Differences

This shows you the differences between two versions of the page.

--- plugin:adfs [2016-12-09 13:11] – doc for customizable attributes and autoprovisioning option 2001:a18:1:8::136
+++ plugin:adfs [2024-03-12 14:27] (current) – question added asheenlevrai
@@ Line 1: / Line 1: @@
-====== adfs Plugin ======
+====== ADFS Plugin ======
 ---- plugin ----
@@ Line 6: / Line 6: @@
 email      : andi@splitbrain.org
 type       : auth
-lastupdate : 2016-12-09
+lastupdate : 2020-10-22
-compatible : hrun
+compatible : Hrun, Greebo, Hogfather
 depends    :
 conflicts  :
@@ Line 15: / Line 15: @@
 downloadurl: https://github.com/cosmocode/dokuwiki-plugin-adfs/zipball/master
 bugtracker : https://github.com/cosmocode/dokuwiki-plugin-adfs/issues
-sourcerepo : https://github.com/cosmocode/dokuwiki-plugin-adfs/
+sourcerepo : https://github.com/cosmocode/dokuwiki-plugin-adfs
 donationurl:
 screenshot_img :
 ----
+The plugin was tested with Active Directory Federation Services on Windows Server 2008 and 2010. It might work with other SAML2 based Identity Providers, too. Users have reported it to work with SimpleSAMLphp and Okta.
+The plugin makes use of the [[https://github.com/onelogin/php-saml|php-saml]] library version 2.13.0 (included in the download).
 ===== Installation =====
-[[http://www.cosmocode.de/en/open-source/dokuwiki-plugins/|{{ http://cosmocode.de/static/img/dokuwiki/dwplugins.png?recache|A CosmoCode Plugin}}]]
+[[https://www.cosmocode.de/en/open-source/dokuwiki-plugins/|{{ http://cosmocode.de/static/img/dokuwiki/dwplugins.png?recache|A CosmoCode Plugin}}]]
-Install the plugin using the [[plugin:plugin|Plugin Manager]] and the download URL above, which points to latest version of the plugin. Refer to [[:Plugins]] on how to install plugins manually.
+Search and install the plugin using the [[plugin:extension|Extension Manager]]. Refer to [[:Plugins]] on how to install plugins manually.
 ==== Setup ADFS with SAML 2.0 ====
-The plugin was tested with Windows Server 2008. Please note that there is an updated version of the Federation Services for Windows Server 2008 that have to be **downloaded separately**: [[http://www.microsoft.com/en-us/download/details.aspx?id=10909|Download them from Microsoft]].
+Before you start, make sure you have a SSL certificate for the Federation Server and the Wiki. ADFS requires SSL and will not without. Self-signed certificates will work, but a browser trusted ones is recommended for real-world usage.
-Run the installer and follow the wizard to set up the Federation Services, IIS and the needed certificate. For real world use a certificate signed by a well-known Authority is recommended but not needed. A self-signed one will work too.
+**Windows Server 2008**: [[http://www.microsoft.com/en-us/download/details.aspx?id=10909|Download the updated Federation Services]] from Microsoft. Do not use the ones that come with the OS. Run the Installer and follow the wizard to set up the Federation Services, IIS and the needed certificate.
-Your wiki has to be SSL secured as well! ADFS will refuse to work without SSL! A browser accepted certificate is highly recommended.
+**Windows Server 2010**: Open the Server Manager, select "Add roles and Features" and select "Active Directory Federation Services" from the list of Server roles. IIS is no longer required!
-Once the services are set up, add a new **Relying Party Trust** in the ADFS snap-in.
+Once the services are set up, add a new **Relying Party Trust** in the ADFS snap-in (AD FS Management):
 For configuration use the following **Federation metadata address**: ''%%https://yourwiki/doku.php?do=adfs%%'' where ''yourwiki'' is your wiki server's address of course.
@@ Line 53: / Line 57: @@
 ==== Configure the Plugin ====
-There are two settings to configure in the [[plugin:config|Configuration Manager]]:
+There are multiple settings to configure in the [[plugin:config|Configuration Manager]]. The easiest way to figure out what values to set is to use the "ADFS Configuration Helper" in the Admin interface - feed it your ADFS' metadata file and it will show you the correct values. Alternatively use the descriptions below.
-  * ''endpoint'' this is where your ADFS server provides the SAML 2.0 endpoint. It's usually ''%%https://<youradfs>/adfs/ls/%%''
+| ''idPEntityID'' | the EntityID your ADFS server identifies as. If you leave it at a random string, you will get an error telling you the correct ID |
-  * ''certificate'' this is the certificate you set up for the ADFS Server above
+| ''endpoint'' | this is where your ADFS server provides the SAML 2.0 endpoint. It's usually ''%%https://<youradfs>/adfs/ls/%%'' |
+| ''certificate'' | this is the certificate you set up for the ADFS Server above. You can find the certificate in an XML file that is usually found under %%''https://<youradfs>/FederationMetadata/2007-06/FederationMetadata.xml''%%. Look for ''<IDPSSODescriptor *>'' -> ''<KeyDescriptor use="signing">'' -> ''<X509Certificate>''. It should be a long string of characters. Just paste that into the config. Make sure you use the signing key and not the encryption one. |
+| ''lowercase'' | ActiveDirectory is usually case insensitive, this means you can login as "Foo" or "foo". To make administration in the Wiki easier, both instances will be converted to "foo". Disable this option if your SAML provider is case-sensitive. |
+| ''autoprovisioning'' | By default the wiki will let in everyone who successfully authenticated via ADFS. When you disable this option you have to create the users manually in the wiki before they can login via ADFS. |
+| ''*_attr_name'' | These options configure the attributes where login, name, email and groups of users are read from. The correspondent to the names you set up in the //Claim Rules// above. |
-You can find the certificate in an XML file that is usually found under %%''https://<youradfs>/FederationMetadata/2007-06/FederationMetadata.xml''%%. Look for ''<IDPSSODescriptor *>'' -> ''<KeyDescriptor use="signing">'' -> ''<X509Certificate>''. It should be a long string of characters. Just paste that into the config. Make sure you use the signing key and not the encryption one.
+Please make sure your users have valid email addresses set in the Active Directory! Otherwise certain DokuWiki features may not work for them.
-The attribute names above (login, email, fullname and groups) are the default. In case you idP is not using these names, you can override the defaults by configuring the keys: "userid|fullname|email|groups attr name".
-Once everything is set up you can switch the [[config:authtype|authtype]] to ''adfs''.
+Once everything is set up, you can switch the [[config:authtype|authtype]] to ''adfs''.
+Be sure to configure a [[config:superuser]] from your Active Directory, so you can login as admin later on.
+Important: make sure your Wiki and ADFS Server have the correct time! They may only drift apart by three minutes maximum or login will not work.
 ===== Usage =====
-Clicking the login button will bring up the ADFS login form. Users can login with their Active Directory user name there and will be redirected to the wiki. If setup correctly, the ADFS form will use Single-Sign-On to log users in automatically.
+Clicking the login button will redirect users to your ADFS server. The server might automatically log in users using Single-Sign-On or simply provide a form where users can provide their Active Directory credentials.
-The login will be remembered by the wiki. Unless they log out explicitly subsequent visits will trigger the login process automatically.
-Please make sure your users have valid email addresses set in the Active Directory! Otherwise certain DokuWiki features may not work for them.
+===== Questions =====
+-03-12 : Is this plugin still currently maintained?
-By default, new accounts are created during the first time login.
-If you prefer to reject unknown users and want to manually manage the user accounts you can untick the option "autoprovisioning" in the configuration screen.