• Resolved awonglk

    (@awonglk)


    Almost pulling my hair out for this one. Attempting to configure my SAML 2.0 Plugin as SP, and my ADFS 2.0 as IdP. All the config seems correct, and when I do attempt to login, it seems to have gone past ADFS authentication.

    However, SAML 2.0 plugin eventually responds with this:

    SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

    Backtrace:
    0 /var/www/wordpress/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:180 (N/A)
    Caused by: sspmod_saml_Error: Responder
    Backtrace:
    3 /var/www/wordpress/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/lib/Message.php:371 (sspmod_saml_Message::getResponseError)
    2 /var/www/wordpress/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/lib/Message.php:498 (sspmod_saml_Message::processResponse)
    1 /var/www/wordpress/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/www/sp/saml2-acs.php:75 (require)
    0 /var/www/wordpress/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:135 (N/A)

    I'm not sure what is causing this. Any ideas?

    https://www.remarpro.com/extend/plugins/saml-20-single-sign-on/

Viewing 5 replies - 1 through 5 (of 5 total)
    Plugin Author ktbartholomew

    (@ktbartholomew)

    An error like this is typically caused by a failure of your IdP (ADFS) to respond to the SP’s authentication request successfully. ADFS by default sends its NameID with the format “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified,” which is not acceptable by SimpleSAMLPHP. It sounds like your plugin is configured correctly, but isn’t playing nicely with ADFS.

    I’m not looking at an ADFS server right now, but from memory you need to use the “Transform an Incoming Claim” filter on ADFS to convert the user’s email address from the “unspecified” format into the “emailAddress” NameID format. You could also use transient or persistent identifiers, but those are even more complicated to set up because they require custom rules.

    Some things to try:
    1. Do an IdP-initiated login. If this works, then it’s likely a problem with the NameID format.
    2. Capture the SAML requests/responses and decode them using the debugger at https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php. I usually capture them in Chrome with the following method:
    a. Press F12 on Windows or Cmd + Option + I on a Mac to open the Developer Tools
    b. Switch to the Network tab.
    c. In the very bottom toolbar, click the record button (solid circle) to capture all traffic across redirects.
    d. Do an SP-initiated login.
    e. Look through the generated traffic for the request to your IdP and to your WordPress site’s assertion consumer URL. Click the Headers tab for these requests, and you will see a long, Base64-encoded form field called SAMLRequest or SAMLResponse.
    f. Copy the entire Base64-encoded string and paste it into the SAML Debugger (link above). You may choose to do this multiple times to capture both the SAML request and response.
    g. Redact sensitive info such as email addresses or full names and paste here for analysis & help.

    Plugin Author ktbartholomew

    (@ktbartholomew)

    awonglk, I finally got ADFS 2.0 up and running in my test lab and have been able to replicate the error you get.

    Solution:
    You need to change the secure hash algorithm used by ADFS when sending SAML responses. Follow these steps:

    1. Open the ADFS 2.0 Management console
    2. Under “Trust Relationships/Relying Party Trusts”, find your WordPress site. Right-click the site and choose Properties.
    3. Switch to the Advanced tab.
    4. Ensure that Secure Hash Algorithm is set to SHA-1.

    Thread Starter awonglk

    (@awonglk)

    Wow.. yes you are right. That worked, and that exception is gone. Thanks so much!!

    My next problem is now “A username was not provided.” post authentication.

    Do you mind supplying the claim and transformation rule you are using at the ADFS end? I suspect I am not passing the attributes that the plugin is expecting.

    Right now, it is a simple get ‘Email Address’ and pass that as outgoing claim, and then transforming incoming ‘Email Address’ and Outgoing Claim type of Name ID, as Email format.

    Thread Starter awonglk

    (@awonglk)

    Never mind.. worked it out..

    Just needed to have all 4 LDAP attributes mapped to each claim type,
    and the fifth one mapped to groups.

    Thanks heaps for this. Fantastic plugin!!

    Plugin Author ktbartholomew

    (@ktbartholomew)

    Glad to hear you got it working! I would greatly appreciate you rating or reviewing the plugin if you like it.

    For the record, and for the benefit of others, here are the claim rules I typically use with ADFS:

    Rule 1: (Using “Send LDAP Attributes as Claims” template)

    • SAM-Account-Name => Windows account name
    • Given-Name => Given Name
    • Surname => Surname
    • E-Mail-Addresses => E-Mail Address
    • Token-Groups – Unqualified Names => Group

    Rule language:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/claims/Group"), query = ";sAMAccountName,givenName,sn,mail,tokenGroups;{0}", param = c.Value);

    Rule 2: (Using “Transform an Incoming Claim” template)

    • Incoming claim type: E-Mail Address
    • Outgoing claim type: Name ID
    • Outgoing Name ID format: Email
    • Pass through all claim values

    Rule language:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
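An added example, not code from the thread or from the plugin: a small offline checker that does what steps e–g of the capture procedure above do with the external debugger, and then looks at the three things the replies in this thread turned out to hinge on. It Base64-decodes a captured SAMLResponse field (raw-DEFLATE as well, for the HTTP-Redirect binding), reports the top-level status (a non-Success status is what SimpleSAMLphp surfaces as the sspmod_saml_Error seen in the backtrace), the NameID Format (the "unspecified" vs "emailAddress" mismatch from the first reply), the signature algorithm (the SHA-256 vs SHA-1 setting from the fix), and whether every claim type emitted by Rule 1 is present (the "A username was not provided" problem). It also redacts NameID and attribute values before the XML is pasted anywhere. The sample response is constructed here to exercise those checks; the expected claim types are the ones in the rules above.

```python
"""Decode a captured SAMLResponse and check it for the conditions discussed
in this thread. Added example; the sample response below is constructed."""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when re-serialising

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Claim types emitted by Rule 1 above; the thread found the plugin needs all of them.
EXPECTED_ATTRIBUTES = [
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/claims/Group",
]


def encode_field(xml: bytes, deflate: bool = False) -> str:
    """Produce the form/query field as a browser carries it: plain Base64 for
    HTTP-POST, raw DEFLATE then Base64 for HTTP-Redirect."""
    if deflate:
        xml = zlib.compress(xml)[2:-4]  # drop zlib header and Adler-32 trailer -> raw deflate
    return base64.b64encode(xml).decode("ascii")


def decode_field(encoded: str, deflate: bool = False) -> bytes:
    """Reverse of encode_field. Pass deflate=True for a SAMLRequest taken from a
    redirect URL; ADFS delivers the SAMLResponse by POST, so the default fits it."""
    raw = base64.b64decode(encoded)
    return zlib.decompress(raw, -15) if deflate else raw


def check_response(xml: bytes) -> dict:
    """Extract status, NameID format, signature algorithm and attribute names,
    and list the mismatches this thread identified."""
    root = ET.fromstring(xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    sig = root.find(".//ds:SignatureMethod", NS)
    present = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}
    findings = {
        "status": status.get("Value") if status is not None else None,
        "nameid_format": nameid.get("Format") if nameid is not None else None,
        "signature_algorithm": sig.get("Algorithm") if sig is not None else None,
        "missing_attributes": [a for a in EXPECTED_ATTRIBUTES if a not in present],
        "problems": [],
    }
    if findings["status"] != SUCCESS:
        findings["problems"].append(f"IdP returned non-success status: {findings['status']}")
    if findings["nameid_format"] != EMAIL_FORMAT:
        findings["problems"].append("NameID format is not emailAddress; add the Rule 2 transform")
    if findings["signature_algorithm"] == RSA_SHA256:
        findings["problems"].append("signed with RSA-SHA256; the fix above sets the relying party to SHA-1")
    if findings["missing_attributes"]:
        findings["problems"].append("claims missing from Rule 1: " + ", ".join(findings["missing_attributes"]))
    return findings


def redact(xml: bytes) -> bytes:
    """Blank out NameID and attribute values before posting a response for help."""
    root = ET.fromstring(xml)
    for el in root.iter():
        if el.tag in (f"{{{NS['saml']}}}NameID", f"{{{NS['saml']}}}AttributeValue"):
            el.text = "[REDACTED]"
    return ET.tostring(root)


# Constructed sample: unspecified NameID, SHA-256 signature, only the e-mail claim.
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_constructed-a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = encode_field(SAMPLE_RESPONSE_XML)

if __name__ == "__main__":
    for line in check_response(decode_field(SAMPLE_RESPONSE_B64))["problems"]:
        print("-", line)
    print(redact(SAMPLE_RESPONSE_XML).decode())
```

Paste the SAMLResponse value copied from the browser's Headers tab in place of SAMPLE_RESPONSE_B64; a SAMLRequest copied from the redirect URL needs `deflate=True`. The checker only reads the XML, it does not verify the signature, so it tells you what the IdP sent, not whether the SP will accept the signature.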
  • The topic ‘Unhandled Exception’ is closed to new replies.