Setup:Installation Guide/Docker: Difference between revisions

No edit summary
Tag: 2017 source edit
 
(32 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Textbox|boxtype=important|header=Migration from 4.4|text=With BlueSpice 4.5 there were important changes to the container portfolio:
{{Textbox
# There are no "all-in-one" containers anymore. Neither for FREE, not for PRO and FARM editions
|boxtype=important
# The "distributed-services" setup for PRO and FARM edition has been reworked
|header=Migration from 4.4
|text=With BlueSpice 4.5 there were some important changes to the container portfolio:
# There are no "all-in-one" containers anymore. Neither for FREE, nor for PRO and FARM editions
# The "distributed-services" setup for PRO and FARM edition has completely been reworked
If you are upgrading from one of the above-mentioned setups, please refer to the [[{{FULLPAGENAME}}/Migration_4.4 to 4.5|migration guide]]
|icon=yes
}}


If you are upgrading from one of the above-mentioned setups, please refer to the [[{{FULLPAGENAME}}/Migration_4.4 to 4.5|migration guide]]|icon=yes}}
__TOC__


== Overview ==
===Overview===
The  BlueSpice application consists of a number of different services. To ease installations, they are available as a pre-configured stack at [https://github.com/hallowelt/bluespice-deploy github.com/hallowelt/bluespice-deploy], but they also allow more flexibility, e.g. by providing a simple way to run several services on different machines or to re-use existing services.
Since version 4.5, BlueSpice MediaWiki can be easily installed using a stack of Docker container images. Everything is build in a modular way to allow different types of setups.
<drawio filename="Setup_Installation_Guide_Docker-01"></drawio>
 
{| class="wikitable"
The most common cases are
|+
# "All-in-one" (with and without Let's Encrypt)
!Service name
# Custom database and search service
!Description
# Custom load balancer / proxy
!FREE
!PRO
!FARM
|-
| style="" class="col-turquoise-bg" |<code>wiki</code>
|The main application. It features two main modes: "web", for the connection to the client and "task" for any background processing and administrative purposes. It comes in different editions (FREE, PRO and FARM).
|YES
|YES
|YES
|-
| style="" class="col-turquoise-bg" |<code>pdf</code>
|Allows to create PDF filesfrom wikipages
|YES
|YES
|YES
|-
| style="" class="col-red-bg" |<code>search</code>
|Allows to perform a fulltext search on the wiki content
|YES
|YES
|YES
|-
| style="" class="col-turquoise-bg" |<code>formula</code>
|Allows to show mathematical and chemical formulas in the wiki content
|NO
|YES
|YES
|-
| style="" class="col-turquoise-bg" |<code>collabpads</code>
|Allows for simultaneous editing of wikipages
|NO
|YES
|YES
|-
| style="" class="col-red-bg" |<code>collabpads-database</code>
|Stores the data for simultaneous editing sessions.
|NO
|YES
|YES
|-
| style="" class="col-red-bg" |<code>diagram</code>
|Allows to create and edit diagram  images in the wiki content
|NO
|YES
|YES
|-
| style="" class="col-turquoise-bg" |<code>pagepreview</code>
|Allows to show preview images of wikipages
|YES
|YES
|YES
|-
| style="" class="col-red-bg" |<code>cache</code>
|Supports application performance
|YES
|YES
|YES
|-
| style="" class="col-red-bg" |<code>database</code>
|Stores the application data
|YES
|YES
|YES
|-
| style="" class="col-turquoise-bg" |<code>proxy</code>
|Manages the clients's access to the different services. Provides SSL capabilities
|YES
|YES
|YES
|-
| style="" class="col-orange-bg" |<code>kerberos-proxy</code>
|Allows to set up a Kerberos-based authentication mechanism
|NO
|OPTIONAL
|OPTIONAL
|}
Generic services that can be substituted by already available ones are


