
Topic on Extension talk:SimpleSAMLphp

Stopii (talkcontribs)

Hi,

I've just implemented simpleSAMLphp SSO with ADFS and it works great on several apps from my intranet.

When I test from the Apache alias (https://wiki.mydomain.local/simplesaml), I connect successfully and I can get the correct information from the claim list.

However, with Mediawiki and the extension SimpleSAMLphp, I can't connect.

______

When I try, the browser is stuck in a loop:

Special:UserLogin --> Special:PluggableAuthLogin --> index.php?title=Special:UserLogin/return&wpLoginToken=... --> Special:UserLogin --> etc.

______

I've tried putting some var_dump calls in extensions/SimpleSAMLphp/SimpleSAMLphp.php to track things.

So I know the authenticate function returns true and finds the correct user (with the correct $id and $username; the user already exists in the mediawiki.mwuser table).

I have no clue about what's happening here, any idea?

______

Some info:

- PHP 7.1.13 (on Gentoo)

- Apache 2.4.27-r1

- SimpleSAMLphp 1.15.4 is using sqlite for session store (I had the same problem with 1.15.3)

- MediaWiki 1.27.3 (using postgresql as backend)

- tried with Firefox, Chrome, IE and Edge

Cindy.cicalese (talkcontribs)

Have you turned on MediaWiki debugging? See Manual:How to debug#Setting up a debug log file.

It would be good to see the lines that begin with "[PluggableAuth]" or "[authentication]" as well as any lines that include "SimpleSAMLphp". In particular, you should see:

[PluggableAuth] Getting PluggableAuth singleton

[PluggableAuth] Class name: SimpleSAMLphp

[PluggableAuth] Authenticated ...

and then later:

[PluggableAuth] User is authorized.

Hopefully you'll see an error indicating what is wrong.

If there is an error setting up the SimpleSAMLphp variables, you might see something like:

SimpleSAMLphp: $wgSimpleSAMLphp_UsernameAttribute is not set.

or

SimpleSAMLphp: Could not find username attribute.

However, that type of error would not result in the redirect loop. My hunch is that there is an issue with the session storage so that when Special:PluggableAuthLogin redirects back to Special:UserLogin, the required authentication information is not found in the session.

103.240.240.252 (talkcontribs)

Thanks for your quick answer (and sorry for delay, I wasn't available).

I've tried to check what you said but there's no line with [PluggableAuth] or SimpleSAMLphp.

I just see:

[authentication] MediaWiki\Auth\LegacyHookPreAuthenticationProvider::testForAuthentication: No username in $reqs, skipping hooks

______

I wasn't able to solve this by myself; can you have a look at the log?

I've extracted the loop, you can read it at https://pastebin.com/VTKCWJDL

Cindy.cicalese (talkcontribs)

Ah, you are using an older version of PluggableAuth that does not have the same level of debug logging.

I'm seeing:

    Authenticated existing user: Stopi
    .....
    User is authorized.

before the redirection back to Special:UserLogin, so it appears that SimpleSAMLphp and PluggableAuth are working correctly.

Then, I see:

[error] [WrG5FX8AAAEAAF4en5wAAAAQ] /index.php?title=Special:UserLogin/return&wpLoginToken=0d09a4e78fc399cdbdea6db3c4ffddd15ab1b914%2B%5C   ErrorException from line 3306 of /var/www/mediawiki/htdocs/includes/db/Database.php: PHP Notice: Uncommitted DB writes (transaction from DatabaseBase::query (JobQueueDB::doGetSiblingQueuesWithJobs)).

That may be a problem. I recall seeing that in previous versions of MediaWiki, although it never prevented authentication from working. I have not tested with postgresql, however.

One thing you could try is updating to the most recent version of the PluggableAuth extension.
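As an added illustration of the log triage described in the two replies above (this is not code from the thread, from PluggableAuth or from MediaWiki): a small Python script that splits a MediaWiki debug log into requests, checks for the PluggableAuth progression lines Cindy lists, looks for the Special:UserLogin -> Special:PluggableAuthLogin -> Special:UserLogin/return cycle, and collects [error] lines. The embedded log is constructed for the example, not the pastebin from the thread; it assumes MediaWiki writes a "Start request METHOD URL" line per request to $wgDebugLogFile, and the other lines are modelled on the ones quoted in the thread. The marker check is a substring match, so it also works with older PluggableAuth releases that log without the [PluggableAuth] prefix.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (not the pastebin from the thread). The per-request
# "Start request METHOD URL" line is an assumption about the $wgDebugLogFile
# format; the [authentication], [PluggableAuth] and [error] lines are modelled
# on the ones quoted in the thread. Request id and login token are placeholders.
SAMPLE_LOG = r"""Start request GET /index.php?title=Special:UserLogin
[authentication] MediaWiki\Auth\LegacyHookPreAuthenticationProvider::testForAuthentication: No username in $reqs, skipping hooks
Start request GET /index.php?title=Special:PluggableAuthLogin
[PluggableAuth] Getting PluggableAuth singleton
[PluggableAuth] Class name: SimpleSAMLphp
[PluggableAuth] Authenticated existing user: Stopi
[PluggableAuth] User is authorized.
Start request GET /index.php?title=Special:UserLogin/return&wpLoginToken=TOKEN-PLACEHOLDER
[error] [REQID-PLACEHOLDER] /index.php?title=Special:UserLogin/return&wpLoginToken=TOKEN-PLACEHOLDER   ErrorException from line 3306 of /var/www/mediawiki/htdocs/includes/db/Database.php: PHP Notice: Uncommitted DB writes (transaction from DatabaseBase::query (JobQueueDB::doGetSiblingQueuesWithJobs)).
Start request GET /index.php?title=Special:UserLogin
[authentication] MediaWiki\Auth\LegacyHookPreAuthenticationProvider::testForAuthentication: No username in $reqs, skipping hooks
Start request GET /index.php?title=Special:PluggableAuthLogin
[PluggableAuth] Getting PluggableAuth singleton
[PluggableAuth] Class name: SimpleSAMLphp
[PluggableAuth] Authenticated existing user: Stopi
[PluggableAuth] User is authorized.
Start request GET /index.php?title=Special:UserLogin/return&wpLoginToken=TOKEN-PLACEHOLDER
[error] [REQID-PLACEHOLDER] /index.php?title=Special:UserLogin/return&wpLoginToken=TOKEN-PLACEHOLDER   ErrorException from line 3306 of /var/www/mediawiki/htdocs/includes/db/Database.php: PHP Notice: Uncommitted DB writes (transaction from DatabaseBase::query (JobQueueDB::doGetSiblingQueuesWithJobs)).
Start request GET /index.php?title=Special:UserLogin
"""

# The PluggableAuth progression listed in the thread. Matched as substrings so
# logs from older PluggableAuth releases, which omit the "[PluggableAuth]"
# prefix, still match.
EXPECTED_MARKERS = (
    "Getting PluggableAuth singleton",
    "Class name: SimpleSAMLphp",
    "Authenticated ",          # "Authenticated existing user: ..." and similar
    "User is authorized.",
)

START_RE = re.compile(r"^Start request (\S+) (\S+)")


def page_title(url):
    """Return the ?title= value of a MediaWiki index.php URL, or the path if absent."""
    parts = urlsplit(url)
    title = parse_qs(parts.query).get("title")
    return title[0] if title else parts.path


def split_requests(log_text):
    """Group log lines by request, keyed by the page title the request was for."""
    requests = []
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if m:
            requests.append((page_title(m.group(2)), []))
        elif requests:
            requests[-1][1].append(line)
    return requests


def marker_progress(requests):
    """Which of the expected PluggableAuth markers appear anywhere in the log."""
    all_lines = [l for _, lines in requests for l in lines]
    return {m: any(m in l for l in all_lines) for m in EXPECTED_MARKERS}


def find_redirect_loop(titles, max_cycle=4, min_repeats=2):
    """Shortest cycle of distinct page titles repeated consecutively min_repeats times, or None."""
    for n in range(1, max_cycle + 1):
        for start in range(len(titles) - n * min_repeats + 1):
            cycle = titles[start:start + n]
            window = titles[start:start + n * min_repeats]
            if len(set(cycle)) == n and window == cycle * min_repeats:
                return cycle
    return None


def error_lines(requests):
    """[error] lines together with the page title of the request they occurred in."""
    return [(title, l) for title, lines in requests for l in lines if l.startswith("[error]")]


def triage(log_text):
    """Summarise a debug log: request titles, marker coverage, redirect loop, errors."""
    requests = split_requests(log_text)
    titles = [t for t, _ in requests]
    return {
        "requests": titles,
        "markers": marker_progress(requests),
        "loop": find_redirect_loop(titles),
        "errors": error_lines(requests),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for marker, seen in report["markers"].items():
        print(f"{'seen   ' if seen else 'MISSING'} {marker}")
    print("redirect loop:", " -> ".join(report["loop"]) if report["loop"] else "none")
    for title, line in report["errors"]:
        print(f"error during {title}: {line[:80]}")
```

Run it as-is to see the triage of the embedded sample, or replace SAMPLE_LOG with the contents of your own $wgDebugLogFile. All four markers seen together with a detected loop is the same picture the thread shows: authentication and authorization complete in the Special:PluggableAuthLogin request, and the problem is in what happens on the way back to Special:UserLogin/return rather than in the SAML exchange itself.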

Wikistopi (talkcontribs)

Hi,

As I mentioned in the first post, I was using the LTS version of MediaWiki (1.27), so the matching versions of each extension were used accordingly.

After what you said, I decided to upgrade my whole system to MediaWiki 1.30 and the latest extensions.

It worked!

Thanks a lot for your time and efforts, I wish you a nice day, mine is already shiny.

And by the way, thanks for those useful extensions; having a working SSO is so nice for end users.