Topic on Extension talk:PluggableAuth

MediaWiki Verison: 1.31

PHP Version: 7.2.1

Web Server: IIS

Good Afternoon,

I have recently installed the above. In order to have this setup correctly I am looking to have it so that only users with the correct AD group can access it AND so that when they do access it they are logged in automatically.

I have been looking at the LDAP hub to try and understand what is required to achieve this but it's all quite confusing.

Before I start installing extentions I wanted clarification on this particular extention.

Am I right in understanding that this extension is primarily used to allow users to login automatically? If so, would authenticating via a windows prompt (Windows Authentication, Basic Authentication) be applicable to this?

Based on the configuration items listed I don't fully understand how it would pass the login variables set via Windows prompt or alternative method.

Lastly am I also correct in saying that an alternative plugin would be required that prevents users from accessing the application if they do not have the required groups?

> Am I right in understanding that this extension is primarily used to allow users to login automatically?

The extension is used to integrate with a external authentication provider. It is possible to configure the extension (using the $wgPluggableAuth_EnableAutoLogin configuration variable) so that the authentication workflow is initiated automatically, rather than having the user have to click on the Login link.

> If so, would authenticating via a windows prompt (Windows Authentication, Basic Authentication) be applicable to this?

I'm not familiar with the Windows environment from this perspective. Depending upon how you have your external authentication provider configured, it is possible that, if the user is already logged in to the environment, the authentication will happen without requiring additional interaction from the user.

> Based on the configuration items listed I don't fully understand how it would pass the login variables set via Windows prompt or alternative method.

If you use Azure ADFS, you might be interested in using this extension, PluggableAuth, with the OpenIDConnect extension (see Extension:OpenID Connect#Example: Using it against Azure ADFS). Authenticating with Azure may also be possible with Extension:SimpleSAMLphp, but I'm not sure of the configuration for that. @Osnard may be able to help you with that.

> Lastly am I also correct in saying that an alternative plugin would be required that prevents users from accessing the application if they do not have the required groups?

Yes, PluggableAuth separates the process of proving who you are (authentication) from determining what you have access to (authorization). Extension:SimpleSAMLphp does provide this additional functionality for controlling access by groups.

MS Azure AD can act as a SAML IdP, so Extension:SimpleSAMLphp can also be used.