* database →Can be replaced by any version compatible MariaDB / MySQL server
==== Architecture ====
* collabpads-database →Can be replaced by any version compatible MongoDB server
<drawio filename="Setup:Installation_Guide_Docker-Achitecture" alt="Diagram of BlueSpice Docker Stack Architecture" />
* cache →Can be replaced by any version compatible MemcacheD server
* search →Can be replaced by any version compatible OpenSearch server
* proxy -> Can be replaced by any appropriately configured Proxy server / Loadbalancer


'''Notes'''
* Internal HTTP connections may use non-standard ports. Those are noted next to the respective services.
** HTTP (in-secure) is only used for internal communication within the virtual network the stack is operated in. All connections to the client use TLS.
* Proprietary ports (esp. for database connections) are noted next to the respective services.
* There may be additional services and port in use, based on the setup. Some examples:
** When using LDAP based authentication an LDAPS connection (port 636) is used from the <code>bluespice/wiki</code> containers to the LDAP-Server
** When using Kerberos authentication, a connection (port 88) is used from the <code>bluespice/kerberos-proxy</code> containers to the Kerberos-Server
** When using DeepL or OpenAI services, a HTTPS connection (port 443) is used from the <code>bluespice/wiki</code> containers to to the respective service
** When using OpenIDConnect authentication, a HTTPS connection (port 443) is used from the <code>bluespice/wiki</code> "task" container to to the authentication provider
** When using "Let's Encrypt" Certbot, a HTTPS connection (port 443) is used from the <code>acme-companion</code> container to the "Let's Encrypt" service


=== Step 1: Get the stack ===
Get "docker-compose" files from https://bluespice.com/de/download/
wget <nowiki>https://bluespice.com/filebase/docker-deployment-script</nowiki> \
    && unzip docker-deployment-script \
    && cd docker-deployment-script/compose


=== Installation ===
The directory contains the following files:
Get actual docker-compose-Files from https://bluespice.com/de/download/
wget <nowiki>https://bluespice.com/filebase/docker-deployment-script</nowiki> && unzip docker-deployment-script && cd docker-deployment-script/compose
{| class="wikitable"
{| class="wikitable"
|+
|+
!Filename
! style="width:350px;" |Filename
!Type
!Type
!obligatory
!Mandatory
!Comment
!Comment
|-
|-
|bluespice-deploy
| style="width:350px;" |<code>bluespice-deploy</code>
|bash-script
|bash-script
|false
|false
|Wrapper for general start-up of needed Containers
|Wrapper for general start-up of needed containers
|-
|-
|bluespice-prepare
| style="width:350px;" |<code>bluespice-prepare</code>
|bash-script
|bash-script
|false
|false
|Prepare Folder and Permissions before first start also creates service
|Prepare Folder and Permissions before first start also registers the service at the operating system
|-
|-
|bluespice.service
| style="width:350px;" |<code>bluespice.service</code>
|service-script
|service-script
|false
|false
|Porper handling of the Containers on reboot
|Proper handling of the containers on reboot
|-
|-
|docker-compose.main.yml
| style="width:350px;" |<code>docker-compose.main.yml</code>
|yml
|yml
|true
|true
|Main Services/ run by bluespice-deploy
|Main application services/ run by <code>bluespice-deploy</code>
|-
|-
|docker-compose.persistent-data-services.yml
| style="width:350px;" |<code>docker-compose.persistent-data-services.yml</code>
|yml
|yml
|true
|false
|Database and Search/ run by bluespice-deploy
|Database and search/ run by <code>bluespice-deploy</code>
|-
|-
|docker-compose.stateless-services.yml
| style="width:350px;" |<code>docker-compose.stateless-services.yml</code>
|yml
|yml
|false but strongly recommended for full functionality
|true
|PDF-Renderer/Cache/Formula/Diagram-Service
|PDF-Renderer/Cache/Formula/Diagram-Service
|-
|-
|docker-compose.proxy.yml
| style="width:350px;" |<code>docker-compose.proxy.yml</code>
|yml
|yml
|false but recommended
|false, but recommended
|Proxy Service
|Proxy Service
|-
|-
|docker-compose.proxy-letsencrypt.yml
| style="width:350px;" |<code>docker-compose.proxy-letsencrypt.yml</code>
|yml
|yml
|false
|false
|Additional autorenewal service for LetsEncrypt-Certificates
|Additional auto-renewal service for "Let's Encrypt" certificates
|-
|-
|docker-compose.kerberos-proxy.yml
| style="width:350px;" |<code>docker-compose.kerberos-proxy.yml</code>
|yml
|yml
|false
|false
|Additional Proxy for Kerberos-Authenication
|Additional proxy for Kerberos based authenication
|}
|}
The bluespice-deploy script starts the first 4 yml-Files by default.
 
