Configuring SSO on your wiki using SAML

MyWikis offers support for your organization's single sign on (SSO) using SAML. This supports common auth products such as Azure Active Directory, Okta, etc.

To set up, please ensure you have opened a support ticket with our tech team asking to integrate your wiki with SSO. You will need to provide us with sample credentials to test your integration. Then, follow the instructions depending on which auth product you use.

Don't want to set it up by yourself? We can help. Open a ticket and ask for our SSO configuration services, starting at $200.

Azure Active Directory

Note: This can also be achieved through OpenID or OAuth.

We will need your FederationMetadata.xml file. You can find this by logging on to the Azure portal, go to Azure Active Directory -> App Registrations -> Endpoints, then copy the URL where we can access the FederationMetadata.xml file and download it. Upload it to the support ticket.

Then, register a new application to allow your MyWikis wiki to send auth requests to Azure AD. Go to Azure Active Directory -> App Registrations -> View All Applications, then choose New Application Registration. The home page should be your wiki's URL, e.g. https://goodreads.mywikis.net/. Once you've registered the wiki on your Azure AD portal, note down the Application ID and send this to us on the support ticket.

Once our support team has been able to assign you, go back to App Registrations -> View All Applications, click on the app for your MyWikis wiki, then click Settings -> Reply URLs. Add the following as a reply URL:

https://saml.mywikis.com/module.php/saml/sp/saml2-acs.php/[default-sp], except replace [default-sp] with the value provided by the support team and without the brackets.

By default, if you do not provide us with schemas for your email address, full name, and username representations, we will use the following configuration:

$wgSimpleSAMLphp_UsernameAttribute = ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname','http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'];
$wgSimpleSAMLphp_EmailAttribute = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name';
$wgSimpleSAMLphp_RealNameAttribute = [
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
];

For more information on the overall configuration process, visit https://medium.com/vivritiengineering/mediawiki-and-azure-single-sign-on-e3fbc13d1f46. Please note that the SimpleSAMLphp portion is for us to do, not you.

Google Workspace

Note: If you want to allow ALL Google accounts to log in to your wiki, not just ones in your Google Workspace, please contact support and ask for the GoogleLogin extension to be installed. You won't need to follow these instructions. Google Workspace users, please keep reading.

You will want to follow the instructions located on Google's documentation: https://support.google.com/a/answer/6087519

When Google says "get this info from your administrator", here is what you give them:

  1. Choose Download IdP metadata over Copy the SSO URL, entity ID, and certificate
  2. Take the XML file you are given, GoogleIDPMetadata.xml, and provide it to us, by uploading it to your ticket
  3. Your ACS URL will be provided by us, in the format of https://[wikiid].mywikis.wiki/simplesaml/module.php/saml/sp/saml2-acs.php/googleworkspace-[wikiid]
  4. Your entity ID will be provided by us, in the format of https://[wikiid].mywikis.wiki/simplesaml/module.php/saml/sp/metadata.php/googleworkspace-[wikiid]
  5. The start URL should be: https://[wikiid].mywikis.wiki/wiki/Special:PluggableAuthLogin
  6. For the SAML attribute mapping, add three attributes exactly as shown below (case sensitive and do not include spaces - do not replace these values with your personal name or email address):
    First name -> "FirstName"
    Last name -> "LastName"
    Primary email -> "Email"

JumpCloud

  1. First, open a ticket with us about installing SSO on your wiki. Tell us you're using JumpCloud, and ask us for our SP metadata XML file.
  2. Once you have the metadata XML file from us, go to the JumpCloud admin console.
  3. From the JumpCloud admin console, click on the SSO section on the left bar. Press the green + sign and add a "Custom SAML Integration".
  4. Under "Single Sign-On Configuration", first upload the XML file we gave you by clicking "Upload Metadata", then put the following values
    IdP Entity ID: jumpcloud-mywikis-WIKI_ID (where WIKI_ID is your wiki ID)
    SAMLSubject NameID: username
    SAMLSubject NameID format: urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified
    Signature algorithm: RSA-SHA256
    Default RelayState: https://WIKI_ID.mywikis.wiki/wiki/Main_Page (where WIKI_ID is your wiki ID)
    Login URL: https://WIKI_ID.mywikis.wiki/wiki/Special:PluggableAuthLogin (where WIKI_ID is your wiki ID)
    IdP URL: https://sso.jumpcloud.com/saml2/mywikisWIKI_ID (where WIKI_ID is your wiki ID)
    Don't check any of the checkboxes, except for "include group attribute". Once you check it, type "Groups" into the textbox that appears.
  5. For the SAML attribute mapping, add three attributes exactly as shown below (case sensitive and do not include spaces or double quotes - do not replace these values with your personal name or email address):
    Format: Service Provider Attribute Name <- JumpCloud Attribute Name
    "FirstName" <- firstname
    "LastName" <- lastname
    "Email" <- email
    "Username" <- username
  6. Press the green "Activate" button at the bottom. Then, you'll be sent back to your list of SSO integrations. Click the service you just created and go back to the "Single Sign-On Configuration". Under JumpCloud metadata, click the "Export Metadata" file.
  7. Go to the "User Groups" tab and be sure to enable the user groups you want to be able to use this SSO integration. (Note: It cannot be "All Users", it must be a specific group.)
  8. Give this metadata file to us on the support ticket.

Okta

We don't yet have a guide for Okta, but we hope to have one coming soon. Nonetheless, we support Okta. Contact support for more details.

 

  • 0 משתמשים שמצאו מאמר זה מועיל
?האם התשובה שקיבלתם הייתה מועילה

מאמרים קשורים

Modifying wiki CSS or JavaScript

To modify your wiki's general CSS and JavaScript, edit the MediaWiki:Common.css file or...

Adding or changing your wiki's logo

On all MyWikis wikis, the logo should be uploaded to the File:Wiki.png page on your wiki. If you...

Modifying your wiki's sidebar

Your wiki's sidebar is able to be changed. Go to the MediaWiki:Sidebar page of your wiki. A new...

Privacy levels

We offer many different privacy configurations. You're free to choose whichever one suits you the...

Changing your wiki's MediaWiki version

If you're on the MyWikis Basics plan, you'll always be on the latest LTS version of MediaWiki....