DokuWiki

adfs Plugin

Compatible with DokuWiki

  • 2018-04-22 "Greebo" yes
  • 2017-02-19 "Frusterick Manners" unknown
  • 2016-06-26 "Elenor Of Tsort" unknown
  • 2015-08-10 "Detritus" unknown

Provides user authentication against Active Directory Federation Services via SAML 2.0

Last updated on: 2018-05-30
Provides: Auth
Repository: Source

Similar to authad

Tagged with ad, adfs, saml, sso

The plugin was tested with Active Directory Federation Services on Windows Server 2008 and 2010. It might work with other SAML2 based Identity Providers, too. Users have reported it to work with SimpleSAMLphp.

The plugin makes use of the php-saml library version 2.13.0 (included in the download).

Installation

A CosmoCode Plugin

Search and install the plugin using the Extension Manager. Refer to Plugins on how to install plugins manually.

Setup ADFS with SAML 2.0

Before you start, make sure you have an SSL certificate for the Federation Server and for the Wiki. ADFS requires SSL and will not work without it. Self-signed certificates will work, but browser-trusted ones are recommended for real-world usage.

Windows Server 2008: Download the updated Federation Services from Microsoft. Do not use the ones that come with the OS. Run the installer and follow the wizard to set up the Federation Services, IIS and the needed certificate.

Windows Server 2010: Open the Server Manager, select “Add roles and Features” and select “Active Directory Federation Services” from the list of Server roles. IIS is no longer required!

Once the services are set up, add a new Relying Party Trust in the ADFS snap-in (AD FS Management):

For configuration, use the following Federation metadata address: https://yourwiki/doku.php?do=adfs, where yourwiki is your wiki server's address.

Enter any name and description, and select Permit all users to access this relying party.

Finally run the Edit Claim Rules dialog. Add a new “Issuance Transform Rule” and pick “Send LDAP Attributes as Claims”. Add the following:

  • Claim rule name: User Attributes
  • Attribute Store: Active Directory
  • Mapping of LDAP attributes 1):
    • User-Principal-Name → login
    • E-Mail-Addresses → email
    • Token-Groups - unqualified Names → groups
    • Display-Name → fullname

Configure the Plugin

There are multiple settings to configure in the Configuration Manager. The easiest way to figure out what values to set is to use the “ADFS Configuration Helper” in the Admin interface: feed it your ADFS server's metadata file and it will show you the correct values. Alternatively, use the descriptions below.

idPEntityID: the EntityID your ADFS server identifies as. If you leave it at a random string, you will get an error telling you the correct ID.
endpoint: this is where your ADFS server provides the SAML 2.0 endpoint. It's usually https://<youradfs>/adfs/ls/
certificate: this is the certificate you set up for the ADFS server above. You can find the certificate in an XML file that is usually found under https://<youradfs>/FederationMetadata/2007-06/FederationMetadata.xml. Look for <IDPSSODescriptor *><KeyDescriptor use="signing"><X509Certificate>. It should be a long string of characters; just paste that into the config. Make sure you use the signing key and not the encryption one.
lowercase: Active Directory is usually case-insensitive, which means you can log in as “Foo” or “foo”. To make administration in the Wiki easier, both are converted to “foo”. Disable this option if your SAML provider is case-sensitive.
autoprovisioning: by default the wiki will let in everyone who successfully authenticated via ADFS. When you disable this option, you have to create the users manually in the wiki before they can log in via ADFS.
*_attr_name: these options configure the attributes from which the login, name, email and groups of users are read. They correspond to the names you set up in the Claim Rules above.
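As an added example (not code from the plugin or this page), the following Python script performs the lookup the descriptions above walk through by hand: it reads a FederationMetadata.xml document and returns the three values idPEntityID, endpoint and certificate, taking the HTTP-Redirect SingleSignOnService location and the signing (not the encryption) X509Certificate. The sample metadata and the host adfs.example.test are constructed; the namespace URIs are the standard SAML 2.0 metadata and XML Signature ones.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def parse_adfs_metadata(xml_text):
    """Return the three values the adfs plugin configuration asks for."""
    root = ET.fromstring(xml_text)
    # ADFS publishes a bare EntityDescriptor; other IdPs may wrap it in EntitiesDescriptor.
    entity = root if root.tag.endswith("}EntityDescriptor") else root.find("md:EntityDescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS) if entity is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor found: this is not IdP metadata")
    # Pick the signing key, never the encryption one. A KeyDescriptor without a
    # 'use' attribute is valid for both purposes, so it is accepted as well.
    signing = [kd for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use", "signing") == "signing"]
    if not signing:
        raise ValueError("no signing KeyDescriptor found")
    cert = signing[0].findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
    # The plugin's login redirect uses the HTTP-Redirect binding of the SSO service.
    endpoint = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                     if s.get("Binding") == REDIRECT), None)
    if endpoint is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService found")
    # Strip line breaks so the value pastes cleanly into the Configuration Manager.
    return {"idPEntityID": entity.get("entityID"), "endpoint": endpoint,
            "certificate": "".join(cert.split())}

# Constructed sample in the shape of an ADFS FederationMetadata.xml; the
# certificate strings are placeholders, not real base64.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>ENCRYPTIONCERT</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>SIGNINGCERTPART1
        SIGNINGCERTPART2</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for key, value in parse_adfs_metadata(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against the real file fetched from your ADFS server to get values you can paste into the Configuration Manager; the ValueError branches flag metadata that is not an IdP's or that carries no signing key.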

Please make sure your users have valid email addresses set in the Active Directory! Otherwise certain DokuWiki features may not work for them.

Once everything is set up, you can switch the authtype to adfs.

Be sure to configure a superuser from your Active Directory, so you can log in as admin later on.

Important: make sure your Wiki and ADFS Server have the correct time! They may only drift apart by three minutes maximum or login will not work.

Usage

Clicking the login button will redirect users to your ADFS server. The server might automatically log in users using Single Sign-On or simply provide a form where users can enter their Active Directory credentials.

1) You have to type the right side; these names are not in the dropdown.
plugin/adfs.txt · Last modified: 2018-12-07 10:51 by Barbara