% cat bluespice-deploy                                               
For convenience, the <code>bluespice-deploy</code> script wraps the first four <code>yml</code> files by default. This includes the main wiki application and also required backend services, like a database, search and application cache.
 
docker compose \
Additional services can be loaded by adding <code>-f <filename> </code>.
-f docker-compose.main.yml \
 
-f docker-compose.persistent-data-services.yml \
Example:  
-f docker-compose.stateless-services.yml \
  bluespice-deploy \
-f docker-compose.proxy.yml \
    -f docker-compose.proxy-letsencrypt.yml \
$@
    up -d
To add additional Services either change script or just add them by hand:
 
  bluespice-deploy -f docker-compose.proxy-letsencrypt.yml up -d
This will start the stack with "Let's Encrypt" certificates. For details, please refer to section [[#SSL certificates| SSL certificates]].
for bluespice.service please do also either expand the line in the etc/systemd/system/bluespice.service:
 
[Unit]
===Step 2: Set up environment variables===
Description=BlueSpice-Docker startup routinie
Create <code>.env</code> file according to existing or state-to-be installation.
Requires=docker.service
 
After=docker.service
Example:
[Service]
WorkingDirectory=<WORKDIR>
ExecStart=<WORKDIR>/bluespice-deploy -f docker-compose.proxy-letsencrypt.yml up -f -d --remove-orphans
ExecStop=bluespice-deploy down
TimeoutStartSec=0
Restart=on-failure
StartLimitInterval=120
StartLimitBurst=2
[Install]
WantedBy=multi-user.target%
Create .env file according to existing or state-to-be Installation:
  DATADIR=/data/bluespice
  DATADIR=/data/bluespice
  VERSION=4.5
  VERSION=4.5
Line 189: Line 115:
  WIKI_NAME=BlueSpice
  WIKI_NAME=BlueSpice
  WIKI_LANG=en
  WIKI_LANG=en
  WIKI_PASSWORDSENDER=wiki@localhost
  WIKI_PASSWORDSENDER=no-reply@wiki.company.local
  WIKI_EMERGENCYCONTACT=wiki@localhost
  WIKI_EMERGENCYCONTACT=no-reply@wiki.company.local
  WIKI_HOST=wiki.company.local
  WIKI_HOST=wiki.company.local
  WIKI_PORT=443
  WIKI_PORT=443
  WIKI_PROTOCOL=https
  WIKI_PROTOCOL=https
   
   
  DB_USER=
  DB_USER=bluespice
  DB_PASS=
  DB_PASS=...
  DB_HOST=database
  DB_HOST=database
  DB_NAME=bluespice
  DB_NAME=bluespice
  DB_PREFIX=
  DB_PREFIX=
   
   
  SMTP_HOST=
  SMTP_HOST=mail.company.local
  SMTP_PORT=
  SMTP_PORT=25
  SMTP_USER=
  SMTP_USER=...
  SMTP_PASS=
  SMTP_PASS=...
  SMTP_ID_HOST=
  SMTP_ID_HOST=...
Run bluespice-prepare script, helping you set up correct Foder-Structure and Permissions. Also Installing a Service for proper handling of the containers on reboots.
{{Textbox|boxtype=note|header=Different editions|text=The example shows <code>EDITION=pro</code>. Be aware that for <code>pro</code> and <code>farm</code> you need to be logged into <code>docker.bluspice.com</code>.|icon=yes}}
 
=== Step 3: Prepare data directories===
Run <code>bluespice-prepare</code> script, helping you set up correct folder structure and permissions. Also installing a service for proper handling of the containers on reboots. Make sure to run this command with in a privileged user context (like <code>root</code>), as it will set permissions on the newly created directories.
 
