Issue Integrating SimpleSamlPHP on Mediawiki

Pramod Singh

Aug 5, 2014, 3:21:22 AM
to simple...@googlegroups.com
Hi All,

In my current setup, I have set up SP and IDP using SimpleSamlPHP on different CentOS 5.5 machines. SP and IDP are working correctly and I was able to integrate my corePHP application successfully.

Further, in order to integrate my current setup on Mediawiki V2.21, I installed and configured Extension:SimpleSamlAuth from here - http://www.mediawiki.org/wiki/Extension:SimpleSamlAuth

But login using IDP is not working for Mediawiki.

When I try to log in to Mediawiki using SAML, it goes to the IDP and asks for credentials, and after that redirects back to the application. Up to here everything is as expected, but Mediawiki shows no user logged in.

I would appreciate any thoughts.

Thanks & Regards,
Pramod




Peter Schober

Aug 6, 2014, 5:14:55 AM
to simple...@googlegroups.com
* Pramod Singh <askpram...@gmail.com> [2014-08-05 09:21]:
> When I try to Log-in Mediawiki using SAML, It goes to IDP and ask
> for credentials, after that redirect back to Application, till here
> everything is as expected, but Mediawiki show no user logged in.

You don't provide any technical details, so how should others help you
solve your problem?
Start with the config for the plug-in you added to your
LocalSettings.php and provide a list of received attribute names on
that SSP SP.
-peter

Pramod Singh

Aug 7, 2014, 12:47:01 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Thanks Peter !

Here is the config I added/changed on LocalSettings.php -

require_once "$IP/extensions/SimpleSamlAuth/SimpleSamlAuth.php";

// SAML_OPTIONAL // SAML_LOGIN_ONLY // SAML_REQUIRED //
$wgSamlRequirement = SAML_OPTIONAL;
// Should users be created if they don't exist in the database yet?
$wgSamlCreateUser = false;

// SAML attributes
$wgSamlUsernameAttr = 'sAMAccountName';
$wgSamlRealnameAttr = 'cn';
$wgSamlMailAttr = 'mail';

// SimpleSamlPhp settings
$wgSamlSspRoot = '/var/www/html/mwiki/simplesamlphp';
$wgSamlAuthSource = 'mwiki';
$wgSamlPostLogoutRedirect = NULL;

// Array: [MediaWiki group][SAML attribute name][SAML expected value]
// If the SAML assertion matches, the user is added to the MediaWiki group
$wgSamlGroupMap = array(
        'sysop' => array(
                'groups' => array('admin'),
        ),
);

Attribute names showing if I use "Test authentication sources" on my SP are - 
cn
sAMAccountName
mail

Also I am using Active directory LDAP server as IDP backend.

Thanks,
Pramod

Peter Schober

Aug 7, 2014, 1:07:35 AM
to simple...@googlegroups.com
* Pramod Singh <askpram...@gmail.com> [2014-08-07 06:47]:
> Here is the config I added/changed on LocalSettings.php -
[...]
> // SAML attributes
> $wgSamlUsernameAttr = 'sAMAccountName';
> $wgSamlRealnameAttr = 'cn';
> $wgSamlMailAttr = 'mail';
[...]
> Attribute names showing if I use "Test authentication sources" on my SP are
> -
> cn
> sAMAccountName
> mail

If that's all OK (and it sure looks like it is) it must be something
with the application session integration, which probably only the
plugin's author can comment on.
(Sorry, I've only ever used MediaWiki with the Shibboleth plugin.)
-peter

Sixto Martin

Aug 7, 2014, 2:22:08 AM
to simple...@googlegroups.com

Hi Pramod,

I think that the plugin that you are using is quite old. Take a look at https://github.com/yorn/mwSimpleSamlAuth; the author says that it works with the Mediawiki version that you are trying to use.

Another alternative, if you have a session issue: try to set simplesamlphp to handle sessions using memcache instead of phpsession (that could solve your current problem).


Jason Haar

Aug 7, 2014, 2:57:00 AM
to simple...@googlegroups.com
I can confirm that. I just got this mediawiki extension up and happily
running this week - so it definitely works.

Of course you need to ensure SSP is working before even thinking about
integrating it with mediawiki, i.e. use the
/module.php/core/frontpage_welcome.php URL to test the Idp/SP
relationship before doing anything else.

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Yørn de Jong

Aug 11, 2014, 6:21:37 PM
to simple...@googlegroups.com
Hi,

I’m the author of mwSimpleSamlAuth. The plugins referenced by Pramod Singh and Sixto Martin are the same. Sixto may be right about the different session handlers; these can conflict and prevent logins. A temporary fix for this problem is available. [1]
Alternatively, check that the mail attribute (defined in $wgSamlMailAttr) actually contains an e-mail address.
If this doesn’t help, check the MediaWiki logs. You’re welcome to make a ticket on the GitHub project if you have any further questions; this will also help me understand how the plugin is used and improve it accordingly :-)

Cheers,
Yørn

[1] https://github.com/yorn/mwSimpleSamlAuth/issues/11#issuecomment-45391700

Pramod Singh

Aug 12, 2014, 5:44:11 AM
to simple...@googlegroups.com, y.a.d...@me.com
Hi guys,

Thanks for your thoughts!

The default datastore is 'phpsession' in both SSP and Mediawiki, so the session handler is the same for both.

Though the issue has been fixed by the temporary fix suggested by Yorn.

I just added the line below to my LocalSettings.php file -
$wgSessionName = ini_get('session.name');

But I don't understand the exact cause of the issue and how I can resolve it permanently.

Thanks,
Pramod Singh
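
An added example, not part of the thread and not code from mwSimpleSamlAuth: a stand-alone PHP check of the points raised above, namely that the attributes named in the $wgSaml*Attr settings are present, that the mail attribute holds an e-mail address, and that the wiki's session name equals PHP's session.name. The function name checkSamlLoginPrereqs and all sample values are constructed; the attribute array is assumed to have the name => list-of-values shape that SimpleSAMLphp returns.

```php
<?php
// Added diagnostic sketch; function name and sample data are constructed.

/**
 * @param array  $attrs       SAML attributes as name => list of values
 * @param array  $cfg         attribute names taken from the $wgSaml*Attr settings
 * @param string $wikiSession session name the wiki uses (its $wgSessionName)
 * @param string $phpSession  PHP's session.name, which the fix above copies
 * @return string[] problems found; an empty list means every check passed
 */
function checkSamlLoginPrereqs(array $attrs, array $cfg, $wikiSession, $phpSession)
{
    $problems = array();

    // Every configured attribute must arrive with a non-blank first value.
    foreach (array('username', 'realname', 'mail') as $key) {
        $name = $cfg[$key];
        if (empty($attrs[$name]) || trim($attrs[$name][0]) === '') {
            $problems[] = "attribute '$name' ($key) missing or empty";
        }
    }

    // The mail attribute must actually contain an e-mail address.
    $mailAttr = $cfg['mail'];
    if (!empty($attrs[$mailAttr])
        && filter_var($attrs[$mailAttr][0], FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = "attribute '$mailAttr' is not an e-mail address";
    }

    // The temporary fix sets the wiki's session name to PHP's; flag a difference.
    if ($wikiSession !== $phpSession) {
        $problems[] = "session name mismatch: wiki '$wikiSession', PHP '$phpSession'";
    }
    return $problems;
}

// Constructed sample: attribute names from the thread, made-up values.
$cfg = array('username' => 'sAMAccountName', 'realname' => 'cn', 'mail' => 'mail');
$attrs = array(
    'sAMAccountName' => array('jdoe'),
    'cn'             => array('Jane Doe'),
    'mail'           => array('jdoe'),   // a login name, not an address
);
// 'wikidb_session' is a constructed stand-in for the wiki's own session name.
foreach (checkSamlLoginPrereqs($attrs, $cfg, 'wikidb_session', ini_get('session.name')) as $p) {
    echo $p, "\n";
}
```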