SimpleSAMLphp and Mediawiki 1.27 with the SimpleSamlAuth Extension


Pete Olsen

Dec 1, 2016, 3:45:22 PM
to SimpleSAMLphp
Hello,
  I am trying to set up SSO on Mediawiki and I keep getting an issue where the SAML handshake goes fine but Mediawiki never "picks up" the cookie or session and doesn't allow you to log in.

Any Ideas?
Thanks,
Pete.

Jaime Perez Crespo

Dec 1, 2016, 5:11:34 PM
to simple...@googlegroups.com
Hi again Pete,

On 1 Dec 2016, at 21:45 PM, Pete Olsen <hepa...@gmail.com> wrote:
> Hello,
> I am trying to set up SSO on Mediawiki and I keep getting an issue where the SAML handshake goes fine but Mediawiki never "picks up" the cookie or session and doesn't allow you to log in.

You have conflicting sessions between Mediawiki and SimpleSAMLphp. Configure both to use different sessions and it will work.

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Pete Olsen

Dec 1, 2016, 5:27:52 PM
to SimpleSAMLphp
Thanks for the help! :) When you say they are conflicting, what is conflicting? The Cookies? I don't really understand what to change and where in order to fix it.
Pete.

Manilal K M

Dec 2, 2016, 12:51:44 AM
to simple...@googlegroups.com
Pete,

I'm not sure which MediaWiki version you are using. MediaWiki has
changed its Authentication/Session management from v1.27. See the
details here: https://www.mediawiki.org/wiki/Manual:SessionManager_and_AuthManager.

Don't know whether the SimpleSamlAuth
(https://www.mediawiki.org/wiki/Extension:SimpleSamlAuth) extension
supports these new features.

I was able to quickly configure MediaWiki-SimpleSAMLphp integration by
using the latest PluggableAuth and SimpleSAMLphp extensions.

https://www.mediawiki.org/wiki/Extension:PluggableAuth
https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp

Do not forget to read the Installation notes in the SimpleSAMLphp
extension page.

regards
--
Manilal K M | മണിലാല്‍ കെ എം.
http://libregeek.blogspot.com

Jaime Perez Crespo

Dec 2, 2016, 3:36:35 AM
to simple...@googlegroups.com
Hi!

On 1 Dec 2016, at 23:27 PM, Pete Olsen <hepa...@gmail.com> wrote:
> Thanks for the help! :) When you say they are conflicting, what is conflicting? The Cookies? I don't really understand what to change and where in order to fix it.
> Pete.

Apart from what Manilal is suggesting, which could also be the root of the issue (I just don’t know, I haven’t used mediawiki for years), the typical reason for this kind of error is that you have SimpleSAMLphp and your application using the same PHP session. That can’t happen. SSP needs its own session, so you need to give them different names (meaning different cookies) or use a different session backend.

Pete Olsen

Dec 2, 2016, 7:51:38 AM
to SimpleSAMLphp
Thank you for your reply. I really appreciate it.
I have SSP's config.php set up with the following:

    'store.type' => 'phpsession',
    'session.save_handler'=> "files",
    'session.save_path' => "/tmp",
    'session.name' => "PHPSESSID_SAML",
    'session.cookie_path' => "/", 
    'session.cookie_domain' => "datawiki-dev",
    'session.phpsession.cookiename' => "PHPSESSID_SAML",
    'session.phpsession.savepath' => "/tmp",
    'session.phpsession.httponly' => true,

I have the following in the Mediawiki LocalSettings.php:

$wgSessionName = "PHPSESSID_MEDIAWIKI";
$wgSamlRequirement = "SAML_OPTIONAL";
$wgSamlCreateUser = false;

// SAML attributes
$wgSamlUsernameAttr = 'NameID';
$wgSamlRealnameAttr = 'firstlast';
$wgSamlMailAttr = 'mail';

// SimpleSamlPhp settings
$wgSamlSspRoot = '/var/simplesamlphp';
$wgSamlAuthSource = 'default-sp';
$wgSamlPostLogoutRedirect = NULL;

$wgSamlGroupMap = array(
	'sysop' => array(
		'groups' => array('admin', 'fim-datawiki-admin'),
	),
	'user'  => array(
	    'groups' => array('fim-datawiki-reader'),		
	),
);

As I understand it this code should allow both Mediawiki and SSP to be using different php sessions. However, I still get the same issue where the SSP seems to work and returns back but mediawiki doesn't "See it".

Thanks,
Pete

Pete Olsen

Dec 2, 2016, 9:54:59 AM
to SimpleSAMLphp
Manilal,
  I am trying to set the sessions as you suggested. Check out my latest post with the settings I am trying. Can you share your settings?
Thanks,
Pete.

Manilal K M

Dec 5, 2016, 1:30:24 AM
to simple...@googlegroups.com
On 2 December 2016 at 20:24, Pete Olsen <hepa...@gmail.com> wrote:
> Manilal,
> I am trying to set the sessions as you suggested, Check out my latest post
> with the settings I am trying. Can you share your settings?

There are two changes - I'm using the newer PluggableAuth and
SimpleSAMLphp extensions. Secondly, SimpleSAMLphp (IdP) is configured
to use MySQL as the session storage. We had trouble using PHPSESSION
and we reconfigured to use SQL for session storage.

I'm not sure whether simply changing the session name makes this work.
MediaWiki documentation has explicitly mentioned that you need to use
something other than PHPSESSION for store.type in SimpleSAMLphp.
Following is the excerpt from their doc:

"SimpleSAMLphp cannot be configured to use phpsession for store.type,
since this is not compatible with MediaWiki's session management
framework..."

Following is the config from SimpleSAMLphp/config/config.php
'store.type' => 'sql',
'store.sql.dsn' => 'sqlite:/home/www/html/SimpleSAMLphp/sessionstore.sqlite',

Following is the config from MediaWiki/LocalSettings.php
##pluggable auth
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_Class = "SimpleSAMLphp";

##simplesamlauth
wfLoadExtension( 'SimpleSAMLphp' );
$wgSimpleSAMLphp_InstallDir = '/home/www/html/simplesaml-dev/';
$wgSimpleSAMLphp_AuthSourceId = 'default-sp';
$wgSimpleSAMLphp_RealNameAttribute = 'cn';
$wgSimpleSAMLphp_EmailAttribute = 'mail';
$wgSimpleSAMLphp_UsernameAttribute = 'uid';

Hope this helps.

regards,
Manilal

Manilal K M

Dec 5, 2016, 1:34:12 AM
to simple...@googlegroups.com
One change:
'store.sql.dsn' =>
'sqlite:/home/www/html/simplesaml-dev/sessionstore.sqlite',

(It's a bad idea to store the session storage in apache document root.
This is the config from our test server, so we don't care).
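
An added example, not part of the original thread or of either project's code: a small Python check for the two configuration problems raised above, SimpleSAMLphp left on the `phpsession` store next to MediaWiki, and an SQLite session store placed under the web server's document root. The sample config text is constructed from the settings posted in this thread; the document root `/home/www/html`, the finding codes and the regex-based option lookup are assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed samples modelled on the settings posted in this thread.
SSP_PHPSESSION = """
    'store.type' => 'phpsession',
    'session.phpsession.cookiename' => "PHPSESSID_SAML",
"""
SSP_SQL = """
    'store.type' => 'sql',
    'store.sql.dsn' => 'sqlite:/home/www/html/simplesaml-dev/sessionstore.sqlite',
"""
LOCAL_SETTINGS = '$wgSessionName = "PHPSESSID_MEDIAWIKI";\n'
DOCROOT = "/home/www/html"  # assumption: the Apache document root on that host


def ssp_option(config_text, key):
    """Return the quoted string value of a 'key' => 'value' entry, or None."""
    pattern = r"""['"]%s['"]\s*=>\s*['"]([^'"]*)['"]""" % re.escape(key)
    match = re.search(pattern, config_text)
    return match.group(1) if match else None


def check(ssp_config, local_settings, docroot=DOCROOT):
    """Return a list of finding codes for the two files' session settings."""
    findings = []
    # SimpleSAMLphp falls back to phpsession when store.type is not set.
    store = ssp_option(ssp_config, "store.type") or "phpsession"
    if store == "phpsession":
        # The MediaWiki documentation quoted above rules this store out.
        findings.append("phpsession-store")
        mw = re.search(r"""\$wgSessionName\s*=\s*['"]([^'"]*)['"]""", local_settings)
        ssp_cookie = ssp_option(ssp_config, "session.phpsession.cookiename")
        if mw and ssp_cookie == mw.group(1):
            findings.append("shared-cookie-name")
    dsn = ssp_option(ssp_config, "store.sql.dsn") or ""
    if store == "sql" and dsn.startswith("sqlite:"):
        db_file = PurePosixPath(dsn[len("sqlite:"):])
        # A session database below the document root may be served as a file.
        if PurePosixPath(docroot) in db_file.parents:
            findings.append("sqlite-in-docroot")
    return findings


if __name__ == "__main__":
    print(check(SSP_PHPSESSION, LOCAL_SETTINGS))
    print(check(SSP_SQL, LOCAL_SETTINGS))
```

The lookup is a plain text match, so an option that is commented out in `config.php` is still read as if it were active.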

Pete Olsen

Dec 5, 2016, 10:58:41 AM
to SimpleSAMLphp
Thanks Manilal! :) I will test these settings out.