=== Step 4: Start the stack ===
{{Textbox
|boxtype=important
|header=Initial installation
|text=When starting the stack the first time, the <code>wiki-task</code> container will automatically perform the installation. It may take a couple of minutes for the process to set up the database and complete. Once it is finished, the password for the default <code>Admin</code> user can be found in <code>$DATADIR/wiki/adminPasssword</code>.
|icon=yes
}}
Use <code>bluespice-deploy up -d</code> to start the stack, once the <code>.env</code> file and the "data directories" are ready. Once all containers are shown as "ready" you can navigate to <code>$WIKI_PROTOCOL://$WIKI_HOST:$WIKI_PORT</code> (e.g. <code><nowiki>https://wiki.company.local</nowiki></code>) in your favorite web browser and start using the application.
 
=== Additional options ===
 
==== SSL certificates ====
For using Let's Encrypt certificates just add <code>docker-compose.proxy-letsencrypt.yml</code> in your <code>bluespice-deploy</code> file.
 
{{Textbox
|boxtype=tip
|header=Self-signed certificates
|text=For using self-signend Certificates please put <code><bluespice-wiki.com>.crt</code> and <code><bluespice-wiki.com>.key</code> with the exact name of your Wikis URL in <code>${VOLUMES_DIR}/nginx/certs</code>
|icon=yes
}}
 
====Operating system level service====
 
{{Textbox
|boxtype=tip
|header=Adding additional services
|text=expand the <code>ExecStart</code> parameter in the <code>/etc/systemd/system/bluespice.service</code>
Example:
ExecStart=<WORKDIR>/bluespice-deploy -f docker-compose.proxy-letsencrypt.yml up -f -d --remove-orphans
|icon=yes
}}
 
==== Custom wiki application configuration ====
After the initial installation, the <code>${DATADIR}/wiki/bluespice/</code> contains two files that can be used to set custom application configuration as it may be found on [https://www.mediawiki.org mediawiki.org]:
 
* <code>pre-init-settings.php</code>  - Can be used to set config that can be picked up by  the init process
* <code>post-init-settings.php</code> - Can be used to manipulate configs that have been set by the init process
 
==== Custom database and search ====
If you have a MySQL/MariaDB and an OpenSearch server running in your local network, you can remove <code>docker-compose.persistent-data-services.yml</code> entirely from your <code>bluespice-deploy</code>  file. Make sure to set the proper variables in the <code>.env</code> file.
 
====Kerberos proxy====
For implicit authenticationusing Kerberos, an additional proxy must be used: <code>bluespice/kerberos-proxy</code> . The file <code>docker-compose.kerberos-proxy.yml</code> contains a common configuration. It can be used '''instead of''' the regular <code>docker-compose.proxy.yml</code> file inside <code>bluespice-deploy</code> .
 
Make sure to have the files
 
* <code>${DATADIR}/kerberos/krb5.conf</code>
* <code>${DATADIR}/kerberos/kerberos.keytab</code>
 
set up properly.
 
The file <code>${DATADIR}/wiki/bluespice/pre-init-settings.php</code> can then be used to set up [[mediawikiwiki:LDAP_hub|"Extension:Auth_remoteuser" and the LDAP stack extensions]].
 
====SAML authentication====
 
During the initial installation a certificate for message signing will automatically be created. It can be found in <code>${DATADIR}/wiki/simplesamlphp/certs/</code>.
 
