I have the below SAML response and i need to map the UserLoginID to user_login. How do i do that in the settings UI? Thanks.

<?xml version="1.0" encoding="UTF-8" ?>
<saml2p:Response Destination="https://website.school/wp-login.php?saml_acs" ID="_933b0511-1f86-4dc4-8559-4a55faf1e48a" IssueInstant="2024-06-14T15:12:42.206Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsd="https://www.w3.org/2001/XMLSchema">
	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://test.website.nl/login/</saml2:Issuer>
	<ds:Signature xmlns:ds="https://www.w3.org/2000/09/xmldsig#">
		<ds:SignedInfo>
			<ds:CanonicalizationMethod Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
			<ds:SignatureMethod Algorithm="https://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
			<ds:Reference URI="#_933b0511-1f86-4dc4-8559-4a55faf1e48a">
				<ds:Transforms>
					<ds:Transform Algorithm="https://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					<ds:Transform Algorithm="https://www.w3.org/2001/10/xml-exc-c14n#">
						<ec:InclusiveNamespaces PrefixList="xsd" xmlns:ec="https://www.w3.org/2001/10/xml-exc-c14n#"/>
					</ds:Transform>
				</ds:Transforms>
				<ds:DigestMethod Algorithm="https://www.w3.org/2001/04/xmlenc#sha256"/>
				<ds:DigestValue>NjwjDeSYjx99JetZ/ThhgexrKE0tVDubdRQKLJBaq0I=</ds:DigestValue>
			</ds:Reference>
		</ds:SignedInfo>
		<ds:SignatureValue>mhqxmiYuNg1W+rcBvv/Xdz8UCqC62kW3T+PXS24uLsyjGTcwhZ7481cDIN2v4RSiH1k4v2XCZ5Il3/0ZKcOPj3FhyvTKsryhWDA1qTvDnIE701w74isV2nsyx0luQi5nSZC/50GnITxzLe5LDsMOppiMz0Ds/GeUUB6EzWYU8Dkj98poMRnmlNFPeVwlLw5OWCwBG7G2nrqVj1ihkhMWc1IpNqJkUzBVCt/9Y4F/RGO3TApjrD5aq+eWtxMM7Pn+kL1umbAVXWQTktitQKdWEvJNBHcG7OK5kHEV5SNSk5CPt/umN4gNFKeed3wg5FENyVb7xtq7hZ4atsaNrdTeAIEpqzVRjwBiDYi1GPMX2omP6MfoW7u6Vm7rC0BbN5ZzfoRcOGXqJ6OmusdfI6mW5dO9WJLrXLcxn9gO/PhkSUjSYZTKeYC0+z2CN45h8MMkwmrZYS/2neXurJAaYb5kRufwJMdoDv5NMolgHP/UoGEP0YgSWTb6M2SyKdrxFJV7VMISOXkhrrN0t5RNTND3OJuy2lkXHnzLJRVLAJF0FFbokY/jVVqnxkFcw8x99J8sZJTcBxOU5wBsMGnKg+Nd9aMwPMkk7eHqg4URLtE8ClLi2yPUnNNe4QloLjhk2Igi+d666xubDdIL5PR7fMXOnI2i213M6KTpLIKDUV12vEA=</ds:SignatureValue>
		<ds:KeyInfo>
			<ds:KeyValue>
				<ds:RSAKeyValue>
					<ds:Modulus>v/mQJ5UPHn9ma2iVSWfRRzRGlkXfop9Z+LOE16Qi51LuYec7ghfVyuu4n0+y80ZgfoN5xCO7+Puk/DvppQRxX8QybCb4KbXgp2Gir7S2zdC81e+35DrgSTv/pm3eHnmkf1K3q/+3Jv2VIY9NREbAWVBAk8y6SV38j+80jHwiT4C2kkdhMEFhCljYY43x2mxzKp9Y5MIqiZADMI7GQXf2QoknuY5tMkqDA0O9CQmuAjgaIcqnMpHHCMlpEJkgjfBL3wCxPxMLvfMsVvVzQbZFZFr5qnOdqZqT6950YgTYJNYZLFgVGHwpyqUauYe4qv7k+p+LM1IiXosbJ12ZNzXra0YSdr1nJUikv0kUioeNmEp7sU8c9Sc3p0+k488X7itCo/kUK6l/KNzMzKk9pKCWn0XtACzyD15U/70rL0refnHQkDQNZurBJRdpWo6tSM5w+WwnIVdaUuaLBzyWVhqaJ4vy9SrJjS4iuXgET7oi+++FJ36sBNZKz/4j4yqelnVj4T633oQ3OmFTUwS7DAmt4Gab1o9PlWx0SElqtBjOzeXr571IHcdMnoT6nLSyJXoFaWN4OrJSnMRi4tltyyLHhRRmnfny8+R/FHX68j7zvdQ9YJKGP+NAtia8TYgH+DCcE6iWXcI/Y7D60YYQ6T+uux2rkuGIGym4Mq3Nq0MLXjE=</ds:Modulus>
