
            'type' => 'mapped',
                'map'   => [
                    'sysop'           => [ 'groups' => 'azure group ID guids' ],
                    'user'            => [ 'groups' => 'azure group ID guids' ]
                ],
                'addOnlyGroups' => [ 'sysop', 'user' ],
        ]
    ]
];

In general this looks good and should work. I am not aware of any but in the "mapped groupsync" feature in Extension:PluggableAuth (that's where is it actually implemented) and I am ussing the "mapped groupsync" feature in production with Extension:OpenIDConnect.

I was wondering about 'azure group ID guids'. This is just one GUID, right? And you are sure it is included in the 'groups' attribute in the SAML response? Just asking, because of the plural in your example and because Azure AD usually has attribute names that look like "http://schema....".

Can you maybe share a (redacted) example of the SAML attributes reported on your debug log, then I can test this configuration in a UnitTest.

Hi,

I have functional SimpleSAML log in on my mediawiki, but in the case of error response from my IDP such as a "RequestDenied", i get redirected to the default SimpleSamlPHP UnhandledException page of my wiki, with the error stack, do you know if i can somehow customize here what is shown to the user ?

I guess this could be done using errors.show_function in config.php of the SimpleSAMLphp application.

Hello,

In examples I have seen to get this up and running, there is mention of authSourceId as default-sp (inside of $wgPluggableAuth_Config). Where is default-sp configured? There is also mention of a config.php file but I cannot find this in the installation folder for the simplesamlphp extension. Specifically, I am missing how to setup the SP metadata and also, ingest the IdP metadata into mediawiki for SAML authentication. Any help will be greatly appreciated, thank you.

This is where I am so far

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = true;

$wgPluggableAuth_EnableLocalLogin = true; //false

$wgPluggableAuth_EnableLocalProperties = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

# adding SimpleSAMLphp extension

wfLoadExtension( 'SimpleSAMLphp' );

# SimpleSAMLphp install directory. Required.

$wgSimpleSAMLphp_InstallDir = '/extensions/SimpleSAMLphp/src';

$wgPluggableAuth_Config['Log in using Banks SAML'] = [

    'plugin' =>   'SimpleSAMLphp',

    'data'   => [

'authSourceId'      => 'default-sp',

'usernameAttribute' => '...emailaddress',

'realNameAttribute' => '...name',

'emailAttribute'    => '...emailaddress'

                ]

];

@Cindy.cicalese

Really sorry for tagging you Cindy if I am not supposed to. I am doing so because I see you an author for SimpleSamlphp and really need help. Thank you.

Note: took out the preceding part of the user attributes cause my topic was being warned as having spam links

The SAML ServiceProvider must be set up with the independent application SimpleSAMLphp: https://simplesamlphp.org/

Learn more about how to configure the SP here: https://simplesamlphp.org/docs/stable/simplesamlphp-sp.html

Be aware that $wgSimpleSAMLphp_InstallDir is not supposed to point to the MediaWiki extension codebase but the standalone application.

See Extension:SimpleSAMLphp#Example_for_MW_1.39 for an example.

Thank you very much. I had no idea simplesamlphp (the mediawiki extension) is different from simplesamlphp (from simplesaml.org). Since then, I have installed SimpleSAMLphp in my application at /var/simplesamlphp (version 2.2.1). But I get an error when trying to hit the admin page of simplesamlphp. Logs show a 500 error when trying to GET /mediawiki/var/simplesamlphp/public/module.php. Any help will be appreciated.

I also get this error when I try to login with SAML

PHP Deprecated: Creation of dynamic property Less_Tree_Dimension::$parensInOp is deprecated in /mediawiki/vendor/wikimedia/less.php/lib/Less/Parser.php

Here are relevant contents of my LocalSettings.php file

# adding PluggableAuth extension

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = true;

$wgPluggableAuth_EnableLocalLogin = true; //false

$wgPluggableAuth_EnableLocalProperties = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

#adding SimpleSAMLphp extension

wfLoadExtension( 'SimpleSAMLphp' );

#SimpleSAMLphp install directory. Required.

$wgSimpleSAMLphp_InstallDir = 'var/simplesaml';

// SAML AuthENTICATION (Tell Mediawiki "WHO" the user "IS")

$wgPluggableAuth_Config['Log in using SAML'] = [

    'plugin' =>   'SimpleSAMLphp',

    'data'   => [

'authSourceId'      => 'default-sp',

'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',

'realNameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',

'emailAttribute'    => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

                ]

];

You can ignore the PHP Deprecated: message. It does not do any harm.

Regarding your issue with the SimpleSAMLphp application: It there is an error 500, there should be an entry in the PHP error log as well, that provides additional information.

