| Both sides previous revision Previous revision Next revision | Previous revision |
| en:2.0:single_sign_on:oidc_mediawiki [2025/05/06 21:34] – [Setting up the Client (SP) in Admidio] kainhofer | en:2.0:single_sign_on:oidc_mediawiki [2025/05/06 23:44] (current) – kainhofer |
|---|
| 'providerURL' => 'https://admidio.local/modules/sso/index.php/oidc', | 'providerURL' => 'https://admidio.local/modules/sso/index.php/oidc', |
| 'clientID' => 'https://mediawiki.local', | 'clientID' => 'https://mediawiki.local', |
| 'clientsecret' => 'LOcPD...WLaZ', | 'clientsecret' => 'RkMS+6tlpQQ5yow5PlQQTFRcOMC0XCU/', |
| 'scope' => ['openid', 'email', 'profile', 'address', 'phone', 'groups', 'custom'], | 'scope' => ['openid', 'email', 'profile', 'address', 'phone', 'groups', 'custom'], |
| 'authMethods' => ['client_secret_post'] | 'authMethods' => ['client_secret_post'] |
| |
| |
| ==== MediaWiki configuration as text ==== | To assign admin (sysop) rights to an OpenID account, the group 'sysop' should be assigned in Admidio's client config and MediaWiki's groupsyncs must exclude 'sysop' from the locally managed groups. |
| |
| The settings done above in the graphical interface could also be done in the ''conf/local.php'' config file of MediaWiki. The corresponding settings would look like this: | ==== Setup completed, test Single-Sign-On ==== |
| |
| <code php> | Admidio and MediaWiki should now be set up to use Admidio for logging in to MediaWiki. If you log out of MediaWiki (or open a new incognito browser window) and try to log in again, you will be shown the Admidio login screen and then redirected back to MediaWiki after successful login. If groups are properly set up and mapped, MediaWiki groups will also be assigned, even admin rights through the OIDC group 'sysop'. |
| $conf['authtype'] = 'oauth'; | |
| $conf['superuser'] = '@admin'; | |
| $conf['plugin']['oauth']['register-on-auth'] = 1; | |
| $conf['plugin']['oauth']['overwrite-groups'] = 1; | |
| $conf['plugin']['oauthgeneric']['key'] = 'https://mediawiki.local/'; | |
| $conf['plugin']['oauthgeneric']['secret'] = 'lWDQ......gU'; | |
| $conf['plugin']['oauthgeneric']['authurl'] = 'https://admidio.local/modules/sso/index.php/oidc/authorize'; | |
| $conf['plugin']['oauthgeneric']['tokenurl'] = 'https://admidio.local/modules/sso/index.php/oidc/token'; | |
| $conf['plugin']['oauthgeneric']['userurl'] = 'https://admidio.local/modules/sso/index.php/oidc/userinfo'; | |
| $conf['plugin']['oauthgeneric']['scopes'] = array('openid', 'profile', 'address', 'phone', 'email', 'custom', 'groups', 'roles'); | |
| $conf['plugin']['oauthgeneric']['json-user'] = 'username'; | |
| $conf['plugin']['oauthgeneric']['json-name'] = 'fullname'; | |
| $conf['plugin']['oauthgeneric']['json-mail'] = 'email'; | |
| $conf['plugin']['oauthgeneric']['json-grps'] = 'roles'; | |
| $conf['plugin']['oauthgeneric']['label'] = 'OIDC Login with Admidio'; | |
| </code> | |
| |
| ==== Setup completed, test Single-Sign-On ==== | {{:en:2.0:sso:sso_oidc_mediawiki_03_loginform.png?direct&200|}} {{:en:2.0:sso:sso_oidc_mediawiki_04_admidio_loginform.png?direct&400|}} {{:en:2.0:sso:sso_oidc_mediawiki_05_loginsuccess.png?direct&300|}} {{:en:2.0:sso:sso_oidc_mediawiki_06_loginsuccess_profile.png?direct&600|}} |
| |
| Admidio and MediaWiki should now be set up to use Admidio for logging in to MediaWiki. If you log out of MediaWiki and try to log in again, you will be shown the Admidio login screen and then redirected back to MediaWiki. | |
| |
| {{ :en:2.0:sso:sso_oidc_04-08_dw_login.png?direct&400 |}} | |
| {{ :en:2.0:sso:sso_oidc_04-09_dw_admidio_login.png?direct&400 |}} | |
| {{ :en:2.0:sso:sso_oidc_04-10_dw_login_success.png?direct&400 |}} | |
| |
| | ==== Caveats and Things to Consider ==== |
| |
| ==== Caveats and Things to Consider ==== | * MediaWiki allows **admin login** through OpenID by assigning the **group 'sysop'** in the group mapping. The 'groups' scope must be included in both Admidio's as well as MediaWiki's config, and Admidio's role must be included as an OIDC claim. |
| | * By default, MediaWiki will use basic http authentication for its calls to the authorization and token endpoints, which means that no special characters (in particular colons) are allowed. Unfortunately, the client ID will be used as username, which typically contains a colon in 'https://...'. The OpenID specification states that the colon is the separator between username and passphrase (client secret), so Admidio will incorrectly assume 'https' to be the username and everything else is the client secret... The two possible solutions are to (1) either not use the full URL, but any other unique identifier without a colon as clientID, or (2) switch MediaWiki to the 'client_secret_post' authMethod in the MediaWiki's ''LocalSettings.php'' configuration file (see the example above, which already contains this fix). |
| |
| * MediaWiki allows **admin login** through OpenID by assigning the **group 'admin'** in the group mapping. | |
| * MediaWiki will convert all group names to lowercase. This is a general restriction in MediaWiki and not specific to OpenID. | |
| * MediaWiki will match its accounts using the email provided in the OpenID token, even when a different user id field is selected. E.g. if a local user 'dale' with email 'dale@example.com' already exists, and a new OpenID login from user 'dale' with email 'dale.baade@example.com' occurs, MediaWiki will treat these as two separate users (and modify the username of the newly created user to 'dale1')! | |
| * MediaWiki controls **login permissions for OpenID** with a **group 'generic' assigned to a user**. If local accounts already exist, one needs to add them to the 'generic' group, otherwise login with OpenID is not possible and the following error message will be shown:{{ :en:2.0:sso:sso_oidc_04-10_dw_error_group.png?direct |}} To fix this, add the user to the 'generic' group: {{ :en:2.0:sso:sso_oidc_04-11_dw_generic_group.png?direct&600 |}} | |
