I have configured Windows 2012 r2 with ADFS 3.0, bitnami WordPress (4.2.2) with SAML 2.0 Single Sign on plugin and Ubuntu server with SimpleSAMLphp 1.13.
WordPress configuration looks like this:
For authentication source I am using SSP's file module. It has attributes: User-Name for user id, mail for user's email address and Filter-Id for user's group.
At ADFS side, I have configured claims provider trust as SSP and relying party's trust as WP.
Claim rules for those are:
SSP:
Rule 1: To transform name id policy. If this rule is not set WP's SSP gives NameIDPolicy invalid error.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
Rule 2: Pass all the claims
c:[Type == "https://example.com/simplesamlphp/saml2/idp/metadata.php"] => issue(claim = c);
WordPress:
Rule 1: Convert name attribute to WP's attribute
c:[Type == "User-Name"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = c.Value);
Rule 2: Convert mail attribute
c:[Type == "mail"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress", Value = c.Value);
Rule 3: Convert group attribute
c:[Type == "Filter-Id"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/Group", Value = c.Value);
Rule 4: Convert to Givenname attribute
c:[Type == "User-Name"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/givenname", Value = c.Value);
Rule 5: Convert to Surname attribute
c:[Type == "User-Name"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/surname", Value = c.Value);
Rule 6: Convert Name id policy & issue all claims
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
User gets authenticated fine (SP/IdP-initiated), but at WP side I get an error saying "Username was not provided".
ADFS tracer log shows me "SSO token is null or empty. Cannot write SSO token to Cookies."
I checked IdP for user login and it shows user logged in. Tracer log also shows "Valid assertion returned from 'https://example.com/simplesamlphp/saml2/idp/metadata.php'".
I guess there is something wrong with claims rules, but I am not sure because configuration looks and works fine.
So the chain is WP --> ADFS --> SSP
Normally for NameID, you use a transform rule, e.g. "Transform email to NameID with a format of email".
For the CP, you need pass-through rules for each attribute.
This rule "c:[Type == "https://example.com/simplesamlphp/saml2/idp/metadata.php"] => issue(claim = c);" does not pass through all rules - best to do them individually.
The RP rules look right but the NameID rule has a format of email so it should be derived from email, not name.
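As an added illustration of the answer's two points (one pass-through rule per attribute on the claims provider trust, and a NameID derived from the mail claim rather than the name claim), not code from either post: the question's own rules applied with the ADFS PowerShell cmdlets. The trust names are placeholders, and the question's RP Rules 1-5 are kept as written since the answer says they look right.

```powershell
Import-Module ADFS

$cpName = "SSP"        # placeholder: display name of the claims provider trust
$rpName = "WordPress"  # placeholder: display name of the relying party trust

# Claims provider trust: one pass-through rule per attribute, replacing the
# question's Rule 2 (a rule keyed on the IdP metadata URL matches no claim).
# The question's Rule 1 (NameID -> name transform) is kept in front of them.
$cpRules = @'
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "Pass through User-Name"
c:[Type == "User-Name"] => issue(claim = c);

@RuleName = "Pass through mail"
c:[Type == "mail"] => issue(claim = c);

@RuleName = "Pass through Filter-Id"
c:[Type == "Filter-Id"] => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName $cpName -AcceptanceTransformRules $cpRules

# Relying party trust: the question's Rules 1-5 unchanged, and the NameID now
# derived from the mail claim (emailAddress format) instead of the name claim.
$rpRules = @'
c:[Type == "User-Name"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = c.Value);
c:[Type == "mail"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress", Value = c.Value);
c:[Type == "Filter-Id"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/Group", Value = c.Value);
c:[Type == "User-Name"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/givenname", Value = c.Value);
c:[Type == "User-Name"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/surname", Value = c.Value);

@RuleName = "NameID from mail"
c:[Type == "mail"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rpRules

# Read back both rule sets to confirm what ADFS stored.
(Get-AdfsClaimsProviderTrust -Name $cpName).AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

After applying, a fresh SP-initiated login should show the NameID carrying the mail value in the ADFS tracer log rather than the "SSO token is null or empty" message.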