Topic on Extension talk:SimpleSAMLphp

Confused by the new way to do group mapping using pluggable auth.

Hpyjoy (talkcontribs)

Using PluggableAuth and SimpleSAMLphp versions for MediaWiki 1.41.1

I am going from this:

'mapGroups_Map' => [ 'mediawiki group' => ['saml attribute' => ['group 1', 'group 2', '...']]]

to this using PluggableAuth, but it is not working. Better examples would be useful in either the SimpleSAMLphp or the PluggableAuth docs. I have tried putting the MediaWiki group first and that does not work either.

'...://schemas.microsoft.com/ws/2008/06/identity/claims/role' contains the attribute. I had to remove the http and replace with "..." because it would not let me post my question with it in place.

<Attribute Name="...://schemas.microsoft.com/ws/2008/06/identity/claims/role">
    <AttributeValue>Admin</AttributeValue>
</Attribute>

@Cindy.cicalese

$wgPluggableAuth_Config["Log in without Password (SSO)"] = [
    "plugin" => "SimpleSAMLphp",
    "data" => [
        "authSourceId" => "default-sp",
        "usernameAttribute" => "alias",
        "realNameAttribute" => "displayname",
        "emailAttribute" => "email"
    ],
    "groupsyncs" => [
        [
            'type' => 'mapped',
            'map' => [
                'Admin' => [ '...://schemas.microsoft.com/ws/2008/06/identity/claims/role' => ['sysop'] ],
                'User_draft_edit' => [ '...://schemas.microsoft.com/ws/2008/06/identity/claims/role' => ['bureaucrat'] ],
                'User_draft_read' => [ '...://schemas.microsoft.com/ws/2008/06/identity/claims/role' => ['suppress'] ]
            ]
        ]
    ]
];
Osnard (talkcontribs)

Looking at the SAML attribute value, I guess your config should look like this:

$claim = '...://schemas.microsoft.com/ws/2008/06/identity/claims/role';

$wgPluggableAuth_Config["Log in without Password (SSO)"] = [
    "plugin" => "SimpleSAMLphp",
    ...
    "groupsyncs" => [
        [
            'type' => 'mapped',
            'map' => [
                'sysop' => [
                    $claim => [ 'Admin' ]
                ],
                'bureaucrat' => [
                    $claim => [ 'User_draft_edit' ]
                ],
                'suppress' => [
                    $claim => [ 'User_draft_read' ]
                ]
            ]
        ]
    ]
];

HINT: The suppress group may not be what you want for a group called 'User_draft_read'.
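An added example (not code from this thread, PluggableAuth or SimpleSAMLphp) that models how a 'mapped' groupsync entry is read, to show why the two key orderings above behave differently. The function `resolveMappedGroups` and its matching rule (a group is granted when the named attribute carries at least one listed value) are assumptions about the extension's behaviour, the sample attributes are constructed, and the claim name keeps the "..." stand-in from the question.

```php
<?php
// Hypothetical resolver for the 'mapped' structure discussed above:
//   'mediawiki group' => [ 'saml attribute' => [ 'value', ... ] ]
// Assumed rule: the MediaWiki group is granted when the attribute holds
// at least one of the listed values. A missing attribute grants nothing.
function resolveMappedGroups( array $map, array $attributes ): array {
    $granted = [];
    foreach ( $map as $wikiGroup => $rules ) {
        foreach ( $rules as $attrName => $wantedValues ) {
            // SAML attributes are multi-valued; treat a scalar as a one-element list.
            $actual = (array)( $attributes[$attrName] ?? [] );
            if ( array_intersect( $actual, $wantedValues ) !== [] ) {
                $granted[] = $wikiGroup;
                break; // one matching attribute is enough for this group
            }
        }
    }
    return $granted;
}

// Constructed sample: the role claim from the question, carrying the value "Admin"
// (the "..." stands in for the scheme, exactly as in the question).
$claim = '...://schemas.microsoft.com/ws/2008/06/identity/claims/role';
$samlAttributes = [ $claim => [ 'Admin' ] ];

// Map in the shape posted in the question: MediaWiki group and SAML value are swapped,
// so it looks for a MediaWiki group called "Admin" granted by the claim value "sysop".
$swappedMap = [
    'Admin' => [ $claim => [ 'sysop' ] ],
];

// Map in the shape Osnard suggests: the MediaWiki group is the outer key,
// the claim value that should grant it is the inner list.
$correctMap = [
    'sysop' => [ $claim => [ 'Admin' ] ],
];

// Same SAML assertion, two maps: the swapped map grants no group at all,
// the corrected map grants sysop. An assertion without the claim grants nothing either way.
echo 'swapped map grants: [' . implode( ', ', resolveMappedGroups( $swappedMap, $samlAttributes ) ) . "]\n";
echo 'correct map grants: [' . implode( ', ', resolveMappedGroups( $correctMap, $samlAttributes ) ) . "]\n";
echo 'no claim grants:    [' . implode( ', ', resolveMappedGroups( $correctMap, [] ) ) . "]\n";
```

Because a swapped map silently grants nothing, that mistake is easy to notice; the reverse mistake, a map whose inner value list is too broad and grants sysop to unintended roles, is the one worth checking against a test account before rollout.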