Also make sure to closely follow the instructions on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html

For further help on how to install and configure the SimpleSAMLphp application I recommend asking on their chat / mailing list: https://simplesamlphp.org/support/

Understood and thank you. I will try their support. Not sure if I should be looking else where but when I look in the logstream of the app service (Azure App service running php 8.x on linux) all I see is the 500 and no additional details. Please share any other place I should be looking. Not great with linux so I may be missing something very obvious.

Hello Osnard,

I have been communicating on simplesamlphp's slack since we last messaged each other and it has not born any fruits. Here is where I am stuck.

Azure App Service running on PHP 8.2 and Linux. Webserver is nginx. Followed the installation instructions here from the simpesamlphp.org page.

baseurlpath => 'https://mysimplesamlphp.azurewebsites.net/var/simplesamlphp/public/'

'secretsalt' => 'xxxxxxx' (masked)

'auth.adminpassword' => 'xxxxxxx' (masked)

Everything else default.

When I try to hit the /public/admin page, I always get a 404 error. Any ideas? As a test, I dropped a test php file in the same location and that loads fine.

Any ideas?

The value of https://mysimplesamlphp.azurewebsites.net/var/simplesamlphp/public/ for baseurlpath looks pretty wrong. I'd more have expected https://mysimplesamlphp.azurewebsites.net/. It is very uncommon to expose a serverside filesystem path entirely to the web. Instead /var/simplesamlphp/public/ should be set to be the "document root" in the webserver configuration for a website served under https://mysimplesamlphp.azurewebsites.net/

But: Be aware that usually the "SAML Service Provider" application (=SimpleSAMLphp) must run under the same domain as the wiki itself.

E.g. if your MediaWiki is hosted at https://mywiki.azurewebsites.net/wiki/Main_Page your SimpleSAMLphp application should be hosted at https://mywiki.azurewebsites.net/_saml. Otherwise you will probably run into session issues, as the session cookie is usually bound to the domain.

Using pluggableauth and simplesamlphp versions for mediawiki 1.41.1

I am going from this:

'mapGroups_Map' => [ 'mediawiki group' => ['saml attribute' => ['group 1', 'group 2', '...']]]

to this using pluggable auth, but it is not working. Better examples would be useful either in the simplesaml or the plugableauth docs . I have tried putting the mediawiki group first and that does not work either.

'...://schemas.microsoft.com/ws/2008/06/identity/claims/role' contains the attribute. I had to remove the http and replace with "..." because it would not let me post my question with it in place.

<Attribute Name="...://schemas.microsoft.com/ws/2008/06/identity/claims/role">
    <AttributeValue>Admin</AttributeValue>
</Attribute>

@Cindy.cicalese

$wgPluggableAuth_Config["Log in without Password (SSO)"] = [
    "plugin" => "SimpleSAMLphp",
    "data" => [
        "authSourceId" => "default-sp",
        "usernameAttribute" => "alias",
        "realNameAttribute" => "displayname",
        "emailAttribute" => "email"
    ],
    "groupsyncs" => [
        [
            'type' => 'mapped',
            'map' => [
                'Admin' => [ '...://schemas.microsoft.com/ws/2008/06/identity/claims/role' => ['sysop'] ],
                'User_draft_edit' => [ '...://schemas.microsoft.com/ws/2008/06/identity/claims/role' => ['bureaucrat'] ],
                'User_draft_read' => [ '...://schemas.microsoft.com/ws/2008/06/identity/claims/role' => ['suppress'] ]
            ]
        ]
    ]
];

Looking at the SAML attribute value, I guess your config should look like this:

$claim = '...://schemas.microsoft.com/ws/2008/06/identity/claims/role';

$wgPluggableAuth_Config["Log in without Password (SSO)"] = [
    "plugin" => "SimpleSAMLphp",
    ...
    "groupsyncs" => [
        [
            'type' => 'mapped',
            'map' => [
                'sysop' => [
                    $claim => [ 'Admin' ]
                ],
                'bureaucrat' => [
                    $claim =>  [ 'User_draft_edit' ]
                ],
                'suppress' => [
                    $claim => [ 'User_draft_read' ]
                ]
            ]
        ]
    ]
];

HINT: The suppress group may not be what you want for a group called 'User_draft_read'.

Hello,

In examples I have seen to get this up and running, there is mention of authSourceId as default-sp (inside of $wgPluggableAuth_Config). Where is default-sp configured? There is also mention of a config.php file but I cannot find this in the installation folder for the simplesamlphp extension. Specifically, I am missing how to setup the SP metadata and also, ingest the IdP metadata into mediawiki for SAML authentication. Any help will be greatly appreciated, thank you.

