SimpleSAMLAuth Extension

Deploying SimpleSAMLAuth

The SimpleSAMLAuth is an extension for a MediaWiki deployment to support SAML and in our case GridGuard.

  1. First download version 0.4 of the extension from the extension's home site. (https://github.com/jornane/mwSimpleSamlAuth/archive/v0.4.zip)
  2. Extract the archive to the {MediaWiki Directory}/extensions/SimpleSAMLAuth (the directory should be created with the extraction)
  3. Now open up MediaWiki's LocalSettings.php configuration file in a text editor. Append the following line to the 'Enabled Extensions' area. 
require_once "$IP/extensions/SimpleSamlAuth/SimpleSamlAuth.php";

Now save the LocalSetting.php file.

Configuring SimpleSAMLAuth

To configure the SimpleSAMLAuth extension, all of its configuration goes in the LocalSetting.php of MediaWiki. Open the file LocalSettings.php in the text editor of your choice.

https://github.com/jornane/mwSimpleSamlAuth/

 

$wgSamlCreateUser Variable

The $wgSamlCreateUser variable is used to define if username from the SAML Asseration could automatically be created if they don't already exist in the MediaWiki database. In most cases, you want this value to be a 'TRUE' value.

Ex.

$wgSamlCreateUser = true;

 

$wgSamlRequirement Variable

The $wgSamlRequirement variable controls when a SAML session is required. The valid values are listed below.

  • SAML_OPTIONAL (A SAML is completely optional by the end user)
  • SAML_LOGIN_ONLY (A SAML Login is required if you are going to login. Anonymous access is available.
  • SAML_REQUIRED ( A SAML Login is required to access this MediaWiki deployment. No Anonymous access)

GridGuard recommends SAML_LOGIN_ONLY for read-only public deployments and SAML_REQUIRED for private deployments.

Ex.

$wgSamlRequirement = SAML_REQUIRED;

$wgSamlSspRoot Variable

The $wgSamlSspRoot variable defines the location where the SimpleSAMLAuth can find the SimpleSAMLPHP deployment in the filesyste.

Ex.

$wgSamlSspRoot = '/var/lib/simplesamlphp';

$wgSamlAuthSource Varilable

The $wgSamlAuthSource variable defines which SimpleSAMLPHP service provider profile that the SimpleSAMLAuth extension will use. Use the SimpleSAMLPHP label to identify it.

Ex.

$wgSamlAuthSource = 'default-sp';

$wgSessionName Variable

If you are PHP's internal session storage for your sessions, you will need to set the $wgSessionName variable to the following value. 

$wgSessionName = ini_get('session.name');

$wgSamlPostLogoutRedirect Variable

This is the URL that MediaWiki redirects the browser to after the user clicks on the 'logout' link. This value should be the SAML Logout URL in the SAML SP's entry in the GridGuard ACC. Don't use the angle brackets.

$wgSamlPostLogoutRedirect = '<SAML LOGOUT URL>';

 

Assertion Attribute Mapping

There are three main attributes that MediaWiki needs from the SAML Assertion. The SimpleSAMLAuth extension needs to know which SAML attributes map to what part of the user's profile. The $wgSamlUsernameAttr, $wgSamlRealnameAttr, and $wgSamlMailAttr variables are the three mapping profile attributes that need to set.

  • The $wgSamlMailAttr maps the user's e-mail address.
  • The $wgSamlUsernameAttr maps the user's username.
  • The $wgSamlRealnameAttr maps the user's real name.

Ex.

$wgSamlUsernameAttr = 'sAMAccountName';
$wgSamlRealnameAttr = 'cn';
$wgSamlMailAttr = 'mail';

Group Mapping

The SAML assertion is also used to provide group membership information also. You will need to map the MediaWiki group names to the SAML assertion attribute name to the list of group name values. The default MediaWiki groups names are listed below.

  • sysop : MediaWiki Adminsitrators
  • users :
  • autocreated_users : Users that were autocreated
  • bots : Automated Account Users
  • bureaucrats : Trusted Users

Ex.

$wgSamlGroupMap = array(
        'sysop' => array('memberOf' => array('CN=MediaWikiAdmins,OU=Groups,DC=mycompany,DC=local')),
        'users' => array('memberOf' => array('CN=MediaWikiUsers,OU=Groups,DC=mycompany,DC=local'))
);