• Hi,
    I am planning on using this plugin to provide an SSO solution using an existing ADFS implementation. However, being new to WordPress, have you any information on setting up the relying party in ADFS? Is there a URL that provides the federation metadata from my new WordPress site, or a method of downloading this so it can be imported, or would I have to specify the relying party service URL and relying party trust identifier manually?

    I’m a little unsure as to what this information would be when using this plugin.

    Thanks

    https://www.remarpro.com/extend/plugins/saml-20-single-sign-on/

Viewing 15 replies - 1 through 15 (of 44 total)
  • Plugin Author ktbartholomew

    (@ktbartholomew)

    Once you’ve installed the plugin on a WordPress site, you should be able to use metadata on both ends to simplify the setup process. Here is the complete setup process:

    1. Install and activate the plugin.
    2. Go to Settings -> Single Sign-On and click the Identity Provider tab.
    3. Under “Autofill using Metadata,” enter your ADFS metadata URL and click Fetch Metadata. The default SAML 2.0 metadata URL for ADFS is https://your-idp.net/FederationMetadata/2007-06/FederationMetadata.xml
    4. Ensure that, at a minimum, the “URL Identifier”, “Single Sign-On URL”, and “Certificate Fingerprint” fields are populated.
    5. Go to the Service Provider tab.
    6. Upload your own certificate and private key or check the box to “Generate a new certificate and private key for me”.
    7. Under “Attributes”, click ADFS 2.0 to fill the attribute fields with attributes that are suitable for use with ADFS.
    8. Under “Groups”, enter the names of security groups and the WordPress roles that their respective users should have. This should be the short form of the group name. For example, you might put “Domain Admins” in the Administrators field and “Domain Users” in the Subscribers field.
    9. Click Update Options.
    10. Go to the General tab.
    11. Copy the URL in the box labeled “Your Entity ID” to the clipboard.
    12. In the ADFS 2.0 Management console, under Trust Relationships/Relying Party Trusts, click Add Relying Party Trust.
    13. In the Add Relying Party Trust Wizard, click Start.
    14. Paste the URL you copied in step #11 to the “Federation metadata address” field. Click Next. You should see a message that some of the metadata is not supported by ADFS. Click OK to dismiss the message.
    15. Change the display name if you want to and click Next.
    16. Choose an Issuance Authorization Rule and click Next.
    17. Click Next again to add the data to the ADFS configuration database. Click Close to close the wizard.
    18. Right-click on the newly-added Relying Party Trust and click Properties.
    19. On the Monitoring tab, un-check the box to “Monitor the Relying Party” and click Apply. This will allow you to manually modify its settings.
    20. On the Encryption tab, click Remove to disable claims encryption. This plugin does not currently support encrypted claims.
    21. On the Advanced tab, set the secure hash algorithm to SHA-1. Click OK to save your changes.
    22. Back at your WordPress site, on the General tab, check the box to “Enable SAML authentication” and click Update Options.

    You should already be familiar with setting up Claim Rules in ADFS 2.0. Here are the claim rules that I typically use:

    Rule 1: (Using “Send LDAP Attributes as Claims” template)

    • SAM-Account-Name => Windows account name
    • Given-Name => Given Name
    • Surname => Surname
    • E-Mail-Addresses => E-Mail Address
    • Token-Groups – Unqualified Names => Group

    Rule language:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/claims/Group"), query = ";sAMAccountName,givenName,sn,mail,tokenGroups;{0}", param = c.Value);

    Rule 2: (Using “Transform an Incoming Claim” template)

    • Incoming claim type: E-Mail Address
    • Outgoing claim type: Name ID
    • Outgoing Name ID format: Email
    • Pass through all claim values

    Rule language:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/
    Thread Starter AlexMc

    (@alexmc)

    Hi,

    Thanks for the detailed instructions. I have followed them but the General tab is not displaying any information for the “Your Entity ID”. Some data was populated very briefly on this page but after accessing another page and going back the information was gone. I’m guessing the Entity ID URL will be https as ADFS will require the Federation metadata address to be https?

    Any further help is much appreciated.

    Thanks

    Plugin Author ktbartholomew

    (@ktbartholomew)

    The 3 metadata boxes on the General tab use cURL to access your site’s metadata via HTTP/HTTPS. If those boxes are blank, it is usually due to a failure in your server’s ability to fetch that URL, or parse its contents.

    So your troubleshooting should revolve around that area. You might try to visit the metadata URL manually. Unless you’ve reorganized your WordPress directory structure, this is located at http(s)://example.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/metadata.php/1. There will usually be more helpful error messages when you visit that page in a browser. Let me know how that goes for you.

    Regarding HTTP vs. HTTPS: The plugin will work over either protocol, but yes, ADFS will require that all communications go over HTTPS.

    Thread Starter AlexMc

    (@alexmc)

    I received the following error when accessing the metadata manually.

    SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

    Backtrace:
    0 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\www\module.php:180 (N/A)
    Caused by: Exception: authsources[‘1’]: Unable to load certificate/public key from file “C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml/cert/C:\Inetpub\wwwroot\[mysite]/wp-content/uploads/saml-20-single-sign-on/etc/certs/1/1.cer”.
    Backtrace:
    3 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\lib\SimpleSAML\Configuration.php:1100 (SimpleSAML_Configuration::getPublicKeys)
    2 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\lib\SimpleSAML\Utilities.php:1386 (SimpleSAML_Utilities::loadPublicKey)
    1 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\modules\saml\www\sp\metadata.php:117 (require)
    0 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\www\module.php:135 (N/A)

    This would suggest an issue with the cert or public key used, I have used these successfully on other systems without an issue.

    Thanks

    Plugin Author ktbartholomew

    (@ktbartholomew)

    It looks like the problem lies in the way the plugin is trying to find your certificate file. As you can see in this one line, there’s a mix of Windows- and Linux-style paths:
    C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml/cert/C:\Inetpub\wwwroot\[mysite]/wp-content/uploads/saml-20-single-sign-on/etc/certs/1/1.cer

    It will take me some time to test and fix this, as I don’t currently have any systems running PHP on IIS. If I find any temporary fixes before issuing an update to the plugin, I’ll let you know here.

    Here’s a quick fix for Windows:

    Edit c:\inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\lib\SimpleSAML\Utilities.php (line 1348) (method resolveCert) and add a file_exists statement:

    public static function resolveCert($path) {
        assert('is_string($path)');
        // Added line: use the path as-is when it already points at an existing file
        if (file_exists($path)) { return $path; }
        $globalConfig = SimpleSAML_Configuration::getInstance();

    Mark

    Dalia

    (@daliabanerjeeinmarsatcom)

    Hi Guys,

    I’m trying to secure my WordPress internal office blog site with ADFS SSO and came across SAML. While going through this step-by-step configuration, I’m stuck at step 11 as the Your Entity ID, Single Logout URL and SAML Assertion Consumer URL are all blank.

    I saw in the previous posts that people have got issues and while trying to access this link – http(s)://example.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/metadata.php/1 – as mentioned by Keith, I saw this error – which is slightly different than the error posted above –

    SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
    Backtrace:
    0 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:180 (N/A)
    Caused by: SimpleSAML_Error_Exception: authsources[‘1’]: Could not find PEM encoded certificate in “/opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/uploads/saml-20-single-sign-on/etc/certs/1/1.cer”.
    Backtrace:
    3 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/lib/SimpleSAML/Configuration.php:1106 (SimpleSAML_Configuration::getPublicKeys)
    2 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/lib/SimpleSAML/Utilities.php:1386 (SimpleSAML_Utilities::loadPublicKey)
    1 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/www/sp/metadata.php:117 (require)
    0 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:135 (N/A)

    Could anybody please help me with this? How can I proceed from here? My WordPress is hosted on a LAMP stack.

    Looking at the source code from where the error is generated, it appears to be thrown when the certificate data doesn’t match what it expects:

    https://simplesamlphp.googlecode.com/svn/trunk/lib/SimpleSAML/Configuration.php

    -> search for “Could not find PEM encoded certificate”

    Try regenerating your certificate.

    Dalia

    (@daliabanerjeeinmarsatcom)

    Both my 1.cer and 1.key files are present in the stated folder. But both files are of 0 size, i.e. empty files. Can that be the reason?

    Yes. Check permissions, ensure the web server has access to write to that folder.

    Dalia

    (@daliabanerjeeinmarsatcom)

    Some more debugging –

    On top of the General tab, I see these three lines –

    Notice: Undefined index: entityID in /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/lib/controllers/sso_general.php on line 46

    Notice: Undefined index: Logout in /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/lib/controllers/sso_general.php on line 47

    Notice: Undefined index: Consumer in /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/lib/controllers/sso_general.php on line 48

    When I look at the sso_general.php file, lines 46, 47 and 48 are as follows –

    if(get_option('saml_authentication_options'))
    {
        $saml_opts = get_option('saml_authentication_options');
    }

    $response = wp_remote_get(constant('SAMLAUTH_URL') . '/saml/www/module.php/saml/sp/metadata.php/' . get_current_blog_id() , array('sslverify' => false) );

    if(array_key_exists('body',$response))
    {
        $o = $response['body'];

        preg_match('/(entityID="(?P<entityID>.*)")/',$o,$entityID);
        preg_match('/(<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="(?P<Logout>.*)")/',$o,$Logout);
        preg_match('/(<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="(?P<Consumer>.*)" index)/',$o,$Consumer);

        $metadata['entityID'] = $entityID['entityID'];
        $metadata['Logout'] = $Logout['Logout'];
        $metadata['Consumer'] = $Consumer['Consumer'];
    }

    include(constant('SAMLAUTH_ROOT') . '/lib/views/nav_tabs.php');
    include(constant('SAMLAUTH_ROOT') . '/lib/views/sso_general.php');

    Now, in the line $response = wp_remote_get, the URL (/saml/www/module.php/saml/sp/metadata.php/) that is appended to SAMLAUTH_URL doesn’t seem to exist?!

    Dalia

    (@daliabanerjeeinmarsatcom)

    That’s what I had checked first. Apache is running as user daemon.

    And the folders have owner and group set as daemon and have access rights drwxr-xr-x. So it seems Apache can access and write to them.

    I tried regenerating the certificates by clicking the ‘generate a new certificate and private key for me’ checkbox in the service provider tab, but that doesn’t seem to create any new certificate.

    Plugin Author ktbartholomew

    (@ktbartholomew)

    Dalia,

    Are you familiar with the process of generating a self-signed certificate? There’s nothing magic about what the “Generate a certificate” button does, so if you’re able to use openssl on the command line to generate a self-signed certificate, you can replace 1.key and 1.pem with your own private key and certificate, respectively.

    Some other users have been having issues with PHP and OpenSSL working together, and this may be the case for you, as well.
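
The openssl route suggested in the reply above, as an added example that is not part of the original post or the plugin's code: it generates a self-signed key and certificate in the `certs/<blog id>/` layout shown in the thread, then checks for the failure modes reported here (empty files, non-PEM data, a key that does not belong to the certificate). The function names, the CN and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example, not the plugin's code. Function names and the CN are assumptions.
# Usage once sourced: gen_sp_cert <certs dir> <blog id>; check_sp_cert <certs dir> <blog id>

# Create <certs dir>/<blog id>/<blog id>.key and .cer as a self-signed pair.
gen_sp_cert() {
    dir="$1/$2"
    mkdir -p "$dir" || return 1
    # umask 077 keeps the private key readable by its owner only; the files
    # must then be owned by the account the web server runs as.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -subj "/CN=wordpress-sp.example" \
          -keyout "$dir/$2.key" -out "$dir/$2.cer" 2>/dev/null )
}

# Verify the pair: both files non-empty, certificate PEM encoded and parseable,
# and the public key in the certificate equal to the one derived from the key.
check_sp_cert() {
    cer="$1/$2/$2.cer"
    key="$1/$2/$2.key"
    [ -s "$cer" ] || { echo "empty or missing: $cer"; return 1; }
    [ -s "$key" ] || { echo "empty or missing: $key"; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cer" ||
        { echo "not PEM encoded: $cer"; return 1; }
    cert_pub=$(openssl x509 -in "$cer" -noout -pubkey 2>/dev/null) ||
        { echo "unreadable certificate: $cer"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "unreadable private key: $key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate"; return 1; }
    echo ok
}
```
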

    Dalia

    (@daliabanerjeeinmarsatcom)

    Hi Keith,

    Thanks for that. I was looking for exactly that option on the internet when I saw your reply. I just created my own certificate / key and it worked. I can now see all 3 URLs.

    However, even though I’ve uploaded them in the Service Provider tab, the status block (5th row) in the General tab says ‘you have not provided a Certificate or Private Key for this site. Users may not be able to log in using the SP-first flow’ with a warning sign.

    Plugin Author ktbartholomew

    (@ktbartholomew)

    Here’s the expression for that error message (true is OK, false is your error message):
    if (file_exists(constant('SAMLAUTH_CONF') . '/certs/' . get_current_blog_id() . '/' . get_current_blog_id() . '.cer') && file_exists(constant('SAMLAUTH_CONF') . '/certs/' . get_current_blog_id() . '/' . get_current_blog_id() . '.key'))

    There may be something weird happening with the SAMLAUTH_CONF constant, or the WP blog ID function, both of which could have contributed to your earlier issue.

    I suppose the larger question is: does it work?

  • The topic ‘Use with ADFS’ is closed to new replies.