This is where I am so far

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = true;

$wgPluggableAuth_EnableLocalLogin = true; //false

$wgPluggableAuth_EnableLocalProperties = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

# adding SimpleSAMLphp extension

wfLoadExtension( 'SimpleSAMLphp' );

# SimpleSAMLphp install directory. Required.

$wgSimpleSAMLphp_InstallDir = '/extensions/SimpleSAMLphp/src';

$wgPluggableAuth_Config['Log in using Banks SAML'] = [

    'plugin' =>   'SimpleSAMLphp',

    'data'   => [

'authSourceId'      => 'default-sp',

'usernameAttribute' => '...emailaddress',

'realNameAttribute' => '...name',

'emailAttribute'    => '...emailaddress'

                ]

];

@Cindy.cicalese

Really sorry for tagging you Cindy if I am not supposed to. I am doing so because I see you an author for SimpleSamlphp and really need help. Thank you.

Note: took out the preceding part of the user attributes cause my topic was being warned as having spam links

You need to install the simplesamlphp library (see https://simplesamlphp.org/). There is documentation at that site. You can start with https://simplesamlphp.org/docs/stable/simplesamlphp-sp.html.

That makes sense! Thank you Cindy! Will give that a go and ask any questions I have after, if any.

Thank you very much (I think Osnard also responded). I had no idea simplesamlphp (the mediawiki extension) is different from simplesamlphp (from simplesaml.org). Since then, I have installed SimpleSAMLphp in my application at /var/simplesamlphp (version 2.2.1). But I get an error when trying to hit the admin page of simplesamlphp. Logs show a 500 error when trying to GET /mediawiki/var/simplesamlphp/public/module.php. Any help will be appreciated.

I also get this error when I try to login with SAML

PHP Deprecated: Creation of dynamic property Less_Tree_Dimension::$parensInOp is deprecated in /mediawiki/vendor/wikimedia/less.php/lib/Less/Parser.php

Here are relevant contents of my LocalSettings.php file

# adding PluggableAuth extension

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = true;

$wgPluggableAuth_EnableLocalLogin = true; //false

$wgPluggableAuth_EnableLocalProperties = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

#adding SimpleSAMLphp extension

wfLoadExtension( 'SimpleSAMLphp' );

#SimpleSAMLphp install directory. Required.

$wgSimpleSAMLphp_InstallDir = 'var/simplesaml';

// SAML AuthENTICATION (Tell Mediawiki "WHO" the user "IS")

$wgPluggableAuth_Config['Log in using SAML'] = [

    'plugin' =>   'SimpleSAMLphp',

    'data'   => [

'authSourceId'      => 'default-sp',

'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',

'realNameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',

'emailAttribute'    => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

                ]

];

may I suggest you add here: https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp#Compatibility That 2.1 requires php 8.0 as minimum. https://simplesamlphp.org/docs/stable/simplesamlphp-upgrade-notes-2.1.html

Thanks for contributing this!

Hi

We are testing MW 1.39.5 with SAML SSO. with SSP 2.0.5 and it is working.

I see warning "You are running an outdated version of SimpleSAMLphp. Please update to the latest version as soon as possible" in the saml page.

This is the current setup we have:

mediawiki: 1.39.5

simplesamlphp 7.0

pluggableauth 7.0

SSP 2.0.5

Can you suggest which is the latest version of SSP supported with MW ?

Thanks

GT

The latest version of SimpleSAMLphp (application, not extension) is 2.1.1. Even though i have not tested this explicitly I believe it should be compatible to Extension:SimpleSAMLphp version 7.

If you try it, please consider updating the compatibility section

Ok. I will test this once my current test is over.

@Osnard

I tested with SSP 2.1.1 the latest one with MW 1.39.5. Its working as expected. Not much difference in the configuration.

MW 1.39.5

SSP 2.1.1

pluggableauth 7.0

simplesamlphp (extension) 7.0

on RHEL 7.9

Apache 2.4

php 8.0

mysql 8.0

I have updated the compatibility section also.

Hi,

I tested SSP 2.1.1 in docker, but that is not working. I think it has a compatibility issue with MySQL database minor version. There were couple of errors in the logs related to database. But I could not spend more time on it to troubleshoot.

So, with MW 1.39.5 & SSP 2.1.1

Working version in RHEL - MySQL 8.0.25 & PHP 8.0

Non-working in docker - MySQL 8.0.32 & PHP 8.1

Thanks a lot. That information is already very helpful.

mediawiki: 1.39.4

simplesamlphp 7

pluggableauth 7

I am getting the error Could not load authentication plugin

$wgPluggableAuth_Config['Log in using my SAML'] = [

'plugin' => 'SimpleSAMLphp',

'data' => [
 		'authSourceId' => 'default-sp',
 		'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
 		'realNameAttribute' => ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname','http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'],
 		'emailAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
 	 ]
];

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'SimpleSAMLphp' );

$wgPluggableAuth_EnableAutoLogin = true;

$wgPluggableAuth_EnableLocalLogin = false;

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_ButtonLabelMessage = 'Login';

$wgPluggableAuth_Class = 'SimpleSAMLphp';

$wgSimpleSAMLphp_InstallDir = '/var/simplesamlphp/';

installation path is added

storetype is sql 

$wgMainCacheType = CACHE_NONE;

$wgMainCacheType = CACHE_DB;

@Osnard

This looks quite good. I did some reformatting and removed unnecessary configs. Can you try that?

