Jump to content

Extension talk:SimpleSAMLphp

About this board

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions from the Special:Version page on your wiki as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

Group Mapping with SimpleSAMLPHP

2
Gsmith1031 (talkcontribs)

Greetings. Has anyone gotten SimpleSAMLPHP/PluggableAuth and group mappings working?

I have SimpleSAMLPHP setup and working with azure AD. I also have sso working on mediawiki using PluggableAuth and the SimpleSAMLPHP plugin. However, I cannot get group mappings to work.

I have my mediawiki debug logging turned on and can see the Azure group identity/claims/role guids being returned to, however, Pluggable auth keeps removing my user from groups they should be in, in the debug logs:

[PluggableAuth] Removing 'username@domain.com' from group 'sysop'

I'm wondering if I should adding the addOnlyGroups array, but I can't figure out the syntax.

$wgPluggableAuth_Config['SSO Login'] = [
    'plugin' => 'SimpleSAMLphp',
    'data' => [
        'authSourceId' => 'default-sp',
        'emailAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        'realNameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
        'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
        'userinfoProviders' => [
            'username' => 'rawusername',
        ],
    ],
    'groupsyncs'  => [
        [
            'type' => 'mapped',
                'map'   => [
                    'sysop'           => [ 'groups' => 'azure group ID guids' ],
                    'user'            => [ 'groups' => 'azure group ID guids' ]
                ],
                'addOnlyGroups' => [ 'sysop', 'user' ],
        ]
    ]
];

Osnard (talkcontribs)

In general this looks good and should work. I am not aware of any but in the "mapped groupsync" feature in Extension:PluggableAuth (that's where is it actually implemented) and I am ussing the "mapped groupsync" feature in production with Extension:OpenIDConnect.

I was wondering about 'azure group ID guids'. This is just one GUID, right? And you are sure it is included in the 'groups' attribute in the SAML response? Just asking, because of the plural in your example and because Azure AD usually has attribute names that look like "http://schema....".

Can you maybe share a (redacted) example of the SAML attributes reported on your debug log, then I can test this configuration in a UnitTest.

Reply to "Group Mapping with SimpleSAMLPHP"

Customize authenticate error message

2
2A01:CB06:8016:4996:75D6:1B5C:1E9A:56C0 (talkcontribs)

Hi,

I have functional SimpleSAML log in on my mediawiki, but in the case of error response from my IDP such as a "RequestDenied", i get redirected to the default SimpleSamlPHP UnhandledException page of my wiki, with the error stack, do you know if i can somehow customize here what is shown to the user ?

Osnard (talkcontribs)

I guess this could be done using errors.show_function in config.php of the SimpleSAMLphp application.

Reply to "Customize authenticate error message"

Where is the SP and IdP Metadata config?

7
WikiManBanx (talkcontribs)

Hello,

In examples I have seen to get this up and running, there is mention of authSourceId as default-sp (inside of $wgPluggableAuth_Config). Where is default-sp configured? There is also mention of a config.php file but I cannot find this in the installation folder for the simplesamlphp extension. Specifically, I am missing how to setup the SP metadata and also, ingest the IdP metadata into mediawiki for SAML authentication. Any help will be greatly appreciated, thank you.

This is where I am so far

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = true;

$wgPluggableAuth_EnableLocalLogin = true; //false

$wgPluggableAuth_EnableLocalProperties = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

# adding SimpleSAMLphp extension

wfLoadExtension( 'SimpleSAMLphp' );

# SimpleSAMLphp install directory. Required.

$wgSimpleSAMLphp_InstallDir = '/extensions/SimpleSAMLphp/src';

$wgPluggableAuth_Config['Log in using Banks SAML'] = [

    'plugin' =>   'SimpleSAMLphp',

    'data'   => [

'authSourceId'      => 'default-sp',

'usernameAttribute' => '...emailaddress',

'realNameAttribute' => '...name',

'emailAttribute'    => '...emailaddress'

                ]

];

@Cindy.cicalese

Really sorry for tagging you Cindy if I am not supposed to. I am doing so because I see you an author for SimpleSamlphp and really need help. Thank you.

