MoinMoin SAML

This MoinMoin plugin adds support for SAML authentication.


This MoinMoin plugin uses the pysaml2 library to handle SAML2 requests
and responses. You will need it and its own dependencies, which you
can read about at


Copy the file to the MoinMoin/auth directory. This may be located in
the Python site-packages directory or in a local directory, depending on
how you have installed MoinMoin.

Then copy the file to the wiki/data/plugin/action/ directory of
your wiki instance.

Finally, edit the MoinMoin configuration file (wikiconfig.py) to add the
following directives:

import os
import saml2

from MoinMoin.config import multiconfig
from MoinMoin.auth.saml import SAMLAuth


class LocalConfig(multiconfig.DefaultConfig):

    wikiconfig_dir = os.path.abspath(os.path.dirname(__file__))

    # lots of directives

    auth = [SAMLAuth()]
    cookie_lifetime = (1, 12)

    saml_config = {
        # basic, mandatory stuff
        'xmlsec_binary': '/usr/bin/xmlsec1',
        # the entity ID must match what the IdP has registered for this SP;
        # plain http on localhost is only suitable for a test setup
        'entityid': 'http://localhost:8080/?action=SAMLMetadata',
        'attribute_map_dir': os.path.join(wikiconfig_dir, 'attribute-maps'),

        # this block states what services we provide
        'service': {
            'sp': {  # we are just a lonely SP
                'name': 'MoinMoin sample SP',
                'endpoints': {
                    # each list holds (url, binding) pairs for this SP;
                    # the sample entries are not shown here
                    'assertion_consumer_service': [
                    ],
                    'single_logout_service': [
                    ],
                },
                'required_attributes': ['uid'],
                'optional_attributes': ['eduPersonAffiliation'],
                'idp': {
                    # we do not need a WAYF service since there is
                    # only an IdP defined here. This IdP should be
                    # present in our metadata
                    'https://localhost/simplesaml/saml2/idp/metadata.php': {
                        'single_sign_on_service': {
                            saml2.BINDING_HTTP_REDIRECT: 'https://localhost/simplesaml/saml2/idp/SSOService.php',
                        },
                        'single_logout_service': {
                            saml2.BINDING_HTTP_REDIRECT: 'https://localhost/simplesaml/saml2/idp/SingleLogoutService.php',
                        },
                    },
                },
            },
        },

        # the IdP metadata, including the certificate used to verify its
        # signatures, is read from this file; obtain it from the IdP over a
        # trusted channel and keep it current
        'metadata': {
            'local': [os.path.join(wikiconfig_dir, 'remote_metadata.xml')],
        },

        # pysaml2 debug output; turn it off in production
        'debug': 1,

        # certificates: this SP's private key and certificate. The key file
        # should be readable only by the user the wiki runs as.
        'key_file': os.path.join(wikiconfig_dir, 'mycert.key'),
        'cert_file': os.path.join(wikiconfig_dir, 'mycert.pem'),

        # These fields are only used when generating the metadata
        'contact_person': [
            {'given_name': 'Lorenzo',
             'sur_name': 'Gil',
             'company': 'Yaco Sistemas',
             'email_address': '',
             'contact_type': 'technical'},
            {'given_name': 'Lorenzo',
             'sur_name': 'Gil',
             'company': 'Yaco Sistemas',
             'email_address': '',
             'contact_type': 'administrative'},
        ],
        'organization': {
            'name': [('Yaco Sistemas', 'es'), ('Yaco Systems', 'en')],
            'display_name': [('Yaco', 'es'), ('Yaco', 'en')],
            'url': [('', 'es'), ('', 'en')],
        },
        'valid_for': 24,  # hours
    }

The saml_config dictionary is passed to pysaml2 as its SP configuration. Read its docs for more
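The sample configuration above carries several settings that are fine on a developer box but dangerous once the wiki is reachable from the network: an entity ID on plain http, debug output left on, an empty assertion consumer service list, a private key readable by other users, and an IdP listed under 'idp' that is not actually in remote_metadata.xml (pysaml2 takes the IdP's signing certificate from that metadata, so such an IdP's responses cannot be verified). The following Python 3 script is an added example, not part of this plugin or of pysaml2; it lints a dictionary laid out like saml_config and reports those problems. It builds its own sample inputs in a temporary directory: the IdP metadata, the hostnames wiki.example.org and idp.example.org, the ?action=SAMLAssertionConsumer URL and the key/cert file contents are all placeholders, and the xmlsec1 stand-in is a dummy script.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_TAG = '{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor'
HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'  # saml2.BINDING_HTTP_REDIRECT
HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'          # saml2.BINDING_HTTP_POST


def metadata_entity_ids(path):
    """entityID of every EntityDescriptor in a local, operator-supplied metadata file."""
    root = ET.parse(path).getroot()
    return {e.get('entityID') for e in root.iter(MD_TAG) if e.get('entityID')}


def lint_saml_config(cfg):
    """Return human-readable findings for a pysaml2-style SP config; [] means clean."""
    findings = []
    url = urlparse(cfg.get('entityid', ''))
    if url.scheme != 'https' and url.hostname not in ('localhost', '127.0.0.1'):
        findings.append('entityid is not https: %s' % cfg.get('entityid'))
    if cfg.get('debug'):
        findings.append('debug is enabled')
    xmlsec = cfg.get('xmlsec_binary', '')
    if not (os.path.isfile(xmlsec) and os.stat(xmlsec).st_mode & stat.S_IXUSR):
        findings.append('xmlsec_binary is not an executable file: %s' % xmlsec)
    for key in ('key_file', 'cert_file'):
        if not os.path.isfile(cfg.get(key, '')):
            findings.append('%s does not exist: %s' % (key, cfg.get(key)))
    key_file = cfg.get('key_file', '')
    if os.path.isfile(key_file):
        mode = stat.S_IMODE(os.stat(key_file).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append('key_file is group/world accessible (mode %o)' % mode)
    sp = cfg.get('service', {}).get('sp', {})
    if not sp.get('endpoints', {}).get('assertion_consumer_service'):
        findings.append('no assertion_consumer_service endpoint configured')
    # pysaml2 learns each IdP's signing certificate from the local metadata, so an
    # IdP that is configured but absent there cannot have its responses verified
    known = set()
    for path in cfg.get('metadata', {}).get('local', []):
        if os.path.isfile(path):
            known |= metadata_entity_ids(path)
        else:
            findings.append('metadata file is missing: %s' % path)
    for idp_id in sp.get('idp', {}):
        if idp_id not in known:
            findings.append('IdP not in local metadata: %s' % idp_id)
    return findings


# Constructed sample IdP metadata (placeholder IdP, not a real one), minimal but well-formed.
SAMPLE_METADATA = (
    '<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">'
    '<md:EntityDescriptor entityID="https://idp.example.org/saml2/idp/metadata.php">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:SingleSignOnService Binding="%s" Location="https://idp.example.org/saml2/idp/SSOService.php"/>'
    '</md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>' % HTTP_REDIRECT
)


def build_config(workdir, hardened):
    """Write sample files into workdir and return a config shaped like the README's saml_config.

    hardened=False deliberately reproduces the mistakes the linter is meant to catch.
    Hostnames, the ACS action name and the key/cert contents are placeholders.
    """
    paths = {n: os.path.join(workdir, n) for n in ('remote_metadata.xml', 'mycert.key', 'mycert.pem', 'xmlsec1')}
    with open(paths['remote_metadata.xml'], 'w') as f:
        f.write(SAMPLE_METADATA)
    for name in ('mycert.key', 'mycert.pem'):
        with open(paths[name], 'w') as f:
            f.write('placeholder, not real key material\n')
    with open(paths['xmlsec1'], 'w') as f:
        f.write('#!/bin/sh\n')  # stand-in for /usr/bin/xmlsec1; only existence and mode are checked
    os.chmod(paths['xmlsec1'], 0o755)
    os.chmod(paths['mycert.key'], 0o600 if hardened else 0o644)
    base = ('https://' if hardened else 'http://') + 'wiki.example.org'
    idp = 'https://idp.example.org/saml2/idp/metadata.php' if hardened \
        else 'https://localhost/simplesaml/saml2/idp/metadata.php'  # the README's IdP, absent from our metadata
    return {
        'xmlsec_binary': paths['xmlsec1'],
        'entityid': base + '/?action=SAMLMetadata',
        'service': {'sp': {
            'endpoints': {'assertion_consumer_service':
                          [(base + '/?action=SAMLAssertionConsumer', HTTP_POST)] if hardened else []},
            'idp': {idp: {'single_sign_on_service': {HTTP_REDIRECT: idp}}},
        }},
        'metadata': {'local': [paths['remote_metadata.xml']]},
        'debug': 0 if hardened else 1,
        'key_file': paths['mycert.key'],
        'cert_file': paths['mycert.pem'],
    }


def run_demo():
    """Lint the weak and the hardened sample; returns (weak_findings, hardened_findings)."""
    with tempfile.TemporaryDirectory() as d:
        return lint_saml_config(build_config(d, False)), lint_saml_config(build_config(d, True))


if __name__ == '__main__':
    weak, good = run_demo()
    print('\n'.join('weak config: ' + f for f in weak))
    print('hardened config findings:', good)
```

To use it against a real wikiconfig.py, import the module and pass `LocalConfig.saml_config` to `lint_saml_config`; the weak sample produces five findings and the hardened one none. The metadata parser uses the standard library because remote_metadata.xml is a local, operator-supplied file; do not point it at metadata fetched from an untrusted source without a hardened XML parser.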