Topic on Extension talk:SimpleSAMLphp

Group Mapping with SimpleSAMLPHP

Gsmith1031 (talk | contribs)

Greetings. Has anyone gotten SimpleSAMLPHP/PluggableAuth and group mappings working?

I have SimpleSAMLPHP set up and working with Azure AD. I also have SSO working on MediaWiki using PluggableAuth and the SimpleSAMLPHP plugin. However, I cannot get group mappings to work.

I have my MediaWiki debug logging turned on and can see the Azure group identity/claims/role GUIDs being returned; however, PluggableAuth keeps removing my user from groups they should be in. In the debug logs:

[PluggableAuth] Removing 'username@domain.com' from group 'sysop'

I'm wondering if I should be adding the addOnlyGroups array, but I can't figure out the syntax.

$wgPluggableAuth_Config['SSO Login'] = [
    'plugin' => 'SimpleSAMLphp',
    'data' => [
        'authSourceId' => 'default-sp',
        'emailAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        'realNameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
        'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
        'userinfoProviders' => [
            'username' => 'rawusername',
        ],
    ],
    'groupsyncs'  => [
        [
            'type' => 'mapped',
            'map' => [
                'sysop' => [ 'groups' => 'azure group ID guids' ],
                'user'  => [ 'groups' => 'azure group ID guids' ]
            ],
            'addOnlyGroups' => [ 'sysop', 'user' ],
        ]
    ]
];

Osnard (talk | contribs)

In general this looks good and should work. I am not aware of any bug in the "mapped groupsync" feature in Extension:PluggableAuth (that's where it is actually implemented) and I am using the "mapped groupsync" feature in production with Extension:OpenIDConnect.

I was wondering about 'azure group ID guids'. This is just one GUID, right? And you are sure it is included in the 'groups' attribute in the SAML response? Just asking, because of the plural in your example and because Azure AD usually has attribute names that look like "http://schema....".

Can you maybe share a (redacted) example of the SAML attributes reported in your debug log? Then I can test this configuration in a unit test.
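
The check suggested in the reply above (whether the attribute named in the map is really the one carrying the GUID in the SAML response), as an added example that is not part of the thread and not PluggableAuth's own code. The function name `evaluateGroupMap`, the attribute URI and the GUID are hypothetical, and the add/keep/remove rules are an assumed simplification of a mapped group sync.

```php
<?php
// Added example: simplified model of a "mapped" group sync decision.
// Assumption: a rule matches when the named attribute exists and holds an
// expected value; groups listed in $addOnly are never removed.
function evaluateGroupMap( array $attributes, array $map, array $addOnly = [] ): array {
    $result = [];
    foreach ( $map as $wikiGroup => $rules ) {
        $matched = false;
        $reason = 'no rule matched';
        foreach ( $rules as $attrName => $expected ) {
            if ( !array_key_exists( $attrName, $attributes ) ) {
                $reason = "attribute '$attrName' not present in assertion";
                continue;
            }
            // Attribute values and expected values may be a string or a list.
            if ( array_intersect( (array)$expected, (array)$attributes[$attrName] ) ) {
                $matched = true;
                $reason = "expected value found in '$attrName'";
                break;
            }
            $reason = "attribute '$attrName' present, expected value missing";
        }
        if ( $matched ) {
            $action = 'add';
        } elseif ( in_array( $wikiGroup, $addOnly, true ) ) {
            $action = 'keep';
        } else {
            $action = 'remove';
        }
        $result[$wikiGroup] = [ 'action' => $action, 'reason' => $reason ];
    }
    return $result;
}

// Constructed sample: the IdP sends group GUIDs under a URI-style attribute
// name, while the first map looks for an attribute literally called 'groups'.
$guid = '00000000-0000-0000-0000-000000000001'; // placeholder GUID
$attributes = [ 'http://idp.example/claims/groups' => [ $guid ] ];

$shortName = [ 'sysop' => [ 'groups' => $guid ] ];
$fullName  = [ 'sysop' => [ 'http://idp.example/claims/groups' => $guid ] ];

print_r( evaluateGroupMap( $attributes, $shortName ) );
print_r( evaluateGroupMap( $attributes, $fullName ) );
print_r( evaluateGroupMap( $attributes, $shortName, [ 'sysop' ] ) );
```

Comparing the `reason` field for the two maps against the attribute names in the real debug log shows whether a removal comes from a mismatched attribute name or from a missing GUID value.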
