MediaWiki

miniOrange provides secure access to MediaWiki for enterprises and full control over access of applications, Single Sign On (SSO) into MediaWiki with one set of login credentials.

miniOrange supports SAML based Single Sign On into MediaWiki. This guide explains SAML based Single Sign On into MediaWiki.

In SAML SSO, miniOrange supports both IdP (Identity Provider) and SP (Service Provider) initiated Single Sign On (SSO) for MediaWiki.

• IdP Initiated Single Sign On (SSO)

  In IdP Initiated Login, SAML request is initiated from miniOrange IdP.

• Enduser first authenticates through miniOrange Idp by login in to miniOrange Self Service Console.
• On landing page, there is a MediaWiki icon, when the enduser clicks on the icon he will be redirected to his MediaWiki account – there is no need to login again.

• SP Initiated Single Sign On (SSO)

  In SP Initiated Login, SAML request is initiated from MediaWiki server.

• An enduser can login to MediaWiki Account by going to your login page. Eg. http://<YOUR_MEDIAWIKI_DOMAIN>/index.php/Special:UserLogin
• They will be redirected to miniOrange Self Service Console.
• Here he can enter the login credentials and login to his MediaWiki Account.

In order to setup SSO, you need to follow these 7 steps:

• Configure Single Sign-On Settings in Identity Provider (miniOrange is used as Identity Provider for this guide. All IDPs are supported.)
• Create a policy for MediaWiki app in miniOrange
• Onboard users into our system
• Register users into our system (End Users)
• Installing and Configuring the extension

Follow the Step-by-Step Guide given below for MediaWiki Single Sign On (SSO) using SAML

Step 1: Configure Single Sign-On Settings in Identity Provider

• We will be using miniOrange as Identity Provider for this guide. For your IDP specific guides, contact us at info@xecurify.com.
• Login as a customer from Admin Console of miniOrange's Administrator Console, now go to Apps tab from menu and select Configure Apps.
• In SAML tab, search for MediaWiki (SAML), select it and click on Add App.



• Provide a name for this application.
• Enter the SP Entity ID as <YOUR_MEDIAWIKI_BASE_URL>/extensions/SamlSingleSignOnAuth/. Example, https://mediawiki.example.com/extensions/SamlSingleSignOnAuth/
• Enter the ACS URL as <YOUR_MEDIAWIKI_BASE_URL>. Example, https://mediawiki.example.com/



• Go to the Add Policy and select DEFAULT from the Group Name dropdown.
• Now enter MediaWiki in the Policy Name field.
• Select PASSWORD from the First Factor Type dropdown.
• Click on Save button to configure MediaWiki.




• Once the App is added, click on the Metadata link, download metadata file and keep with you which you will require later.



• Now click on Onboard users into our system from View Policy Tab.

Step 2: Onboard users into our system

• Click on Users >> Add User.



• Here, fill the user details without the password and then click on the Create User button.



• Click on On Boarding Status tab. Check the email, with the registered e-mail id and select action Send Activation Mail with Password Reset Link from Select Action dropdown list and then click on Apply button.



• Now, Open your email id. Open the mail you get from miniOrange and then click on the link to set your account password.
• On the next screen, enter the password and confirm password and then click on the Reset Password button.



• Now, you can log in into miniOrange account by entering your credentials.

Step 3: Login to miniOrange Account

• Go to miniOrange dashboard and select the User Dashboard from the right side menu.



• Click on the application which you added, to verify your sso configuration.

Step 4: Installing and Configuring the extension

• Download the miniOrange SAML 2.0 SSO extension zip for MediaWiki.
• In your MediaWiki FTP under extensions directory, extract the extension zip.
• Add the following code at the bottom of LocalSettings.php (root folder of MediaWiki)

			# miniOrange SAML Extension settings
			# Loads SAML extension
			# For 1.25 and above
			wfLoadExtension( 'SamlSingleSignOnAuth' );

			# For 1.24 and below
			require_once "extensions/SamlSingleSignOnAuth/SamlSingleSignOnAuth.php";

			# Enter IDP Name
			$wgMoSamlIdpName = 'miniOrange';

			# Enter SAML Issuer URL or Entity ID
			$wgMoSamlIssuer = 'https://login.xecurify.com/moas';

			# Enter SAML Login URL or ACS(Assertion Consumer Service) URL here 
			$wgMoSamlLoginURL = 'https://login.xecurify.com/moas/idp/samlsso';

