Setup Single Sign On with AAD using SimpleSAMLphp

This blog provides step-by-step instruction on how to setup Single Sign On with Azure AD using SimpleSMPLphp API (apply to MediaWiki site as an example).

Install and configure SimpleSAMLphp

1. To download SimpleSAMLphp, https://simplesamlphp.org/download , extract the download to wwwroot/simplesamlphp

2. Configure admin: Edit wwwroot/simplesamlphp/config/config.php,

   • Modify baseurlpath: ’baseurlpath’  => ‘simplesamlphp/www/’

• Set admin login passwoed:      ’auth.adminpassword’  => ‘<your-admin-password>’

• Browse to simplasamlphp admin page, <your-site-url>/simplesamlphp/www/, login with ‘admin’ and the password you set in config.php

  

1. Generate metadata in XML: Click Federation tab, choose “XML to simpleSAMLphp metadata converter,

   

   • Copy raw XML from  https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/FederationMetadata/2007-06/FederationMetadata.xml 

   paste to “XML metadata” area, and click “Parse”, you will see the PHP code populated in “Converted metadata” area.

   • Copy the PHP code into wwwroot/simplesamlphp/metadata/saml20-idp-remote.php

2. Configure authsources: Add following PHP code in wwwroot/simplesamlphp/config/authsources.php:

    Find $config = array( 'default-sp' => array(...), );
   

   Add the code:

    'idp' => 'https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/',
   

3. Check the default settings for php sessions, if session.phpsession.cookiename is ‘null’, set it to ‘PHPSESSID’.

Integrate with MediaWiki site

1. Download SimpleSamlAuth extension from https://github.com/jornane/mwSimpleSamlAuth/releases , extract to wwwroot/extensions/SimpleSamlAuth

2. Modify LocalSettings.php to require authentication:

    require_once "$IP/extensions/mwSimpleSamlAuth/SimpleSamlAuth.php";
   
    $wgSamlRequirement = SAML_REQUIRED;
   
    $wgSamlCreateUser = true;
   
    $wgSamlUsernameAttr = '[http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'](http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name');
   
    $wgSamlRealnameAttr = '[http://schemas.microsoft.com/identity/claims/displayname'](http://schemas.microsoft.com/identity/claims/displayname');
   
    $wgSamlMailAttr = '[http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'](http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name');
   
    $wgSamlSspRoot = '/libraries/simplesamlphp';
   
    $wgSamlAuthSource = 'default-sp';
   
    $wgSamlPostLogoutRedirect = NULL;
   

 

Configure authentication in Azure AD

1. In Azure management portal (classic), select Active Directory from menu, choose Microsoft tenant
2. Select Application tab, Add your application 
3. Select a name for your application, keep “Web application and/or web API”, click next
4. In “Sign on URL”, use home url of your site, for “App ID URL”, use the URL to default-sp, e.g. http://<your-site-url>/libraries/simplesamlphp/www/module.php/saml/sp/metadata.php/default-sp
5. From Configure tab of your application, find “permission to other applications” section, check Enable “sign in and read users’ profiles” and “read directory data” under Delegated Permission,save the change.  

 

References:

https://simplesamlphp.org/

https://www.mediawiki.org/wiki/Extension:SimpleSamlAuth