Note: took out the preceding part of the user attributes cause my topic was being warned as having spam links

Osnard (talkcontribs)
WikiManBanx (talkcontribs)

Thank you very much. I had no idea simplesamlphp (the mediawiki extension) is different from simplesamlphp (from simplesaml.org). Since then, I have installed SimpleSAMLphp in my application at /var/simplesamlphp (version 2.2.1). But I get an error when trying to hit the admin page of simplesamlphp. Logs show a 500 error when trying to GET /mediawiki/var/simplesamlphp/public/module.php. Any help will be appreciated.

I also get this error when I try to login with SAML

PHP Deprecated: Creation of dynamic property Less_Tree_Dimension::$parensInOp is deprecated in /mediawiki/vendor/wikimedia/less.php/lib/Less/Parser.php


Here are relevant contents of my LocalSettings.php file


# adding PluggableAuth extension

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = true;

$wgPluggableAuth_EnableLocalLogin = true; //false

$wgPluggableAuth_EnableLocalProperties = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

#adding SimpleSAMLphp extension

wfLoadExtension( 'SimpleSAMLphp' );

#SimpleSAMLphp install directory. Required.

$wgSimpleSAMLphp_InstallDir = 'var/simplesaml';

// SAML AuthENTICATION (Tell Mediawiki "WHO" the user "IS")

$wgPluggableAuth_Config['Log in using SAML'] = [

    'plugin' =>   'SimpleSAMLphp',

    'data'   => [

'authSourceId'      => 'default-sp',

'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',

'realNameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',

'emailAttribute'    => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

                ]

];

Osnard (talkcontribs)

You can ignore the PHP Deprecated: message. It does not do any harm.

Regarding your issue with the SimpleSAMLphp application: It there is an error 500, there should be an entry in the PHP error log as well, that provides additional information.

Also make sure to closely follow the instructions on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html

For further help on how to install and configure the SimpleSAMLphp application I recommend asking on their chat / mailing list: https://simplesamlphp.org/support/

WikiManBanx (talkcontribs)

Understood and thank you. I will try their support. Not sure if I should be looking else where but when I look in the logstream of the app service (Azure App service running php 8.x on linux) all I see is the 500 and no additional details. Please share any other place I should be looking. Not great with linux so I may be missing something very obvious.

WikiManBanx (talkcontribs)

Hello Osnard,

I have been communicating on simplesamlphp's slack since we last messaged each other and it has not born any fruits. Here is where I am stuck.


Azure App Service running on PHP 8.2 and Linux. Webserver is nginx. Followed the installation instructions here from the simpesamlphp.org page.

baseurlpath => 'https://mysimplesamlphp.azurewebsites.net/var/simplesamlphp/public/'

'secretsalt' => 'xxxxxxx' (masked)

'auth.adminpassword' => 'xxxxxxx' (masked)

Everything else default.

When I try to hit the /public/admin page, I always get a 404 error. Any ideas? As a test, I dropped a test php file in the same location and that loads fine.

Any ideas?

Osnard (talkcontribs)

The value of https://mysimplesamlphp.azurewebsites.net/var/simplesamlphp/public/ for baseurlpath looks pretty wrong. I'd more have expected https://mysimplesamlphp.azurewebsites.net/. It is very uncommon to expose a serverside filesystem path entirely to the web. Instead /var/simplesamlphp/public/ should be set to be the "document root" in the webserver configuration for a website served under https://mysimplesamlphp.azurewebsites.net/

But: Be aware that usually the "SAML Service Provider" application (=SimpleSAMLphp) must run under the same domain as the wiki itself.

E.g. if your MediaWiki is hosted at https://mywiki.azurewebsites.net/wiki/Main_Page your SimpleSAMLphp application should be hosted at https://mywiki.azurewebsites.net/_saml. Otherwise you will probably run into session issues, as the session cookie is usually bound to the domain.

Reply to "Where is the SP and IdP Metadata config?"

Confused by the new way to do group mapping using pluggable auth.

