Wrong redirect after login if SAML_LOGIN_ONLY

Question

Wrong redirect after login if SAML_LOGIN_ONLY

Closed this issue 8 years ago · 6 comments

Mediawiki 1.27 is configured as SP and session is handled via Memcached.
All works fine if $wgSamlRequirement = SAML_OPTIONAL.
But if I set $wgSamlRequirement = SAML_LOGIN_ONLY, then after login on IdP I have redirected to wrong url http://wiki.oldsaratov.ru/saml//home/wiki1/www/index.phpD0%BB%D0%B0%D0%B2%D0%BD%D0%B0%D1%8F_%D1%81%D1%82%D1%80%D0%B0%D0%BD%D0%B8%D1%86%D0%B0 instead of redirecting to main page http://wiki.oldsaratov.ru/wiki/%D0%97%D0%B0%D0%B3%D0%BB%D0%B0%D0%B2%D0%BD%D0%B0%D1%8F_%D1%81%D1%82%D1%80%D0%B0%D0%BD%D0%B8%D1%86%D0%B0.

Answer 1 · 2016-11-27T12:49:29.000Z

Hmm, I need to check that out. MediaWiki 1.27 has made a lot of changes in key components that this plugin uses, and I haven't tested this use-case on MediaWiki 1.27 yet.

Answer 2 · 2016-11-27T18:38:45.000Z

I've tried on a test-instance, but I was not able to reproduce this. I'll do another attempt later. If you have any other information in the meantime, please let me know.

Answer 3 · 2016-11-28T18:37:50.000Z

My configuration is Drupal 7 with drupalauth4ssp module as IdP and Mediawiki 1.27 as SP. Both on same server and SimpleSAMLphp version 1.14.5.

LocalSettings.php code:

require_once "$IP/extensions/SimpleSamlAuth/SimpleSamlAuth.php";
// SAML_OPTIONAL // SAML_LOGIN_ONLY // SAML_REQUIRED //
$wgSamlRequirement = SAML_OPTIONAL;
// Should users be created if they don't exist in the database yet?
$wgSamlCreateUser = false;

// SAML attributes
$wgSamlUsernameAttr = 'cn';
$wgSamlRealnameAttr = 'cn';
$wgSamlMailAttr = 'mail';

// SimpleSamlPhp settings
$wgSamlSspRoot = '/var/www/simplesamlphp-sp';
$wgSamlAuthSource = 'default-sp';
$wgSamlPostLogoutRedirect = NULL;

Config files from both SimpleSAMLphp installations
configs.zip

Answer 4 · 2016-12-01T23:03:45.000Z

I'm sorry, but I still haven't been able to reproduce this with MediaWiki 1.27 and SimpleSamlPhp. I didn't find anything weird in your configuration either. Maybe the Drupal-integration is the problem?

I do however have a hunch: Try setting a full URL as baseurlpath in your SP config.php. In some setups, SimpleSamlPhp can't correctly detect what kind of URL it should generate. This typically happens if you're behind a reverse proxy.

Answer 5 · 2016-12-10T10:44:01.000Z

Nothing helps.

Thank you for your time, I will try to use SAML_OPTIONAL mode

Answer 6 · 2016-12-10T14:23:09.000Z

The problem lies probably somewhere in here, in case you'd like to get your hands dirty:

https://github.com/jornane/mwSimpleSamlAuth/blob/8729e27/SimpleSamlAuth.class.php#L287-L342