					<ds:Exponent>AQAB</ds:Exponent>
				</ds:RSAKeyValue>
			</ds:KeyValue>
		</ds:KeyInfo>
	</ds:Signature>
	<saml2p:Status>
		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
	</saml2p:Status>
	<saml2:Assertion ID="_9d5302b9-a20a-4890-aa3f-688e8943605f" IssueInstant="2024-06-14T15:12:42.206Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xsi:type="saml2:AssertionType">
		<saml2:Issuer>https://test.website.nl/login/</saml2:Issuer>
		<saml2:Subject>
			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="UserLoginID">116924</saml2:NameID>
			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<saml2:SubjectConfirmationData NotBefore="2024-06-14T15:12:22.206Z" NotOnOrAfter="2024-06-14T15:13:02.206Z" Recipient="https://website.school/wp-login.php?saml_acs"/>
			</saml2:SubjectConfirmation>
		</saml2:Subject>
		<saml2:Conditions NotBefore="2024-06-14T15:12:22.206Z" NotOnOrAfter="2024-06-14T15:13:02.206Z">
			<saml2:AudienceRestriction>
				<saml2:Audience>https://website.school/wp-login.php?saml_acs</saml2:Audience>
				<saml2:Audience>https://website.school/wp-login.php?saml_acs/</saml2:Audience>
			</saml2:AudienceRestriction>
		</saml2:Conditions>
		<saml2:AuthnStatement AuthnInstant="2024-06-14T15:12:42.206Z" SessionIndex="_9d5302b9-a20a-4890-aa3f-688e8943605f">
			<saml2:AuthnContext>
				<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
			</saml2:AuthnContext>
		</saml2:AuthnStatement>
		<saml2:AttributeStatement>
			<saml2:Attribute FriendlyName="employeeNumber" Name="employeeNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml2:AttributeValue xsi:type="xsd:string">116924</saml2:AttributeValue>
			</saml2:Attribute>
		</saml2:AttributeStatement>
		<saml2:AttributeStatement>
			<saml2:Attribute FriendlyName="nlEduPersonHomeOrganizationId" Name="nlEduPersonHomeOrganizationId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml2:AttributeValue xsi:type="xsd:string">90LB00</saml2:AttributeValue>
			</saml2:Attribute>
		</saml2:AttributeStatement>
		<saml2:AttributeStatement>
			<saml2:Attribute FriendlyName="bpInstellingId" Name="bpInstellingId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
				<saml2:AttributeValue xsi:type="xsd:string">15415</saml2:AttributeValue>
			</saml2:Attribute>
		</saml2:AttributeStatement>
	</saml2:Assertion>
</saml2p:Response>