2
Hpyjoy (talkcontribs)

Using pluggableauth and simplesamlphp versions for mediawiki 1.41.1

I am going from this:

'mapGroups_Map' => [ 'mediawiki group' => ['saml attribute' => ['group 1', 'group 2', '...']]]

to this using pluggable auth, but it is not working. Better examples would be useful either in the simplesaml or the plugableauth docs . I have tried putting the mediawiki group first and that does not work either.

'...://schemas.microsoft.com/ws/2008/06/identity/claims/role' contains the attribute. I had to remove the http and replace with "..." because it would not let me post my question with it in place.

<Attribute Name="...://schemas.microsoft.com/ws/2008/06/identity/claims/role">
    <AttributeValue>Admin</AttributeValue>
</Attribute>

@Cindy.cicalese

$wgPluggableAuth_Config["Log in without Password (SSO)"] = [
    "plugin" => "SimpleSAMLphp",
    "data" => [
        "authSourceId" => "default-sp",
        "usernameAttribute" => "alias",
        "realNameAttribute" => "displayname",
        "emailAttribute" => "email"
    ],
    "groupsyncs" => [
        [
            'type' => 'mapped',
            'map' => [
                'Admin' => [ '...://schemas.microsoft.com/ws/2008/06/identity/claims/role' => ['sysop'] ],
                'User_draft_edit' => [ '...://schemas.microsoft.com/ws/2008/06/identity/claims/role' => ['bureaucrat'] ],
                'User_draft_read' => [ '...://schemas.microsoft.com/ws/2008/06/identity/claims/role' => ['suppress'] ]
            ]
        ]
    ]
];
Osnard (talkcontribs)

Looking at the SAML attribute value, I guess your config should look like this:

$claim = '...://schemas.microsoft.com/ws/2008/06/identity/claims/role';

$wgPluggableAuth_Config["Log in without Password (SSO)"] = [
    "plugin" => "SimpleSAMLphp",
    ...
    "groupsyncs" => [
        [
            'type' => 'mapped',
            'map' => [
                'sysop' => [
                    $claim => [ 'Admin' ]
                ],
                'bureaucrat' => [
                    $claim =>  [ 'User_draft_edit' ]
                ],
                'suppress' => [
                    $claim => [ 'User_draft_read' ]
                ]
            ]
        ]
    ]
];


HINT: The suppress group may not be what you want for a group called 'User_draft_read'.

Reply to "Confused by the new way to do group mapping using pluggable auth."

Where is the SP and IdP Metadata config?

4
WikiManBanx (talkcontribs)

Hello,

In examples I have seen to get this up and running, there is mention of authSourceId as default-sp (inside of $wgPluggableAuth_Config). Where is default-sp configured? There is also mention of a config.php file but I cannot find this in the installation folder for the simplesamlphp extension. Specifically, I am missing how to setup the SP metadata and also, ingest the IdP metadata into mediawiki for SAML authentication. Any help will be greatly appreciated, thank you.

This is where I am so far

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = true;

$wgPluggableAuth_EnableLocalLogin = true; //false

$wgPluggableAuth_EnableLocalProperties = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

# adding SimpleSAMLphp extension

wfLoadExtension( 'SimpleSAMLphp' );

# SimpleSAMLphp install directory. Required.

$wgSimpleSAMLphp_InstallDir = '/extensions/SimpleSAMLphp/src';

$wgPluggableAuth_Config['Log in using Banks SAML'] = [

    'plugin' =>   'SimpleSAMLphp',

    'data'   => [

'authSourceId'      => 'default-sp',

'usernameAttribute' => '...emailaddress',

'realNameAttribute' => '...name',

'emailAttribute'    => '...emailaddress'

                ]

];

@Cindy.cicalese

Really sorry for tagging you Cindy if I am not supposed to. I am doing so because I see you an author for SimpleSamlphp and really need help. Thank you.

Note: took out the preceding part of the user attributes cause my topic was being warned as having spam links

Cindy.cicalese (talkcontribs)
WikiManBanx (talkcontribs)

That makes sense! Thank you Cindy! Will give that a go and ask any questions I have after, if any.

