
SAML Plugin

Compatible with DokuWiki

  • 2024-02-06 "Kaos" unknown
  • 2023-04-04 "Jack Jackrum" unknown
  • 2022-07-31 "Igor" unknown
  • 2020-07-29 "Hogfather" yes

Provides user authentication via SAML 2.0

Last updated on: 2020-10-22
Provides: Auth

Similar to adfs, authad

Tagged with ad, adfs, saml, sso

The plugin is a fork of adfs, tested with ADFS, SimpleSAMLphp, Keycloak and Okta. It should work with other SAML 2.0 providers.

The plugin makes use of the php-saml library version 2.13.0 (included in the download).

Installation

Search and install the plugin using the Extension Manager. Refer to Plugins on how to install plugins manually.

Configure the Plugin

There are multiple settings to configure in the Configuration Manager. The easiest way to figure out what values to set is to use the “SAML Configuration Helper” in the Admin interface - feed it your SAML metadata file and it will show you the correct values. Alternatively use the descriptions below.

  • idPEntityID: the EntityID your SAML server identifies as. If you leave it at a random string, you will get an error telling you the correct ID.
  • endpoint: this is where your IdP server provides the SAML 2.0 endpoint.
  • certificate: this is the certificate you set up for SAML IdP above. You can find the certificate in your IdP metadata. Look for <IDPSSODescriptor *><KeyDescriptor use="signing"><X509Certificate>. It should be a long string of characters. Just paste that into the config. Make sure you use the signing key and not the encryption one.
  • lowercase: Active Directory is usually case-insensitive, which means you can log in as “Foo” or “foo”. To make administration in the Wiki easier, both instances will be converted to “foo”. Disable this option if your SAML provider is case-sensitive.
  • autoprovisioning: By default the wiki will let in everyone who successfully authenticated via SAML. When you disable this option, you have to create the users manually in the wiki before they can log in via SAML.
  • *_attr_name: These options configure the attributes where login, name, email and groups of users are read from. They correspond to the names you set up in the Claim Rules above.

Please make sure your users have valid email addresses set in your IdP! Otherwise certain DokuWiki features may not work for them.

Once everything is set up, you can switch the authtype to saml.

Be sure to configure a superuser from your IdP, so you can log in as admin later on.

Important: make sure your Wiki and IdP have the correct time! They may drift apart by at most three minutes, or login will not work.

Usage

Clicking the login button will redirect users to your IdP. The server might automatically log in users using Single-Sign-On or simply provide a form where users can provide their credentials.

plugin/saml.txt · Last modified: 2024-03-03 00:49 by samyelman

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International