Topic on Extension talk:SimpleSAMLphp

Hello, I'm running into an issue with PluggableAuth and/or SimpleSAMLphp plugins that are beyond my meager ability to rectify.

Mediawiki version: 1.34.2

PluggableAuth version: REL1_34

SimpleSAMLphp (plugin) version: REL1_34

SimpleSAMLphp (application) version: 1.18.7

The SimpleSAMLphp application appears to be working correctly, I can access the web control panel, have exchanged metadata with our SAML administrator here on campus, and it successfully passes me through to the university's login page when I test authentication. However, Mediawiki is not handling something correctly. Very possibly due to bad configuration on my part.

When I attempt to log in with the PluggableAuth button I am taken to my university's login page but when I enter my credentials there I am shortly returned back to the MediaWiki login page with the error "could not find username attribute: uid" in a red box above fields for username and password. This error message will change depending on what value is in the "$wgSimpleSAMLphp_UsernameAttribute" variable. If that contains "username" the error says "username". If it contains "uid" then the error says "uid", etc.

When I sent this error to the SAML administrator he said "Hmm...for some reason it isn't finding the uid attribute in the SAML assertion.  I know it's being released since I can see it in my logs."

Here are the relevant settings from my LocalSettings.php:

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = true;

$wgPluggableAuth_EnableLocalLogin = true;

$wgPluggableAuth_EnableLocalProperties = true;

//$wgPluggableAuth_ButtonLabelMessage = "PluggableAuth Login";

//$wgPluggableAuth_Class = 'SimpleSAMLphp';

wfLoadExtension( 'SimpleSAMLphp' );

$wgSimpleSAMLphp_InstallDir = "/var/simplesamlphp";

$wgSimpleSAMLphp_AuthSourceId = "default-sp";

$wgSimpleSAMLphp_RealNameAttribute = "givenName";

$wgSimpleSAMLphp_EmailAttribute = "mail";

$wgSimpleSAMLphp_UsernameAttribute = "uid";

The wiki debug log contains the following seemingly relevant lines:

[PluggableAuth] In execute()

[PluggableAuth] Getting PluggableAuth singleton

[PluggableAuth] Class name: SimpleSAMLphp

[SimpleSAMLphp] Could not find username attribute: uid

[PluggableAuth] Authentication failure.

[PluggableAuth] ERROR: Could not find username attribute: uid

[session] SessionBackend "crqehku38g33i88npuilpc2r199rqmfs" data dirty due to dirty(): PluggableAuthLogin->execute/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Se        ssion->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "crqehku38g33i88npuilpc2r199rqmfs" save: dataDirty=1 metaDirty=0 forcePersist=0

For what its worth, I use the 1.15 version of SSP. If you downgrade to that version, maybe it will work?

Unfortunately that caused a laundry list of errors with the SSP web application, and I would very much like to avoid spending too much effort to get everything running on a version of SSP from three years ago.

Did you test the simpleSAMLphp library configuration using https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_5 to see what attributes are returned?

I am having the exact same issue.

Did you test your SimpleSAMLphp setup in isolation from MediaWiki first to see what attributes are returned as @Cindy.cicalese suggested?

If so, what attributes does SimpleSAMLphp say are being returned?

@MarkAHershberger the results of trying @Cindy.cicalese has only these attributes Email, sn, givenName. I contacted the team that set up the Federation. They are telling me they are supplying the uid attribute. Could I have done something on my end to have dropped it or should I push back on that team to double check?

I *think* that will only show what you are given. @Cindy.cicalese might know more here.

In any case, in my metadata file (saml20-idp-remote.php), which is updated every hour from the my SAML provider., there is a base64-encoded xml blob for the entityDescription key that contains a series ofsaml:Attributeelements. The Name attribute of these elements matches the order of list given in the SAML 2.0 Demo page. (There is one missing attribute, but it looks like that one is missing in the directory, as well.)

This would lead me to say that, if you can, try to extract the list of attributes from your saml20-idp-remote.php file (which I assume you got from information generated by the team that set this up) and see if it lists the uid.

If it doesn't, then I would tell them that.

But, in any case, I think you need to talk to them some more.

My understanding is that if the attribute is not shown on the test page, it is not being sent by the identity provider. So, yes, you should have them double check.