Meza/Setup SAML authentication


Step 1: Set secret config

Add the following to your secret config. See Meza/Secret config for info on editing this file. Pick a strong admin password and a random, unique salt; the comments in the snippet give a command for generating each.

  # A crypto salt for randomness. This should be random and unique. Use the
  # command below to generate a 32-character random string
  # tr -c -d '0-9a-zA-Z' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
  salt: <output of command from above>

  # A password to enter the SimpleSamlPhp web interface. Optionally use the
  # 16-character random generator below:
  # tr -c -d '0-9a-zA-Z' </dev/urandom | dd bs=16 count=1 2>/dev/null;echo
  adminpassword: <your strong password>

Step 2: Set public config

Add the following to your public config, located at /opt/conf-meza/public/public.yml, and fill in appropriate values for every setting. You'll need to confer with your SAML Identity Provider (IdP) for the correct values.

  # MediaWiki

  # SAML attribute provided by IdP (Identity Provider) to map to MediaWiki username
  idp_username_attr: uid

  # SAML attribute provided by IdP to map to MediaWiki real name
  idp_realname_attr: fullname

  # SAML attribute provided by IdP to map to MediaWiki email address
  idp_email_attr: email

  # SAML IdP (identity provider) and SP (service provider) info

  # SP (service provider) ID, which should be the fully qualified domain name
  # of your application

  # Constraints on SAML request which may be required by IdP
  name_id_policy: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

  # Method to identify your IdP (identity provider). The URL is sufficient

  # URL of your SAML signon service

  # URL of your SAML logout service. Use signon if you don't have one.

  # Cert fingerprint for your SAML IdP (identity provider) server. Should be a
  # list to support multiple values.

  # Other info

  # Contact info for issues with SAML
  technicalcontact_name: Administrator

Step 3: Re-deploy

With the new config in place, you need to re-deploy your desired environment:

sudo meza deploy <env>
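As an added example (not part of Meza or this page), a small pre-deploy check you can run between Step 2 and Step 3 against the values you filled in: it verifies the secret-config placeholders were replaced with a 32-character alphanumeric salt and a 16-character or longer admin password, that name_id_policy is a known SAML NameID-format URN, and that the IdP certificate fingerprints are a list of SHA-1 or SHA-256 hex digests. The key name idp_cert_fingerprints is an assumption, since the page does not show the real key; random_token uses Python's secrets module in place of the page's tr/dd command, with the same alphabet.

```python
import re
import secrets
import string

# Values still in the "<fill me in>" form the page's templates ship with
PLACEHOLDER = re.compile(r"^<.*>$")
ALNUM = set(string.ascii_letters + string.digits)
# SAML NameID formats an IdP may require; the page uses "persistent"
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

def random_token(length):
    """Alphanumeric token of the given length from the OS CSPRNG (same alphabet as tr -c -d '0-9a-zA-Z')."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def valid_fingerprint(fp):
    """Accept 40 (SHA-1) or 64 (SHA-256) hex digits, with or without colon separators."""
    digits = str(fp).replace(":", "")
    return len(digits) in (40, 64) and all(c in string.hexdigits for c in digits)

def check_secret(cfg):
    """Return a list of problems found in the secret-config values (empty list means OK)."""
    problems = []
    salt = str(cfg.get("salt", ""))
    if PLACEHOLDER.match(salt) or len(salt) < 32 or not set(salt) <= ALNUM:
        problems.append("salt: must be a random 32-character alphanumeric string")
    password = str(cfg.get("adminpassword", ""))
    if PLACEHOLDER.match(password) or len(password) < 16:
        problems.append("adminpassword: placeholder or shorter than 16 characters")
    return problems

def check_public(cfg, fingerprint_key="idp_cert_fingerprints"):
    """Return a list of problems in the public-config values; fingerprint_key is an assumed name."""
    problems = []
    for key in ("idp_username_attr", "idp_realname_attr", "idp_email_attr",
                "technicalcontact_name"):
        if not cfg.get(key):
            problems.append(f"{key}: missing")
    if cfg.get("name_id_policy") not in NAMEID_FORMATS:
        problems.append("name_id_policy: not a known SAML NameID-format URN")
    fingerprints = cfg.get(fingerprint_key)
    if not isinstance(fingerprints, list) or not fingerprints:
        problems.append(f"{fingerprint_key}: must be a non-empty list")
    else:
        problems += [f"{fingerprint_key}: bad value {fp!r}"
                     for fp in fingerprints if not valid_fingerprint(fp)]
    return problems
```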