Single-Sign-On into DokuWiki using Admidio as an OpenID Provider

Starting with version 5.0, Admidio can be used by other applications to authenticate users against Admidios user base. These instructions will guide you through the process of connecting DokuWiki to Admidio to use Admidio's login. For general instructions, and other apps, please visit the general Single-Sign-On overview page.

Throughout the document we will assume you have both Admidio and DokuWiki already set up properly at https://admidio.local/ and https://dokuwiki.local/. Please modify these URLs to your actual installation.

As a first step, one needs to configure Admidio to act as an OpenID Provider (OP). This has to be done once and is not specific to DokuWiki. Please follow this guide: #a_basic_setup_for_admidio_as_an_oidc_id_provider

Basically, one (1) needs to create a cryptographic key to sign message and choose a unique EntityID. The page https://admidio.local/adm_program/modules/preferences.php?panel=sso also provides the link to the metadata xml, and the individual settings in case a client does not support auto-configuration via metadata.

Setting up a client (OpenID “Relying Party” - short RP) to use Admidio's user accounts for logging in consists of two steps: (1) The client (RP, DokuWiki in our case) needs to be set up with the data about the OpenID Provider (OP). Typically this is done via the metadata provided in the discovery URL of the provider. Otherwise one has to manually paste the endpoint URLs of the OpenID provider. Since Admidio provides those URLs with copy buttons in the preferences screen, even the manual configuration is rather straigtforward. (2) Admidio needs to be told about the client. In particular, the entity ID and the redirect URL must be given, and a custom-generated (random) secret must be copied to the client configuration.

The concrete steps are:

• At the Relying Party (RP) - DokuWiki in our case - install the extension to support OpenID login.
  • Configure it either with Admidio's discovery URL (if supported), or enter the EntityID and the URL endpoints for authentication, token and userinfo.
  • Also, choose which scopes (groups of profile fields) should be requested from Admidio (“openid” is required; If Admidio's groups/roles should be mapped to the client's groups, the “groups” scope is also required).
• In Admidio, create a new OpenID client.
  • Choose an easily understood label for the client (only used in Admidio's list of clients, but has no technical use)
  • Enter the ClientID from the RP, Copy the created Client Secret (you will later need to paste it indo DokuWiki's configuration), and enter the Redirect URI for the RP. Typically the latter can be found either on the RP's configuration page or in the documentation.
• Optionally select (both in Admidio and the RP) which profile fields should be mapped to OpenID claims (attributes) and sent to the client, and configure which group memberships should be transmitted.

OpenID Connect login in DokuWiki is provided by the "oauth plugin" and the connected "oauth generic Service" extension.

After installation it can be configured in DokuWiki's Configuration Settings, near the bottom in the “Oauth” and “Oauthgeneric” sections.

First, one has to copy over the OpenID endpoint URLs from Admidio's OpenID preferences (each URL has a copy button). You can find them here:

It is now a good idea to keep two browser windows open so one can easily select and copy the settings. Admidio even provides little “copy” buttons/icons to copy the various settings to the clipboard for easy pasting into DokuWiki's configuration.

Now, return to Admidio's SSO preferences page, go to the “Single-Sign-On Client Administration” (the button right below the endpoint URLs and above the “Save” button), and create a new client.

1. The Client Name is the label of the client in Admidio's client list, it can be anything you like.
2. The “Client ID” and “Client Secret” in Admidio have to match exactly the “Application UID” and “Application Secret” in DokuWiki's configuration. The ID is typically the client's URL, although some clients allow any unique identifier, while others (most notably MediaWiki) require it to be the base of the OpenID endpoint (up until the 'index.php/oidc/'). The Client Secret should a random string and will serve like a password. Admidio will create one and allow it to be copied to the client. Afterwards it is only stored as a hash in the database and not be recovered any more. However, one can create a new Client Secret in Admidio and copy that to the client's configuration.
3. DokuWiki will display its Redirect URL, which needs to be copied to Admidio.
4. Enter the scopes you desire in DokuWiki's config and make sure that Admidio's config matches it. At least openid must be included (Admidio will implicitly add it). If groups/roles are supposed to be used for access permissions, the “groups” scope also must be included in both DokuWiki's and Admidio's scope setting and the roles included as an OpenID claim. (The groups mapping that Admidio offers is optional, one can also send all groups verbatim without mapping. This can be achieved by checking the checkbox below the mapping table in Admidio).

This is a typical configuration of the DokuWiki Oauth extensions for Admidio as an OpenID provider:

To use Admidio's group memberships as Dokuwiki groups, make sure to include the “Roles” field and provide the correct field name in Dokuwiki. DokuWiki even provides a setting to overwrite all groups with the groups received from Admidio.

Make sure to use the same OpenID claim names as the ones mapped in Dokuwiki's OpenID configuration (circled red in the configuration screenshot above).

Once all settings are done, it is time to enable the saml plugin for login to DokuWiki in the “Configuration Settings”:

The settings done above in the graphical interface could also be done in the conf/local.php config file of DokuWiki. The corresponding settings would look like this:

$conf['authtype'] = 'oauth';
$conf['superuser'] = '@admin';
$conf['plugin']['oauth']['register-on-auth'] = 1;
$conf['plugin']['oauth']['overwrite-groups'] = 1;
$conf['plugin']['oauthgeneric']['key'] = 'https://dokuwiki.local/';
$conf['plugin']['oauthgeneric']['secret'] = 'lWDQ......gU';
$conf['plugin']['oauthgeneric']['authurl'] = 'https://admidio.local/modules/sso/index.php/oidc/authorize';
$conf['plugin']['oauthgeneric']['tokenurl'] = 'https://admidio.local/modules/sso/index.php/oidc/token';
$conf['plugin']['oauthgeneric']['userurl'] = 'https://admidio.local/modules/sso/index.php/oidc/userinfo';
$conf['plugin']['oauthgeneric']['scopes'] = array('openid', 'profile', 'address', 'phone', 'email', 'custom', 'groups', 'roles');
$conf['plugin']['oauthgeneric']['json-user'] = 'username';
$conf['plugin']['oauthgeneric']['json-name'] = 'fullname';
$conf['plugin']['oauthgeneric']['json-mail'] = 'email';
$conf['plugin']['oauthgeneric']['json-grps'] = 'roles';
$conf['plugin']['oauthgeneric']['label'] = 'OIDC Login with Admidio';

Admidio and DokuWiki should now be set up to use Admidio for logging in to Dokuwiki. If you log out of DokuWiki and try to log in again, you will be shown the Admidio login screen and then redirected back to Dokuwiki.

• DokuWiki allows admin login through OpenID by assigning the group 'admin' in the group mapping.
• DokuWiki will convert all group names to lowercase. This is a general restriction in DokuWiki and not specific to OpenID.
• DokuWiki will match its accounts using the email provided in the OpenID token, even when a different user id field is selected. E.g. if a local user 'dale' with email 'dale@example.com' already exists, and a new OpenID login from user 'dale' with email 'dale.baade@example.com' occurs, DokuWiki will treat these as two separate users (and modify the username of the newly created user to 'dale1')!
• DokuWiki controls login permissions for OpenID with a group 'generic' assigned to a user. If local accounts already exist, one needs to add them to the 'generic' group, otherwise login with OpenID is not possible and the following error message will be shown: To fix this, add the user to the 'generic' group: