
Topic on Extension talk:SimpleSAMLphp

Where is the SP and IdP Metadata config?

WikiManBanx (talk | contribs)

Hello,

In the examples I have seen to get this up and running, there is mention of authSourceId as default-sp (inside of $wgPluggableAuth_Config). Where is default-sp configured? There is also mention of a config.php file, but I cannot find this in the installation folder for the SimpleSAMLphp extension. Specifically, I am missing how to set up the SP metadata and also how to ingest the IdP metadata into MediaWiki for SAML authentication. Any help will be greatly appreciated, thank you.

This is where I am so far:

```php
wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = true; //false
$wgPluggableAuth_EnableLocalProperties = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

# adding SimpleSAMLphp extension
wfLoadExtension( 'SimpleSAMLphp' );

# SimpleSAMLphp install directory. Required.
$wgSimpleSAMLphp_InstallDir = '/extensions/SimpleSAMLphp/src';

$wgPluggableAuth_Config['Log in using Banks SAML'] = [
    'plugin' => 'SimpleSAMLphp',
    'data'   => [
        'authSourceId'      => 'default-sp',
        'usernameAttribute' => '...emailaddress',
        'realNameAttribute' => '...name',
        'emailAttribute'    => '...emailaddress'
    ]
];
```

@Cindy.cicalese

Really sorry for tagging you, Cindy, if I am not supposed to. I am doing so because I see you are an author of SimpleSAMLphp and I really need help. Thank you.

Note: I took out the preceding part of the user attributes because my topic was being flagged as having spam links.
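The question above (where `default-sp` is defined, and where SP and IdP metadata live) is answered by the layout of the separate SimpleSAMLphp library, not by the MediaWiki extension. The following is an added example written for this thread; it is not code from the original post, from the MediaWiki extension, or from the SimpleSAMLphp project. It targets a SimpleSAMLphp 2.x library install at /var/simplesamlphp; the hostnames, entity IDs, key file names, the `TENANT-ID` placeholder and the certificate value are assumptions to be replaced with real values.

```php
<?php
// Added example for this thread, not code from the original post, the MediaWiki
// extension or the SimpleSAMLphp project. Hostnames, entity IDs, key file names,
// the TENANT-ID placeholder and the certificate value are all assumptions.
// Target: SimpleSAMLphp 2.x library installed at /var/simplesamlphp.

// ===== 1. MediaWiki LocalSettings.php =====
// The MediaWiki extension (extensions/SimpleSAMLphp) is only the bridge to
// PluggableAuth. The SAML Service Provider itself is the separate SimpleSAMLphp
// library from simplesamlphp.org, installed outside the wiki tree.
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'SimpleSAMLphp' );
$wgSimpleSAMLphp_InstallDir = '/var/simplesamlphp';   // library root, not extensions/SimpleSAMLphp/src

$wgPluggableAuth_Config['Log in using SAML'] = [
    'plugin' => 'SimpleSAMLphp',
    'data'   => [
        // Must be a key of $config in the library's config/authsources.php (section 2).
        'authSourceId'      => 'default-sp',
        // Attribute names exactly as the IdP releases them; these are the
        // ADFS / Azure AD style claim URIs used in the original post.
        'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        'realNameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
        'emailAttribute'    => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    ],
];

// ===== 2. /var/simplesamlphp/config/authsources.php =====
// This is where 'default-sp' is defined: it IS the SP configuration. The SP
// metadata XML that the IdP administrator imports is generated from it and
// served by the library at <baseurlpath>module.php/saml/sp/metadata/default-sp.
$config = [
    'admin' => [ 'core:AdminPassword' ],

    'default-sp' => [
        'saml:SP',
        // Self-chosen, stable identifier; register the same value at the IdP.
        'entityID' => 'https://mywiki.azurewebsites.net/_saml/sp',
        // Must equal the array key used in metadata/saml20-idp-remote.php (section 3).
        'idp' => 'https://sts.windows.net/TENANT-ID/',
        // SP signing key pair, stored under the directory set by 'certdir' in config.php.
        'privatekey'  => 'sp.key',
        'certificate' => 'sp.crt',
        'sign.authnrequest' => true,
    ],
];

// ===== 3. /var/simplesamlphp/metadata/saml20-idp-remote.php =====
// The IdP's metadata is "ingested" here, keyed by the IdP entityID. Either
// hand-write it from the IdP's federation metadata XML as below, or paste that
// XML into the metadata converter in the library's admin module and copy the output.
$metadata['https://sts.windows.net/TENANT-ID/'] = [
    'SingleSignOnService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://login.microsoftonline.com/TENANT-ID/saml2',
        ],
    ],
    'SingleLogoutService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://login.microsoftonline.com/TENANT-ID/saml2',
        ],
    ],
    // Base64 DER certificate from the IdP metadata's <ds:X509Certificate>.
    // Placeholder value; replace with the real one. Assertion signatures are
    // verified against it, so obtain the metadata over HTTPS from the IdP itself.
    'certData' => 'MIIC...REPLACE-WITH-IDP-SIGNING-CERT...',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
];
```

The three sections are three separate files; they are shown together only so the cross-references are visible: `authSourceId` in LocalSettings.php names the `default-sp` key in authsources.php, and the `idp` value there names the array key in saml20-idp-remote.php. A wrong `certData` is the one mistake that silently weakens the setup, since it is what ties an assertion to the IdP.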

Osnard (talk | contribs)
WikiManBanx (talk | contribs)

Thank you very much. I had no idea SimpleSAMLphp (the MediaWiki extension) is different from SimpleSAMLphp (from simplesamlphp.org). Since then, I have installed SimpleSAMLphp in my application at /var/simplesamlphp (version 2.2.1). But I get an error when trying to hit the admin page of SimpleSAMLphp. Logs show a 500 error when trying to GET /mediawiki/var/simplesamlphp/public/module.php. Any help will be appreciated.

I also get this error when I try to login with SAML

PHP Deprecated: Creation of dynamic property Less_Tree_Dimension::$parensInOp is deprecated in /mediawiki/vendor/wikimedia/less.php/lib/Less/Parser.php


Here are the relevant contents of my LocalSettings.php file:


```php
# adding PluggableAuth extension
wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = true; //false
$wgPluggableAuth_EnableLocalProperties = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

#adding SimpleSAMLphp extension
wfLoadExtension( 'SimpleSAMLphp' );

#SimpleSAMLphp install directory. Required.
$wgSimpleSAMLphp_InstallDir = 'var/simplesaml';

// SAML AuthENTICATION (Tell Mediawiki "WHO" the user "IS")
$wgPluggableAuth_Config['Log in using SAML'] = [
    'plugin' => 'SimpleSAMLphp',
    'data'   => [
        'authSourceId'      => 'default-sp',
        'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        'realNameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
        'emailAttribute'    => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    ]
];
```

Osnard (talk | contribs)

You can ignore the "PHP Deprecated:" message. It does no harm.

Regarding your issue with the SimpleSAMLphp application: if there is a 500 error, there should be an entry in the PHP error log as well that provides additional information.

Also make sure to closely follow the instructions on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html

For further help on how to install and configure the SimpleSAMLphp application I recommend asking on their chat / mailing list: https://simplesamlphp.org/support/

WikiManBanx (talk | contribs)

Understood, and thank you. I will try their support. Not sure if I should be looking elsewhere, but when I look in the log stream of the App Service (Azure App Service running PHP 8.x on Linux), all I see is the 500 and no additional details. Please share any other place I should be looking. I am not great with Linux, so I may be missing something very obvious.

WikiManBanx (talk | contribs)

Hello Osnard,

I have been communicating on SimpleSAMLphp's Slack since we last messaged each other, and it has not borne any fruit. Here is where I am stuck.


Azure App Service running on PHP 8.2 and Linux. The web server is nginx. I followed the installation instructions from the simplesamlphp.org page.

```php
'baseurlpath' => 'https://mysimplesamlphp.azurewebsites.net/var/simplesamlphp/public/',
'secretsalt' => 'xxxxxxx',          // masked
'auth.adminpassword' => 'xxxxxxx',  // masked
```

Everything else is default.

When I try to hit the /public/admin page, I always get a 404 error. Any ideas? As a test, I dropped a test PHP file in the same location and that loads fine.

Any ideas?

Osnard (talk | contribs)

The value of https://mysimplesamlphp.azurewebsites.net/var/simplesamlphp/public/ for baseurlpath looks pretty wrong. I would have expected https://mysimplesamlphp.azurewebsites.net/. It is very uncommon to expose a server-side filesystem path to the web. Instead, /var/simplesamlphp/public/ should be set as the "document root" in the web server configuration for a website served under https://mysimplesamlphp.azurewebsites.net/

But be aware that usually the "SAML Service Provider" application (= SimpleSAMLphp) must run under the same domain as the wiki itself.

E.g. if your MediaWiki is hosted at https://mywiki.azurewebsites.net/wiki/Main_Page, your SimpleSAMLphp application should be hosted at https://mywiki.azurewebsites.net/_saml. Otherwise you will probably run into session issues, as the session cookie is usually bound to the domain.
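The two points in the reply above (do not put a filesystem path into baseurlpath; keep the SP on the wiki's origin so the session cookie reaches both) translate into a handful of config.php keys. The block below is an added example written for this thread, not configuration from the original posts or from the SimpleSAMLphp project; it shows the posted value beside the corrected one. It assumes the library lives at /var/simplesamlphp, that the web server maps the URL prefix /_saml/ onto the directory /var/simplesamlphp/public/ (an alias or second document root, as the project's install guide describes), and that the wiki is served from https://mywiki.azurewebsites.net/wiki/. Hostnames and secrets are placeholders; keys not listed keep the 2.x template defaults.

```php
<?php
// Added example, not from the thread or the SimpleSAMLphp project: the relevant
// part of /var/simplesamlphp/config/config.php for an SP served under the
// wiki's own origin. Hostnames, paths and secrets are assumptions/placeholders.
$config = [
    // WRONG (the value from the thread): a server filesystem path inside the
    // URL, on a different host than the wiki. The web server has no route for
    // it (hence the 404), and even if it had, a session cookie set for
    // mysimplesamlphp.azurewebsites.net is never sent to mywiki.azurewebsites.net.
    // 'baseurlpath' => 'https://mysimplesamlphp.azurewebsites.net/var/simplesamlphp/public/',

    // RIGHT: same scheme and host as the wiki, under a short prefix that the
    // web server aliases to /var/simplesamlphp/public/. The value must be an
    // absolute URL ending in a slash; the admin UI is then at <baseurlpath>admin/.
    'baseurlpath' => 'https://mywiki.azurewebsites.net/_saml/',

    // Directories relative to the library root unless absolute.
    'certdir'    => 'cert/',
    'loggingdir' => 'log/',
    'datadir'    => 'data/',
    'tempdir'    => '/tmp/simplesaml',

    // Placeholders: generate a long random salt and set a real admin password.
    'secretsalt'         => 'REPLACE-WITH-A-LONG-RANDOM-STRING',
    'auth.adminpassword' => 'REPLACE-WITH-A-REAL-PASSWORD',

    // Cookie scope: the wiki (/wiki/) and the SP (/_saml/) must both receive
    // the SimpleSAMLphp session cookie, so keep the path at '/' and leave the
    // domain unset (defaults to the host the response came from).
    'session.cookie.path'   => '/',
    'session.cookie.domain' => null,
    'session.cookie.secure' => true,   // HTTPS only; the site is served over TLS

    // While a 500 or 404 is being chased: log verbosely to a file under
    // loggingdir and surface errors instead of a blank page. Turn showerrors
    // off again once the setup works; stack traces leak paths and versions.
    'logging.level'   => \SimpleSAML\Logger::DEBUG,
    'logging.handler' => 'file',
    'logging.logfile' => 'simplesamlphp.log',
    'showerrors'      => true,
    'errorreporting'  => true,
];
```

The check after changing baseurlpath is simple: open `https://mywiki.azurewebsites.net/_saml/admin/` in a browser, log in with the admin password, and confirm the SP metadata page lists `default-sp`. If that URL still returns 404, the problem is the web server mapping of /_saml/ to the public directory, not SimpleSAMLphp itself.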
