Viewing 15 replies - 31 through 45 (of 48 total)
  • Plugin Author ktbartholomew

    (@ktbartholomew)

    For not being able to log in:
    Always keep another browser open and logged in to the WP dashboard while first testing the plugin. If SAML login isn’t working, you can use this session to disable it until you can figure out the problem.

    For password not correct error:
    You can’t have a SAML user with the same username as an existing WordPress user.

    For new user error message:
    You have to specify the permissions WP should assign SAML users. (I usually do this by group membership) You can also make SAML users that don’t match one of your prescribed groups subscribers.

    Thread Starter ShrikantBhagwat

    (@shrikantbhagwat)

    Unfortunately, we forgot to keep a session open. How do we salvage this?
    Let me know ASAP

    Plugin Author ktbartholomew

    (@ktbartholomew)

    Thread Starter ShrikantBhagwat

    (@shrikantbhagwat)

    Does a user (from SSO) need to be part of a particular group to sign in by SAML?

    Thread Starter ShrikantBhagwat

    (@shrikantbhagwat)

    Hello

    In Groups Section of “Service Provider”:

    Administrator Group Name:
    Editor Group Name:
    Author Group Name:

    Do we need to fill these boxes with our LDAP group name located on the Identity Provider?
    Will we need the Group Attribute of users in the SAML assertion?
    Please advise ASAP.

    Plugin Author ktbartholomew

    (@ktbartholomew)

    Yes, most IdPs support sending a list of groups as a claim. If you’re testing with one of your own accounts, enter the name of a group you belong to in the “Administrator Group Name” field.

    Thread Starter ShrikantBhagwat

    (@shrikantbhagwat)

    Here is the error I am getting
    The website administrator has not given you permission to log in.

    Here is my SAML assertion:

    [Moderator Note: Excessive code moderated. Please post code or markup between backticks or use the code button. Or better still – use a pastebin.]

    The user “medhubsamltest” is member of the Group “MCIT-ISO-IDMT”

    In Service Provider TAB, The Administrators Group Name “mcit-iso-idmt”

    Still above issue. Please advise ASAP

    Plugin Author ktbartholomew

    (@ktbartholomew)

    The moderator removed your SAML assertion… You should heed their advice and post the code to pastebin or enclose it in the provided code tags.

    However, your assertion contains the entire DN of the group, not just the CN. Your field in the plugin should read: “cn=MCIT-ISO-IDMT,ou=groups,dc=med,dc=umich,dc=edu”.

    Thread Starter ShrikantBhagwat

    (@shrikantbhagwat)

    Your field in the plugin should read: “cn=MCIT-ISO-IDMT,ou=groups,dc=med,dc=umich,dc=edu”.

    Please clarify this.

    Am I supposed to edit the Service Provider tab in Single Sign-On in the web interface?
    I added Administrator Group Name: cn=mcit-iso-idmt,ou=groups,dc=med,dc=umich,dc=edu

    But no effect.
    Please advise ASAP

    Plugin Author ktbartholomew

    (@ktbartholomew)

    That field is case sensitive. Stop lowercasing the group name. It should read “cn=MCIT-ISO-IDMT,ou=groups,dc=med,dc=umich,dc=edu” exactly.
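Added example, not part of the thread or the plugin's code: a small offline check that reads the group attribute out of a captured assertion and reports why a configured group name does or does not match, covering the two mistakes discussed above (CN instead of full DN, and wrong case). The sample assertion is constructed; the attribute name `groupMembership` is the one the thread starter later reports using, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the AttributeStatement of an assertion, built from
# the group DN and attribute name quoted in this thread.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groupMembership">
      <saml:AttributeValue>cn=MCIT-ISO-IDMT,ou=groups,dc=med,dc=umich,dc=edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def group_values(assertion_xml, attribute_name):
    """Return every value the IdP sent for the named attribute.

    Intended for troubleshooting an assertion you captured yourself; it does
    not validate the signature and must not be used to make login decisions.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            values += [(v.text or "").strip()
                       for v in attr.iterfind("saml:AttributeValue", NS)]
    return values

def diagnose(configured, sent):
    """Explain how a configured group name relates to the values sent."""
    if configured in sent:                      # exact, case-sensitive match
        return "match"
    if any(configured.lower() == v.lower() for v in sent):
        return "case mismatch"
    # Naive first-RDN split; does not handle escaped commas inside an RDN.
    rdn = "cn=" + configured.lower()
    if any(v.lower().split(",")[0] == rdn for v in sent):
        return "CN only, IdP sends full DN"
    return "no match"

if __name__ == "__main__":
    sent = group_values(SAMPLE_ASSERTION, "groupMembership")
    for name in ("mcit-iso-idmt", sent[0].lower(), sent[0]):
        print(f"{name!r}: {diagnose(name, sent)}")
```

Only the exact, case-sensitive comparison corresponds to what the plugin author describes; the looser comparisons exist to explain a failed login, not to grant a role.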

    Thread Starter ShrikantBhagwat

    (@shrikantbhagwat)

    It is set as
    cn=MCIT-ISO-IDMT,ou=groups,dc=med,dc=umich,dc=edu

    I hope no quotes are necessary. Please clarify.

    Thread Starter ShrikantBhagwat

    (@shrikantbhagwat)

    We got it working. Changed the attribute to be used for Groups “groupMembership” in Service Provider Tab.

    How logout is causing the error
    We log out by the following URL:

    https://p-weblogin.med.umich.edu:8443/nidp/app/logout

    How can we do it?

    Thread Starter ShrikantBhagwat

    (@shrikantbhagwat)

    We get the following error after pressing the logout button:

    Error:A request for logout could not be completed. (No binding set for LogoutResponse-31DE48E3C3946D8E)

    Any advice?

    Thread Starter ShrikantBhagwat

    (@shrikantbhagwat)

    <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                         ID="_9dde2f0c974408153b1224b79d25bb3b56c9df0194"
                         Version="2.0"
                         IssueInstant="2014-01-28T19:14:38Z"
                         Destination="https://p-weblogin.med.umich.edu:8443/nidp/saml2/slo">
      <saml:Issuer>https://cworblog.med.umich.edu/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/metadata.php/1</saml:Issuer>
      <saml:NameID NameQualifier="https://p-weblogin.med.umich.edu:8443/nidp/saml2/metadata"
                   SPNameQualifier="https://cworblog.med.umich.edu/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/metadata.php/1"
                   Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">c4ihmV7u57qgzrvtmMqw7ZbBsOKfyrnnoN237A==</saml:NameID>
      <samlp:SessionIndex>idt5h-P5vavMFH6hY5vDi.IDBFYVA</samlp:SessionIndex>
    </samlp:LogoutRequest>

    Thread Starter ShrikantBhagwat

    (@shrikantbhagwat)

    Any help with logout? I have not heard from you.
    Let me know.

  • The topic ‘Generating Metadata for IDP’ is closed to new replies.