cosmocode / dokuwiki-plugin-adfs
Home Page: https://www.dokuwiki.org/plugin:adfs
A DokuWiki plugin to authenticate against Microsoft's ADFS using SAML 2.0
adfs Plugin for DokuWiki

Provides user authentication against Active Directory Federation Service via SAML 2.0.

All documentation for this plugin can be found at http://www.dokuwiki.org/plugin:adfs

If you install this plugin manually, make sure it is installed in lib/plugins/adfs/ - if the folder is called differently it will not work!

Please refer to http://www.dokuwiki.org/plugins for additional info on how to install plugins in DokuWiki.

----

Copyright (C) Andreas Gohr <[email protected]>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 of the License.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

See the COPYING file in your DokuWiki folder for details.
Upgrading the plugin to the 2018-05-30 version seems to break our ADFS installation with the below error. Reverting the snapshot makes the site accessible again.
ADFS: Invalid issuer in the Assertion/Response (expected 'set me', got 'http://sample.domain.com/adfs/services/trust')
It would be great to have a login_required option. When this option is checked the user should be redirected to the ADFS as soon as he enters the wiki without being logged in.
Background: We publish the wiki with an ADFS-based login anyway, so the user is already logged in (to ADFS), but they still have to press the login button.
I know this could be fixed with JavaScript in the template, but maybe other users have the same problem. Not sure if this is easy to implement?
I apologise if I am way off track with this. I'm by no means a PHP developer. I'm coming from a sysadmin perspective looking to implement SAML with dokuwiki in production.
This plugin works perfectly for my needs; however, I noticed that this plugin seems to rely on a OneLogin library, and there seem to have been some vulnerabilities in that library reported since the last update to this plugin.
https://github.com/onelogin/php-saml#warning
Can anybody help me to understand why this plugin is or isn't vulnerable to known vulnerabilities?
Cheers,
I'm using Windows Server 2012 R2. When I try to add a new Relying Party Trust, I get the following Error Message:
Error message: MSIS7528: The metadata does not contain the role descriptors needed for the entity to be configured as a claims provider trust.
Any ideas how to fix this?
Hi, thanks for your plugin!
When I click on "Logout", nothing happens!
ADFS is in Azure and requires a Logout Endpoint, but your sources do not include a "Logout Request". Maybe the problem is in that?
The current version of XMLSecLibs referenced in the project has a major vulnerability and needs to be updated.
Vulnerability Advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-3465
Short Form: Any versions of the XMLSecLibs library lower than 2.1.0/3.0.3 are vulnerable to an impersonation or privilege escalation attack.
This repository/extension currently uses version 2.0.0, updated 2015:
dokuwiki-plugin-adfs/phpsaml/extlib/xmlseclibs/xmlseclibs.php 37-40
* @author Robert Richards <[email protected]>
* @copyright 2007-2015 Robert Richards <[email protected]>
* @license http://www.opensource.org/licenses/bsd-license.php BSD License
* @version 2.0.0 modified
Personal testing shows some promise in updating the OneLogin PHP-SAML library referenced in this project to the latest same-major-version patch; no immediate issues occurred.
The latest OneLogin PHP-SAML v2 release (v2.18.1) contains XMLSecLibs 3.0.4 which would resolve the vulnerability.
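The version check the reporter did by hand can be scripted. The following is an added example, not code from the plugin or from OneLogin: it reads the @version tag from a vendored xmlseclibs.php header (the docblock text below is a constructed stand-in for the one quoted in this issue) and applies the rule quoted above, that 2.x releases below 2.1.0 and 3.x releases below 3.0.3 are affected by CVE-2019-3465. Treating majors above 3 as fixed is an assumption made here.

```python
"""Added example (not part of dokuwiki-plugin-adfs or xmlseclibs): flag a
vendored XMLSecLibs copy that predates the CVE-2019-3465 fix.

Rule from the advisory quoted in the issue: 2.x < 2.1.0 and 3.x < 3.0.3 are
vulnerable. Anything older than 2.x is treated as vulnerable and anything
newer than 3.x as fixed (assumption for this example).
"""
import re

# First fixed release per major version, per the advisory.
FIXED_IN = {2: (2, 1, 0), 3: (3, 0, 3)}

# Constructed stand-in for the header of phpsaml/extlib/xmlseclibs/xmlseclibs.php.
SAMPLE_HEADER = """/**
 * xmlseclibs.php
 *
 * @author Robert Richards <author@example.invalid>
 * @copyright 2007-2015 Robert Richards
 * @license http://www.opensource.org/licenses/bsd-license.php BSD License
 * @version 2.0.0 modified
 */
"""


def extract_version(source):
    """Return the (major, minor, patch) tuple from a @version tag, or None.

    A trailing word such as 'modified' is ignored: it means the vendored copy
    was patched locally, so the version string alone cannot prove the fix is
    present; it can only prove it is absent.
    """
    match = re.search(r"@version\s+(\d+)\.(\d+)\.(\d+)", source)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True when the release predates the CVE-2019-3465 fix for its major."""
    major = version[0]
    if major in FIXED_IN:
        return version < FIXED_IN[major]
    return major < min(FIXED_IN)


def audit_vendored_xmlseclibs(source):
    """Return a one-line verdict for a vendored xmlseclibs.php source text."""
    version = extract_version(source)
    if version is None:
        return "no @version tag found; inspect the file manually"
    label = "%d.%d.%d" % version
    if is_vulnerable(version):
        return "xmlseclibs %s is below the fixed release; update it" % label
    return "xmlseclibs %s is at or above the fixed release" % label


if __name__ == "__main__":
    print(audit_vendored_xmlseclibs(SAMPLE_HEADER))
```

The check is deliberately conservative: a "modified" 2.0.0 header is reported as vulnerable because nothing in the header shows the fix was backported.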
When updating the signing certificate, AD FS temporarily includes multiple certificates in the XML. The added certificate becomes Primary after 5 days have elapsed since it was created and is actually used by AD FS. This will happen automatically around 11 or 23 o'clock. However, since only one signing certificate can be specified for the plug-in, it is necessary to change the setting according to the timing when AD FS is updated.
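Both the "Invalid issuer" error reported earlier in this thread (plugin still set to the placeholder 'set me') and the certificate rollover described above come down to the plugin's static settings drifting from what the IdP publishes in its federation metadata. The script below is an added example, written in Python rather than the plugin's PHP so it can run stand-alone; it is not part of the plugin. It parses a constructed metadata document (the entityID reuses the value from the error message above; CERT_OLD and CERT_NEW are placeholders for base64 certificate bodies) and reports an issuer mismatch, a configured certificate that the IdP no longer lists, and a rollover in progress.

```python
"""Added example (not part of dokuwiki-plugin-adfs): compare the plugin's
issuer and signing-certificate settings with the IdP federation metadata.

Findings correspond to two issue-thread failure modes:
  * issuer mismatch, e.g. the default placeholder 'set me' was never replaced;
  * AD FS token-signing certificate rollover, where metadata lists more than
    one signing certificate but the plugin can hold only one.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed federation metadata, trimmed to the parts the check needs.
# CERT_OLD / CERT_NEW are placeholders, not real certificates.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://sample.domain.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          CERT_OLD
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>CERT_NEW</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://sample.domain.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return (entity_id, [signing certs in document order], sso_url)."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' may serve both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            # Drop the whitespace that metadata tools wrap base64 bodies in.
            certs.append("".join(cert.text.split()))
    sso = idp.find("md:SingleSignOnService", NS)
    return entity_id, certs, (sso.get("Location") if sso is not None else None)


def check_plugin_config(xml_text, configured_issuer, configured_cert):
    """Compare plugin settings with metadata; an empty list means they match."""
    entity_id, certs, _ = parse_idp_metadata(xml_text)
    findings = []
    if configured_issuer != entity_id:
        findings.append("issuer mismatch: plugin expects %r, IdP metadata says %r"
                        % (configured_issuer, entity_id))
    if "".join(configured_cert.split()) not in certs:
        findings.append("configured signing certificate is not in IdP metadata")
    if len(certs) > 1:
        findings.append("IdP publishes %d signing certificates (rollover in "
                        "progress); re-check once the new one is primary"
                        % len(certs))
    return findings


if __name__ == "__main__":
    for finding in check_plugin_config(SAMPLE_METADATA, "set me", "CERT_OLD"):
        print("WARN:", finding)
```

Run it against the metadata URL AD FS exposes (fetch it separately; the script only parses text) on a schedule, and the rollover window becomes visible before users hit a signature failure.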
This plugin seems to make use of one or more form related action events that will be removed in the next DokuWiki release. Please have a look at https://www.patreon.com/posts/better-forms-58551930 for details.
My apologies if this has already been addressed in your code. If you have any questions on how to implement the needed changes please let me know.
The plugin generates XML files which cause broken configs in AD FS. In my case the umlaut "ü" in the title was translated to &uuml; in ServiceName and OrganizationName in the metadata XML file. This caused the AD FS service to stop updating the corresponding relying party trust, and as a user you could not log in to this specific site.
It shows as an error (in German): Error details: Verweis auf die nicht deklarierte Entität 'uuml'. Zeile XX, Position YY.
I solved the problem by removing the umlaut. Maybe the plugin could check whether the title is compliant with these specific tags in the XML file.
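The root cause here is that HTML named entities such as &uuml; are not declared in XML (only &lt;, &gt;, &amp;, &quot; and &apos; are), so AD FS's XML parser rejects the metadata; the UTF-8 character itself is valid XML. The script below is an added example, not plugin code, and uses Python rather than the plugin's PHP so it runs stand-alone. It reproduces the bad encoding with a function that mimics PHP's htmlentities(), shows that the resulting metadata fails to parse with the same "undefined entity" complaint, and then builds the same metadata with XML-only escaping. The entity ID and title are constructed values.

```python
"""Added example (not part of dokuwiki-plugin-adfs): HTML entity encoding
versus XML escaping in SAML SP metadata.
"""
import html.entities
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def html_entity_encode(text):
    """Mimic PHP htmlentities(): every character with an HTML named entity is
    replaced by it ('ü' -> '&uuml;'). Fine for HTML, invalid in XML."""
    out = []
    for ch in text:
        name = html.entities.codepoint2name.get(ord(ch))
        out.append("&%s;" % name if name else ch)
    return "".join(out)


def xml_escape(text):
    """Escape only what XML reserves (&, <, >, and " for attributes); umlauts
    and other UTF-8 characters stay as they are and remain well-formed."""
    return escape(text, {'"': "&quot;"})


def build_sp_metadata(entity_id, title, escaper):
    """Minimal SP metadata carrying the title in ServiceName and
    OrganizationName, the two elements the issue reports as mangled."""
    return (
        '<EntityDescriptor xmlns="%s" entityID="%s">'
        '<SPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        '<AttributeConsumingService index="1">'
        '<ServiceName xml:lang="en">%s</ServiceName>'
        '</AttributeConsumingService></SPSSODescriptor>'
        '<Organization><OrganizationName xml:lang="en">%s</OrganizationName>'
        '</Organization></EntityDescriptor>'
    ) % (MD_NS, escaper(entity_id), escaper(title), escaper(title))


def check_well_formed(xml_text):
    """Return (True, OrganizationName text) when the document parses, or
    (False, parser message) otherwise; the message is the same kind of
    'undefined entity' complaint AD FS reports in German."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, str(exc)
    name = root.find("{%s}Organization/{%s}OrganizationName" % (MD_NS, MD_NS))
    return True, name.text


if __name__ == "__main__":
    # Constructed sample values.
    entity_id, title = "https://wiki.example.invalid", "Wiki für Alle"
    for label, escaper in (("htmlentities", html_entity_encode), ("xml", xml_escape)):
        ok, detail = check_well_formed(build_sp_metadata(entity_id, title, escaper))
        print("%-12s %s: %s" % (label, "OK" if ok else "FAIL", detail))
```

A pre-publish check in the generator, running check_well_formed() on the finished document, would have caught this before AD FS did.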
Hi,
we recently activated the ADFS plugin in our DokuWiki installation. Authentication worked fine from the start, but using an AD group for superusers by entering it with "@<groupname>" in the "superuser" field did not work. When looking at the user list in user management we realized that the group we wanted to use was missing in the "groups" field. After switching the type of the group from "Domain local" to "Universal" it appeared in the groups list and using it to define the superusers worked. Is this behaviour intentional?
kind regards,
Christoph
The following message appears in the "deprecated" log:
It was called from auth_plugin_adfs::cleanUser() in lib/plugins/adfs/auth.php:155 dokuwiki\Utf8\PhpString::strtolower() should be used instead!
Perhaps this will need to be fixed in the near future.
Installed on: Release 2017-02-19e "Frusterick Manners"
PHP version: 5.4.16
Even before I configured ADFS authorization (which works great btw!), I found that when the extension is enabled the content area and sidebar on the admin page (mywiki.com/doku.php?id=home&do=admin) are blank. The page header shows up but everything below is blank.
On the dokuwiki page it says that this plugin is tested with simpleSAMLphp. I have set up a SimpleSAMLphp IDP server and used the https://idpserverurl/saml/saml2/idp/SSOService.php in the settings of this plugin.
I also changed the attribute names and supplied it with the certificate.
However when I click on the login button now it redirects me to the IDP page but with the error message:
Metadata not found
Unable to locate metadata for 'https://urlofmydokuwiki'
Specifically:
SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => ''https://urlofmydokuwiki'')
Any ideas?
Also, how can I easily access the settings of my DokuWiki again now, as obviously I can't log in regularly?
Thanks!