Microsoft Azure Open Source Development Support Team Blog

Support for Open Source Technologies on Microsoft Azure App Service

Setup Single Sign On with AAD using SimpleSAMLphp

This blog provides step-by-step instructions on how to set up Single Sign On with Azure AD using the SimpleSAMLphp API, using a MediaWiki site as the example application.

  • Install and configure SimpleSAMLphp
  1. Download SimpleSAMLphp from https://simplesamlphp.org/download and extract the download to wwwroot/simplesamlphp.
  2. Configure admin: edit wwwroot/simplesamlphp/config/config.php,

           – Modify baseurlpath:       'baseurlpath'  => 'simplesamlphp/www/'

           – Set the admin login password:      'auth.adminpassword'  => '<your-admin-password>'
           – Browse to the SimpleSAMLphp admin page, <your-site-url>/simplesamlphp/www/, and log in with 'admin' and the password you set in config.php.

  3. Generate metadata in XML: click the Federation tab, choose "XML to simpleSAMLphp metadata converter", paste your identity provider's metadata XML into the "XML metadata" area, and click "Parse". The PHP code is populated in the "Converted metadata" area.
             – Copy the PHP code into wwwroot/simplesamlphp/metadata/saml20-idp-remote.php

  4. Configure authsources: add the following PHP code in wwwroot/simplesamlphp/config/authsources.php:

             Find $config = array( 'default-sp' => array(…), );
             Add the following line inside the 'default-sp' array:
             'idp' => 'https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/',

  5. Check the default settings for PHP sessions: if session.phpsession.cookiename is 'null', set it to 'PHPSESSID'.
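As an added example (not code from the original post), here is what a complete wwwroot/simplesamlphp/config/authsources.php looks like once step 4 is applied. It uses the tenant ID shown in the post as a placeholder for yours, and the 'admin' source that backs the password set in step 2; the keys used are the ones SimpleSAMLphp's shipped authsources.php template defines.

```php
<?php
// Added example, not from the original post: a complete
// config/authsources.php for the 'default-sp' source used in this setup.
// Replace the tenant ID with the one from your own Azure AD tenant.
$config = array(

    // Source behind the SimpleSAMLphp web UI; the password comes from
    // 'auth.adminpassword' in config.php (step 2 above).
    'admin' => array(
        'core:AdminPassword',
    ),

    'default-sp' => array(
        'saml:SP',

        // Entity ID of this SP. NULL makes SimpleSAMLphp derive it from the
        // metadata URL, which is the value later used as the "App ID URL".
        'entityID' => null,

        // Entity ID of the Azure AD tenant. It must match the key of the entry
        // copied into metadata/saml20-idp-remote.php in step 3, or
        // SimpleSAMLphp will refuse to start the authentication request.
        'idp' => 'https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/',

        // No discovery service: always send users straight to the IdP above.
        'discoURL' => null,
    ),
);
```

The check worth doing after saving this file: the converted metadata pasted into saml20-idp-remote.php must carry the tenant's signing certificate (the converter emits it in the entry's key material), since that is what SimpleSAMLphp uses to verify the signature on assertions coming back from Azure AD. If that entry is missing or refers to a different entity ID than the 'idp' value here, the login will fail with a metadata error rather than silently accepting unsigned assertions.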

  • Integrate with MediaWiki site:
  1. Download the SimpleSamlAuth extension from https://github.com/jornane/mwSimpleSamlAuth/releases and extract it to wwwroot/extensions/SimpleSamlAuth
  2. Modify LocalSettings.php to require authentication:
          require_once "$IP/extensions/mwSimpleSamlAuth/SimpleSamlAuth.php";
          $wgSamlRequirement = SAML_REQUIRED;
          $wgSamlCreateUser = true;
          $wgSamlUsernameAttr = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name';
          $wgSamlRealnameAttr = 'http://schemas.microsoft.com/identity/claims/displayname';
          $wgSamlMailAttr = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name';
          $wgSamlSspRoot = '/libraries/simplesamlphp';
          $wgSamlAuthSource = 'default-sp';
          $wgSamlPostLogoutRedirect = NULL;


  • Configure authentication in Azure AD:
  1. In the Azure management portal (classic), select Active Directory from the menu and choose the Microsoft tenant.
  2. Select the Applications tab and add your application.
  3. Choose a name for your application, keep "Web application and/or web API", and click Next.
  4. For "Sign on URL", use the home URL of your site; for "App ID URL", use the URL of default-sp, e.g. http://<your-site-url>/libraries/simplesamlphp/www/module.php/saml/sp/metadata.php/default-sp
  5. In the Configure tab of your application, find the "permissions to other applications" section, enable "Sign in and read users' profiles" and "Read directory data" under Delegated Permissions, and save the change.
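Once all three parts are in place, the practical check is whether Azure AD actually returns the claims that LocalSettings.php maps to the username, real name and mail address. The script below is an added example (not from the original post or the extension): a throwaway check page, assumed to live at wwwroot/samlcheck.php next to the simplesamlphp directory from step 1, that forces a login through 'default-sp' and reports which of the mapped claims are missing. The $requiredClaims array and missingClaims() are names chosen here, not part of SimpleSAMLphp.

```php
<?php
// Added example, not from the original post: wwwroot/samlcheck.php
// Forces a SAML login via 'default-sp' and verifies that every claim
// LocalSettings.php relies on is present in the assertion from Azure AD.
// Assumes SimpleSAMLphp is extracted to wwwroot/simplesamlphp (step 1).
require_once __DIR__ . '/simplesamlphp/lib/_autoload.php';

// Claim URIs used by the post's LocalSettings.php, keyed by the $wgSaml* setting.
$requiredClaims = array(
    'wgSamlUsernameAttr' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
    'wgSamlRealnameAttr' => 'http://schemas.microsoft.com/identity/claims/displayname',
    'wgSamlMailAttr'     => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
);

/**
 * Returns the $wgSaml* settings whose claim is absent or empty in the
 * attributes SimpleSAMLphp extracted from the assertion. Catching this here
 * avoids MediaWiki creating accounts with blank usernames or mail addresses.
 */
function missingClaims(array $attributes, array $required)
{
    $missing = array();
    foreach ($required as $setting => $claim) {
        if (empty($attributes[$claim]) || trim($attributes[$claim][0]) === '') {
            $missing[] = $setting;
        }
    }
    return $missing;
}

// SimpleSAMLphp 1.14 and later; releases before that use SimpleSAML_Auth_Simple.
$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth();                 // redirects to Azure AD when there is no session yet
$attributes = $as->getAttributes(); // array of claim URI => array of values

// Plain text on purpose: attribute values are IdP-controlled strings, so they
// are never written into an HTML context here.
header('Content-Type: text/plain; charset=utf-8');

$missing = missingClaims($attributes, $requiredClaims);
if (count($missing) > 0) {
    echo "Missing or empty claims for: " . implode(', ', $missing) . "\n";
} else {
    echo "All claims mapped in LocalSettings.php are present.\n";
}

echo "\nAttributes returned by the IdP:\n";
foreach ($attributes as $name => $values) {
    echo $name . ' = ' . implode(' | ', $values) . "\n";
}
```

Browse to the page while signed out: you should be redirected to Azure AD, then back to a listing of the claim URIs and their values. If the displayname claim is reported missing, the application's permissions from step 5 have not taken effect yet or the directory profile has no display name set. Remove the page once the mapping is confirmed; it exposes every attribute the tenant sends to anyone who can authenticate.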