I’ve used this plugin to successfully configure a connection between a private portal and an SSO service provided by a third party subject. Everything worked perfectly without flaws but due to a tech switch we moved from the apache-based environment to an nginx one.

Then the plugin stopped working properly. These are the steps that lead to the error:

• [my site] click on a “authenticate” button
• [third party service site] insert username and password
• [my site] correct fallback to the declared page but the authentication goes wrong with this weird message: User is not authenticated with SAML IdP. Reason: The response was received at https://www.my-portal.example/my-login.php instead of https://www.my-portal.example/my-login.php

Basically the system is telling me that the matching urls (for some reasons) are not matching! Is something related to NGINX port forwarding adjustments? Thanks

Hello,

I configured simplesamlphp as a sp to connect to our saml2 univ idp, the connection test is working.

Now I would just like to use WP SAML Auth to enable a reserved access to our wordpress website (just viewing) and leave the wp-admin access withour using sso (and just keep the local accounts). Can you tell me if it’s possible and how i can configure that? Because without plugin and just an autoload config in index.php is not working

Thank you very much

Since installing WP SAML Auth, our Events Calendar plug in can not verify the API in order to function properly. Is there an Allow list or known fix for this?

How can I replace the login for front end? Esp woocommerce? they have their woocommerce-esque “/my-account” page. Is there a way to attach this login to that page?

Project Requirement: Custom Redirect URL After Successful Login

For one of our projects, we aim to enhance user experience by allowing administrators to specify a custom redirect URL for users after a successful login.

Proposal: Add Custom Field to WordPress Settings

We propose adding a custom field to the WordPress Settings section. This field would enable administrators to define the URL to which users will be redirected upon successful login.

Current Implementation: Limitations

The existing documentation references a redirectTo parameter, which is promising. However, our investigation reveals that this parameter is not currently customizable by administrators.

Action Plan: Enhancing Administrator Control

Our objective is to empower administrators to determine the post-login redirect URL. To achieve this, we will explore avenues to make the redirectTo parameter configurable through WordPress Settings.

Next Steps: Development Considerations

1. Code Review: Examine the existing codebase, focusing on the redirectTo parameter and its implementation.
2. Custom Field Addition: Integrate a customizable field within the WordPress Settings interface to capture the desired redirect URL.
3. Backend Modification: Adjust the backend logic to utilize the administrator-defined redirect URL when processing successful logins.
4. Testing: Testing will be conducted to ensure seamless functionality and compatibility with various scenarios on our project site.

SimpleSAMLphp Documentation

ReturnTo (string) The URL the user should be returned to after authentication. The default is to return the user to the current page.

Note : The URL returned by this function is static, and will not change. You can easily create your own links without using this function. The URL should be:

…/simplesaml/module.php/core/login/?ReturnTo=

• This topic was modified 10 months ago by Rok Megli?.

Hello:

I am running a sub-directory based WP-Multisite with approx 300+ sub-sites. We are attempting to use the plugin with our Google SSO SAML login.

Would I require a separate .pem file in my root directory for each site I want to lock down with SAML, or would a .pem file from Google SSO have to contain information about the sites that need to be locked down?

Right now we have it working in the root directory, but if I activate the plugin in a sub-directory based subsite such as https://website.com/subdirectoy-site/ I get an error “Error: app_not_configured_for_user“.

Thanks for reading.

Hi,

We are using the WP SAML AUTH plugin to login to the application. In this plugin, we are getting the following error message when logging in to the application:

Fatal Error message: Uncaught Exception: Detected use of DOCTYPE/ENTITY in XML, disabled to prevent XXE/XEE attacks in wp-content\plugins\wp-saml-auth\vendor\onelogin\php-saml\src\Saml2\Utils.php:98

Application details:
WordPress Version: 6.3
Php Version: 8.1.24
Apache version: 2.4.56

Please help us to resolve this issue.

• This topic was modified 1 year ago by meenasekar.

Hi, is there a way to add another attribute under Attribute Mapping and have it populate from the user’s information? With their website for instance?