In order to configure a remote IdP, one must copy the IdP metadata XML to a file called <code>${DATADIR}/wiki/simplesamlphp/saml_idp_metadata.xml</code>. The SP metadata can then be obtained via <code><nowiki>https://{{$WIKI_HOST}}/_sp/module.php/saml/sp/metadata.php/default-sp</nowiki></code>. It must be configured in the remote IdP.
 
{{Textbox
|boxtype=tip
|header=Test authentication
|text= You can test authentication directly within the SimpleSAMLphp application. To do so, navigate to <code><nowiki>https://{{$WIKI_HOST}}/_sp/module.php/admin</nowiki></code> and log in with <code>admin</code> and the <code>INTERNAL_SIMPLESAMLPHP_ADMIN_PASS</code> found in <code>${DATADIR}/wiki/.wikienv</code>
|icon=yes
}}
 
Next, the extensions "PluggableAuth" and "SimpleSAMLphp" must be enabled on the wiki. To do so, add
 
<syntaxhighlight lang="php">
wfLoadExtensions( [
    'PluggableAuth',
    'SimpleSAMLphp'
] );
</syntaxhighlight>[[File:Setup:SAML ConfigManager EN 01.png|thumb|300x300px]]to the <code>${DATADIR}/wiki/bluespice/post-init-settings.php</code>. Run
 
./bluespice-deploy exec wiki-task /app/bluespice/w/maintenance/update.php --quick


=== Options: ===
to complete the installation.


===== SSL-Certificates =====
After that, the authentication plugin configuration can be applied in [[Manual:Extension/BlueSpiceConfigManager|Special:BlueSpiceConfigManager]] under "Authentication".
For using Let's Encrypt Certificates just adddocker-compose.proxy-letsencrypt.yml in your bluespice-deploy file


For using self-signend Certificates please put<code><bluespice-wiki.com>.crt</code> and <code><bluespice-wiki.com>.key</code> with the exact name of your Wikis URL in <code>${VOLUMES_DIR}/nginx/certs</code>
==== OpenID Connect authentication ====


If Activating SSL after first creation of Wiki please change <code>$wgServer</code> in <code>${VOLUMES_DIR}/bluespice-data/LocalSettings.php</code>
The extensions "PluggableAuth" and "OpenIDConnect" must be enabled on the wiki. To do so, add<syntaxhighlight lang="php">
wfLoadExtensions( [
    'PluggableAuth',
    'OpenIDConnect'
] );
</syntaxhighlight>to the <code>${DATADIR}/wiki/bluespice/post-init-settings.php</code>. Run


to <code><nowiki>https://bluespice-wiki.com</nowiki></code>
./bluespice-deploy exec wiki-task /app/bluespice/w/maintenance/update.php --quick


also link your certificate to the bluespice-container in your docker-compose.yaml-File:
to complete the installation.


<code>- ${VOLUMES_DIR}/nginx/certs/<FQDNofyourWiki>.crt:/usr/local/share/ca-certificates/<FQDNofyourWiki>.crt:ro</code>
After that, the authentication plugin configuration can be applied in [[Manual:Extension/BlueSpiceConfigManager|Special:BlueSpiceConfigManager]] under "Authentication".


Please restart Containers after changing/adding SSL-Files
[[de:Setup:Installationsanleitung/Docker]]

Latest revision as of 13:47, 10 December 2024

Migration from 4.4With BlueSpice 4.5 there were some important changes to the container portfolio:
  1. There are no "all-in-one" containers anymore. Neither for FREE, nor for PRO and FARM editions
  2. The "distributed-services" setup for PRO and FARM edition has completely been reworked

If you are upgrading from one of the above-mentioned setups, please refer to the migration guide


Overview

Since version 4.5, BlueSpice MediaWiki can be easily installed using a stack of Docker container images. Everything is build in a modular way to allow different types of setups.

