Tags: wordpress, single-sign-on, simplesamlphp, adfs3.0

Invalid NameID policy for wordpress


I have the following setup:

Windows 2012 R2 with ADFS 3.0. WordPress set up as SP (relying party trust) and SimpleSAMLphp as IdP (claims party trust).

I want to authenticate WordPress users with the help of SSP. The control flow is: the user logs in to WordPress. The page then takes the user to the list of IdP providers configured on the ADFS server. The user chooses SSP. The user is authenticated with SSP and the response is sent to ADFS, which in turn passes the information to WordPress.

I have configured all the relying & claims parties & it works well individually (WP-ADFS, ADFS-SSP), but when I try to authenticate WP with SSP it gives me the error: The SAML authentication request had a NameID Policy that could not be satisfied.

I have the rules set up as follows. Claims party rule:

Transform an incoming rule: NameID transient to Windows account name

Relying party rule:

Rule 1:

LDAP rules: SAM-Account-Name->Windows account name, E-Mail-Addresses-> Email Address

Rule 2:

Transform an incoming claim: Windows account name-> NameID Transient Identifier

I have just started working with SSO on Windows Server, so I don't know much about claims rules, & I guess that there might be something wrong with them, as individually all the modules are working fine (e.g. WP as SP and ADFS as IdP, ADFS as SP and SSP as IdP).

What exactly am I doing wrong?

Please also let me know if I have missed out on any details.

Thanks!


Solution

  • The first step is to figure out what NameID Policy is being requested. Install SAML Tracer in Firefox and run through your flow. You'll see the AuthnRequest may have a NameIDPolicy listed (example: `<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />`).

    Once you know what NameID is needed, you can try to configure WordPress to accept a different type (SSP uses urn:oasis:names:tc:SAML:2.0:nameid-format:transient by default) or configure SSP to release the NameID in the expected format.

    Here is an example of using authproc in SSP to use the mail attribute for the NameID:

    ```php
    // Authentication processing filter for the hosted IdP (typically in
    // metadata/saml20-idp-hosted.php, inside the IdP's metadata entry).
    // saml:AttributeNameID builds the NameID from the named attribute.
    'authproc' => array(
        60 => array(
            'class' => 'saml:AttributeNameID',
            'attribute' => 'mail',
            'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        ),
    ),
    ```


    There are other NameID generation filters documented.
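As an added example (not part of the original answer or of SimpleSAMLphp), the check that SAML Tracer lets you do by eye, in script form: decode a SAMLRequest query parameter, pull out the NameIDPolicy Format, and compare it with the NameID formats the IdP is configured to issue. The AuthnRequest below is constructed for the example, not captured from a real ADFS or SSP deployment.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample AuthnRequest; not a capture from a real deployment.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z">'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" '
    'AllowCreate="true"/>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_binding(xml_text):
    """Build a SAMLRequest value as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_saml_request(param):
    """Decode a SAMLRequest parameter from either binding."""
    raw = base64.b64decode(param)
    if raw.lstrip().startswith(b"<"):  # HTTP-POST binding: base64 only, plain XML inside
        return raw.decode()
    return zlib.decompress(raw, -15).decode()  # HTTP-Redirect binding: inflate first


def requested_nameid_format(xml_text):
    """Return the Format of samlp:NameIDPolicy, or None when the request carries no policy."""
    policy = ET.fromstring(xml_text).find("{%s}NameIDPolicy" % SAMLP_NS)
    return None if policy is None else policy.get("Format")


def policy_satisfiable(requested, supported):
    """True when the IdP can honour the requested format; no policy or 'unspecified' means any."""
    if requested is None or requested == UNSPECIFIED_FMT:
        return True
    return requested in supported


def diagnose(param, supported):
    """One-line verdict for a captured SAMLRequest parameter against the IdP's formats."""
    fmt = requested_nameid_format(decode_saml_request(param))
    verdict = "OK" if policy_satisfiable(fmt, supported) else "MISMATCH"
    return "%s: requested=%s supported=%s" % (verdict, fmt, sorted(supported))
```

Paste the SAMLRequest value shown by SAML Tracer into `diagnose` together with the formats your IdP actually releases; a MISMATCH is the condition behind the "NameID Policy that could not be satisfied" error.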