Mcrypt is no longer used by Tiki since 18.x LTS.

However, it is still used by the SAML feature, which depends on php-saml (installed through Packages). The upcoming php-saml 3.x will no longer use Mcrypt, and Tiki will update to php-saml 3.x as soon as it is released.



Tiki17 can be a SAML Service Provider (SP), thanks to the integration of OneLogin's SAML PHP Toolkit.



| Option | Description | Default |
|---|---|---|
| Enable SAML Auth | | Disabled |
| IdP Entity Id | Identifier of the IdP entity ("Issuer") | None |
| Single sign-on service URL | SSO endpoint of the IdP: the IdP URL to which the SP sends the Authentication Request ("SAML 2.0 Endpoint (HTTP)") | None |
| Single log-out service URL | SLO endpoint of the IdP: the IdP URL to which the SP sends the SLO Request ("SLO Endpoint (HTTP)") | None |
| X.509 certificate | Public X.509 certificate of the IdP ("X.509 certificate") | None |
| Create user if not registered in Tiki | Auto-provisioning: if the user doesn't exist, Tiki creates a new user with the data provided by the IdP. Review the Mapping section. | None |
| Sync user group with IdP data | Enable this to sync groups with the IdP. | None |
| Enable Single Logout Service | The "logout" function logs the user out of the Tiki site, the identity provider and all connected service providers | None |
| Use Tiki authentication for Admin log-in | The user "admin" is authenticated only against Tiki's user database. This option has no effect on users other than "admin". | Enabled |
| Account matcher | The field used to find the user account: Username or Email. If "email" is selected, keep in mind that if a user changes their email address, the link with the IdP account is lost. | Email |
| Default group | When provisioning a new user and no group is found, assign this group | Registered |
| Log-in link text | The text that appears on the log-in page | Log in through SAML2 IdP |
| SAML attribute that will be mapped to the Tiki username | The SAML attribute that will be mapped to the Tiki username. | None |
| SAML attribute that will be mapped to the Tiki email | The SAML attribute that will be mapped to the Tiki email. | None |
| SAML attribute that will be mapped to the Tiki group | The SAML attribute that will be mapped to the Tiki group, for example eduPersonAffiliation | None |
| Admins | The values of the IdP's user group information that will be matched with the Admins group. | None |
| Registered | The values of the IdP's user group information that will be matched with the Registered group. | None |
| Debug Mode | Enable debug mode while you are debugging the SAML workflow. Errors and warnings will be shown. | None |
| Strict Mode | Always enable strict mode on production websites. When strict mode is enabled, Tiki rejects unsigned or unencrypted messages if it expects them to be signed or encrypted. Tiki also rejects messages that do not strictly follow the SAML standard: Destination, NameId, Conditions and so on are validated as well. | None |
| Service Provider Entity ID | The Entity ID of the service provider. It is recommended to use the URL where the service provider's metadata is published. If not provided, the toolkit uses "php-saml" as the SP entityID. | None |
| Requested NameIDFormat | Constraints on the name identifier used to represent the requested subject. Choices: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified; urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress; urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName; urn:oasis:names:tc:SAML:2.0:nameid-format:entity; urn:oasis:names:tc:SAML:2.0:nameid-format:transient; urn:oasis:names:tc:SAML:2.0:nameid-format:persistent; urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted; urn:oasis:... | urn:oasis:names:tc:SAML:1.1... |
| Requested AuthnContext | Authentication context: unselect all to accept any type, otherwise select the valid contexts. Choices: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified; urn:oasis:names:tc:SAML:2.0:ac:classes:Password; urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport; urn:oasis:names:tc:SAML:2.0:ac:classes:X509; urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard; urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos; urn:federation:authentication:windows | urn:oasis:names:tc:SAML:2.0... |
| Encrypt nameID | | None |
| Sign AuthnRequest | The samlp:AuthnRequest messages sent by this SP will be signed | None |
| Sign LogoutRequest | The samlp:LogoutRequest messages sent by this SP will be signed | None |
| Sign LogoutResponse | The samlp:LogoutResponse messages sent by this SP will be signed | None |
| Sign Metadata | The metadata published by this SP will be signed | None |
| Reject Unsigned Messages | Reject any unsigned samlp:Response, samlp:LogoutRequest or samlp:LogoutResponse received | None |
| Reject Unsigned Assertions | Reject any unsigned saml:Assertion received | None |
| Reject Unencrypted Assertions | Reject any unencrypted saml:Assertion received | None |
| Retrieve Parameters From Server | When the app is behind a firewall or proxy, the query parameters can be modified, which breaks signature validation on the HTTP-Redirect binding. Activate this when you notice signature validation failures; the plugin will then try to extract the original query parameters. | None |
| Service Provider X.509 certificate | Public X.509 certificate of the SP | None |
| Service Provider Private Key | Private key of the SP | None |
| Signature Algorithm | Algorithm the toolkit uses when signing. Choices: http://www.w3.org/2000/09/xmldsig#rsa-sha1; http://www.w3.org/2001/04/xmldsig-more#rsa-sha256; http://www.w3.org/2001/04/xmldsig-more#rsa-sha384; http://www.w3.org/2001/04/xmldsig-more#rsa-sha512; http://www.w3.org/2000/09/xmldsig#dsa-sha1 | http://www.w3.org/2000/09/x... |
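The options above are Tiki's front end for the settings arrays of OneLogin's php-saml toolkit. The following is an added example, not Tiki's own code, showing how those options translate into php-saml's settings keys, with a lax development profile beside the production profile the table recommends (Strict Mode on, everything signed, unsigned or unencrypted assertions rejected, SHA-256 instead of SHA-1). The entity IDs, endpoint URLs and certificate contents are placeholders; in Tiki they come from the admin panel.

```php
<?php
// Added example, not Tiki's own code: how the options in the table above map
// onto OneLogin php-saml settings keys. Entity IDs, URLs and key material are
// placeholders; Tiki fills these in from its admin panel.

// One profile per deployment stage; every entry corresponds to a Tiki option.
$profiles = array(
    // Development: nothing signed or encrypted, Strict Mode off, Debug Mode on.
    'lax' => array(
        'strict' => false, 'debug' => true,
        'nameIdEncrypted' => false, 'authnRequestsSigned' => false,
        'logoutRequestSigned' => false, 'logoutResponseSigned' => false,
        'signMetadata' => false, 'wantMessagesSigned' => false,
        'wantAssertionsSigned' => false, 'wantAssertionsEncrypted' => false,
        'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
    ),
    // Production: Strict Mode on, everything this SP sends is signed, unsigned
    // or unencrypted assertions are rejected, SHA-256 instead of SHA-1.
    'production' => array(
        'strict' => true, 'debug' => false,
        'nameIdEncrypted' => true, 'authnRequestsSigned' => true,
        'logoutRequestSigned' => true, 'logoutResponseSigned' => true,
        'signMetadata' => true, 'wantMessagesSigned' => true,
        'wantAssertionsSigned' => true, 'wantAssertionsEncrypted' => true,
        'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    ),
);

function buildSamlSettings(array $p): array
{
    return array(
        'strict' => $p['strict'],   // Strict Mode
        'debug'  => $p['debug'],    // Debug Mode
        'sp' => array(
            'entityId' => 'https://tiki.example.org/saml/metadata',       // Service Provider Entity ID (placeholder)
            'assertionConsumerService' => array(
                'url'     => 'https://tiki.example.org/saml/acs',        // placeholder ACS URL
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            ),
            'singleLogoutService' => array(
                'url'     => 'https://tiki.example.org/saml/slo',        // placeholder SLO URL
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ),
            'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', // Requested NameIDFormat
            'x509cert'     => 'SP_CERTIFICATE_PEM_BODY_PLACEHOLDER',     // Service Provider X.509 certificate
            'privateKey'   => 'SP_PRIVATE_KEY_PEM_BODY_PLACEHOLDER',     // Service Provider Private Key
        ),
        'idp' => array(
            'entityId' => 'https://idp.example.org/saml/metadata',        // IdP Entity Id (placeholder)
            'singleSignOnService' => array(                               // Single sign-on service URL
                'url'     => 'https://idp.example.org/saml/sso',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ),
            'singleLogoutService' => array(                               // Single log-out service URL
                'url'     => 'https://idp.example.org/saml/slo',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ),
            'x509cert' => 'IDP_CERTIFICATE_PEM_BODY_PLACEHOLDER',         // X.509 certificate
        ),
        'security' => array(
            'nameIdEncrypted'         => $p['nameIdEncrypted'],         // Encrypt nameID
            'authnRequestsSigned'     => $p['authnRequestsSigned'],     // Sign AuthnRequest
            'logoutRequestSigned'     => $p['logoutRequestSigned'],     // Sign LogoutRequest
            'logoutResponseSigned'    => $p['logoutResponseSigned'],    // Sign LogoutResponse
            'signMetadata'            => $p['signMetadata'],            // Sign Metadata
            'wantMessagesSigned'      => $p['wantMessagesSigned'],      // Reject Unsigned Messages
            'wantAssertionsSigned'    => $p['wantAssertionsSigned'],    // Reject Unsigned Assertions
            'wantAssertionsEncrypted' => $p['wantAssertionsEncrypted'], // Reject Unencrypted Assertions
            'requestedAuthnContext'   => array(                         // Requested AuthnContext
                'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
            ),
            'signatureAlgorithm'      => $p['signatureAlgorithm'],      // Signature Algorithm
        ),
    );
}

// With php-saml 2.x on the include path, the SP side of the login is:
//   $auth = new OneLogin_Saml2_Auth(buildSamlSettings($profiles['production']));
//   $auth->login();   // redirects the browser to the IdP's SSO URL
$settings = buildSamlSettings($profiles['production']);
echo json_encode($settings['security'], JSON_PRETTY_PRINT), "\n";
```

The two profiles differ only in the security block and the two top-level flags; the endpoint and certificate entries are the same in both, so switching a site from the lax to the production profile is a matter of flipping the options the table lists rather than re-registering the SP with the IdP.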

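To make the Strict Mode and "Reject ..." rows concrete, here is an added example (not Tiki's or php-saml's code) that spells out those checks against a constructed, unsigned SAML Response and reports which settings would reject it. Signature verification itself (XML canonicalisation, key checks, replay protection) is the toolkit's job and is not reimplemented here; the sample response, URLs and entity IDs are constructed for the example.

```php
<?php
// Added example, not Tiki's or php-saml's own code: the checks behind
// "Strict Mode" and the three "Reject ..." options, written out against a
// constructed SAML Response so you can see which settings would reject it.
// Real signature verification is left to the toolkit.

// Constructed sample: an unsigned assertion with a six-minute validity
// window, addressed to this SP's entity ID.
$sampleResponse = <<<'XML'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://tiki.example.org/saml/acs">
  <saml:Issuer>https://idp.example.org/saml/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.org/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://tiki.example.org/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
XML;

/**
 * Returns the reasons a response would be rejected under the given options.
 * $opts mirrors the Tiki options: strict, wantMessagesSigned,
 * wantAssertionsSigned and wantAssertionsEncrypted.
 */
function strictChecks(string $xml, array $opts, string $acsUrl, string $spEntityId, int $now): array
{
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $xp->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
    $xp->registerNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');

    $errors = array();
    if ($opts['strict']) {
        // Destination must be exactly this SP's assertion consumer URL.
        if ($doc->documentElement->getAttribute('Destination') !== $acsUrl) {
            $errors[] = 'Destination does not match the SP ACS URL';
        }
        // Conditions: NotBefore <= now < NotOnOrAfter.
        foreach ($xp->query('/samlp:Response/saml:Assertion/saml:Conditions') as $cond) {
            $notBefore    = strtotime($cond->getAttribute('NotBefore'));
            $notOnOrAfter = strtotime($cond->getAttribute('NotOnOrAfter'));
            if ($now < $notBefore || $now >= $notOnOrAfter) {
                $errors[] = 'assertion is outside its validity window';
            }
        }
        // An AudienceRestriction, when present, must name this SP.
        $audiences = array();
        foreach ($xp->query('//saml:AudienceRestriction/saml:Audience') as $a) {
            $audiences[] = trim($a->textContent);
        }
        if ($audiences && !in_array($spEntityId, $audiences, true)) {
            $errors[] = 'assertion is not addressed to this SP (Audience)';
        }
    }
    // Reject Unsigned Messages: the samlp:Response itself carries a ds:Signature.
    if ($opts['wantMessagesSigned'] && $xp->query('/samlp:Response/ds:Signature')->length === 0) {
        $errors[] = 'samlp:Response is not signed';
    }
    // Reject Unsigned Assertions: each saml:Assertion carries a ds:Signature.
    if ($opts['wantAssertionsSigned'] && $xp->query('//saml:Assertion/ds:Signature')->length === 0) {
        $errors[] = 'saml:Assertion is not signed';
    }
    // Reject Unencrypted Assertions: only saml:EncryptedAssertion is accepted.
    if ($opts['wantAssertionsEncrypted'] && $xp->query('//saml:EncryptedAssertion')->length === 0) {
        $errors[] = 'saml:Assertion is not encrypted';
    }
    return $errors;
}

$acs = 'https://tiki.example.org/saml/acs';
$sp  = 'https://tiki.example.org/saml/metadata';
$inWindow = strtotime('2024-01-01T12:01:00Z');

$lax  = array('strict' => false, 'wantMessagesSigned' => false,
              'wantAssertionsSigned' => false, 'wantAssertionsEncrypted' => false);
$prod = array('strict' => true, 'wantMessagesSigned' => true,
              'wantAssertionsSigned' => true, 'wantAssertionsEncrypted' => true);

// Lax settings accept the unsigned sample: an empty error list.
var_dump(strictChecks($sampleResponse, $lax, $acs, $sp, $inWindow));
// Production settings reject it on three counts (unsigned message, unsigned
// and unencrypted assertion); Destination, window and audience are fine.
var_dump(strictChecks($sampleResponse, $prod, $acs, $sp, $inWindow));
// The same response ten minutes later also fails the Conditions window.
var_dump(strictChecks($sampleResponse, $prod, $acs, $sp, $inWindow + 600));
```

The three runs show why the table insists on Strict Mode for production: with the lax profile the same unsigned, and later expired, response is accepted without comment, whereas the production profile names each missing protection so that a misconfigured IdP is caught during setup rather than in production.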




Wikipedia wrote:
Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

The single most important requirement that SAML addresses is web browser single sign-on (SSO). Single sign-on is common at the intranet level (using cookies, for example) but extending it beyond the intranet has been problematic and has led to the proliferation of non-interoperable proprietary technologies. (Another more recent approach to addressing the browser SSO problem is the OpenID Connect protocol.)






If you require Tiki to be an Identity provider (IdP): It has been done but it's not properly documented. The general idea is to install SimpleSAMLphp and let SimpleSAMLphp access Tiki's database. Please see: https://github.com/pitbulk/tiki-saml/blob/master/doc/tiki_wiki_as_idp.rst

If you need this feature and would like it to be streamlined, documented and future-proof (as was done for Tiki as a Service Provider), please contact Marc Laporte so we can make this happen together.