The most common cases are

  1. "All-in-one" (with and without Let's Encrypt)
  2. Custom database and search service
  3. Custom load balancer / proxy

Architecture

Diagram of BlueSpice Docker Stack Architecture

Notes

  • Internal HTTP connections may use non-standard ports. Those are noted next to the respective services.
    • HTTP (in-secure) is only used for internal communication within the virtual network the stack is operated in. All connections to the client use TLS.
  • Proprietary ports (esp. for database connections) are noted next to the respective services.
  • There may be additional services and port in use, based on the setup. Some examples:
    • When using LDAP based authentication an LDAPS connection (port 636) is used from the bluespice/wiki containers to the LDAP-Server
    • When using Kerberos authentication, a connection (port 88) is used from the bluespice/kerberos-proxy containers to the Kerberos-Server
    • When using DeepL or OpenAI services, a HTTPS connection (port 443) is used from the bluespice/wiki containers to to the respective service
    • When using OpenIDConnect authentication, a HTTPS connection (port 443) is used from the bluespice/wiki "task" container to to the authentication provider
    • When using "Let's Encrypt" Certbot, a HTTPS connection (port 443) is used from the acme-companion container to the "Let's Encrypt" service

Step 1: Get the stack

Get "docker-compose" files from https://bluespice.com/de/download/

wget https://bluespice.com/filebase/docker-deployment-script \
    && unzip docker-deployment-script \
    && cd docker-deployment-script/compose

The directory contains the following files:

Filename Type Mandatory Comment
bluespice-deploy bash-script false Wrapper for general start-up of needed containers
bluespice-prepare bash-script false Prepare Folder and Permissions before first start also registers the service at the operating system
bluespice.service service-script false Proper handling of the containers on reboot
docker-compose.main.yml yml true Main application services/ run by bluespice-deploy
docker-compose.persistent-data-services.yml yml false Database and search/ run by bluespice-deploy
docker-compose.stateless-services.yml yml true PDF-Renderer/Cache/Formula/Diagram-Service
docker-compose.proxy.yml yml false, but recommended Proxy Service
docker-compose.proxy-letsencrypt.yml yml false Additional auto-renewal service for "Let's Encrypt" certificates
docker-compose.kerberos-proxy.yml yml false Additional proxy for Kerberos based authenication

For convenience, the bluespice-deploy script wraps the first four yml files by default. This includes the main wiki application and also required backend services, like a database, search and application cache.

Additional services can be loaded by adding -f <filename> .

Example:

bluespice-deploy \
    -f docker-compose.proxy-letsencrypt.yml \
    up -d

This will start the stack with "Let's Encrypt" certificates. For details, please refer to section SSL certificates.

Step 2: Set up environment variables

Create .env file according to existing or state-to-be installation.

Example:

DATADIR=/data/bluespice
VERSION=4.5
EDITION=pro
BACKUP_HOUR=04

WIKI_NAME=BlueSpice
WIKI_LANG=en
WIKI_PASSWORDSENDER=no-reply@wiki.company.local
WIKI_EMERGENCYCONTACT=no-reply@wiki.company.local
WIKI_HOST=wiki.company.local
WIKI_PORT=443
WIKI_PROTOCOL=https

DB_USER=bluespice
DB_PASS=...
DB_HOST=database
DB_NAME=bluespice
DB_PREFIX=

SMTP_HOST=mail.company.local
SMTP_PORT=25
SMTP_USER=...
SMTP_PASS=...
SMTP_ID_HOST=...
Different editionsThe example shows EDITION=pro. Be aware that for pro and farm you need to be logged into docker.bluspice.com.


Step 3: Prepare data directories

Run bluespice-prepare script, helping you set up correct folder structure and permissions. Also installing a service for proper handling of the containers on reboots. Make sure to run this command with in a privileged user context (like root), as it will set permissions on the newly created directories.

Step 4: Start the stack

Initial installationWhen starting the stack the first time, the wiki-task container will automatically perform the installation. It may take a couple of minutes for the process to set up the database and complete. Once it is finished, the password for the default Admin user can be found in $DATADIR/wiki/adminPasssword.

