WordPress Single Sign On using SSP and ADFS as IdP proxy


I have configured Windows 2012 r2 with ADFS 3.0, bitnami WordPress (4.2.2) with SAML 2.0 Single Sign on plugin and Ubuntu server with SimpleSAMLphp 1.13.

WordPress configuration looks like this:

WordPress NameID policy: [screenshot]

WordPress attributes: [screenshot]

As the authentication source I am using SSP's file module. It has these attributes:

User-Name for the user id, mail for the user's email address and Filter-Id for the user's group.

On the ADFS side, I have configured the claims provider trust as SSP and the relying party trust as WP.

The claim rules for those are:

SSP:

Rule 1: To transform the NameID policy. If this rule is not set, WP's SSP gives a "NameIDPolicy invalid" error.

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

Rule 2: Pass all the claims

c:[Type == "https://example.com/simplesamlphp/saml2/idp/metadata.php"] => issue(claim = c);

WordPress:

Rule 1: Convert the name attribute to WP's attribute

c:[Type == "User-Name"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = c.Value);

Rule 2: Convert the mail attribute

c:[Type == "mail"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress", Value = c.Value);

Rule 3: Convert the group attribute

c:[Type == "Filter-Id"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/Group", Value = c.Value);

Rule 4: Convert to Givenname attribute

c:[Type == "User-Name"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/givenname", Value = c.Value);

Rule 5: Convert to Surname attribute

c:[Type == "User-Name"] => add(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/surname", Value = c.Value);

Rule 6: Convert the NameID policy & issue all claims

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

The user gets authenticated fine (SP/IdP-initiated). But on the WP side I get an error saying "Username was not provided".

The ADFS tracer log shows me: "SSO token is null or empty. Cannot write SSO token to Cookies."

I checked the IdP for the user login and it shows the user logged in. The tracer log also shows: "Valid assertion returned from 'https://example.com/simplesamlphp/saml2/idp/metadata.php'"

I guess there is something wrong with the claims rules, but I am not sure because the configuration looks and works fine.


Solution

So the chain is WP --> ADFS --> SSP

Normally for NameID, you use a transform rule e.g.

Transform email to NameID with a format of email.

For the CP, you need pass-through rules for each attribute.

This rule "c:[Type == "https://example.com/simplesamlphp/saml2/idp/metadata.php"] => issue(claim = c);" does not pass through all rules - best to do them individually.

The RP rules look right but the NameID rule has a format of email so it should be derived from email, not name.
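The advice above applied with the ADFS PowerShell cmdlets, as an added example that is not part of the question or the answer: the trust display names "SSP" and "WP" and the rule text itself are assumptions built from the claim types shown in the question.

```powershell
# Added example (not the asker's or answerer's config). Assumes the claims provider
# trust is named "SSP" and the relying party trust "WP"; run in an elevated
# ADFS PowerShell session on the federation server.
Import-Module ADFS

# Claims provider trust (SSP): one pass-through rule per attribute. A rule keyed on
# the IdP entity ID as a claim Type matches no incoming claim, so nothing flowed.
$cpRules = @'
@RuleName = "Pass through User-Name"
c:[Type == "User-Name"]
 => issue(claim = c);

@RuleName = "Pass through mail"
c:[Type == "mail"]
 => issue(claim = c);

@RuleName = "Pass through Filter-Id"
c:[Type == "Filter-Id"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName "SSP" -AcceptanceTransformRules $cpRules

# Relying party trust (WP): map the attributes with issue() so they leave ADFS
# (add() only makes a claim visible to later rules), then derive the NameID from
# the email-address claim, matching the emailAddress format WP asks for.
$rpRules = @'
@RuleName = "User-Name to windowsaccountname"
c:[Type == "User-Name"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = c.Value);

@RuleName = "mail to emailaddress"
c:[Type == "mail"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress", Value = c.Value);

@RuleName = "Filter-Id to Group"
c:[Type == "Filter-Id"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/Group", Value = c.Value);

@RuleName = "emailaddress to NameID (email format)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@
Set-AdfsRelyingPartyTrust -TargetName "WP" -IssuanceTransformRules $rpRules
```

After applying, re-run the ADFS tracer and confirm the emailaddress claim reaches the RP rule set; if it is absent the NameID rule has nothing to issue and WP will still report a missing username.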