Lorenzo Gil Sánchez / moinmoinsaml

MoinMoin SAML
=============

This MoinMoin plugin adds support for SAML authentication.


Dependencies
------------

This MoinMoin plugin uses the pysaml2 library to handle SAML2 requests
and responses. You will need it and its own dependencies, which are
listed at http://packages.python.org/pysaml2/install.html


Installation
------------

Copy the saml.py file to the MoinMoin/auth directory. Depending on how you
installed MoinMoin, this may be located in the Python site-packages
directory or in a local directory.

Then copy the SAMLMetadata.py file to the wiki/data/plugin/action/ directory
of your wiki instance.

Finally, edit the wikiconfig.py MoinMoin configuration file to add the
following directives::

    import os
    import saml2

    from MoinMoin.config import multiconfig
    from MoinMoin.auth.saml import SAMLAuth


    class LocalConfig(multiconfig.DefaultConfig):

        wikiconfig_dir = os.path.abspath(os.path.dirname(__file__))

        # lots of directives

        auth = [SAMLAuth()]
        cookie_lifetime = (1, 12)

        saml_config = {
            # basic, mandatory stuff
            'xmlsec_binary': '/usr/bin/xmlsec1',
            'entityid': 'http://localhost:8080/?action=SAMLMetadata',
            'attribute_map_dir': os.path.join(wikiconfig_dir, 'attribute-maps'),

            # this block states what services we provide
            'service': {
                'sp': {  # we are just a lonely SP
                    'name': 'MoinMoin sample SP',
                    'endpoints': {
                        'assertion_consumer_service': [
                            ('http://localhost:8080/?action=login&login=1&stage=saml',
                             saml2.BINDING_HTTP_POST),
                            ],
                        'single_logout_service': [
                            ('http://localhost:8080/?action=logout&logout=1&stage=saml',
                             saml2.BINDING_HTTP_REDIRECT),
                            ],
                        },
                    'required_attributes': ['uid'],
                    'optional_attributes': ['eduPersonAffiliation'],
                    'idp': {
                        # we do not need a WAYF service since there is
                        # only an IdP defined here. This IdP should be
                        # present in our metadata
                        'https://localhost/simplesaml/saml2/idp/metadata.php': {
                            'single_sign_on_service': {
                                saml2.BINDING_HTTP_REDIRECT: 'https://localhost/simplesaml/saml2/idp/SSOService.php',
                                },
                            'single_logout_service': {
                                saml2.BINDING_HTTP_REDIRECT: 'https://localhost/simplesaml/saml2/idp/SingleLogoutService.php',
                                },
                            },
                        },
                    },
                },
            'metadata': {
                'local': [os.path.join(wikiconfig_dir, 'remote_metadata.xml')],
                },

            'debug': 1,

            # certificates
            'key_file': os.path.join(wikiconfig_dir, 'mycert.key'),
            'cert_file': os.path.join(wikiconfig_dir, 'mycert.pem'),

            # These fields are only used when generating the metadata
            'contact_person': [
                {'given_name': 'Lorenzo',
                 'sur_name': 'Gil',
                 'company': 'Yaco Sistemas',
                 'email_address': 'lgs@yaco.es',
                 'contact_type': 'technical'},
                {'given_name': 'Lorenzo',
                 'sur_name': 'Gil',
                 'company': 'Yaco Sistemas',
                 'email_address': 'lgs@yaco.es',
                 'contact_type': 'administrative'},
                ],
            'organization': {
                'name': [('Yaco Sistemas', 'es'), ('Yaco Systems', 'en')],
                'display_name': [('Yaco', 'es'), ('Yaco', 'en')],
                'url': [('http://www.yaco.es', 'es'), ('http://www.yaco.com', 'en')],
                },
            'valid_for': 24,  # hours
            }


The saml_config dictionary is passed to pysaml2. Read its documentation for
more information.
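The sample above is a localhost development setup: the SP's entityid and endpoints are plain http and debug is on. As an added example (not part of this plugin or of pysaml2), the following check walks a saml_config dict of that shape and flags those settings before it is deployed; the BINDING_* URIs are copied from pysaml2's saml2 module so the check runs without it installed, and SAMPLE_CONFIG is constructed here from the README's values.

```python
from urllib.parse import urlparse

# Binding URIs from pysaml2's saml2 module (copied so this runs without it).
BINDING_HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
BINDING_HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

# Constructed sample mirroring the README's localhost SP settings (plain-http
# SP URLs and debug on; the IdP side is already https).
SAMPLE_CONFIG = {
    'entityid': 'http://localhost:8080/?action=SAMLMetadata',
    'debug': 1,
    'service': {'sp': {
        'endpoints': {
            'assertion_consumer_service': [(
                'http://localhost:8080/?action=login&login=1&stage=saml',
                BINDING_HTTP_POST)],
            'single_logout_service': [(
                'http://localhost:8080/?action=logout&logout=1&stage=saml',
                BINDING_HTTP_REDIRECT)]},
        'required_attributes': ['uid'],
        'idp': {'https://localhost/simplesaml/saml2/idp/metadata.php': {
            'single_sign_on_service': {BINDING_HTTP_REDIRECT:
                'https://localhost/simplesaml/saml2/idp/SSOService.php'}}}}},
}

def _plain_http(url):
    return urlparse(url).scheme != 'https'

def check_saml_config(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if cfg.get('debug'):
        findings.append('debug is enabled; turn it off outside development')
    if _plain_http(cfg.get('entityid', '')):
        findings.append('entityid is not an https URL')
    sp = cfg.get('service', {}).get('sp', {})
    if not sp.get('required_attributes'):
        findings.append('no required_attributes configured')
    for name, entries in sp.get('endpoints', {}).items():
        for url, binding in entries:
            if _plain_http(url):
                findings.append('%s over plain HTTP: %s' % (name, url))
            if name == 'assertion_consumer_service' and binding != BINDING_HTTP_POST:
                findings.append('%s should use HTTP-POST: %s' % (name, url))
    for idp_id, idp in sp.get('idp', {}).items():
        for svc, bindings in idp.items():
            for url in bindings.values():
                if _plain_http(url):
                    findings.append('IdP %s %s over plain HTTP' % (idp_id, svc))
    return findings
```

Running check_saml_config(SAMPLE_CONFIG) yields four findings (debug, entityid, and the two SP endpoints); the https IdP entries are not flagged.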