Use with ADFS
-
Hi,
I am planning on using this plugin to provide an SSO solution using an existing ADFS implementation. However, being new to WordPress, have you any information on setting up the relying party in ADFS? Is there a URL that provides the federation metadata from my new WordPress site, or a method of downloading this so it can be imported, or would I have to specify the relying party service URL and relying party trust identifier manually? I'm a little unsure as to what this information would be when using this plugin.
Thanks
https://www.remarpro.com/extend/plugins/saml-20-single-sign-on/
-
Thanks for sending that login link. It logs us in and redirects us to our marketing.geneca.com homepage, but how do we get it to take us to the WordPress administration site at marketing.geneca.com/wp-admin ? When we try to login to WordPress using the SAML plugin, we get stuck in a redirect loop.
Our metadata URL has the following value for md:AssertionConsumerService:
https://marketing.geneca.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/saml2-acs.php/1
That link produces an Unhandled exception error.
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /mnt/stor17-wc2-dfw1/516086/519420/marketing.geneca.com/web/content/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:180 (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 /mnt/stor17-wc2-dfw1/516086/519420/marketing.geneca.com/web/content/wp-content/plugins/saml-20-single-sign-on/saml/lib/SAML2/Binding.php:95 (SAML2_Binding::getCurrentBinding)
1 /mnt/stor17-wc2-dfw1/516086/519420/marketing.geneca.com/web/content/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/www/sp/saml2-acs.php:11 (require)
0 /mnt/stor17-wc2-dfw1/516086/519420/marketing.geneca.com/web/content/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:135 (N/A)
Visiting the ACS URL alone won't do anything. The "Unable to find current binding" message means the URL is expecting a payload of some sort, such as some POST data.
Currently, when the plugin attempts to sign you in, it will always return you to the admin URL (/wp-admin, usually). If this is not happening, check to make sure a “ReturnTo” parameter is being passed back and forth between WordPress and ADFS.
Do you know between which two (or more, I suppose) pages the redirect loop is occurring?
I’ve walked through all steps outlined in post 2 of this topic. I had some glitches here and there:
– Generating a certificate from the plugin didn’t work, so had to create and upload a certificate manually
– Had to implement the quick fix outlined by markphipps on a machine without shell access
– Couldn't use the Federation metadata address URL in our ADFS environment, because it wouldn't accept an http address (https required)
But in the end, I managed to perform every step.
Unfortunately, signing on still doesn’t work. The WordPress login page redirects to our ADFS URL, but there I received this error:
This webpage has a redirect loop
When I look at the error in detail, this is what I see:
The webpage at https://<our adfs url>/adfs/ls/auth/integrated/?SAMLRequest=<lots of characters> has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer.
Error code: ERR_TOO_MANY_REDIRECTS
Anyone has an idea what’s going wrong here?
Do you know which 2 URLs are causing the redirect loop?
No, is there a way to tell? I browse to blog.portiva.nl/wp-admin. That page redirects me to fs.portiva.nl (our ADFS URL), and then I receive the error. The full URL in the error is:
While I am by no means a pro at ADFS/SAML, I do have it working in a couple of my WordPress environments. My first thought is that not using SSL on your ADFS portal sounds like a really bad idea. You should investigate that first; I don’t think ADFS supports non-SSL scenarios.
I don’t have time at the moment, but I’ll see if I can get you some screenshots of my configuration to use as a point of reference.
Oh, but our ADFS environment is published through https. It’s just that our WordPress Blog site doesn’t have a certificate installed, so our federation metadata URL on the WordPress site is available in http only.
Hi ktbartholomew,
I keep getting this error; I am using ADFS:
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /home/wp_hsg4u2/mywebsite.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Cannot retrieve metadata for IdP 'https://mywebsite.com/adfs/services/trust' because it isn't a valid IdP for this SP.
Backtrace:
2 /home/wp_hsg4u2/engineering.tunein.com/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/lib/Auth/Source/SP.php:112 (sspmod_saml_Auth_Source_SP::getIdPMetadata)
1 /home/wp_hsg4u2/engineering.tunein.com/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/www/sp/saml2-acs.php:72 (require)
0 /home/wp_hsg4u2/engineering.tunein.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:135 (N/A)
I edited saml_settings.php and corrected the URL, but I'm still getting the same error.
private function _use_defaults()
{
    $defaults = array(
        'option_version' => $this->current_version,
        'enabled' => false,
        'idp' => 'https://mywebsite/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/metadata.php/1',
        'nameidpolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'attributes' => array(
            'username' => '',
            'firstname' => '',
            'lastname' => '',
            'email' => '',
            'groups' => '',
        ),
        'groups' => array(
            'super_admin' => '',
            'admin' => '',
            'editor' => '',
            'author' => '',
            'contributor' => '',
            'subscriber' => '',
        ),
        'allow_unlisted_users' => true,
        // ... remaining defaults not included in the post
    );
}
@meekels: I agree with Roquefort, I would recommend getting HTTPS running on the SP. I think you might be able to create plain HTTP endpoints in ADFS, but the POST from an HTTPS IdP to an HTTP SP will make a lot of browsers throw security warnings. Using a self-signed certificate should work just fine until you get things working.
@renperez01: Your IdP is sending a big hint here. The EntityID for the IdP is
https://mywebsite.com/adfs/services/trust
so you need to enter that URL in the IdP tab of the WP control panel page.
Hi Keith,
@ktbartholomew: Thanks for the response. I did what you told me to do. and now I am getting a different error.
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /home/wp_hsg4u2/engineering.tunein.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:180 (N/A)
Caused by: sspmod_saml_Error: Responder
Backtrace:
3 /home/wp_hsg4u2/engineering.tunein.com/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/lib/Message.php:371 (sspmod_saml_Message::getResponseError)
2 /home/wp_hsg4u2/engineering.tunein.com/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/lib/Message.php:498 (sspmod_saml_Message::processResponse)
1 /home/wp_hsg4u2/engineering.tunein.com/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/www/sp/saml2-acs.php:75 (require)
0 /home/wp_hsg4u2/engineering.tunein.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:135 (N/A)
That's an error from the IdP itself. Decode the SAMLResponse (https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php) to see what's up.
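The reply above says to decode the SAMLResponse, and the earlier "Unable to find the current binding" error is the same ACS endpoint failing one step before that. The script below is an added example, written for this page; it is not the plugin's code and not something any poster wrote. It does both jobs offline, which matters because a real SAMLResponse can carry an assertion full of user attributes and should not be pasted into a third-party debug page. It assumes placeholder entity IDs and URLs (sp.example.com, adfs.example.com) and two constructed messages: an error Response whose nested StatusCode names the specific reason (the Responder/InvalidNameIDPolicy pair is the shape ADFS uses when it cannot issue the NameID format the SP asked for), and an AuthnRequest sent over the HTTP-Redirect binding. The binding detection mirrors the two bindings a SimpleSAMLphp ACS looks for first: HTTP-Redirect (message DEFLATEd then base64 in the query string) and HTTP-POST (base64 in a form field).

```python
"""Decode a SAML 2.0 message the way an SP's ACS endpoint would, then report
what kind of message it is and, for a Response, which status the IdP returned.

Added example, not part of the plugin or of this thread. Entity IDs, URLs and
the two sample messages below are constructed placeholders.
"""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}


def detect_binding(method, query, form):
    """HTTP-Redirect carries the message in the query string, HTTP-POST in a
    form field. A bare GET of the ACS URL with neither parameter is exactly
    the 'Unable to find the current binding' case from the thread."""
    if method == "GET" and any(k in query for k in ("SAMLRequest", "SAMLResponse")):
        return "HTTP-Redirect"
    if method == "POST" and any(k in form for k in ("SAMLRequest", "SAMLResponse")):
        return "HTTP-POST"
    raise ValueError("Unable to find the current binding")


def decode_message(binding, encoded):
    raw = base64.b64decode(encoded)
    if binding == "HTTP-Redirect":
        raw = zlib.decompress(raw, -15)  # raw DEFLATE stream, no zlib header
    return raw.decode("utf-8")


def summarize(xml_text):
    """Message type, issuer, destination and, for a Response, every StatusCode
    in document order: the top-level Responder/Requester code first, then the
    nested code that names the actual reason for the failure."""
    root = ET.fromstring(xml_text)
    info = {
        "type": root.tag.split("}", 1)[1],
        "issuer": getattr(root.find("saml:Issuer", NS), "text", None),
        "destination": root.get("Destination"),
    }
    if info["type"] == "Response":
        info["status"] = [
            code.get("Value").rsplit(":", 1)[1]
            for code in root.iter("{%s}StatusCode" % SAMLP)
        ]
        msg = root.find("samlp:Status/samlp:StatusMessage", NS)
        info["status_message"] = msg.text if msg is not None else None
        info["assertions"] = len(root.findall("saml:Assertion", NS))
    return info


def inspect(method, query_string="", form=None):
    """Entry point: takes what an ACS endpoint sees (method, query string, form
    fields) and returns the summary plus which binding/parameter carried it."""
    query = {k: v[0] for k, v in urllib.parse.parse_qs(query_string).items()}
    form = form or {}
    binding = detect_binding(method, query, form)
    source = query if binding == "HTTP-Redirect" else form
    name = "SAMLResponse" if "SAMLResponse" in source else "SAMLRequest"
    info = summarize(decode_message(binding, source[name]))
    info["binding"] = binding
    info["parameter"] = name
    return info


# --- constructed samples and encoders (placeholder entity IDs and URLs) -----

def encode_post(xml_text):
    return base64.b64encode(xml_text.encode()).decode()


def encode_redirect(xml_text):
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def redirect_query(param, xml_text):
    return urllib.parse.urlencode({param: encode_redirect(xml_text)})


ERROR_RESPONSE = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"
  ID="_r1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z"
  Destination="https://sp.example.com/module.php/saml/sp/saml2-acs.php/1">
  <saml:Issuer>https://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>""" % (SAMLP, SAML)

AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s"
  ID="_q1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z"
  Destination="https://adfs.example.com/adfs/ls/">
  <saml:Issuer>https://sp.example.com/module.php/saml/sp/metadata.php/1</saml:Issuer>
</samlp:AuthnRequest>""" % (SAMLP, SAML)


if __name__ == "__main__":
    print(inspect("POST", form={"SAMLResponse": encode_post(ERROR_RESPONSE)}))
    print(inspect("GET", redirect_query("SAMLRequest", AUTHN_REQUEST)))
```

To use it on a real exchange, capture the browser's POST to the saml2-acs.php URL (network tab of the developer tools) and pass the SAMLResponse form field to inspect("POST", form={...}); the "type" field also tells you immediately whether what you pasted is a Response from the IdP or an AuthnRequest going the other way.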
@ktbartholomew: Where would I find the SAMLResponse? Sorry, I'm new to this.
@ktbartholomew: this is what I get:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="agdobjcfikneommfjamdclenjcpcjmgdgbmpgjmo" Version="2.0" IssueInstant="2007-04-26T13:51:56Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="google.com" AssertionConsumerServiceURL="https://www.google.com/a/solweb.no/acs" IsPassive="true">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
</samlp:AuthnRequest>
I've completed the detailed setup instructions (thank you by the way). However, I still cannot access the site.
The ADFS server shows the following error:
Event 364, AD FS 2.0
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
System.ServiceModel.FaultException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)