WikiManBanx (talkcontribs)

Thank you very much (I think Osnard also responded). I had no idea simplesamlphp (the mediawiki extension) is different from simplesamlphp (from simplesaml.org). Since then, I have installed SimpleSAMLphp in my application at /var/simplesamlphp (version 2.2.1). But I get an error when trying to hit the admin page of simplesamlphp. Logs show a 500 error when trying to GET /mediawiki/var/simplesamlphp/public/module.php. Any help will be appreciated.

I also get this error when I try to login with SAML

PHP Deprecated: Creation of dynamic property Less_Tree_Dimension::$parensInOp is deprecated in /mediawiki/vendor/wikimedia/less.php/lib/Less/Parser.php

Here are relevant contents of my LocalSettings.php file

# adding PluggableAuth extension

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = true;

$wgPluggableAuth_EnableLocalLogin = true; //false

$wgPluggableAuth_EnableLocalProperties = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

#adding SimpleSAMLphp extension

wfLoadExtension( 'SimpleSAMLphp' );

#SimpleSAMLphp install directory. Required.

$wgSimpleSAMLphp_InstallDir = 'var/simplesaml';

// SAML AuthENTICATION (Tell Mediawiki "WHO" the user "IS")

$wgPluggableAuth_Config['Log in using SAML'] = [

    'plugin' =>   'SimpleSAMLphp',

    'data'   => [

'authSourceId'      => 'default-sp',

'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',

'realNameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',

'emailAttribute'    => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

                ]

];

Reply to "Where is the SP and IdP Metadata config?"

simplesamlphp 2.1 needs php 8.0

2
TiloWiki (talkcontribs)
Osnard (talkcontribs)

Thanks for contributing this!

Reply to "simplesamlphp 2.1 needs php 8.0"

SSP version for MW 1.39.5

6
Testergt1302 (talkcontribs)

Hi

We are testing MW 1.39.5 with SAML SSO. with SSP 2.0.5 and it is working.

I see warning "You are running an outdated version of SimpleSAMLphp. Please update to the latest version as soon as possible" in the saml page.

This is the current setup we have:

mediawiki: 1.39.5

simplesamlphp 7.0

pluggableauth 7.0

SSP 2.0.5

Can you suggest which is the latest version of SSP supported with MW ?

Thanks

GT

Osnard (talkcontribs)

The latest version of SimpleSAMLphp (application, not extension) is 2.1.1. Even though i have not tested this explicitly I believe it should be compatible to Extension:SimpleSAMLphp version 7.

If you try it, please consider updating the compatibility section

Testergt1302 (talkcontribs)

Ok. I will test this once my current test is over.

Testergt1302 (talkcontribs)

@Osnard

I tested with SSP 2.1.1 the latest one with MW 1.39.5. Its working as expected. Not much difference in the configuration.

MW 1.39.5

SSP 2.1.1

pluggableauth 7.0

simplesamlphp (extension) 7.0


on RHEL 7.9

Apache 2.4

php 8.0

mysql 8.0

I have updated the compatibility section also.

Testergt1302 (talkcontribs)

Hi,

I tested SSP 2.1.1 in docker, but that is not working. I think it has a compatibility issue with MySQL database minor version. There were couple of errors in the logs related to database. But I could not spend more time on it to troubleshoot.

So, with MW 1.39.5 & SSP 2.1.1

Working version in RHEL - MySQL 8.0.25 & PHP 8.0

Non-working in docker - MySQL 8.0.32 & PHP 8.1

Osnard (talkcontribs)

Thanks a lot. That information is already very helpful.

