Authorization is not invoked when an Image/File access occurs by executing img_auth.php (Manual:Image authorization). I wonder wheather the Extension:PluggableAuth respectively Extension:SimpleSAMLphp are interacting or not with this script, while in the source code https://doc.wikimedia.org/mediawiki-core/1.31.0/php/img__auth_8php_source.html there is a check for basic user authorization only.
Topic on Extension talk:PluggableAuth
Image authorization does indeed work with PluggableAuth. The authentication checks are done outside img_auth.php.
Thank you for your quick reply. I am struggle with the img_auth.php script to make it working. I followed the article, I renamed the images directory, I moved it outside the DocumentRoot and I turned the php_admin_flag engine off. The images/files are now available under https://wiki.yourwiki.org/w/img_auth.php/01/01/Example.png
., but they are reachable without login, I expected to get a 403.
More information about your configuration would be helpful. For example, do you have your wiki set to require login to read?
$wgGroupPermissions['*']['read'] = false;
Login will only be enforced for image authorization if the content in your wiki is not readable without login.
Wow, exactly this settings was guilt, now the access to images/files is denied without login as expected. Thank you a lot!
Great! You're welcome!