Topic on Project:Support desk

SimpleSAML extension with Mediawiki 1.27.1

Ashni rai (talkcontribs)

I'm trying to migrate our MediaWiki from 1.23.5 to 1.27.1, but the SimpleSAML extension is throwing an HTTP 500 error. I'm not able to rectify the error since I am quite new to SimpleSAML. Please find below the configuration changes made in LocalSettings.php. Are there any other config changes to be made other than the following? Thanks.

wfLoadExtension( 'PluggableAuth' ); 
$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalLogin = false; 
$wgPluggableAuth_Class = "SimpleSAMLphp"; 
wfLoadExtension( 'SimpleSAMLphp' ); 
$wgSimpleSAMLphp_InstallDir = 'C:\MediaWiki\mediawiki-1.27.1\extensions\SimpleSAMLphp';
$wgSimpleSAMLphp_AuthSourceId = 'default-sp';
$wgSimpleSAMLphp_RealNameAttribute = //cn;
$wgSimpleSAMLphp_EmailAttribute = //mail;
$wgSimpleSAMLphp_UsernameAttribute = //uid;

MarkAHershberger (talkcontribs)

I'm confused about the last three lines. Why are you putting slashes in front of cn, mail, and uid instead of surrounding them with quotes?

MarkAHershberger (talkcontribs)
  1. What is the error you're seeing?
  2. Could you replace the backslashes in $wgSimpleSAMLphp_InstallDir with forward slashes so that you have
$wgSimpleSAMLphp_InstallDir = 'C:/MediaWiki/mediawiki-1.27.1/extensions/SimpleSAMLphp';

Ashni rai (talkcontribs)

Hi Mark,

Actually, we already have the entire address of CN, Mail and UID in quotes like you mentioned, followed by those with slashes as a comment. I think that's not the issue. Now I also tried with forward slashes as you said. It's still throwing me the same 'HTTP 500' error.

After setting wgShowExceptionDetails, it's showing the following backtrace:

Thanks & Regards

Ashni

MarkAHershberger (talkcontribs)

There should be a message before the first line of the backtrace. What does it say?

Ashni rai (talkcontribs)

[f7e4f1c187b3bb5b5742b8c0] /mediawiki-1.27.1/index.php?title=PoP_Facilitation MWException from line 176 of C:\MediaWiki\mediawiki-1.27.1-downloaded\includes\Hooks.php: Invalid callback LocalisationUpdate::onRecacheFallback in hooks for LocalisationCacheRecacheFallback

MarkAHershberger (talkcontribs)

Does it work if you disable the LocalisationUpdate extension?

Ashni rai (talkcontribs)

Hi Mark. Thanks for the previous one. The HTTP 500 error is gone, but my SAML login is still redirecting to the main page with the user not logged in after entering the credentials. I tried to backtrace with the simplesamlphp.log file. It is showing me the following error.

simplesamlphp DEBUG [cb527bddb5] Session: 'default-sp' not valid because we are not authenticated.

Instead of PluggableAuth we are using SimpleSamlAuth.

Please find below the settings in LocalSettings.php:

require_once "$IP/extensions/SimpleSamlAuth/SimpleSamlAuth.php"; 

// SAML_OPTIONAL // SAML_LOGIN_ONLY // SAML_REQUIRED //
$wgSamlRequirement = SAML_OPTIONAL;

// Should users be created if they don't exist in the database yet?
$wgSamlCreateUser = true; 

// SAML attributes
$wgSamlUsernameAttr = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'; //uid
$wgSamlRealnameAttr = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'; //cn
$wgSamlMailAttr = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'; //mail 

// SimpleSamlPhp settings
$wgSamlSspRoot = 'C:\MediaWiki\mediawiki-1.27.1\extensions\SimpleSAMLphp';
$wgSamlAuthSource = 'default-sp';
$wgSamlPostLogoutRedirect = NULL;

//Extra parameter added as per this URL - https://groups.google.com/forum/#!topic/simplesamlphp/k9cPe5q8qbE
$wgSessionName = ini_get('session.name'); 

// Array: [MediaWiki group][SAML attribute name][SAML expected value]
// If the SAML assertion matches, the user is added to the MediaWiki group
$wgSamlGroupMap = array(
    'sysop' => array(
        'groups' => array('admin'),
    ),
);

MarkAHershberger (talkcontribs)

I think I would really recommend that you use PluggableAuth. Cindy has done the work of making SAML work and is available to help if you need help getting PluggableAuth to work.

Otherwise, the only advice that I can offer is that you make sure SimpleSAMLphp itself is working and then work on MediaWiki.

Ashni rai (talkcontribs)

That would be really nice Mark. Can you please help me get in touch with Cindy?

Ashni rai (talkcontribs)

@Cindy.cicalese

Hi Cindy,

Can you please help us with this?

Thanks & Regards,

Ashni Rai

Cindy.cicalese (talkcontribs)

Ashni,

Sorry for the delayed reply. I have been on vacation. To me it looks like you are providing too much information in the attribute strings (assuming that the strings you show above for SimpleSamlAuth are the same ones you were using for SimpleSAMLphp/PluggableAuth). Here, for example, is my configuration:

$wgSimpleSAMLphp_UsernameAttribute = 'uid';
$wgSimpleSAMLphp_RealNameAttribute = [
        'givenname',
        'sn'
];
$wgSimpleSAMLphp_EmailAttribute = 'mail';

You need to check to see what the attribute names being returned by your identity provider are. Perhaps they are the full URLs that you provided, but you might try just 'emailaddress'.

Also, have you checked your simplesamlphp installation itself to make sure that you can log into that directly with default-sp? If not, go to <url of your server>simplesaml/module.php/core/authenticate.php, click on default-sp and attempt to authenticate.

Cindy

MarkAHershberger (talkcontribs)

You can contact Cindy on her talk page or via EmailUser.

Before contacting her, though, try switching back to PluggableAuth and Extension:SimpleSAMLphp. It seems like you switched extensions before we were able to fully diagnose the problems.

101.160.137.82 (talkcontribs)
$wgSimpleSAMLphp_RealNameAttribute = //cn;
$wgSimpleSAMLphp_EmailAttribute = //mail;
$wgSimpleSAMLphp_UsernameAttribute = //uid;

Because "//" starts a comment, these lines actually mean:

$wgSimpleSAMLphp_RealNameAttribute = $wgSimpleSAMLphp_EmailAttribute = $wgSimpleSAMLphp_UsernameAttribute =

Which is obviously a syntax error. They are probably meant to be strings.

Ashni rai (talkcontribs)

Hi 101.160.137.82,

No, I actually did have the entire 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' in quotes, not like the one mentioned above. I just removed them since I was posting in a forum. The error message is shared above. Kindly go through it and let me know what might be the issue.

Thanks & Regards,

Ashni

S0ring (talkcontribs)

After installing PluggableAuth + SimpleSAMLphp for MW 1.27, the SAML authentication failed; here are the debug logs:

...
[SQLBagOStuff] Connection 3450 will be used for SqlBagOStuff
Fully initialised
Authentication failure.
[DBPerformance] Expectation (writes <= 0) by MediaWiki::main not met:
query-m: REPLACE INTO `objectcache` (keyname,value,exptime) VALUES ('X')
TransactionProfiler.php line 311 calls wfBacktrace()
TransactionProfiler.php line 200 calls TransactionProfiler->reportExpectationViolated()
Database.php line 856 calls TransactionProfiler->recordQueryCompletion()
...

The issue has been fixed after replacing:

$wgSimpleSAMLphp_RealNameAttribute = [
        'givenname',
        'sn'
];

with

$wgSimpleSAMLphp_RealNameAttribute = 'cn';

Cindy.cicalese (talkcontribs)

The value used for $wgSimpleSAMLphp_RealNameAttribute depends upon what attributes your identity provider is configured to return. Either of the values above could be appropriate, depending upon the environment.

S0ring (talkcontribs)

Indeed, the IdP returns 'givenName' and not 'givenname', therefore this will work:

$wgSimpleSAMLphp_RealNameAttribute = [
        'givenName',
        'sn'
];

The initial suspicion was that $wgSimpleSAMLphp_RealNameAttribute doesn't support the array format, but this is not the case. Also, the "Authentication failure" error didn't point to the root cause. But now the issue is solved.

Thank you for this great extension(s)!
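Two posts above come down to the same check: Cindy's advice to find out which attribute names the identity provider actually returns, and S0ring's discovery that 'givenname' silently failed while the IdP was sending 'givenName'. The script below is an added example, not code from the thread or from Extension:SimpleSAMLphp, that resolves the three LocalSettings.php attribute settings against a set of returned attributes and reports exact misses and case-only mismatches. The sample attribute set is constructed for the example; the assumption that an array-valued $wgSimpleSAMLphp_RealNameAttribute is joined with a single space is labelled in the code.

```php
<?php
// Added example: check the LocalSettings.php attribute mapping against the
// attributes the IdP really returned, instead of waiting for a bare
// "Authentication failure" in the MediaWiki debug log.

// Constructed sample in the shape SimpleSAMLphp's getAttributes() returns:
// attribute name => list of values. As in S0ring's case the IdP sends
// 'givenName', not 'givenname'.
$sampleAttributes = [
    'uid'       => ['jdoe'],
    'mail'      => ['jdoe@example.org'],
    'givenName' => ['Jane'],
    'sn'        => ['Doe'],
];
// On a live install, replace the sample with the real assertion. With the
// SimpleSAMLphp 1.x API used in the MW 1.27 era that is:
//   require_once '/path/to/simplesamlphp/lib/_autoload.php';
//   $as = new SimpleSAML_Auth_Simple('default-sp');
//   $as->requireAuth();
//   $sampleAttributes = $as->getAttributes();

// The three settings from the thread, as they would appear in LocalSettings.php.
$config = [
    'wgSimpleSAMLphp_UsernameAttribute' => 'uid',
    'wgSimpleSAMLphp_RealNameAttribute' => ['givenname', 'sn'], // wrong case
    'wgSimpleSAMLphp_EmailAttribute'    => 'mail',
];

/**
 * Resolve one configured setting (a string or an array of strings) against
 * the returned attributes. Lookups are case-sensitive, exactly as PHP array
 * keys are, so 'givenname' does not match 'givenName'.
 * Assumption: an array setting is joined with one space to form the real name.
 * Returns [resolvedValueOrNull, missingNames, caseOnlyMismatches].
 */
function resolveAttribute($setting, array $attributes): array
{
    $names    = is_array($setting) ? $setting : [$setting];
    $parts    = [];
    $missing  = [];
    $nearMiss = [];
    foreach ($names as $name) {
        if (isset($attributes[$name]) && $attributes[$name] !== []) {
            $parts[] = $attributes[$name][0];
            continue;
        }
        $missing[] = $name;
        // A case-only difference is the usual culprit; report it separately.
        foreach (array_keys($attributes) as $actual) {
            if (strcasecmp($actual, $name) === 0) {
                $nearMiss[$name] = $actual;
            }
        }
    }
    $value = $missing ? null : implode(' ', $parts);
    return [$value, $missing, $nearMiss];
}

function checkConfig(array $config, array $attributes): array
{
    $report = [];
    foreach ($config as $setting => $spec) {
        [$value, $missing, $nearMiss] = resolveAttribute($spec, $attributes);
        $report[$setting] = ['value' => $value, 'missing' => $missing, 'nearMiss' => $nearMiss];
    }
    return $report;
}

foreach (checkConfig($config, $sampleAttributes) as $setting => $r) {
    if ($r['missing'] === []) {
        printf("%-36s OK      -> %s\n", $setting, $r['value']);
        continue;
    }
    printf("%-36s MISSING %s\n", $setting, implode(', ', $r['missing']));
    foreach ($r['nearMiss'] as $wanted => $actual) {
        printf("    IdP sent '%s' (differs only in case from configured '%s')\n", $actual, $wanted);
    }
}
```

Run it with `php check-attributes.php` from the command line; with the constructed sample, the username and e-mail settings resolve and the real-name setting is flagged with the 'givenName' hint. Fixing the case in LocalSettings.php, or adding a rewrite in the SimpleSAMLphp authproc chain so the SP always sees the names MediaWiki expects, are the two usual remedies; which one you pick should follow Cindy's point that the right values depend entirely on what your own IdP is configured to release.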