Reply to "SSP version for MW 1.39.5"

Could not load aMeuthentication plugin

4
Luciferindcok (talkcontribs)

mediawiki: 1.39.4

simplesamlphp 7

pluggableauth 7

I am getting the error Could not load authentication plugin

$wgPluggableAuth_Config['Log in using my SAML'] = [

'plugin' => 'SimpleSAMLphp',

'data' => [
 		'authSourceId' => 'default-sp',
 		'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
 		'realNameAttribute' => ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname','http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'],
 		'emailAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
 	 ]
];

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'SimpleSAMLphp' );

$wgPluggableAuth_EnableAutoLogin = true;

$wgPluggableAuth_EnableLocalLogin = false;

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_ButtonLabelMessage = 'Login';

$wgPluggableAuth_Class = 'SimpleSAMLphp';

$wgSimpleSAMLphp_InstallDir = '/var/simplesamlphp/';

installation path is added

storetype is sql 

$wgMainCacheType = CACHE_NONE;

$wgMainCacheType = CACHE_DB;

@Osnard

Osnard (talkcontribs)

This looks quite good. I did some reformatting and removed unnecessary configs. Can you try that?

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'SimpleSAMLphp' );

$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgSimpleSAMLphp_InstallDir = '/var/simplesamlphp/';
$wgMainCacheType = CACHE_DB;
$wgPluggableAuth_Config['Log in using my SAML'] = [
    'plugin' => 'SimpleSAMLphp',
    'data' => [
 		'authSourceId' => 'default-sp',
 		'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
 		'realNameAttribute' => ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname','http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'],
 		'emailAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
 	 ]
];
Testergt1302 (talkcontribs)

@Luciferindcok were you able to get it worked ? I am also getting same issue.

Thanks.

Osnard (talkcontribs)
Reply to "Could not load aMeuthentication plugin"
Testergt1302 (talkcontribs)

Hi,

I am trying to configure SAML auth for our Wiki 1.39.4 on RHEL7.9.

I have 2 queries here.

1. which version of simplesamlphp library is supported for:

wiki 1.39.4

php 8.0

pluggableauth 7.0

SimpleSAMLphp: 7.0


2. I just trying with simplesamlphp 2.0.5. While accessing the wiki, it gives error :

"Could not load authentication plugin"

Not sure where it is failing. can someone suggest ?

--

GT

Osnard (talkcontribs)

"Could not load authentication plugin" most likely means $wgPluggableAuth_Config from Extension:PluggableAuth is not properly set up. Can you please share your config?

Testergt1302 (talkcontribs)

Hi Osnard,

This is the config:

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'SimpleSAMLphp' );

$wgSimpleSAMLphp_InstallDir = '/var/simplesamlphp';

$wgSimpleSAMLphp_AuthSourceId = 'default-sp';

$wgPluggableAuth_EnableAutoLogin = true;

$wgPluggableAuth_EnableLocalLogin = false;

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_ButtonLabelMessage = 'Login';

$wgPluggableAuth_Class = 'SimpleSAMLphp';

$wgMainCacheType = CACHE_DB;

$wgSimpleSAMLphp_MandatoryUserInfoProviders['myusername'] = [

        'factory' => function() {

                return new \MediaWiki\Extension\SimpleSAMLphp\UserInfoProvider\GenericCallback( function( $attributes ) {

                        if ( !isset( $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'] ) ) {

                                throw new Exception( 'missing email address' );

                        }

                        $parts = explode( '@', $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0]);

                                                return strtolower( $parts[0] );

                } );

        }

];

$wgPluggableAuth_Config['Log in using my SAML'] = [

        'plugin' => 'SimpleSAMLphp',

        'data' => [

                'authSourceId' => 'default-sp',

                'usernameAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',

                'realNameAttribute' => ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname','http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'],

                'emailAttribute' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',

                'userinfoProviders' => [

                        'username' => 'myusername'

                ]

         ]

];

Testergt1302 (talkcontribs)

@Osnard Any suggestions on this ? Am I missing something here ?

Testergt1302 (talkcontribs)

Hi,

@Osnard @Cindy.cicaleseThese are from the logs. is it something related to session data?

> Authentication.log <

2023-11-20 11:48:34 hostname wiki: Primary login with MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider returned REDIRECT

> PluggableAuth.log <

2023-11-20 11:48:34 hostname wiki: In execute() 2023-11-20 11:48:34 hostname wiki: Getting PluggableAuth instance 2023-11-20 11:48:34 hostname wiki: Plugin name: SimpleSAMLphp

> simplesamlphp.log <

Nov 20 11:48:34 simplesamlphp ERROR [TR72440098] Error loading session: Invalid session ID

> PluggableAuth.log <

2023-11-20 11:48:34 hostname wiki: Invalid authentication plugin class: Invalid session ID

> Authentication.log <

2023-11-20 11:48:35 hostname wiki: Login failed in primary authentication by MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider

Testergt1302 (talkcontribs)

Hi,

This issue has been solved.

