coop-cloud/mediawiki
6
0
Fork 2
Code Issues 6 Pull Requests Releases Wiki Activity

Single Sign-On (SAML / OpenID) #3

New Issue
Closed
opened 2020-09-05 00:46:30 +00:00 by 3wordchant · 6 comments
3wordchant commented 2020-09-05 00:46:30 +00:00
Owner
Copy Link

OpenID is probably easier.

But, we've already done Ansible config for SAML, and it'd be useful for that project.

[OpenID](https://www.mediawiki.org/wiki/Extension:OpenID_Connect) is probably easier. But, we've already done Ansible config for [SAML](https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp#Configuration), and it'd be useful for that project.
3wordchant commented 2020-09-05 15:04:27 +00:00
Author
Owner
Copy Link

Made a little progress on SAML in the simplesaml branch.

Currently stuck on how best to edit the mediawiki container Apache config to also serve SimpleSAMLPHP, or whether to have yet another HTTP server container in the stack.

Made a little progress on SAML [in the `simplesaml` branch](https://git.autonomic.zone/compose-stacks/mediawiki/src/branch/simplesaml). Currently stuck on how best to edit the `mediawiki` container Apache config to also serve SimpleSAMLPHP, or whether to have yet another HTTP server container in the stack.
3wordchant commented 2020-09-10 21:30:05 +00:00
Author
Owner
Copy Link

Maybe it's possible to route /simplesamlphp to another container without having to modify the Mediawiki container Apache config, using Traefik routing rules?

In that case, the only puzzle left for SAML is the best way to provide metadata to the container. At worst, making the metadata a volume and asking users to copy it over manually might be bearable.

Maybe it's possible to route `/simplesamlphp` to another container without having to modify the Mediawiki container Apache config, using [Traefik routing rules](https://docs.traefik.io/routing/routers/#rule)? In that case, the only puzzle left for SAML is the best way to provide metadata to the container. At worst, making the `metadata` a volume and asking users to copy it over manually might be bearable.
decentral1se commented 2020-09-11 08:13:34 +00:00
Owner
Copy Link

Yeah, the rules documentation kinda looks a bit scary but it was not that bad to manage. An example of it in use is for the SSH access for the Gitea instance, see https://git.autonomic.zone/autonomic-cooperative/git.autonomic.zone/src/branch/master/compose.yml#L52. I think it is a good approach and yes, very nice to avoid modifying the container config.

Yeah, the rules documentation kinda looks a bit scary but it was not that bad to manage. An example of it in use is for the SSH access for the Gitea instance, see https://git.autonomic.zone/autonomic-cooperative/git.autonomic.zone/src/branch/master/compose.yml#L52. I think it is a good approach and yes, very nice to avoid modifying the container config.
3wordchant commented 2020-09-14 00:53:49 +00:00
Author
Owner
Copy Link

I got the Traefik routing working (thanks!) and SimpleSAML is up'n'running on the same domain, now I just need to hack on the Mediawiki plugin side.

I got the Traefik routing working (thanks!) and SimpleSAML is up'n'running on the same domain, now I just need to hack on the Mediawiki plugin side.
3wordchant commented 2020-09-16 20:39:49 +00:00
Author
Owner
Copy Link

Working!

Statement of technical debt:

  1. /var/simplesamlphp is mounted as a volume to be able to share the SimpleSAML code with Mediawiki's SAML plugin. I think this is going to make SimpleSAML upgrades harder, because all the code lives on that volume
  2. I manually edited config/config.php after install, because SimpleSAML can't use the same phpsession store as Mediawiki, but venatorfox/simplesamlphp doesn't have an env var option to set store.sql.dsn. There's already a custom SimpleSAML entrypoint so we can probably swap it out with sed or something.
  3. /var/simplesamlphp/log is volume mounted - this might be fine, as not mounting it requires tty: true, and --raw when using abra logs, but it's worth making sure. If we want to set DOCKER_REDIRECT_LOGS, we'd need to special-case the SimpleSAML code when running in the Mediawiki container, because it can't access the /dev/console symlink that the simplesaml service sets up.
  4. Copying metadata and cert to the simplesaml container is currently manual, although it's not too bad with abra cp. We should at least document this.

