| Next revision | Previous revision |
| en:2.0:single_sign_on:oidc_dokuwiki [2025/05/05 19:24] – created kainhofer | en:2.0:single_sign_on:oidc_dokuwiki [2025/05/05 20:19] (current) – kainhofer |
|---|
| |
| First, one has to copy over the OpenID endpoint URLs from Admidio's OpenID preferences (each URL has a copy button). You can find them here: | First, one has to copy over the OpenID endpoint URLs from Admidio's OpenID preferences (each URL has a copy button). You can find them here: |
| {{ :en:2.0:single_sign_on:sso_oidc_01-01_setup_admidio_endpoints.png?direct&600 |}} | {{ :en:2.0:sso:sso_oidc_01-01_setup_admidio_endpoints.png?direct&600 |}} |
| |
| ==== Setting up the Client (SP) in Admidio ==== | ==== Setting up the Client (SP) in Admidio ==== |
| To use Admidio's group memberships as Dokuwiki groups, make sure to include the "Roles" field and provide the correct field name in Dokuwiki. DokuWiki even provides a setting to overwrite all groups with the groups received from Admidio. | To use Admidio's group memberships as Dokuwiki groups, make sure to include the "Roles" field and provide the correct field name in Dokuwiki. DokuWiki even provides a setting to overwrite all groups with the groups received from Admidio. |
| |
| Make sure to use the same SAML field names as the ones mapped in Dokuwiki's Saml configuration (circled red in the configuration screenshot above). | Make sure to use the same OpenID claim names as the ones mapped in Dokuwiki's OpenID configuration (circled red in the configuration screenshot above). |
| |
| Once all settings are done, it is time to enable the saml plugin for login to DokuWiki in the "Configuration Settings": | Once all settings are done, it is time to enable the saml plugin for login to DokuWiki in the "Configuration Settings": |
| {{ :en:2.0:sso:sso_saml_04-07_dw_saml_enable.png?direct&400 |}} | {{ :en:2.0:sso:sso_oidc_04-07_dw_enable.png?direct&400 |}} |
| |
| | ==== DokuWiki configuration as text ==== |
| | |
| | The settings done above in the graphical interface could also be done in the ''conf/local.php'' config file of DokuWiki. The corresponding settings would look like this: |
| | |
| | <code php> |
| | $conf['authtype'] = 'oauth'; |
| | $conf['superuser'] = '@admin'; |
| | $conf['plugin']['oauth']['register-on-auth'] = 1; |
| | $conf['plugin']['oauth']['overwrite-groups'] = 1; |
| | $conf['plugin']['oauthgeneric']['key'] = 'https://dokuwiki.local/'; |
| | $conf['plugin']['oauthgeneric']['secret'] = 'lWDQ......gU'; |
| | $conf['plugin']['oauthgeneric']['authurl'] = 'https://admidio.local/modules/sso/index.php/oidc/authorize'; |
| | $conf['plugin']['oauthgeneric']['tokenurl'] = 'https://admidio.local/modules/sso/index.php/oidc/token'; |
| | $conf['plugin']['oauthgeneric']['userurl'] = 'https://admidio.local/modules/sso/index.php/oidc/userinfo'; |
| | $conf['plugin']['oauthgeneric']['scopes'] = array('openid', 'profile', 'address', 'phone', 'email', 'custom', 'groups', 'roles'); |
| | $conf['plugin']['oauthgeneric']['json-user'] = 'username'; |
| | $conf['plugin']['oauthgeneric']['json-name'] = 'fullname'; |
| | $conf['plugin']['oauthgeneric']['json-mail'] = 'email'; |
| | $conf['plugin']['oauthgeneric']['json-grps'] = 'roles'; |
| | $conf['plugin']['oauthgeneric']['label'] = 'OIDC Login with Admidio'; |
| | </code> |
| |
| ==== Setup completed, test Single-Sign-On ==== | ==== Setup completed, test Single-Sign-On ==== |
| |
| Admidio and DokuWiki should now be set up to use Admidio for logging in to Dokuwiki. If you log out of DokuWiki and try to log in again, you will be shown the Admidio login screen and then redirected back to Dokuwiki. | Admidio and DokuWiki should now be set up to use Admidio for logging in to Dokuwiki. If you log out of DokuWiki and try to log in again, you will be shown the Admidio login screen and then redirected back to Dokuwiki. |
| {{ :en:2.0:sso:sso_saml_04-08_dw_saml_login.png?direct&400 |}} | |
| {{ :en:2.0:sso:sso_saml_04-09_dw_admidio_login.png?direct&400 |}} | |
| {{ :en:2.0:sso:sso_saml_04-10_dw_login_success.png?direct&400 |}} | |
| {{ :en:2.0:sso:sso_saml_04-11_dw_login_success_groups.png?direct&400 |}} | |
| |
| | {{ :en:2.0:sso:sso_oidc_04-08_dw_login.png?direct&400 |}} |
| | {{ :en:2.0:sso:sso_oidc_04-09_dw_admidio_login.png?direct&400 |}} |
| | {{ :en:2.0:sso:sso_oidc_04-10_dw_login_success.png?direct&400 |}} |
| |
| |
| ==== Caveats and Things to Consider ==== | ==== Caveats and Things to Consider ==== |
| |
| * Dokuwiki is picky about signatures. If a SAML response is not signed, login will not be possible, but no corresponding error message will be shown. After an apparent login, the user will arrive at dokuwiki with no user logged in (actually, DokuWiki even silently triggers a logout!). Make sure that in Admidio's client setting for the Dokuwiki SAML client the checkbox "Sign assertions sent to the client (SP)" is checked! | * DokuWiki allows **admin login** through OpenID by assigning the **group 'admin'** in the group mapping. |
| | * DokuWiki will convert all group names to lowercase. This is a general restriction in DokuWiki and not specific to OpenID. |
| | * DokuWiki will match its accounts using the email provided in the OpenID token, even when a different user id field is selected. E.g. if a local user 'dale' with email 'dale@example.com' already exists, and a new OpenID login from user 'dale' with email 'dale.baade@example.com' occurs, DokuWiki will treat these as two separate users (and modify the username of the newly created user to 'dale1')! |
| | * DokuWiki controls **login permissions for OpenID** with a **group 'generic' assigned to a user**. If local accounts already exist, one needs to add them to the 'generic' group, otherwise login with OpenID is not possible and the following error message will be shown:{{ :en:2.0:sso:sso_oidc_04-10_dw_error_group.png?direct |}} To fix this, add the user to the 'generic' group: {{ :en:2.0:sso:sso_oidc_04-11_dw_generic_group.png?direct&600 |}} |
