SimpleSAMLphp IDP、SP、MediaWiki

Question

So, my next project. We have a custom made portal with an own user database. We wanted to use a Wiki, so I installed MediaWiki on a separate sub-domain. Having multiple accounts is so 1990, therefor integration was wished. That was not as easy as I hoped. Therefore, my solution was: Single Sign On.

IDP

Step 1, installed SimpleSAMLphp as an IDP on the sub-domain sso.myportal.nu Created my own Module which looks up users in my database. Logging in to the SimpleSAMLphp admin portal, to test/verify if it works, looks great (screenshot attached).

SP

Step2, installed SimpleSAMLphp as an SP on the sub-domain wiki.myportal.nu Hooked the SP up to my IDP. Logging in to the SimpleSAMLphp admin portal, to test/verify if it works, looks great. I get authenticated through the IDP in my user database (screenshot attached).

MediaWiki

Then installed two plugins into MediaWiki;

https://www.mediawiki.org/wiki/Extension:PluggableAuth https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp

That should enable SSO.

When clicking on the Login link in MediaWiki, I get redirected to the logon page of SimpleSAMLphp on sso.myportal.nu – so far so good. But, contrary to my expectations.. Logging in, does not work. It seems that I get redirected between sso.myportal.nu and wiki.myportal.nu

I've enabled DEBUG mode, the only Warnings I see seem to be this:

Could not load state specified by InResponseTo: NOSTATE Processing response as unsolicited.

I have the config files and log files from both the SimpleSAMLphp installations attached below (a bit too much text to copy/paste here). config and log files After a day and a half looking through Google, I'm kind of stuck. Anyone here any ideas?

Answer 1

Well, after two very long nights, the solution has been found .

First of all, if the " Test configured authentication sources " option on the " Authentication "-tab of your SimpleSAMLphp works... That is no guarantee that it will actually work.

In my case, the IDP and SP were on the same server. Different sub-domains. I had every setting in the config.php adjusted, so there were no settings the same for the IDP and SP (cookie names, passwords, etc, etc).

The " Test configured authentication sources " option on the " Authentication "-tab of my SimpleSAMLphp worked! But MediaWiki still did not.

Apparently, this can also be caused by a mismatch of some settings in the config.php compared to php.ini

I found a link to this page in an old Google Forum , where they mentioned the solution. I could not believe it worked, but was desperate, so tried it.

The storage engine should be something else then the default. In my case I connected SimpleSAMLphp to a MySQL database (can be sqlite, or anything else, as well).

'store.type'         => 'sql',
'store.sql.dsn'      => 'mysql:host=localhost;dbname=simplesamlStuff',
'store.sql.username' => 'simplesamlUser',
'store.sql.password' => '1234567980',
'store.sql.prefix'   => 'sso_',

Both the IDP and the SP can use the same database, as long as the prefix is different. It will create the tables it needs automatically, it just needs to know where to connect to which database with which credentials.

The reason I'm not deleting my question, but answering myself... Is that I hope someone will find this post and find it helpful. Without spending so much time on this like myself.