If anyone face similar issue refer below.

modify below variables in the config.php of simplesamlphp. default config is to use 'phpsession'. This need to be changed to use sql/database to store session info.

'store.type'                    => 'sql',

'store.sql.dsn'                 => 'mysql:host=localhost;port=3306;dbname=mywiki',

store.sql.username' => 'sqluser', //SQL DB user name

'store.sql.password' => 'password', //SQL DB user password

received attributes as oid not name

2
Caslatcmu (talkcontribs)

The simplesaml/module.php/admin/test/default-sp URL shows my attributes with both "name" and "urn:oid..." values.

In the debug log, I see them only with urn:oid... values.

[SimpleSAMLphp] Received attributes: {"urn:oid:2.16.840.1.113730.3.1.241":["First M Last"],"urn:oid:0.9.2342.19200300.10 0.1.3":["email@domain"],"urn:oid:1.3.6.1.4.1.5923.1.1.1.9":["Staff@domain","Member@domain"],"urn:oid:2. 5.4.42":["First"],"urn:oid:1.3.6.1.4.1.5923.1.1.1.6":["user@domain"],"urn:oid:2.5.4.4":["Last"],"urn:oid:2.5.4.3 ":["First M Last"]}

And when I try to use these in $wgPluggableAuth_Config, only the urn:oid values seem to be valid.

I see the /var/simplesamlphp/attributemap/* files seem to have these defined, but they are not being propagated back to the SimpleSAMLphp and PluggableAuth extensions.

I'm not sure what I'm missing.

Osnard (talkcontribs)

So these are the attributes you receive:

{
  "urn:oid:2.16.840.1.113730.3.1.241": [
    "First M Last"
  ],
  "urn:oid:0.9.2342.19200300.10 0.1.3": [
    "email@domain"
  ],
  "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": [
    "Staff@domain",
    "Member@domain"
  ],
  "urn:oid:2. 5.4.42": [
    "First"
  ],
  "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": [
    "user@domain"
  ],
  "urn:oid:2.5.4.4": [
    "Last"
  ],
  "urn:oid:2.5.4.3 ": [
    "First M Last"
  ]
}

ATTENTION: The keys look a little bit odd. E.g. "urn:oid:0.9.2342.19200300.10 0.1.3", "urn:oid:2.5.4.3 " and "urn:oid:2. 5.4.42" contain spaces!

OIDRefs

Your config should looks something like this:

$wgPluggableAuth_Config['Log in using my SAML'] = [
	'plugin' => 'SimpleSAMLphp',
	'data' => [
		'authSourceId' => 'default-sp',
		'usernameAttribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', //Acctually not used, see "myusername" below
		'realNameAttribute' => 'urn:oid:2.16.840.1.113730.3.1.241',
		'emailAttribute' => 'urn:oid:0.9.2342.19200300.10 0.1.3', //ATTENTION: SPACE!
		'userinfoProviders' => [
			'username' => 'myusername'
		]
	]
];

$wgSimpleSAMLphp_MandatoryUserInfoProviders['myusername'] = [
	'factory' => function() {
		return new \MediaWiki\Extension\SimpleSAMLphp\UserInfoProvider\GenericCallback( function( $attributes ) {
			if ( !isset( $attributes['urn:oid:1.3.6.1.4.1.5923.1.1.1.6'] ) ) {
				throw new Exception( 'No user ID!' );
			}
			$parts = explode( '@', $attributes['urn:oid:1.3.6.1.4.1.5923.1.1.1.6'][0] );
			return strtolower( $parts[0] );
		} );
	}
];

See also Extension:SimpleSAMLphp#Define_custom_user_info_provider.

Reply to "received attributes as oid not name"