I have got simplesamlphp working but the extension doesn't actually log me in. Any help you can offer would be great.
Thanks,
P.
Description
Description
Event Timeline
Comment Actions
I'm assuming that you've already tested your SimpleSAMLphp installation by browsing to https://.../module.php/core/authenticate.php and logging in. If that works, note your authentication source and the values of "Your attributes". Make sure that your LocalSettings.php file (or other config file you are loading) has the following:
wfLoadExtension( 'SimpleSAMLphp' ); $wgSimpleSAMLphp_UsernameAttribute = '<someattribute>'; $wgSimpleSAMLphp_RealNameAttribute = [ '<someattribute(s)>' ]; $wgSimpleSAMLphp_EmailAttribute = '<someattribute>'; $wgSimpleSAMLphp_InstallDir = '/path/to/simplesamlphp/'; $wgSimpleSAMLphp_AuthSourceId = '<your authentication source name>';
with the values in <> filled in as appropriate for your environment and the <> removed.
Comment Actions
I have all of those set up. Yes, I am able to authenticate from the simplesamlphp test application and get back the attributes. I do have those settings set up for MW, however I am still not able to connect.
Here are my simplesamlphp config.php settings:
'store.type' => 'phpsession', 'session.save_handler'=> "files", 'session.save_path' => "/tmp", 'session.name' => "PHPSESSIDSAML", 'session.cookie.name' => 'PHPSESSIDSAML', 'session.cookie_path' => "/", 'session.cookie_domain' => "datawiki-dev", 'session.phpsession.cookiename' => "PHPSESSIDSAML", 'session.phpsession.savepath' => "/tmp", 'session.phpsession.httponly' => true, 'session.phpsession.savepath' => "/tmp", 'session.phpsession.httponly' => true, 'session.authtoken.cookiename' => 'SimpleSAMLAuthToken',
Here are my MW settings:
$wgSessionName = "PHPSESSIDMW"; $wgSamlRequirement = "SAML_OPTIONAL"; $wgSamlCreateUser = false; $wgSimpleSAMLphp_InstallDir = "/var/simplesamlphp"; $wgSimpleSAMLphp_AuthSourceId = "default-sp"; $wgSimpleSAMLphp_RealNameAttribute = "firstlast"; $wgSimpleSAMLphp_EmailAttribute = "mail"; $wgSimpleSAMLphp_UsernameAttribute = "NameID"; // SAML attributes $wgSamlUsernameAttr = 'NameID'; $wgSamlRealnameAttr = 'firstlast'; $wgSamlMailAttr = 'mail'; // SimpleSamlPhp settings $wgSamlSspRoot = '/var/simplesamlphp'; $wgSamlAuthSource = 'default-sp'; $wgSamlPostLogoutRedirect = NULL; Thanks Pete.
Comment Actions
That's the problem. From the the extension page: " SimpleSAMLphp cannot be configured to use phpession for store.type, since this is not compatible with MediaWiki's session management framework." I have been successful using SQL storage, which is documented here. For MySQL, I use:
'store.type' => 'sql', 'store.sql.dsn' => 'mysql:host=localhost;dbname=<....>', 'store.sql.username' => '<....>', 'store.sql.password' => '<....>',
Also, you have listed the configuration variables for the the SimpleSAMLphp extension and the SimpleSamlAuth extension. From the MediaWiki configuration variables you listed, you should only need:
$wgSimpleSAMLphp_InstallDir = "/var/simplesamlphp"; $wgSimpleSAMLphp_AuthSourceId = "default-sp"; $wgSimpleSAMLphp_RealNameAttribute = "firstlast"; $wgSimpleSAMLphp_EmailAttribute = "mail"; $wgSimpleSAMLphp_UsernameAttribute = "NameID";
Comment Actions
I will have to try the SQL option.
I have seen differing opinions about this. Some say you need to set the phpsession to have a different names for Mediawiki and SSP. Others say they need to be the same so they share. I have tried both with no success so I am thinking you are right. One person says they have it working with phpsessions but I have not seen their settings.
Thanks again for your answer! :)
Pete.
Comment Actions
Before MediaWiki 1.27, you could share the session successfully. However, session management was completely redesigned in MediaWiki 1.27, and I was not able to get the two to work together.
You're very welcome :-)
Cindy
Comment Actions
Cindy,
Ugg this thing is still giving me issues! You say you where able to use the SimpleSAMLphp extension? It is not working for me. :P Any special fixes you had to do?
Thanks,
Pete.
Comment Actions
I use it with MW 1.27 and MW 1.28. Are you using the head of the master branch of SimpleSAMLphp and the head of the REL1_27 branch of MediaWiki core? With the configuration described above, there should be nothing else required. Could you describe how it is failing?
Comment Actions
There is also a bug in simplesamlphp that might be affecting you: http://stackoverflow.com/questions/27433038/requester-invalidnameidpolicy-error-with-simplesamlphp-sp-and-adfs-idp. To fix it, you need to set
'NameIDPolicy' => null,
in config/authsources.php.
