There is an excellent tutorial on Medium.com called
Mediawiki and Azure AD Single Sign On with step-by-step instructions on how to set up SSO for MediaWiki with Azure, but it is a bit outdated.
One note: what used to be “Reply URLs” is now called “Redirect URIs” in Azure, under the Authentication tab. We registered both of these URIs there:
https://wikisite.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
https://wikisite.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
as it wasn’t clear which one was needed, but with both registered it works. 🙂
Beyond that, the username code provided in the tutorial did not work for us, so we skipped that code and used this setting instead:
$wgSimpleSAMLphp_UsernameAttribute = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname';
Aside from that, the basic directions there work. If you have any questions or need help, just contact us.
We have migrated MediaWiki from the cloud to on-premise. Is it possible to configure SSO via Azure AD for on-premise MediaWiki? If not, can you suggest a possible solution?
Yes, that should be possible. Try the method as above.
Thanks for posting this ‘change in Azure AD’; I was looking for where to change the Redirect URIs, so you confirmed my assumption.
On the second issue you had with the UsernameAttribute: I think SimpleSAMLphp no longer supports arrays by default. I edited extensions/SimpleSAMLphp/src/UserInfoProvider/Username.php myself and changed the getValue method so that it supports an array of attribute references. The method now looks like:
    // getValue() of extensions/SimpleSAMLphp/src/UserInfoProvider/Username.php,
    // modified so $wgSimpleSAMLphp_UsernameAttribute may be either a single
    // attribute name or an array of attribute names whose values are concatenated.
    // Title must be imported in the class file (\Title on older MediaWiki,
    // MediaWiki\Title\Title on newer releases).
    public function getValue( $samlattributes ) {
        $usernameAttr = $this->config->get( 'UsernameAttribute' );
        $username = '';
        if ( $usernameAttr === null ) {
            throw new Exception( '$wgSimpleSAMLphp_UsernameAttribute is not set' );
        }
        // If no array is given, keep the normal behaviour
        if ( !is_array( $usernameAttr ) ) {
            if ( !isset( $samlattributes[$usernameAttr] ) ) {
                throw new Exception( 'Could not find username attribute: ' . $usernameAttr );
            }
            $username = $this->normalizeUsername( $samlattributes[$usernameAttr][0] );
        } else {
            // When an array is given, every listed attribute must be present;
            // the first value of each is normalized and appended in order
            foreach ( $usernameAttr as $arr_usernameAttr ) {
                if ( !isset( $samlattributes[$arr_usernameAttr] ) ) {
                    throw new Exception( 'Could not find username attribute: ' . $arr_usernameAttr );
                }
                $username .= $this->normalizeUsername( $samlattributes[$arr_usernameAttr][0] );
            }
        }
        // Reject anything that is not a valid user page title
        $newTitle = Title::makeTitleSafe( NS_USER, $username );
        if ( $newTitle === null ) {
            throw new Exception( 'Invalid username: ' . $username );
        }
        $username = $newTitle->getText();
        return $username;
    }