			# Set binding type for login. Two possible values - HttpRedirect and HttpPost
			$wgMoSamlLoginBindingType = 'HttpRedirect';

			# Enter certificate information.
			$wgMoSamlX509CertDesc = '-----BEGIN CERTIFICATE-----
			. . . . 
			. . . . 
			. . . .
			-----END CERTIFICATE-----';

			# Only set to true if SAML is brokered through miniOrange
			$wgMoSamlIsBrokerOn = false;

			# OPTIONAL - Enter Relay State if applicable
			$wgMoSamlRelayState = '';

			# Set true if Response is signed, set false by default
			$wgMoSamlIsResponseSigned = false;

			# Set true if Assertion is signed, set true by default
			$wgMoSamlIsAssertionSigned = true;

			# Set this to true if you want to update user with incoming attributes whenever user logs in
			$wgMoSamlUpdateUser = true;

			# Auto create user if the user does not exist
			$wgMoSamlCreateUser = true;

			# Map attributes
			$wgMoSamlEmailAttr = 'email';
			$wgMoSamlUsernameAttr = 'username';
			$wgMoSamlFNameAttr = 'fname';
			$wgMoSamlLNameAttr = 'lname';
			$wgMoSamlGroupAttr = 'role';

			# Set default group for users
			$wgMoSamlDefaultGroup = 'user';

			# OPTIONAL - Set this to override $wgServer as site URL in the extension. Please make sure this is 
			# the URL where MediaWiki is hosted and '/extensions/SamlSingleSignOnAuth/' can be appended to it.
			$wgMoSamlServer = 'https://<MEDIAWIKI_DOMAIN>/mediawiki';		
		




• Provide the required settings (i.e. Entity ID, Single SignOn Service Url, Certificate Fingerprint) and save it.

  wgMoSamlIdpName	Enter the name of the IDP here. Eg. miniOrange
  wgMoSamlIssuer	Enter the Issuer/Entity ID of IDP here. Eg. https://login.xecurify.com/moas
  wgMoSamlLoginURL	Enter the SAML Login URL or ACS(Assertion Consumer Service) URL of IDP here. Eg. https://login.xecurify.com/moas/idp/samlsso
  wgMoSamlX509CertDesc	Open the certificate in Notepad and copy/paste the entire content here.
  wgMoSamlIsBrokerOn	Set to true if miniOrange is broker for another IDP. Set to false by default.
  wgMoSamlRelayState	Enter the Relay State URL of IDP here.
  wgMoSamlIsResponseSigned	Set true if Response is signed by IDP. Set false by default.
  wgMoSamlIsAssertionSigned	Set true if Response is signed by IDP. Set true by default.
  wgMoSamlUpdateUser	Set this to true if you want to update user with incoming attributes whenever user logs in
  wgMoSamlCreateUser	Set this to true if you want to auto create users. If you want to restrict access to only registered users, set this to false.
  wgMoSamlEmailAttr	Enter the Attribute Name that contains MediaWiki Email. Use NameID if Email is in Subject element.
  wgMoSamlUsernameAttr	Enter the Attribute Name that contains MediaWiki Username. Use NameID if Username is in Subject element.
  wgMoSamlFNameAttr	OPTIONAL - Enter the Attribute Name that contains MediaWiki First Name.
  wgMoSamlUsernameAttr	OPTIONAL - Enter the Attribute Name that contains MediaWiki Last Name.
  wgMoSamlGroupAttr	Enter the Attribute Name that contains MediaWiki Group/Role.
  wgMoSamlDefaultGroup	This is the MediaWiki default group/role name to which users will be mapped.
  wgMoSamlServer	OPTIONAL - This is the URL where MediaWiki is hosted and '/extensions/SamlSingleSignOnAuth/' can be appended to it. Eg. https://<MEDIAWIKI_DOMAIN>/mediawiki

To test the authentication, open a new Private browsing window (Incognito window) and go to http://<YOUR_MEDIAWIKI_DOMAIN>/index.php/Special:UserLogin and click on Login with miniOrange button. Eg. http://mediawiki.example.com/index.php/Special:UserLogin