Hello Team,
Once installed the plugin I got this error ” WP SAML Auth wasn’t able to find the SimpleSAML_Auth_Simple class. Please check the simplesamlphp_autoload configuration option, or visit the plugin page for more information.”

how can I fix it?

• This topic was modified 1 year, 3 months ago by priyankac.

We are trying to see if we can do SSO in conjunction with AzureAD. I have entered each value in the settings on the plugin and AzureAD side, but the button for login does not appear on the login screen.
When testing from AzureAD, there is no error, but the user page does not sign in and the login screen is displayed.
To begin with, is this plugin compatible with AzureAD?
Also, is it possible to investigate the cause?

Hi All,

We need a help with by passing the SSO .

The requirement is like this for a particular request we have to do it.

Flow is like this

1. We get the particular request X with a token Y, (The token is constant always)
2. When we get the Y token we need to bypass the SSO and wordpress login page so that the request can access the application directly. (The frontend mainly)

The above points should only be applicable for a particular request.

The SSO functionality should work as it should for other users and requests.

Do we have any specific hook or configuration settings which can help us achieve this?

Please let us know. Thanks.

Our SAML certificate expired and we are now not able to login to the WordPress Admin. How can we update the metadata file in the CMS?

• This topic was modified 1 year, 7 months ago by dejamnesia.

In Version 2.1.2, it appears that the vendor folder was not included, causing issues so that no login is possible.

Including vendor folder from version 2.1.1 solves the issue.

I’ve got this working to log users in but if I kill the session or it passes the session expire time set by SimpleSAML the WordPress session stays active. Is there a function I can call to check whether the SAML session has expired or has been revoked through SimpleSAML? If there is I can set a transient and check the session every 5 minutes or so.

I am using this plugin to login in to the admin page with the help of button. Now I am creating a login authentication API with the default username and password. Is it possible to use the default wordpress user name and password for login into the website.

I have tried to login into the website. But it is failing to get the success.

Trying to setup an ADFS as IDP using this plugin and saw that simplesaml has a SimpleSAMLphp adfs module but it seems the SimpleSAML usage is not straightforward and not yet well documented. We are wondering if it is possible to get it configured or if this might be a Feature Request?

Thanks!

I have an email alias. I’d like to use this to login into a WordPress site instead of my primary email.
Is it doable?
Thank you!

Recently simplesamlphp has been upgraded to 1.19.6 from 1.19.1, we placed all needed certs, metadata, config files and applied all folder permissions and it is not working at all. after entering login credentials site is giving following error.

Warning: require_once(/www/proj/simplesaml/lib/_autoload.php): failed to open stream: Permission denied in /www/proj/html/wp-content/plugins/wp-saml-auth/inc/class-wp-saml-auth.php on line 89

Fatal error: require_once(): Failed opening required '/www/proj/simplesaml/lib/_autoload.php' (include_path='.:/usr/share/pear:/usr/share/php') in /www/proj/html/wp-content/plugins/wp-saml-auth/inc/class-wp-saml-auth.php on line 89
There has been a critical error on this website. Please check your site admin email inbox for instructions.

Learn more about troubleshooting WordPress.

Also when I tried to open sites simplesaml/ page it is giving 403 forbidden access error.

Hi,

How do you give admin access to developers without creating an ID in Google?

I would like to avoid leaving the WP login active, but also I need to be able to login. Ideally, connecting 2 iDP (even though both Google) would work well as we are on GSuite too.

Any suggestions?

Hello,

does the Plugin generate an XML file with metadata for the idP?
I need this to ensure a safe connection or a connection at all.

The data I need are for example entityID, certificate and binding-URLs.

Or is it possible to get the information out of the plugin files?

Best regards
Michael

When activating this plugin, we get the following error:

WP SAML Auth wasn't able to find the SimpleSAML_Auth_Simple class. Please check the simplesamlphp_autoload configuration option, or visit the plugin page for more information.

Looking at the support tickets, whenever SimpleSAMLphp is mentioned, it is recommended to use the OneLogin bundled version which doesn’t have SimpleSAML_Auth_Simple.

