
dokuwiki-plugin-adfs's Introduction

adfs Plugin for DokuWiki

Provides user authentication against Active Directory Federation
Service via SAML 2.0

All documentation for this plugin can be found at
http://www.dokuwiki.org/plugin:adfs

If you install this plugin manually, make sure it is installed in
lib/plugins/adfs/ - if the folder is named differently, it
will not work!

Please refer to http://www.dokuwiki.org/plugins for additional info
on how to install plugins in DokuWiki.

----
Copyright (C) Andreas Gohr <[email protected]>

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

See the COPYING file in your DokuWiki folder for details

dokuwiki-plugin-adfs's People

Contributors

alexandertse, jan-tee, poeticiron, splitbrain

dokuwiki-plugin-adfs's Issues

Require login

It would be great to have a login_required option. When this option is checked the user should be redirected to the adfs as soon as he enters the wiki without being logged-in.

Background: We publish the wiki with an ADFS-based login anyway, so the user is already logged-in (into ADFS) but they still have to press the login button.

I know this could be fixed with a javascript in the template, but maybe other users would have the same problem. Not sure if this is easy to implement?

Is this plugin vulnerable due to use of the onelogin library?

I apologise if I am way off track with this. I'm by no means a PHP developer. I'm coming from a sysadmin perspective looking to implement SAML with dokuwiki in production.

This plugin works perfectly for my needs, however I noticed that this plugin seems to rely on a onelogin library and there seem to have been some vulnerabilities in that library reported since the last update to this plugin.
https://github.com/onelogin/php-saml#warning
Can anybody help me to understand why this plugin is or isn't vulnerable to known vulnerabilities?
Cheers,

Error message: MSIS7528

I'm using Windows Server 2012 R2. When I try to add a new Relying Party Trust, I get the following Error Message:

Error message: MSIS7528: The metadata does not contain the role descriptors needed for the entity to be configured as a claims provider trust.

Any ideas how to fix this?

Logout

Hi, thanks for your plugin!

When I click on "Logout", nothing happens!
ADFS is in Azure and requires a Logout Endpoint, but your sources do not include a "Logout Request". Maybe the problem is in that?

Security Vulnerability - Outdated XMLSecLibs

The current version of XMLSecLibs referenced in the project has a major vulnerability and needs to be updated.

Vulnerability Advisory: https://nvd.nist.gov/vuln/detail/CVE-2019-3465
Short Form: Any versions of the XMLSecLibs library lower than 2.1.0/3.0.3 are vulnerable to an impersonation or privilege escalation attack.

This repository/extension currently uses version 2.0.0, updated 2015:
dokuwiki-plugin-adfs/phpsaml/extlib/xmlseclibs/xmlseclibs.php 37-40

 * @author     Robert Richards <[email protected]>
 * @copyright  2007-2015 Robert Richards <[email protected]>
 * @license    http://www.opensource.org/licenses/bsd-license.php  BSD License
 * @version    2.0.0 modified

Personal testing shows some promise in updating the OneLogin PHP-SAML library referenced in this project to the latest same-major-version patch; no immediate issues occurred.
The latest OneLogin PHP-SAML v2 release (v2.18.1) contains XMLSecLibs 3.0.4 which would resolve the vulnerability.
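
One way to audit a vendored copy against the thresholds quoted in this issue, as an added example that is not part of the plugin or of the original report. It assumes the `@version` docblock tag reflects the vendored release; `assess_xmlseclibs` is a hypothetical helper and the sample header is constructed from the lines quoted above.

```python
import re

# Fixed releases per branch, as stated in the issue above.
FIXED = {2: (2, 1, 0), 3: (3, 0, 3)}
VERSION_TAG = re.compile(r"@version\s+(\d+)\.(\d+)\.(\d+)([^\r\n]*)")

# Constructed sample: file header modelled on the lines quoted in the issue.
SAMPLE_HEADER = """<?php
/**
 * @copyright  2007-2015 Robert Richards
 * @license    http://www.opensource.org/licenses/bsd-license.php  BSD License
 * @version    2.0.0 modified
 */
"""


def assess_xmlseclibs(php_source):
    """Return (version, status, locally_modified) for a vendored xmlseclibs.php."""
    match = VERSION_TAG.search(php_source)
    if match is None:
        return (None, "unknown", False)
    version = tuple(int(part) for part in match.group(1, 2, 3))
    # A "modified" marker means local patches: the upstream changelog alone
    # cannot tell you what this copy contains, so flag it for manual review.
    modified = "modified" in match.group(4).lower()
    if version[0] < 2:
        status = "vulnerable"      # below every fixed release named in the issue
    elif version[0] in FIXED:
        status = "vulnerable" if version < FIXED[version[0]] else "fixed"
    else:
        status = "fixed"           # assumption: branches newer than 3.x carry the fix
    return (version, status, modified)


if __name__ == "__main__":
    print(assess_xmlseclibs(SAMPLE_HEADER))
```
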

AD FS contains multiple signing certificates in the XML, but only one can be specified for the plugin.

When updating the signing certificate, AD FS temporarily includes multiple certificates in the XML. The added certificate becomes Primary after 5 days have elapsed since it was created and is actually used by AD FS. This will happen automatically around 11 or 23 o'clock. However, since only one signing certificate can be specified for the plug-in, it is necessary to change the setting according to the timing when AD FS is updated.

Broken config when there are umlaute in the title of dokuwiki

The plugin generates XML files which are causing broken configs in AD FS. In my case the umlaut "ü" in the title was translated to &uuml; in ServiceName and OrganizationName in the metadata XML file. This caused the AD FS service to stop updating the corresponding relying party trust, and as a user you could not log in to this specific site.
It shows as an error: (in German) Error details: Verweis auf die nicht deklarierte Entität 'uuml'. Zeile XX, Position YY.

I solved the problem by removing the umlaut. Maybe the plugin could check whether the title is compliant to these specific tags in the xml file.
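
The failure reported in this issue, reproduced as an added example that is not the plugin's code: XML predefines only five named entities, so an HTML entity such as `&uuml;` makes a conforming parser reject the metadata, while XML escaping leaves the umlaut intact. It assumes the title was HTML-entity-encoded before being written into the XML; the fragment layout and helper names are hypothetical.

```python
import xml.etree.ElementTree as ET
from html.entities import codepoint2name
from xml.sax.saxutils import escape as xml_escape

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
TITLE = "Bücher & Wiki"   # constructed wiki title with an umlaut


def html_entity_encode(text):
    """HTML-style encoding (the assumed cause): named entities for every known character."""
    return "".join(
        f"&{codepoint2name[ord(ch)]};" if ord(ch) in codepoint2name else ch
        for ch in text)


def organization_xml(encoded_title):
    # Hypothetical fragment shaped like the OrganizationName element in SP metadata.
    return (f'<md:Organization xmlns:md="{MD_NS}">'
            f'<md:OrganizationName xml:lang="en">{encoded_title}'
            '</md:OrganizationName></md:Organization>')


def parse_title(encoder, title):
    """Return (True, parsed title) or (False, parser error) for the given encoder."""
    try:
        root = ET.fromstring(organization_xml(encoder(title)))
    except ET.ParseError as exc:
        return (False, str(exc))
    return (True, root[0].text)


if __name__ == "__main__":
    # HTML entities: rejected, matching the "undeclared entity" error from AD FS.
    print(parse_title(html_entity_encode, TITLE))
    # XML escaping: only & < > are escaped, the umlaut stays as a UTF-8 character.
    print(parse_title(xml_escape, TITLE))
```
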

Groups defined as "Domain local" are missing

Hi,

we recently activated the ADFS plugin in our Dokuwiki installation. Authentication worked fine from the start, but using an AD group for superusers by entering it with "@<groupname>" in the "superuser" field did not work. When looking at the user list in user management we realized that the group we wanted to use was missing in the "groups" field. After switching the type of the group from "Domain local" to "Universal" it appeared in the groups list and using it to define the superusers worked. Is this behaviour intentional?

kind regards,

Christoph

utf8_strtolower() is deprecated.

Issue Description

The following message appears in the "deprecated" log:

It was called from auth_plugin_adfs::cleanUser() in lib/plugins/adfs/auth.php:155 dokuwiki\Utf8\PhpString::strtolower() should be used instead!

Perhaps this issue will need to be fixed in the near future.

Admin page blank below header

Installed on: Release 2017-02-19e "Frusterick Manners"
PHP version: 5.4.16
Even before I configured ADFS authorization (which works great btw!), I found that when the extension is enabled the content area and sidebar on the admin page (mywiki.com/doku.php?id=home&do=admin) are blank. The page header shows up but everything below is blank.

Setup with SimpleSAMLphp?

On the dokuwiki page it says that this plugin is tested with simpleSAMLphp. I have set up a SimpleSAMLphp IDP server and used the https://idpserverurl/saml/saml2/idp/SSOService.php in the settings of this plugin.
I also changed the attribute names and supplied it with the certificate.

However when I click on the login button now it redirects me to the IDP page but with the error message:

Metadata not found
Unable to locate metadata for 'https://urlofmydokuwiki'

specifically:

SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => ''https://urlofmydokuwiki'')

Any ideas?

Also how can I access the settings of my dokuwiki easily again now as obviously I can't log in regularly.

Thanks!