Comment Actions
Yes, I was using the master branch of 1.27.1 and simpleSAMLphp. I will check out that error. :) I will double check my config tomorrow.
Thanks,
Pete.
Comment Actions
Cindy,
Once I do get this working, :) How do I assign users into groups based on their attrs?
Thanks,
Pete.
Comment Actions
It gives back the error "The Supplied Credentials could not be authenticated".
That error corresponds to the following MediaWiki core message:
languages/i18n/en.json: "authmanager-authn-no-primary": "The supplied credentials could not be authenticated.",
That message is issued by includes/auth/AuthManager.php when no matching primary authentication provider can be found. That should not happen if the PluggableAuth and SimpleSAMLphp extensions are the correct version and are installed/configured correctly. Do you have
wfLoadExtension( 'PluggableAuth' );
in addition to
wfLoadExtension( 'SimpleSAMLphp' );
I'm assuming you do, otherwise you would be getting the standard username/password login, which would be the primary authentication provider. Have you removed any other authentication extensions that may be interfering? Have you enabled detailed debugging and checked for errors or exceptions in the MediaWiki (and simplesamlphp, although it doesn't appear to be getting that far) debug log (https://www.mediawiki.org/wiki/Manual:How_to_debug)? I usually debug with the following in LocalSettings.php:
error_reporting( -1 ); ini_set( 'display_errors', 1 ); $wgResourceLoaderDebug = true; $wgShowExceptionDetails = true; $wgDebugLogFile= "/tmp/MediaWikiDebug.log";
Checking the MediaWiki, simplesamlphp, and web server error logs (e.g. /var/log/httpd/error_log for Apache) should yield further clues.
Once I do get this working, :) How do I assign users into groups based on their attrs?
I believe @MarkAHershberger was working on an extension that works with PluggableAuth and assigns users to MediaWiki groups based upon LDAP attributes.
Comment Actions
I am wondering how we can map a SAML attribute (Group) we get from ADFS to a Mediawiki group. Is this possible with this extension, if yes, how?
Comment Actions
@PeterBodifee: General support questions are best asked on https://www.mediawiki.org/wiki/Extension_talk:SimpleSAMLphp (where this topic is already covered).
Comment Actions
We finally got the debug information to be logged; this is from a full cycle of mediawiki login (Aanmelden) to the external IdP host and back. The message in the red box we get on the mediawiki login screen reads: "Authentication or authorization failure."
Attached is de MediaWiki debug log file as well as the simplesamlphp log file.
We applied all the suggestions we could find around caching and sessions, but are now stuck. Any help/pointers are appreciated!
Comment Actions
The debugging statement Authentication failure. on line 529 of debug-wikitstdb.log.full-login-cycle indicates that the SimpleSAMLphp::authenticate() function returned false, which would cause the error you are seeing. Unfortunately, that function does not emit any debugging information to give us a hint as to which return false; statement was executed. You could add some wfDebug("debugging message"); statements before each of those return statements to further narrow down which condition is failing. The SimpleSAMLphp::authenticate() function is in the file SimpleSAMLphp.php. I will make a note to add some additional debugging statements to that function when I next revisit it.
Something else to check: are you sure you have values set for all five of the configuration variables mentioned at https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp#Configuration_parameters? In particular, if any of the last three are not set, you would get a failure as the one described.
Comment Actions
Thank you Cindy, the debug statements helped me to see that there were errors made both in the parameter as well as in the value in LocalSettings.php. Have it now working that it will login.
You got to love interpreted code without syntax and type checking...
Comment Actions
Great news! Yes, I'm a fan of compiled, strongly type checked languages, myself. But, alas, that isn't an option.
Comment Actions
Glad it works for you. As this was a configuration bug and not a bug in the code base, I'm closing this task as invalid.
Comment Actions
Hi Cicalese,
I think I'm having the same problem with PHPSESSION. I'm trying to integrate Mediawiki with Okta using SimpleSamlphp. I'm authenticating to Okta. That part is working. The issue is I can't get both the SimpleSamlphp and Mediawiki sessions to match. When I uncomment the "require_once "$IP/extensions/SimpleSamlAuth/SimpleSamlAuth.php" in LocalSettings, it works. Without it, the login does not redirect to Okta.
I'm using 2 extensions: SimpleSamlAuth and Auth_remoteuser. I've been struggling with this for a while. Any help is appreciated.
Ulysses
Comment Actions
@Ulysses.ronquillo, this task is related to the SimpleSAMLphp extension, not SimpleSamlAuth or Auth_remoteuser. If you are having issues with those extensions, you should open a task related to them. That being said, as mentioned above, the MediaWiki session handling code is not compatible with the simplesamlphp library (as opposed to the extension) PHP code, so it is recommended to use SQL storage for the simplesamlphp sessions.