MediaWiki: 1.39.1
Pluggable Auth: 6.2
SimpleSAMLphp: 5.0.1
Local SimpleSAMLphp: 2.0.3
PHP: 8.2
I'm hoping someone can shed some light on an odd problem I'm having with SAML and PluggableAuth. If a user is completely logged out of the MediaWiki instance and attempts to log in with SAML to an Okta IdP, I get "Fatal error authenticating user".
However, if I try to log in again, I'm in without issue. It doesn't reach out to the external server and proceeds without a hitch.
If I go to Special:UserLogout and then attempt to log in, the behavior repeats.
I've dug into the logs and found two almost identical GET requests. One is same-origin, works, and has this in the log:
[PluggableAuth] In execute()
[PluggableAuth] Getting PluggableAuth instance
[PluggableAuth] Plugin name: SimpleSAMLphp
[PluggableAuth] Instance already exists
The other fails, is a cross-site request, and has this message:
[PluggableAuth] Getting PluggableAuth instance
[PluggableAuth] Could not get authentication plugin instance.
I've tried authorizing XSS in my vhost configuration, and I know for a fact nothing is being denied by a firewall. Is there something I need to change in my configuration?
$wgPluggableAuth_Config['Log in using my SAML'] = [
    'plugin' => 'SimpleSAMLphp',
    'data' => [
        'authSourceId' => 'default-sp',
        'usernameAttribute' => 'NameID',
        'realNameAttribute' => 'NameID',
        'emailAttribute' => 'NameID',
    ]
];
$wgSimpleSAMLphp_InstallDir = "/var/simplesamlphp";
I've added the remote IdP to the trusted.url.domains value in the config.php file for SimpleSAMLphp.
The GET requests are identical, except that the one that works says:
SEC-FETCH-SITE: same-origin
The one that doesn't says:
SEC-FETCH-SITE: cross-site (with a referrer of my IdP)
Note: Technical limitations on the part of my IdP require me to keep a list of authenticated users, and getting them to add NameID (which is the account's email address) as an attribute was painful enough. I have autocreateaccount and createaccount set to false. I know this isn't considered the typical use case.
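As an added diagnostic example (not part of the original post or of the PluggableAuth/SimpleSAMLphp code): a small Python script that parses two raw request header dumps, constructed here to mirror the same-origin and cross-site requests described above, and reports whether the MediaWiki session cookie travelled with the cross-site return from the IdP; it also reads the SameSite attribute off a Set-Cookie header. Hostnames, the session cookie name and the cookie values are placeholders.

```python
import re

# Constructed sample request dumps (placeholder hosts/cookies, not captured traffic),
# modelled on the two requests in the post: one same-origin, one returning from the IdP.
SAME_ORIGIN_REQ = """GET /index.php?title=Special:PluggableAuthLogin HTTP/1.1
Host: wiki.example.invalid
Cookie: wiki_session=0123abcd; wikiUserName=alice
Sec-Fetch-Site: same-origin
"""

CROSS_SITE_REQ = """GET /index.php?title=Special:PluggableAuthLogin HTTP/1.1
Host: wiki.example.invalid
Referer: https://idp.example.invalid/
Sec-Fetch-Site: cross-site
"""


def parse_request(raw):
    """Split a raw HTTP request dump into (request line, {lower-case header: value})."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def cookie_names(headers):
    """Names of every cookie the browser attached to the request."""
    raw = headers.get("cookie", "")
    return {part.split("=", 1)[0].strip() for part in raw.split(";") if part.strip()}


def samesite_attribute(set_cookie):
    """SameSite value from a Set-Cookie header, or None when the server omitted it
    (current browsers then treat the cookie as Lax)."""
    match = re.search(r";\s*SameSite=([A-Za-z]+)", set_cookie, re.IGNORECASE)
    return match.group(1) if match else None


def diagnose(raw, session_cookie="wiki_session"):  # assumed session cookie name
    """Report how the request arrived and whether the session cookie came with it."""
    _, headers = parse_request(raw)
    site = headers.get("sec-fetch-site")
    has_session = session_cookie in cookie_names(headers)
    if site == "cross-site" and not has_session:
        verdict = "session cookie absent on cross-site return; login state held in the session cannot be resumed"
    elif has_session:
        verdict = "session cookie present"
    else:
        verdict = "no session cookie (normal for a fresh same-origin visit)"
    return {"site": site, "referer": headers.get("referer"), "has_session": has_session, "verdict": verdict}
```

Run `diagnose()` over the real request dumps from the access log and, if the cross-site one lacks the session cookie, compare the wiki's Set-Cookie line with `samesite_attribute()`.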