There is an excellent tutorial on Medium.com called “Mediawiki and Azure AD Single Sign On”, with step-by-step instructions for setting up SSO for MediaWiki with Azure, but it’s a bit outdated.
One note: the “Reply URLs” setting is now called “Redirect URIs” in Azure, under the Authentication tab. We also used both of these URIs there:
Aside from that, the basic directions there work. If you have any questions or need help, just contact us.
3 Replies to “SSO for MediaWiki with Azure”
We have migrated MediaWiki from cloud to On-Premise. Is it possible to configure SSO via Azure AD for MediaWiki On-prem? Else, can you suggest any possible solution?
Yes, that should be possible. Try the method as above.
Thanks for posting this ‘change in Azure AD’. I was kinda looking where to change the Redirect URIs. So you confirmed my assumption.
On the second issue you had on the UsernameAttribute: I think SimpleSAMLphp is not supporting arrays anymore by default. I edited extensions/SimpleSAMLphp/src/UserInfoProvider/Username.php myself and changed the getValue method so it supports an array with attribute references. The method now looks like:
    public function getValue( $samlattributes ) {
        $usernameAttr = $this->config->get( 'UsernameAttribute' );
        $username = '';
        if ( $usernameAttr === null ) {
            throw new Exception( '$wgSimpleSAMLphp_UsernameAttribute is not set' );
        }
        // If no array is given, keep the normal single-attribute behaviour
        if ( !is_array( $usernameAttr ) ) {
            if ( !isset( $samlattributes[$usernameAttr] ) ) {
                throw new Exception( 'Could not find username attribute: ' . $usernameAttr );
            }
            $username = $this->normalizeUsername( $samlattributes[$usernameAttr][0] );
        } else {
            // When an array is given, append the normalized first value of each attribute in order
            $username = "";
            foreach ( $usernameAttr as $arr_usernameAttr ) {
                if ( !isset( $samlattributes[$arr_usernameAttr] ) ) {
                    throw new Exception( 'Could not find username attribute: ' . $arr_usernameAttr );
                }
                $username .= $this->normalizeUsername( $samlattributes[$arr_usernameAttr][0] );
            }
        }
        // Let MediaWiki validate and canonicalize the resulting user name
        $newTitle = Title::makeTitleSafe( NS_USER, $username );
        if ( $newTitle === null ) {
            throw new Exception( 'Invalid username: ' . $username );
        }
        $username = $newTitle->getText();
        return $username;
    }
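A stand-alone check of the array-based username construction described in the comment above, added here as an example (not the commenter's or the extension's code). resolveUsername(), its $separator parameter and the department/employeeNumber attributes are assumptions of this example; it compares joining several attributes with and without a separator, so you can confirm that two different accounts never resolve to the same wiki user, and it rejects missing or empty attributes.

```php
<?php
// Added example: stand-alone sketch, not the extension's or the commenter's code.
// resolveUsername(), its $separator parameter and the sample attributes are constructed.

function resolveUsername( array $samlAttributes, $usernameAttr, string $separator = '' ): string {
	if ( $usernameAttr === null || $usernameAttr === [] ) {
		throw new Exception( 'Username attribute is not set' );
	}
	$parts = [];
	// (array) turns a single attribute name into a one-element list
	foreach ( (array)$usernameAttr as $attr ) {
		// Covers a missing attribute, an empty value list and a blank first value
		if ( !isset( $samlAttributes[$attr][0] ) || trim( (string)$samlAttributes[$attr][0] ) === '' ) {
			throw new Exception( 'Could not find username attribute: ' . $attr );
		}
		$value = trim( (string)$samlAttributes[$attr][0] );
		// A value that already contains the separator would make the joined name ambiguous again
		if ( $separator !== '' && strpos( $value, $separator ) !== false ) {
			throw new Exception( 'Separator found inside attribute: ' . $attr );
		}
		$parts[] = $value;
	}
	return implode( $separator, $parts );
}

// Constructed assertions for two different directory accounts
$attrs = [ 'department', 'employeeNumber' ];
$accountA = [ 'department' => [ '12' ], 'employeeNumber' => [ '345' ] ];
$accountB = [ 'department' => [ '123' ], 'employeeNumber' => [ '45' ] ];

// Compare the joined names first without a separator, then with one
foreach ( [ '', '-' ] as $sep ) {
	$nameA = resolveUsername( $accountA, $attrs, $sep );
	$nameB = resolveUsername( $accountB, $attrs, $sep );
	printf( "separator %s: A=%s B=%s distinct=%s\n",
		var_export( $sep, true ), $nameA, $nameB, var_export( $nameA !== $nameB, true ) );
}

// An attribute the IdP did not send is rejected instead of yielding a partial name
try {
	resolveUsername( [ 'department' => [ '12' ] ], $attrs, '-' );
} catch ( Exception $e ) {
	echo 'rejected: ', $e->getMessage(), "\n";
}
```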