
Update saml integration
ndc-rkevans committed Sep 22, 2023
1 parent 3ea70e6 commit 231ae16
Showing 5 changed files with 58 additions and 51 deletions.
2 changes: 2 additions & 0 deletions src/roles/configure-wiki/tasks/main.yml
Expand Up @@ -57,6 +57,7 @@
with_items:
- preLocalSettings.d
- postLocalSettings.d
- samlAuthorizations.d

- name: Ensure base templates are present (but do not overwrite)
template:
Expand All @@ -71,5 +72,6 @@
- preLocalSettings.d/base.php
- preLocalSettings.d/README.md
- postLocalSettings.d/README.md
- samlAuthorizations.d/base.php
delegate_to: localhost
run_once: true
@@ -0,0 +1,11 @@
<?php

# // SAML Authorization (What the user can DO)
# // NOTE - this is only meaningful if the saml idp option being used
# // REF: https://www.mediawiki.org/wiki/Meza/Setup_SAML_authentication
# $wgPluggableAuth_Config['Log in using SAML']['data'] += [ 'mapGroups_Map' => [
# 'sysop' => ['memberOf' => ['abc123' ]],
# 'Viewer' => ['memberOf' => ['def456' ]],
# 'Contributor' => ['memberOf' => ['xyz789' ]]
# ]];
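Review bot: The `+=` on `$wgPluggableAuth_Config['Log in using SAML']['data']` is PHP array union, which keeps keys that already exist, so once any samlAuthorizations.d file has set `mapGroups_Map` a later file cannot replace it; with the loader in LocalSettings.php.j2 requiring the shared directory before the per-wiki one, the shared mapping would win over a per-wiki one (inferred from that template, not from this file). If per-wiki overrides are intended, either say so in the header comment or assign the key directly, `$wgPluggableAuth_Config['Log in using SAML']['data']['mapGroups_Map'] = [ ... ];`. The NOTE line is also cut off — `only meaningful if the saml idp option being used` — and should state the condition, e.g. `NOTE - only meaningful when the SimpleSAMLphp plugin configured in LocalSettings is in use`. The sample group ids `abc123`/`def456`/`xyz789` are placeholders and would be clearer labelled as such.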

3 changes: 2 additions & 1 deletion src/roles/init-controller-config/tasks/main.yml
Expand Up @@ -72,7 +72,7 @@
group: "{{ m_config_public_group }}"
mode: "{{ m_config_public_mode }}"

- name: Ensure pre/post settings directories exists in config
- name: Ensure pre/post/saml settings directories exists in config
file:
path: "{{ m_local_public }}/{{ item }}"
state: directory
Expand All @@ -82,6 +82,7 @@
with_items:
- preLocalSettings.d
- postLocalSettings.d
- samlAuthorizations.d


- name: "Ensure base files present, do NOT overwrite"
57 changes: 36 additions & 21 deletions src/roles/mediawiki/templates/LocalSettings.php.j2
Expand Up @@ -55,37 +55,52 @@ else {
* Perform authentication up front, immediately after $wikiId is setup.
*
**/
## This is commented out because we are no longer using Extension:SimpleSamlAuth
## Instead we will be using Extension:PluggableAuth with Extension:SimpleSamlphp
## which is configued as by the user in MezaLocalExtensions.yml
#require "{{ m_deploy }}/samlLocalSettings.php";

// Get the data needed to know if the server request is an external (remote) or internal (localhost) request
if (!empty($_SERVER['HTTP_CLIENT_IP'])) { $ip_address = $_SERVER['HTTP_CLIENT_IP']; }
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip_address = $_SERVER['HTTP_X_FORWARDED_FOR']; }
elseif (isset($_SERVER['REMOTE_ADDR'] ) ) { $ip_address = $_SERVER['REMOTE_ADDR']; }

// Allow exceptions of the PluggableAuth/SAML integration for specific wikis
// so that localhost maintenance script can create new bot accounts on the wikis
if ( in_array( $wikiId, array( 'mywiki1','mywiki2', ) ) )
{
# Skip "PluggableAuth" AND "SimpleSAMLphp" so that localhost bots can access the wikis
} else {
{ # SKIP "PluggableAuth" AND "SimpleSAMLphp"
} else {
# USE "PluggableAuth" AND "SimpleSAMLphp"as follows:

// Load and Configure PluggableAuth for SAML IDP/SSO
wfLoadExtension( "PluggableAuth" );
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_EnableLocalLogin = false;
if (isset($ip_address) && $ip_address == '127.0.0.1')
{ $wgPluggableAuth_EnableLocalLogin = true; }
$wgGroupPermissions['*']['autocreateaccount'] = true;

if (!empty($_SERVER['HTTP_CLIENT_IP'])) { $ip_address = $_SERVER['HTTP_CLIENT_IP']; }
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip_address = $_SERVER['HTTP_X_FORWARDED_FOR']; }
elseif (isset($_SERVER['REMOTE_ADDR'] ) ) { $ip_address = $_SERVER['REMOTE_ADDR']; }
// Load and Configure SimpleSAMLphp for SAML IDP/SSO
wfLoadExtension( "SimpleSAMLphp" );
$wgSimpleSAMLphp_InstallDir = '/opt/simplesamlphp';

// SAML Authentication (Who the user IS)
$wgPluggableAuth_Config['Log in using SAML'] = [
'plugin' => 'SimpleSAMLphp',
'data' => [ 'authSourceId' => 'default-sp',
'usernameAttribute' => 'AUID',
'realNameAttribute' => 'displayName',
'emailAttribute' => 'Email'
]
];

if (isset($ip_address) && $ip_address == '127.0.0.1') { $wgPluggableAuth_EnableLocalLogin = true; }
else { $wgPluggableAuth_EnableLocalLogin = false; }
// Load all PHP files in samlAuthorizations.d for all wikis
foreach ( glob("$m_deploy/public/samlAuthorizations.d/*.php") as $filename) {
require_once $filename;
}

$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_ButtonLabel = 'Click Here for Auto-Logon';
// Load all PHP files in samlAuthorizations.d for this wiki
foreach ( glob("$m_deploy/public/wikis/$wikiId/samlAuthorizations.d/*.php") as $filename) {
require_once $filename;
}

wfLoadExtension( "SimpleSAMLphp" );
$wgSimpleSAMLphp_InstallDir = '/opt/simplesamlphp';
$wgSimpleSAMLphp_AuthSourceId = 'default-sp';
$wgSimpleSAMLphp_UsernameAttribute = 'AUID';
$wgSimpleSAMLphp_RealNameAttribute = 'displayName';
$wgSimpleSAMLphp_EmailAttribute = 'Email';
$wgGroupPermissions['*']['autocreateaccount'] = true;
}
{% endif %}
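Review bot: The localhost check that re-enables password login reads `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` before `REMOTE_ADDR`, and those two are request headers supplied by the client, so `$wgPluggableAuth_EnableLocalLogin = true` can be reached by a request that did not come from 127.0.0.1; only `REMOTE_ADDR` is set by the web server from the TCP peer. The commit moves this block above the wiki-exception check but leaves the precedence as it was, and the loose `==` on the new comparison line should be `===`. If a reverse proxy sits in front of Apache in this deployment (not visible from the hunk), honour `X-Forwarded-For` only when `REMOTE_ADDR` is one of the configured proxies, as sketched below; otherwise drop the header lookups and use `REMOTE_ADDR` alone. Whichever form is chosen, a short comment saying why the headers are not trusted will stop the next edit from reintroducing them.
```php
// Get the data needed to know if the server request is an external (remote) or internal (localhost) request
// Only REMOTE_ADDR is set by the web server from the TCP peer; Client-IP and X-Forwarded-For
// are request headers, so X-Forwarded-For is consulted only when the peer is a trusted proxy.
$trusted_proxies = [ /* TODO: addresses of the reverse proxies in front of Apache, from the inventory */ ];
$ip_address = $_SERVER['REMOTE_ADDR'] ?? null;
if ( $ip_address !== null && in_array( $ip_address, $trusted_proxies, true ) && !empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
    // The last element is the one appended by the trusted proxy; earlier ones are unverified.
    $forwarded = array_map( static fn ( $s ) => trim( $s ), explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
    $ip_address = end( $forwarded );
}
// … unchanged: wiki exception list, PluggableAuth and SimpleSAMLphp configuration …
if ( $ip_address === '127.0.0.1' )
{ $wgPluggableAuth_EnableLocalLogin = true; }
// … unchanged: samlAuthorizations.d loaders …
```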

36 changes: 7 additions & 29 deletions src/roles/saml/templates/saml20-idp-remote.php.j2
Expand Up @@ -38,37 +38,15 @@ $metadata['{{ saml_public.idp_entity_id }}'] = array(
{% endif %}


{% if saml_secret.cert_fingerprint is defined %}
{% if saml_secret.cert_data is defined %}
'certData' => '{{ saml_secret.cert_data }}',

'certFingerprint' => array(
{% for fp in saml_secret.cert_fingerprint -%}
'{{ fp }}',
{%- endfor %}
),
{% elif saml_public.cert_data is defined %}
'certData' => '{{ saml_public.cert_data }}',

{% elif saml_public.cert_fingerprint is defined %}
{% else %}
// neither saml_secret.cert_data nor saml_public.cert_data is defined

'certFingerprint' => array(
{% for fp in saml_public.cert_fingerprint -%}
'{{ fp }}',
{%- endfor %}
),

{% else %}
// neither {{ saml_secret.cert_fingerprint }} nor {{ saml_public.cert_fingerprint }} is defined
{% endif %}


{% if saml_secret.cert_data is defined %}

'certData' => '{{ saml_secret.cert_data }}',

{% elif saml_public.cert_data is defined %}

'certData' => '{{ saml_public.cert_data }}',

{% else %}
// neither saml_secret.cert_data nor saml_public.cert_data is defined
{% endif %}
{% endif %}

);
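Review bot: The `{% else %}` branch now renders IdP metadata with no `certData` at all, emitting only a PHP comment, so an inventory that sets neither `saml_secret.cert_data` nor `saml_public.cert_data` produces an entry the SP has no key to verify signatures against instead of failing the play. Failing at render time is the safer behaviour: replace the comment line with something like `{{ saml_secret.cert_data | default(saml_public.cert_data) | mandatory('cert_data is required in saml_secret or saml_public') }}`, or add an `assert` task before the template. Since `certFingerprint` handling is removed here, inventories that only set `cert_fingerprint` now land in that silent branch, which is worth a line in the role documentation. The `$metadata[...] = array(` this sits in opens before the hunk.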
