Use with ADFS
-
Hi,
I am planning on using this plugin to provide an SSO solution using an existing ADFS implementation. However, being new to WordPress, have you any information on setting up the relying party in ADFS? Is there a URL that provides the federation metadata from my new WordPress site, or a method of downloading this so it can be imported, or would I have to specify the relying party service URL and relying party trust identifier manually? I’m a little unsure as to what this information would be when using this plugin.
Thanks
https://www.ads-software.com/extend/plugins/saml-20-single-sign-on/
-
Hi Keith,
There was a network issue between my ADFS machine and wordpress installation which took time to resolve. Now I can access the federation metadata directly in my ADFS box browser.
However, when I try to do step 14, it never gets past it and I get this error:
“An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid federation metadata endpoint.
Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS 2.0 Troubleshooting Guide (https://go.microsoft.com/fwlink/?LinkId=182180).
Error message: The underlying connection was closed. An unexpected error occurred on a send.”
Do you think my Entity URL could be wrong? I can see the xml alright when I access the URL. How to make sure the URL is correct?
Many thanks.
Hi Guys,
I’m new to WordPress and would like to shoot you some questions regarding the setup that I’m currently doing. At the moment, I have an identity provider and it is set up in Salesforce, and I would like to know if I need to set up the Identity Provider in the WordPress site or just the Service Provider?
Your prompt response is greatly appreciated.
Thank you.
You need to fill out both the Identity & Service Provider tab using the SAML 2.0 plugin.
Hi Markphipps,
ok. I have the certificate and metadata generated by Salesforce, however I’m not sure what values to fill in for the Identity Provider and Service Provider tabs. Will the certificate and metadata be enough to configure it? I’m not sure of the values that I’ll put in.
Thank you very much for your prompt response.
This didn’t work for me on a WordPress site hosted on Windows Azure Web Sites.
When I chose a certificate, or had one created automatically, the boxes on the general tab disappeared, and I got errors on the metadata page about not finding the key file. On the Service Provider tab, there is no link to download the key file, or any indication that a key file has been specified.
There is no apparent way to remove the certs and start clean.
After deleting the plugin and its upload directory and attempting again, I got a little closer. By using the /adfs/ls/IdpInitiatedSignOn.aspx page, I was able to select my service provider, was prompted for credentials, and then was redirected to the home page of the blog (not /wp-admin), in a logged out state. When attempting to change the url to /wp-admin, I get the error that my password is not correct for the account I am logging in with. I had pre-created a WordPress user with the same username and email address as my AD account.
Yes, it sounds like the certs didn’t get generated correctly. If you can, delete the certs from the server. If openssl isn’t installed, the certs won’t get generated correctly. Also, file permissions are usually a problem.
First off, don’t pre-create the user. It will fail to create the user if an identical email address already exists in the system. Start without any users. Secondly, check to see that you’ve set the claim rules in your ADFS configuration. One I missed in the initial setup was the SAM Account Name -> NameId rule.
Hope this helps,
Mark
Greetings,
I’ve been trying to configure SSO between my blog and ADFS 2.1 on Server 2012 R2 (which Microsoft says should be fully compliant with SAML 2.0).
In the plugin configuration page, all checks are green, and everything appears to be configured properly.
When I try to log in to my blog, I am properly redirected to my SSO page. I am prompted again for credentials (which probably shouldn’t be happening), then redirected back to my blog. At this point, I’m getting an error message:
If you report this error, please also report this tracking number which makes it possible to locate your session in the logs available to the system administrator: b56e2410b0
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /home/web/a/amerisurg.com/www/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:180 (N/A)
Caused by: sspmod_saml_Error: Responder
Backtrace:
3 /home/web/a/amerisurg.com/www/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/lib/Message.php:371 (sspmod_saml_Message::getResponseError)
2 /home/web/a/amerisurg.com/www/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/lib/Message.php:498 (sspmod_saml_Message::processResponse)
1 /home/web/a/amerisurg.com/www/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/www/sp/saml2-acs.php:75 (require)
0 /home/web/a/amerisurg.com/www/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:135 (N/A)
Any idea where I should go from here? I’m not terribly proficient with ADFS or any kind of PHP scripting, so I’m kind of at a loss here.
Thanks for any advice.
SimpleSAMLPHP has pretty atrocious error dumping. If you can inspect the network traffic of the whole process (I use Chrome’s built-in inspector), you should find a couple of Base64-encoded XML payloads. If your ADFS server is triggering an error, it would likely be indicated in one of those responses.
My ADFS server is throwing an error that includes the following:
Microsoft.Identity.Model.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0037: No signature verification certificate found for this issuer.
Perhaps this is a certificate problem? I did have some trouble using the built-in “Generate a new certificate and private key for me” option: it only makes available the certificate for download, not the private key. Because I couldn’t get this to work, I created a self-signed cert using IIS, and converted it to the cer and key that your SSO plugin did appear to accept.
Should the certificate be the same as the one I use for my SSO portal?
With regards to the XML payload, I think this is what you’re looking for?
Yes, “SAMLResponse” is the field of interest in what you pasted.
If you’re trying to do SP-first logins (which it seems that you are), then you need to provide the certificate that resides on the WordPress server to ADFS. You would do this on the “Signature” tab of the Relying Party Trust properties window. Without this certificate, ADFS can’t verify that login requests are coming from your WordPress server and not somebody else’s.
Well, setting the signature certificate seems to have addressed that particular error message. Now I’m getting this on my ADFS server:
The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format:urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: . Actual NameID properties: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier: SPNameQualifier:, SPPProvidedID: .
SimpleSAMLPHP is giving me errors about:
Requester/InvalidNameIDPolicy
To me, this seems like my ADFS server is not responding properly, and is not sending the proper claims format in response to the request. But I find this strange, since I have the two rules you specified above both configured on my Relying Party Trust.
One thing is not clear to me: On the Service Provider tab of your plugin, there are three NameID Policies: SAML 1.1:emailaddress, SAML 2.0:transient and persistent. Which one should I be using?
Any other insights? Assuming that I can ever get this set up completely, I’ll definitely do up a how-to on my blog and post a link to it here.
Well, I’m making progress. With some hacky workarounds, I’m able to get logged in using some testing accounts. I’m going to keep debugging here, and I’ll post back if/when I get this fixed.
For the record, my problems appear to stem from the fact that my site has a built-in redirect to SSL on the login page. The problem I’m seeing is that the redirect is keeping WordPress from logging in completely after I return to my site from the SSO portal.
I’ve always used transient and this answer (https://social.msdn.microsoft.com/Forums/vstudio/en-US/ea5efcff-4221-4af1-b434-4be5245cb0fa/nameid-policy-could-not-be-satisfied) when interacting with ADFS. Let me know if that helps.
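Decoding the SAMLResponse field that the replies above suggest inspecting, and checking the NameID format it carries against the policy the SP requested, as an added example that is not part of this thread or of the plugin (the issuer URL and both sample responses are constructed; the helper reports on the response but does not validate its XML signature):

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def inspect_response(saml_response_b64, requested_format=TRANSIENT):
    """Decode a SAMLResponse form field and summarise what the IdP sent back.
    Diagnostic only: reports status, issuer, NameID format and whether a
    ds:Signature element is present; it does not validate that signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    nested = status.find(f"{{{SAMLP}}}StatusCode") if status is not None else None
    issuer = root.find(f"{{{SAML}}}Issuer")
    name_id = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    actual_format = name_id.get("Format") if name_id is not None else None

    def short(code):  # "urn:...:status:Responder" -> "Responder"
        return code.get("Value").rsplit(":", 1)[-1] if code is not None else None

    return {
        "issuer": issuer.text if issuer is not None else None,
        "status": short(status),      # Success, Responder (IdP-side error), Requester
        "substatus": short(nested),   # e.g. InvalidNameIDPolicy nested under Requester
        "signed": root.find(f"{{{DS}}}Signature") is not None,
        "nameid_format": actual_format,
        "nameid_ok": actual_format == requested_format,
    }

# Constructed samples, not captured traffic. First: the shape of an ADFS error
# reply, status Responder with no assertion (signature contents omitted).
RESPONDER_ERROR = base64.b64encode(b"""<samlp:Response ID="_r1" Version="2.0"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sso.example.test/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>
</samlp:Response>""")

# Second: a success reply carrying a SAML 1.1 emailAddress NameID, which does
# not satisfy an SP that requested the SAML 2.0 transient format.
EMAIL_NAMEID = base64.b64encode(b"""<samlp:Response ID="_r2" Version="2.0"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sso.example.test/adfs/services/trust</Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</NameID>
</Subject></Assertion></samlp:Response>""")
```

Paste the SAMLResponse value copied from the browser's network inspector into `inspect_response` to see at a glance whether ADFS returned an error status or a NameID format the SP did not ask for.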
I have people trying to do something similar and think we might’ve run into the same problem as Roquefort. Here is the email thread between our development team and our IT administrator:
——————————————
Team:
Plugin SAML 2.0 Single Sign-On is already active on website:https://marketing.geneca.com/
It goes to ADFS server to authenticate and log in. The plugin took access control of the wp-admin.
We need your credentials to access here:
adfs.geneca.com
Please send over that info.
IT Admin:
I am not able to login via ADFS either, since the other developers that were working on the SAML never provided me the url that contained the federation information for me to use to create the relying party on my ADFS server.
I have removed the plugin. Please reinstall the SAML plugin. Once you configure the site, please send me the “Your Entity ID” url.
Our ADFS federation URL is https://adfs.geneca.com/FederationMetadata/2007-06/FederationMetadata.xml
Team:
Your Entity ID: https://marketing.geneca.com/wp-content/plugins/saml-20-single-sign-on_old/saml/www/module.php/saml/sp/metadata.php/1
IT Admin:
Tried the link, but it does not work. Looks like the plugin was associated to the old plugin that was scheduled to be removed.
Might need to redo the plugin.
————————————————
Any help you can offer would be greatly appreciated as we’ve been struggling with these issues for about a month now.
lissette.tuminello: the Entity ID you sent your IT team is broken, for the reason they presumed. I was able to find your metadata at this URL, however, which is the one registered in ADFS:
https://marketing.geneca.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/metadata.php/1
It sounds like you’re still having basic trouble getting ADFS and the WordPress site to be aware of one another, though. While you’re testing, I would recommend logging into WordPress using the IdP-initiated flow. That is, go to https://adfs.geneca.com/adfs/ls/IdpInitiatedSignon.aspx and sign in from there. This is a little less complicated from a SAML perspective, and can help you ensure that your basic configuration settings like claims and claims rules are being sent properly.