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'SimpleSAMLphp' );

$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgSimpleSAMLphp_InstallDir = '/var/simplesamlphp/';
$wgMainCacheType = CACHE_DB;
$wgPluggableAuth_Config['Log in using my SAML'] = [
    'plugin' => 'SimpleSAMLphp',
    'data' => [
 		'authSourceId' => 'default-sp',
 		'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
 		'realNameAttribute' => ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname','http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'],
 		'emailAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
 	 ]
];

@Luciferindcok were you able to get it worked ? I am also getting same issue.

Thanks.

Maybe Topic:Xto1mjvt3vdgudxg helps.

The simplesaml/module.php/admin/test/default-sp URL shows my attributes with both "name" and "urn:oid..." values.

In the debug log, I see them only with urn:oid... values.

[SimpleSAMLphp] Received attributes: {"urn:oid:2.16.840.1.113730.3.1.241":["First M Last"],"urn:oid:0.9.2342.19200300.10 0.1.3":["email@domain"],"urn:oid:1.3.6.1.4.1.5923.1.1.1.9":["Staff@domain","Member@domain"],"urn:oid:2. 5.4.42":["First"],"urn:oid:1.3.6.1.4.1.5923.1.1.1.6":["user@domain"],"urn:oid:2.5.4.4":["Last"],"urn:oid:2.5.4.3 ":["First M Last"]}

And when I try to use these in $wgPluggableAuth_Config, only the urn:oid values seem to be valid.

I see the /var/simplesamlphp/attributemap/* files seem to have these defined, but they are not being propagated back to the SimpleSAMLphp and PluggableAuth extensions.

I'm not sure what I'm missing.

So these are the attributes you receive:

{
  "urn:oid:2.16.840.1.113730.3.1.241": [
    "First M Last"
  ],
  "urn:oid:0.9.2342.19200300.10 0.1.3": [
    "email@domain"
  ],
  "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": [
    "Staff@domain",
    "Member@domain"
  ],
  "urn:oid:2. 5.4.42": [
    "First"
  ],
  "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": [
    "user@domain"
  ],
  "urn:oid:2.5.4.4": [
    "Last"
  ],
  "urn:oid:2.5.4.3 ": [
    "First M Last"
  ]
}

ATTENTION: The keys look a little bit odd. E.g. "urn:oid:0.9.2342.19200300.10 0.1.3", "urn:oid:2.5.4.3 " and "urn:oid:2. 5.4.42" contain spaces!

OIDRefs

• "First M Last" - https://oidref.com/2.16.840.1.113730.3.1.241 -> displayName
• "email@domain" - https://oidref.com/0.9.2342.19200300.100.1.3 -> rfc822Mailbox
• "Staff@domain", "Member@domain" - https://oidref.com/1.3.6.1.4.1.5923.1.1.1.9 -> ???, probably user groups
• "First" - https://oidref.com/2.5.4.42 -> givenName
• "user@domain" - https://oidref.com/1.3.6.1.4.1.5923.1.1.1.6 --> ??? probably user ID
• "Last" - https://oidref.com/2.5.4.4 -> surname
• "First M Last" - https://oidref.com/2.5.4.3 -> commonName

Your config should looks something like this:

$wgPluggableAuth_Config['Log in using my SAML'] = [
	'plugin' => 'SimpleSAMLphp',
	'data' => [
		'authSourceId' => 'default-sp',
		'usernameAttribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', //Acctually not used, see "myusername" below
		'realNameAttribute' => 'urn:oid:2.16.840.1.113730.3.1.241',
		'emailAttribute' => 'urn:oid:0.9.2342.19200300.10 0.1.3', //ATTENTION: SPACE!
		'userinfoProviders' => [
			'username' => 'myusername'
		]
	]
];

$wgSimpleSAMLphp_MandatoryUserInfoProviders['myusername'] = [
	'factory' => function() {
		return new \MediaWiki\Extension\SimpleSAMLphp\UserInfoProvider\GenericCallback( function( $attributes ) {
			if ( !isset( $attributes['urn:oid:1.3.6.1.4.1.5923.1.1.1.6'] ) ) {
				throw new Exception( 'No user ID!' );
			}
			$parts = explode( '@', $attributes['urn:oid:1.3.6.1.4.1.5923.1.1.1.6'][0] );
			return strtolower( $parts[0] );
		} );
	}
];

See also Extension:SimpleSAMLphp#Define_custom_user_info_provider.