Setup Single Sign On with AAD using SimpleSAMLphp

1 minute read | By Yi Wang

This blog provides step-by-step instructions on how to set up Single Sign On with Azure AD using the SimpleSAMLphp API, applied to a MediaWiki site as an example.

Install and configure SimpleSAMLphp

  1. Download SimpleSAMLphp from , and extract the download to wwwroot/simplesamlphp

  2. Configure admin: Edit wwwroot/simplesamlphp/config/config.php:

     • Modify baseurlpath: 'baseurlpath' => 'simplesamlphp/www/'
     • Set the admin login password: 'auth.adminpassword' => '<your-admin-password>'
     • Browse to the SimpleSAMLphp admin page, <your-site-url>/simplesamlphp/www/, and log in with 'admin' and the password you set in config.php


  3. Generate metadata in XML: Click the Federation tab, choose "XML to SimpleSAMLphp metadata converter", paste the metadata XML into the "XML metadata" area, and click "Parse"; the PHP code appears in the "Converted metadata" area.

     • Copy the PHP code into wwwroot/simplesamlphp/metadata/saml20-idp-remote.php

  4. Configure authsources: In wwwroot/simplesamlphp/config/authsources.php, find

       $config = array( 'default-sp' => array(...), );

     and add the following inside the 'default-sp' array:

       'idp' => '',   // entityID of the IdP, as listed in saml20-idp-remote.php

  5. Check the default settings for PHP sessions: if session.phpsession.cookiename is null, set it to 'PHPSESSID'.

Integrate with MediaWiki site

  1. Download the SimpleSamlAuth extension from , and extract it to wwwroot/extensions/SimpleSamlAuth
  2. Modify LocalSettings.php to require authentication:

     // adjust the path to the directory you extracted the extension into
     require_once "$IP/extensions/mwSimpleSamlAuth/SimpleSamlAuth.php";
     $wgSamlRequirement = SAML_REQUIRED;          // SAML login is mandatory
     $wgSamlCreateUser = true;                    // create the wiki account on first login
     $wgSamlUsernameAttr = '<username-attribute>'; // SAML attribute names (placeholders) mapped to wiki fields
     $wgSamlRealnameAttr = '<realname-attribute>';
     $wgSamlMailAttr = '<mail-attribute>';
     $wgSamlSspRoot = '/libraries/simplesamlphp';  // directory where SimpleSAMLphp is installed
     $wgSamlAuthSource = 'default-sp';            // the entry configured in authsources.php
     $wgSamlPostLogoutRedirect = NULL;


Configure authentication in Azure AD

  1. In the Azure management portal (classic), select Active Directory from the menu and choose the Microsoft tenant
  2. Select the Applications tab and add your application
  3. Choose a name for your application, keep "Web application and/or web API", and click Next
  4. For "Sign on URL", use the home URL of your site; for "App ID URL", use the URL of default-sp, e.g. http://<your-site-url>/libraries/simplesamlphp/www/module.php/saml/sp/metadata.php/default-sp
  5. On the Configure tab of your application, find the "permissions to other applications" section, enable "Sign in and read users' profiles" and "Read directory data" under Delegated Permissions, and save the change.