How do you proceed with the scenario?

The OneLogin SAML library has two config exammples (in vendor/onelogin/php-saml) – a basic one, and an advanced one. This plugin exposes (most of) the basic settings, but before my current project goes to production I suspect I’ll need to enable a few of the advanced ones.

(advanced_settings_example.php has lots of additional security settings, including what looks like the ability to sign SAML requests, and to specify the location of a SP-side cert/key, which my identity team is likely to require.)

There’s a wp_saml_auth_option filter but I’m not sure if it only affects the config values specified in the wpsa_filter_option function right above it, or if I can use it to set other arbitrary configuration settings that aren’t part of the plugin’s GUI. i.e. I’m not sure where all the different configurations are collated and presumably handed off to some part of the OneLogin library. (Does that all live in internal_config?)

Is it even possible to add other/arbitrary OneLogin config settings via this plugin, or am I getting too crazy? I apologize for what is probably a beginner-level question, but I’ve been staring at code for hours and I’m still not “getting it”.

I feel like I am missing a step somewhere. I have simplesamlphp installed and confirmed I am able to go to the IDP, login and retrieve attributes through their interface. I have the filters set for the plugin correctly to use simplesamlphp (I believe).

But when I try to log in I get the invalid provider specified error code. I feel like I’m missing one small step, any ideas?

As part of a possible migration from the Shibboleth plugin to this one (which in turn is part of a possible hosting migration), I’m working on replicating functionality of the old Shibboleth plugin.

Right now, Shibboleth’s SAML implementation can handle whatever arbitrary data are included in the IdP’s response, and exposes them as elements under $_SERVER. (Example: My IdP’s SAML responses include not only names and email addresses, but some org-specific information like department, sometimes employee ID, sometimes AD group memberships, and so on.) Then I can just query $_SERVER[‘ADGroups’] or $_SERVER[‘PrimaryRole’] or whatever other arbitrary data are coming in.

(Part of that is the Shib daemon’s attribute map, so if this plugin can only get urn:oid: style field names instead of friendly names, that’s an understandable limitation. Probably depends on whether the IdP sends friendly names in its responses.)

In at least a few specific cases, this plugin can do that, since that’s what the “Attribute Mappings” settings are — you put in the ID of an element in the SAML response, and it’s used for a WordPress-specific thing (like first name or email address). But I’d like to be able to extend that to other fields that might be received in the response. My ideal would be that every attribute from the SAML response gets populated right into $_SERVER for compatibility, but I could be talked into a different implementation. Any suggestions on how to approach this?

I am trying to get the plugin configured to find my idP’s x509 certificate. I see that it needs to be not web accessible. Do I simply add the certificate to a www.ads-software.com directory somewhere? How and where do I add it so that it is findable by the plugin?

Thanks,
Matt

Hi team,

When users log out of our eCommerce store they get redirected to this URL starting with: https://deu.authpoint.watchguard.com/spInitiated?isLogout=true&accountId=

I’d like that they end up on our homepage. Could you please advise?

Thanks,

Elena

Hello,

Thank you for this plugin.

It seems that the composer requires PHP 7.4. The file wp-saml-auth/vendor/composer/platform_check.php contains this check:

if (!(PHP_VERSION_ID >= 70400)) {
    $issues[] = 'Your Composer dependencies require a PHP version ">= 7.4.0". You are running ' . PHP_VERSION . '.';
}

Is it possible to regenerate the file platform_check.php or disable it?

Thanks in advance.

Hi there,
awesome job with this plugin. I did the setup with Google Workspace and is working fine. I was wondering if there is a way to remove the sign in button from the wp-login page. I just want my google workspace users to login with the SAML app in their Google Dashboard.
Thank you so much
Have a great day

Has anyone successfully used this plugin with a Keycloak server? We’ve been spinning our wheels for a few weeks trying to get the settings right, with no luck.

Would love to chat with someone who’s made it work.