Use bluespice-deploy up -d to start the stack, once the .env file and the "data directories" are ready. Once all containers are shown as "ready" you can navigate to $WIKI_PROTOCOL://$WIKI_HOST:$WIKI_PORT (e.g. https://wiki.company.local) in your favorite web browser and start using the application.

Additional options

SSL certificates

For using Let's Encrypt certificates just add docker-compose.proxy-letsencrypt.yml in your bluespice-deploy file.

Self-signed certificatesFor using self-signend Certificates please put <bluespice-wiki.com>.crt and <bluespice-wiki.com>.key with the exact name of your Wikis URL in ${VOLUMES_DIR}/nginx/certs


Operating system level service

Adding additional servicesexpand the ExecStart parameter in the /etc/systemd/system/bluespice.service

Example:

ExecStart=<WORKDIR>/bluespice-deploy -f docker-compose.proxy-letsencrypt.yml up -f -d --remove-orphans


Custom wiki application configuration

After the initial installation, the ${DATADIR}/wiki/bluespice/ contains two files that can be used to set custom application configuration as it may be found on mediawiki.org:

  • pre-init-settings.php - Can be used to set config that can be picked up by the init process
  • post-init-settings.php - Can be used to manipulate configs that have been set by the init process

Custom database and search

If you have a MySQL/MariaDB and an OpenSearch server running in your local network, you can remove docker-compose.persistent-data-services.yml entirely from your bluespice-deploy file. Make sure to set the proper variables in the .env file.

Kerberos proxy

For implicit authenticationusing Kerberos, an additional proxy must be used: bluespice/kerberos-proxy . The file docker-compose.kerberos-proxy.yml contains a common configuration. It can be used instead of the regular docker-compose.proxy.yml file inside bluespice-deploy .

Make sure to have the files

  • ${DATADIR}/kerberos/krb5.conf
  • ${DATADIR}/kerberos/kerberos.keytab

set up properly.

The file ${DATADIR}/wiki/bluespice/pre-init-settings.php can then be used to set up "Extension:Auth_remoteuser" and the LDAP stack extensions.

SAML authentication

During the initial installation a certificate for message signing will automatically be created. It can be found in ${DATADIR}/wiki/simplesamlphp/certs/.

In order to configure a remote IdP, one must copy the IdP metadata XML to a file called ${DATADIR}/wiki/simplesamlphp/saml_idp_metadata.xml. The SP metadata can then be obtained via https://{{$WIKI_HOST}}/_sp/module.php/saml/sp/metadata.php/default-sp. It must be configured in the remote IdP.

Test authenticationYou can test authentication directly within the SimpleSAMLphp application. To do so, navigate to https://{{$WIKI_HOST}}/_sp/module.php/admin and log in with admin and the INTERNAL_SIMPLESAMLPHP_ADMIN_PASS found in ${DATADIR}/wiki/.wikienv


Next, the extensions "PluggableAuth" and "SimpleSAMLphp" must be enabled on the wiki. To do so, add

wfLoadExtensions( [
    'PluggableAuth',
    'SimpleSAMLphp'
] );
Setup:SAML ConfigManager EN 01.png

to the ${DATADIR}/wiki/bluespice/post-init-settings.php. Run

./bluespice-deploy exec wiki-task /app/bluespice/w/maintenance/update.php --quick

to complete the installation.

After that, the authentication plugin configuration can be applied in Special:BlueSpiceConfigManager under "Authentication".

OpenID Connect authentication

The extensions "PluggableAuth" and "OpenIDConnect" must be enabled on the wiki. To do so, add

wfLoadExtensions( [
    'PluggableAuth',
    'OpenIDConnect'
] );

to the ${DATADIR}/wiki/bluespice/post-init-settings.php. Run

./bluespice-deploy exec wiki-task /app/bluespice/w/maintenance/update.php --quick

to complete the installation.

After that, the authentication plugin configuration can be applied in Special:BlueSpiceConfigManager under "Authentication".



To submit feedback about this documentation, visit our community forum.