~~The worst bit, and what's blocking me merging this into main, is that I'm not sure how to selectively disable adding the simplesaml volume to the mediawiki service if SAML_ENABLED=0. @decentral1se any ideas on that? ~~

Otherwise we could have alternative, manually-synced compose files for SAML / non-SAML..

Working! Statement of technical debt: 1. `/var/simplesamlphp` is mounted as a volume to be able to share the SimpleSAML code with Mediawiki's SAML plugin. I think this is going to make SimpleSAML upgrades harder, because all the code lives on that volume 2. I manually edited `config/config.php` after install, because SimpleSAML can't use the same `phpsession` store as Mediawiki, but [`venatorfox/simplesamlphp`](https://hub.docker.com/r/venatorfox/simplesamlphp) doesn't have an env var option to set `store.sql.dsn`. There's already a [custom SimpleSAML entrypoint](https://git.autonomic.zone/compose-stacks/mediawiki/src/branch/simplesaml/entrypoint.simplesaml.sh.tmpl) so we can probably swap it out with `sed` or something. 3. `/var/simplesamlphp/log` is volume mounted - this might be fine, as not mounting it requires `tty: true`, and `--raw` when using `abra logs`, but it's worth making sure. If we want to set `DOCKER_REDIRECT_LOGS`, we'd need to special-case the SimpleSAML code when running in the Mediawiki container, because it can't access the `/dev/console` symlink that the `simplesaml` service sets up. 4. ~~Copying `metadata` and `cert` to the `simplesaml` container is currently manual, although it's not too bad with `abra cp`. We should at least document this.~~ ~~The worst bit, and what's blocking me merging this into `main`, is that I'm not sure how to selectively disable [adding the `simplesaml` volume to the `mediawiki` service](https://git.autonomic.zone/compose-stacks/mediawiki/src/branch/simplesaml/compose.yml#L44) if `SAML_ENABLED=0`. @decentral1se any ideas on that? ~~ ~~Otherwise we could have alternative, manually-synced compose files for SAML / non-SAML..~~
decentral1se commented 2020-09-17 08:05:12 +00:00
Owner
Copy Link

The worst bit, and what’s blocking me merging this into main, is that I’m not sure how to selectively disable adding the simplesaml volume to the mediawiki service if SAML_ENABLED=0. @decentral1se any ideas on that?

I think your best best is to go with another compose file for this. You can override them easily with something like docker stack deploy -c compose.yml -c compose.saml.yml or something like that. In your compose.saml.yml you only need to write the high-level service key and the volumes + the new volume. This might mean you need to abstract SAML_ENABLED=0 out of your config in some way? I hope that is clear...

> The worst bit, and what’s blocking me merging this into main, is that I’m not sure how to selectively disable adding the simplesaml volume to the mediawiki service if SAML_ENABLED=0. @decentral1se any ideas on that? I think your best best is to go with another compose file for this. You can override them easily with something like `docker stack deploy -c compose.yml -c compose.saml.yml` or something like that. In your `compose.saml.yml` you only need to write the high-level service key and the volumes + the new volume. This might mean you need to abstract `SAML_ENABLED=0` out of your config in some way? I hope that is clear...
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Assignees
Clear assignees
3wordchant aadil abra-bot ammaratef45 Apfelwurm appletalk arjan basebuilder Brooke carla cas codegod100 coopcloud cyrnel decentral1se fauno flancian Frando iexos javielico jmakdah2 joe-irving kawaiipunk knoflook kolaente lambdabundesverband linnealovespie marlon mayel mirsal moritz nicksellen notplants p4u1 pau pharaohgraphy renovate-bot ripclap rix rscmbbng sef simon sixsmith stevensting tobias trav val virtualboys wolcen wykwit xynosis yksflip
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: coop-cloud/mediawiki#3
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?