Loading...
 

SAML SSO Authentication

After a couple of years the maintenance of Tikis implementation of SSO/SAML has been reactivated. As recently stated on doc.tiki.org by Marc Laporte, SAML gets more relevance from Tiki 17/18 and soon (Tiki 18) will be installable via the upcoming Composer Web Installer as OneLogin’s SAML PHP Toolkit.

SAML is installable as free open source php-saml by onelogin.com through the Packages feature in Tiki18. This page will be used to figure out how to get minimum 2 Tikis running as an IdP (Identity Provider) serving the user data and one or more SPs (Service Providers) which athenticates users against the IdP. Once this is done, we can continue with the doc page or write a HowTo on doc.tiki.org.

0. Base URLS


Given the base url of the IdP would be https://idp.example.com
and the base url of the SP would be https://sp.example.com

1. IdP Identity Provider

Prerequesites

  • Use a fresh checked out Tiki 18 as an IdP
  • Install php-saml through Packages (2 minutes)
  • Activate SAML Authentication in tiki-admin.php?page=login in the dropdown in the first tab "General Settings" and the tick box in the SAML tab
  • Get a x509 certificate for the IdP

Findings:

  • The SAML autoinstallation puts files in tikiroot/files and tikiroot/vendor/onelogin
  • Some of the necessary data to put into the configuration fields seem to be automatically added to the setting file in tikiroot/vendor/onelogin/php-saml/settings.php
  • There seem to be some reference to tikiroot/files/php-saml/settings.php at some point, but therin the above mentioned data is missing apart from an automatically added baseurl ... which apparently uses to the sites domain in conjunction withe respective path in tikiroot/vendors : https://idp.example.com/vendor/onelogin/php-saml
  • The doubling of the directory "php-saml" in tikiroot/vendor/onelogin and in tikiroot/files seems a bit confusing and it needs to be clarified which directory to be used and why and how.
    At the first view it looks like that Tiki writes relevant data into the vendor directory, but tries to use the files directory, where the data seems to be missing.
  • In tiki-admin.php?page=login there is a first section called "Identity provider settings" which seems to be the part to define the IdP, whilst it is not clear, if further options are necessary to define / fill in. In this section there are 4 settings: IdP Entity Id, Single Sign On Service Url, Single Log Out Service Url and X.509 Certificate
  • The default setting in Tiki for the IdP's 'Entity ID' seems to be "1" (found in https://idp.example.com/vendor/onelogin/php-saml/settings.php)

Questions:

  • What has to be set as 'Entity ID', which might be digits, characters or a domain. See also: https://spaces.internet2.edu/display/InCFederation/Entity+IDs
  • What are the correct Single Sign On Service Url and Single Log Out Service Url? In https://idp.example.com/vendor/onelogin/php-saml/settings.php they are simply set as https://saml.example.com/login and https://saml.example.com/logout where https://saml.example.com/ represents the actual domain or subdomain used on your installation, respectively the actual base domain.
  • Where (and how) to get a x509 certificate for the IdP and the SP, where the SP's certificate seems to additionally need a signature

2. SP Service Provider

Prerequsites

  • Have a SAML IdP Identity Provider setup and running: see above Tiki 18 with
  • Set the SP that the user admin still logs in/out Tiki way


Problems

After the IdP is setup including a LetsEncrypt certificate and the SP is setup including a LetsEncrypt certificate plus a public key (belongig to the SP's certificate) logging out as user admin provides the following error message whilst not logging out:

There is a problem with the SAML settings, review them: Invalid array settings: idp_entityId_not_found, idp_sso_not_found, idp_cert_or_fingerprint_not_found_and_required



feel free to add thoughts and comments here

Related

SAML
Login-Config
External-Authentication
External-Authentication

Further Information

http://arge.ph-noe.ac.at/fileadmin/inf/AG_2017/SAML-Auth.pdf (German lecture slides)
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
https://de.wikipedia.org/wiki/Security_Assertion_Markup_Language
https://www.oasis-open.org/
http://www.projectliberty.org/
https://kantarainitiative.org/what-we-do/

Alias

SAML Authentication


Contributors to this page: Marc Laporte and Torsten Fabricius ☺️ .
Page last modified on Thursday 23 July, 2020 11:30:10 GMT-0000 by Marc Laporte.

Keywords

The following is a list of keywords that should serve as hubs for navigation within the Tiki development and should correspond to documentation keywords.

Each feature in Tiki has a wiki page which regroups all the bugs, requests for enhancements, etc. It is somewhat a form of wiki-based project management. You can also express your interest in a feature by adding it to your profile. You can also try out the Dynamic filter.

Accessibility (WAI & 508)
Accounting
Administration
Ajax
Articles & Submissions
Backlinks
Banner
Batch
BigBlueButton audio/video/chat/screensharing
Blog
Bookmark
Browser Compatibility
Calendar
Category
Chat
Comment
Communication Center
Consistency
Contacts Address book
Contact us
Content template
Contribution
Cookie
Copyright
Credits
Custom Home (and Group Home Page)
Database MySQL - MyISAM
Database MySQL - InnoDB
Date and Time
Debugger Console
Diagram
Directory (of hyperlinks)
Documentation link from Tiki to doc.tiki.org (Help System)
Docs
DogFood
Draw -superseded by Diagram
Dynamic Content
Preferences
Dynamic Variable
External Authentication
FAQ
Featured links
Feeds (RSS)
File Gallery
Forum
Friendship Network (Community)
Gantt
Group
Groupmail
Help
History
Hotword
HTML Page
i18n (Multilingual, l10n, Babelfish)
Image Gallery
Import-Export
Install
Integrator
Interoperability
Inter-User Messages
InterTiki
jQuery
Kaltura video management
Karma
Live Support
Logs (system & action)
Lost edit protection
Mail-in
Map
Menu
Meta Tag
Missing features
Visual Mapping
Mobile
Mods
Modules
MultiTiki
MyTiki
Newsletter
Notepad
OS independence (Non-Linux, Windows/IIS, Mac, BSD)
Organic Groups (Self-managed Teams)
Packages
Payment
PDF
Performance Speed / Load / Compression / Cache
Permission
Poll
Profiles
Quiz
Rating
Realname
Report
Revision Approval
Scheduler
Score
Search engine optimization (SEO)
Search
Security
Semantic links
Share
Shopping Cart
Shoutbox
Site Identity
Slideshow
Smarty Template
Social Networking
Spam protection (Anti-bot CATPCHA)
Spellcheck
Spreadsheet
Staging and Approval
Stats
Survey
Syntax Highlighter (Codemirror)
Tablesorter
Tags
Task
Tell a Friend
Terms and Conditions
Theme
TikiTests
Timesheet
Token Access
Toolbar (Quicktags)
Tours
Trackers
TRIM
User Administration
User Files
User Menu
Watch
Webmail and Groupmail
WebServices
Wiki History, page rename, etc
Wiki plugins extends basic syntax
Wiki syntax text area, parser, etc
Wiki structure (book and table of content)
Workspace and perspectives
WYSIWTSN
WYSIWYCA
WYSIWYG
XMLRPC
XMPP




Useful Tools