SyferLock Help Center

SimpleSAMLAuth Extension

Deploying SimpleSAMLAuth

The SimpleSAMLAuth is an extension for a MediaWiki deployment to support SAML and in our case GridGuard.

  1. First download version 0.4 of the extension from the extension's home site. (https://github.com/jornane/mwSimpleSamlAuth/archive/v0.4.zip)
  2. Extract the archive to the {MediaWiki Directory}/extensions/SimpleSAMLAuth (the directory should be created with the extraction)
  3. Now open up MediaWiki's LocalSettings.php configuration file in a text editor. Append the following line to the 'Enabled Extensions' area.
require_once "$IP/extensions/SimpleSamlAuth/SimpleSamlAuth.php";

Now save the LocalSetting.php file.

Configuring SimpleSAMLAuth

To configure the SimpleSAMLAuth extension, all of its configuration goes in the LocalSetting.php of MediaWiki. Open the file LocalSettings.php in the text editor of your choice. This section only goes through the minimal needed to configure the SimpleSAMLAuth extension. If you need more information about the configuration and workings of SimpleSAMLAuth extension, please browse to the link https://github.com/jornane/mwSimpleSamlAuth/

 

$wgSamlCreateUser Variable

The $wgSamlCreateUser variable is used to define if username from the SAML Asseration could automatically be created if they don't already exist in the MediaWiki database. In most cases, you want this value to be a 'TRUE' value.

Ex.

$wgSamlCreateUser = true;

 

$wgSamlRequirement Variable

The $wgSamlRequirement variable controls when a SAML session is required. The valid values are listed below.

  • SAML_OPTIONAL (A SAML is completely optional by the end user)
  • SAML_LOGIN_ONLY (A SAML Login is required if you are going to login. Anonymous access is available.
  • SAML_REQUIRED ( A SAML Login is required to access this MediaWiki deployment. No Anonymous access)

GridGuard recommends SAML_LOGIN_ONLY for read-only public deployments and SAML_REQUIRED for private deployments.

Ex.

$wgSamlRequirement = SAML_REQUIRED;

$wgSamlSspRoot Variable

The $wgSamlSspRoot variable defines the location where the SimpleSAMLAuth can find the SimpleSAMLPHP deployment in the filesyste.

Ex.

$wgSamlSspRoot = '/var/lib/simplesamlphp';

$wgSamlAuthSource Varilable

The $wgSamlAuthSource variable defines which SimpleSAMLPHP service provider profile that the SimpleSAMLAuth extension will use. Use the SimpleSAMLPHP label to identify it.

Ex.

$wgSamlAuthSource = 'default-sp';

$wgSessionName Variable

If you are PHP's internal session storage for your sessions, you will need to set the $wgSessionName variable to the following value.

$wgSessionName = ini_get('session.name');

Assertion Attribute Mapping

There are three main attributes that MediaWiki needs from the SAML Assertion. The SimpleSAMLAuth extension needs to know which SAML attributes map to what part of the user's profile. The $wgSamlUsernameAttr, $wgSamlRealnameAttr, and $wgSamlMailAttr variables are the three mapping profile attributes that need to set.

  • The $wgSamlMailAttr maps the user's e-mail address.
  • The $wgSamlUsernameAttr maps the user's username.
  • The $wgSamlRealnameAttr maps the user's real name.

Ex.

$wgSamlUsernameAttr = 'sAMAccountName';
$wgSamlRealnameAttr = 'cn';
$wgSamlMailAttr = 'mail';

Group Mapping

The SAML assertion is also used to provide group membership information also. You will need to map the MediaWiki group names to the SAML assertion attribute name to the list of group name values. The default MediaWiki groups names are listed below.

  • sysop : MediaWiki Adminsitrators
  • users :
  • autocreated_users : Users that were autocreated
  • bots : Automated Account Users
  • bureaucrats : Trusted Users

Ex.

$wgSamlGroupMap = array(
        'sysop' => array('memberOf' => array('CN=MediaWikiAdmins,OU=Groups,DC=mycompany,DC=local')),
        'users' => array('memberOf' => array('CN=MediaWikiUsers,OU=Groups,DC=mycompany,DC=local'))
);
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk