Another EDIT: It may be that this updated Plug-in is messing with the Groups plugin feature of automatically adding a group upon creating a new user. Any idea if there is code updates here between this version and version 2.5.0 that may have changed the behavior when creating an user?

EDIT: Sorry, I think this has to do with the WordPress Plugin 'Groups'. I've used that in the past along with SSO and this plug-in and it has always added 'Registered' as the default group upon signing in. With WordPress 4.9.7 and this latest version of onelogin wordpress SAML, it does not do that anymore.

Hello, on a new integration, Successfully created wordpress users are no longer being assigned 'Registered' in the group with WordPress 4.9.7.

Any ideas?

I've followed the instructions here:
https://support.onelogin.com/hc/en-us/articles/204353160-Configuring-SAML-for-WordPress

and:
https://support.onelogin.com/hc/en-us/community/posts/115009793326-Mapping-Wordpress-Roles

However the roles do not sync across. I've applied the CN setting per Steve's post, and selected multiple roles (which there are).

Is there anything I have missed in the setup of role syncing with the free version of OneLogin?

Hello !

I have been using your plugin successfully for a while it's great but there is a minor issue that I can't address, the site requires login so if you are not connected you will get to the service provider page :

• user gets a link (email, slack) for https://myblog.example.com/2018/04/12/look-at-this-funny-cat-picture
• user is redirected to https://myserviceprovider.example.com/idP/startSSO?test
• user fills out the form and successfully logs in
• user gets redirected to https://myblog.example.com/

At that point, my user gives up or click on the link from slack or email again. They mostly click again but it's not the best experience. I couldn't find any setting that keep (in a cookie?) the referrer and redirect, or I wonder if it's an issue on my implementation with the service provider.

Maybe there is a companion plugin that takes care of that part, either way, guidance welcome.

thanks a lot !

Hi @pitbulk , if I used the SSO library 2.3.0 contain in this plugin, I will get the following error when using the strict mode:
The response was received at https://mysite.com:80/wp-login.php instead of https://mysite.com/wp-login.php?saml_acs
There was at least one error processing the SAML Response: invalid_response
Contact the administrator

But if I use library version 2.4.0, the above error disappear. Any chance you will update this plugin using the latest SSO library?

Hi,
I have installed plugin as a SP and unable to find a URL on plugin which will receive the Logout Response from my IDP. Like there is an ACS Url to consume Assertion, what is the Url to consume Logout response, and does it support POST.
Also how to set up SP private key in plugin, I have dumped it in certs folder but it doesn't work.
Thanks.
Sumit

Hi there, could you please put latest version on WordPress.org, thanks!

Hello,
I am passing an attribute that is a flag for wordpresses 'remember me' feature.

In addition to:
Username
E-mail
First Name
Last Name
Role

To have a 'remember me' field to enact WordPresses, 'rememeber me' cookie, (which I think is a default of 14 days).

I would be happy to be a test subject for this if anyone has an idea on how to accomplish it.

Currently I am passing the attribute: 'auth_rememberme' with a value of 'yes'.

With the "Prevent change mail" option enabled, the "email" field in the profile becomes disabled. This results in that field not being passed through with the rest of the form on saving the profile, then WordPress complains that no email has been set (which is required).

The field should instead be set to readonly (https://www.w3schools.com/TAGs/att_input_readonly.asp), which will also grey out the field but still pass it through the form.

Thank you for the great plugin, it allows me to login to my ADFS successfully. However, when it is logging out, it does not pass the nameID and session index to the Logout request. Am I missing any settings?

It looks like the $blog_id variable used on line 268 here hasn't been defined yet. Or am I missing something in the greater context?

https://github.com/onelogin/wordpress-saml/blob/d8690ff33aada4573198cdd633c9bbdbb1dfcba6/onelogin-saml-sso/php/functions.php#L267-L278

At method onelogin_saml_configuration_render( )

Notice: screen_icon is deprecated since version 3.8.0 with no alternative available. in /var/www/onelogindemo/wordpress/wp-includes/functions.php on line 3842

Notice: get_screen_icon is deprecated since version 3.8.0 with no alternative available. in /var/www/onelogindemo/wordpress/wp-includes/functions.php on line 3842

Hi,

In order to allow more customization and to better fit standard Wordpress plugin development, It could be great to add some filters/actions within the plugin.

In my personal use, I needed to add filters before sending SAML request to configure the RelayState (in my case the relaystate is dynamic to handle redirection) and I add actions in the case of an authenticated user who can't access the app instead of getting a basic error.

If you think this issue is relevant, I can do the job.

Thanks for your work,

Sommy

Due to security reason, we normally store the sensitive information, such as private/public keys in environment variables, and not in the file nor database.

Are you able to extend the code to allow a developer to hook in to set the private/public keys?

I was considering submitting a pull request for a composer.json, which would make version.json obsolete and bring proper attribution to composer based builds including this plugin.

But I see the plugin is in a subfolder rather than the root, is this due to a build process or continuous integration system at onelogin? Or a custom dependency manager?

Hi,

Thanks for the plugin, it's very useful. But I have one problem while using this plugin. it doesn't login when you try it for the first time. We need to close the window twice or thrice and reopen it similar number of times to make it work. Please provide suitable suggestion on how to resolve this issue. Is there some configuration that i need to make on the WordPress code or is it issue with the SSO provider? need help urgently.

Thanks in advance.
Regards,

URLs to plugin files should use WordPress's plugins_url() function
instead of assuming the plugin is in the wp-content directory.

Paths to plugin files should be relative to the plugin directory, no
absolute paths that assume the plugin is in the wp-content directory.

Reported by Steelcase dev team.

Reported: https://wordpress.org/support/topic/nameidpolicy-always-set-to-urnoasisnamestcsaml11nameid-formatemailaddres

When using Query Monitor plugin a suppressed notice is displayed in the event log as follows:

add_contextual_help is deprecated since version 3.3.0! Use get_current_screen()->add_help_tab() instead.

Relevant file is here.

hi,

prerequisites:

1. the plugin is configured and working. SLO url ist set and SLO is enabled.

expected behavior:

1. user logs in via SSO
2. user is logged in the respective wordpress account
3. user logs out using the wordpress logout link
4. user gets logged out of the SSO
5. user returns to the wordpress page
6. user is also logged out from the wordpress account

observed behavior:

SSO service logout is performed, yet the user is still logged in the wordpress account. clicking on "logout" once more does not do the trick because it simply tries to log out again at the SSO provider.

Hi,
I have selected the option to Sign Auth request on the plugin and have dumped key and crt in the certs folder. But the plugin is sending the Signature as a Query parameter and not signing the Authn Request. I believe Signature should be present in the Authn request. Please suggest.
Thanks,
Sumit

The keys sent for the signature & digest algorithm are not in the correct format.

See pull-request #39 for details.

Any chance you can tag a new release with the latest code and push to WordPress's SVN for the repo https://wordpress.org/plugins/onelogin-saml-sso/

My IdP (Ipsilon attached to FreeIPA) doesn't provide an attribute for the username. Instead, the username is only transmitted as the NameID.

I'm currently using this hack, and it works for me:

diff --git a/onelogin-saml-sso/php/functions.php b/onelogin-saml-sso/php/functions.php
index 088d571..6fb95c8 100644
--- a/onelogin-saml-sso/php/functions.php
+++ b/onelogin-saml-sso/php/functions.php
@@ -165,9 +165,9 @@ function saml_acs() {
        setcookie(SAML_NAMEID_FORMAT_COOKIE, $auth->getNameIdFormat(), time() + YEAR_IN_SECONDS, SITECOOKIEPATH );
 
        $attrs = $auth->getAttributes();
+       $nameid = $auth->getNameId();
 
        if (empty($attrs)) {
-               $nameid = $auth->getNameId();
                if (empty($nameid)) {
                        echo __("The SAMLResponse may contain NameID or AttributeStatement");
                        exit();
@@ -186,6 +186,10 @@ function saml_acs() {
                }
        }
 
+       if(empty($username) && !empty($nameid)) {
+               $username = $nameid;
+       }
+
        if (empty($username)) {
                echo __("The username could not be retrieved from the IdP and is required");
                exit();

A sample SAML Response from my IdP looks like this:

<saml:Subject>
	<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://auth1.foo.de/idp/saml2/metadata">felix</saml:NameID>
	<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
		<saml:SubjectConfirmationData NotOnOrAfter="2018-07-21T23:29:03Z" Recipient="https://foo.de/wp-login.php?saml_acs"/>
	</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2018-07-21T23:27:03Z" NotOnOrAfter="2018-07-21T23:29:03Z">
	<saml:AudienceRestriction>
		<saml:Audience>php-saml</saml:Audience>
	</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2018-07-21T23:28:03Z" SessionIndex="_175871E9A671BF9518663375DFD78E04">
	<saml:AuthnContext>
		<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
	</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
	<saml:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
		<saml:AttributeValue>Kaechele</saml:AttributeValue>
	</saml:Attribute>
	<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
		<saml:AttributeValue>ipausers</saml:AttributeValue>
		<saml:AttributeValue>superadmins</saml:AttributeValue>
		<saml:AttributeValue>trust admins</saml:AttributeValue>
		<saml:AttributeValue>admins</saml:AttributeValue>
		<saml:AttributeValue>serveradmins</saml:AttributeValue>
	</saml:Attribute>
	<saml:Attribute Name="givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
		<saml:AttributeValue>Felix</saml:AttributeValue>
	</saml:Attribute>
	<saml:Attribute Name="gecos" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
		<saml:AttributeValue>Felix Kaechele</saml:AttributeValue>
	</saml:Attribute>
	<saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
		<saml:AttributeValue>Kaechele</saml:AttributeValue>
	</saml:Attribute>
	<saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
		<saml:AttributeValue>[email protected]</saml:AttributeValue>
	</saml:Attribute>
	<saml:Attribute Name="fullname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
		<saml:AttributeValue>Felix Kaechele</saml:AttributeValue>
	</saml:Attribute>
	<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
		<saml:AttributeValue>[email protected]</saml:AttributeValue>
	</saml:Attribute>
</saml:AttributeStatement>

There is probably a nicer and more correct way of doing this. Maybe someone has an idea?

what rule do i need to add to solve this: The username could not be retrieved from the IdP and is required
and what attribute name for the username?

Pull requests are showing failed tests as the travis builds are missing a travis.yml, triggering the default run which looks for a missing rake file

Hi guys, thank you again for this plugin. We've just upgraded to 2.4.2 and got this error: Reference validation failed in xmlseclibs.php line 923. I reverted it back to 2.4.1 and it works perfectly. Could you please help? Looks like it has something to do with this commit:

SAML-Toolkits/php-saml@39878dd

Hello guys, trying to integrate onelogin WP SAML plugin to F5 APM IDP. Working fine except the SLO method used when logout from WP is a GET and our IDP expect a POST. Anyway to change it ?

thanks for your help
arnaud

I may be doing something wrong in set up. I followed the Onelogin instructions for setting this plugin up

and am hitting the error

"That ACS endpoint expects a SAMLResponse value sent using HTTP-POST binding. Nothing was found"

when trying to hit the domain/wp-login.php?saml_acs endpoint. Turning on debug doesn't provide any further info. Please let me know what further info I can provide or if there's a better venue for solving this.

Thank you!

The Auth Validation page /wp-login.php?saml_validate_config when not authenticated leaks information about the plugin configuration because the initial page content is sent before the 401 HEADER is marked.

https://github.com/onelogin/wordpress-saml/blob/master/onelogin-saml-sso/php/validate.php

Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/wp-content/plugins/onelogin-saml-sso/php/validate.php:17) in /var/www/html/wp-content/plugins/onelogin-saml-sso/php/validate.php on line 20 Access Forbidden!

The plugin looks for the gettext library on the system rather than
using WP's translation mechanism. This adds an unnecessary dependency
and makes it more difficult to localize.

Reported by Steelcase dev team.

Hi,
according to Release Notes in Version 2.3.0:
= 2.3.0 =

• Add 'Keep Local login' functionality in order to prompt the normal login form + a SAML link instead of directly execute the SP-initiaited SSO flow

I enabled this setting but cannot see in Wordpress any SAML Link.
Where should this link be in /wp-admin.php?

It's not really appropriate, in the WP context, to load a separate
file first and then bootstrap WordPress from that file. In the
plugin's php/settings.php:

require_once(dirname(dirname(dirname(dirname(dirname(FILE))))) .
'/wp-load.php');

That's making a huge assumption about where to find the WP code. And
this file is included in multiple places in the plugin (validate.php,
metadata.php, functions.php, et al.).

Reported by Steelcase dev team.

My Idp returns xml without prefixes. The xml is still valid since the namespaces are declared.

The logout process is returning: SLS endpoint found an error.logout_not_success

The following seems to be the problem (LogoutResponse.php line 94) for the xml below:

$entries = $this->_query('/samlp:LogoutResponse/samlp:Status/samlp:StatusCode');

<LogoutResponse xmlns:samlp="urn:oasis:names:tc:saml:2.0:protocol" Destination="http://10.10.10.187/wp-login.php?saml_sls" ID="idb95d0f01f6cb4162909f8adc250c757e" InResponseTo="ONELOGIN_d53020fa00911a4035127612a86db7d981c0dd79" IssueInstant="2017-07-07T14:14:59.9824189Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">MySts</Issuer>
   <Status>
   <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </Status>
   </LogoutResponse>

Shouldn't this work? Seems to work for other SPs

Thanks

When trying to access the saml login, /wp-login.php?saml_acs, I keep getting a HTTP 500 error.
When coming from ADFS, I am able to login to the site but when trying to login via WordPress and saml, I cannot due to the error.

I am proving the error log below. Any help is greatly appreciated.

Error Log:
PHP Fatal error: Uncaught Exception: Failure Signing Data: - 1 in /wp-content/plugins/onelogin-saml-sso/php/extlib/xmlseclibs/src/XMLSecurityKey.php:500\nStack trace:\n#0 /wp-content/plugins/onelogin-saml-sso/php/extlib/xmlseclibs/src/XMLSecurityKey.php(580): RobRichards\XMLSecLibs\XMLSecurityKey->signOpenSSL('SAMLRequest=hZJ...')\n#1 /wp-content/plugins/onelogin-saml-sso/php/lib/Saml2/Auth.php(722): RobRichards\XMLSecLibs\XMLSecurityKey->signData('SAMLRequest=hZJ...')\n#2 /wp-content/plugins/onelogin-saml-sso/php/lib/Saml2/Auth.php(659): OneLogin\Saml2\Auth->buildMessageSignature('hZJbj9owEIXf+RU...', 'https://trbnnew...', 'http://www.w3.o...', 'SAMLRequest')\n#3 /wp-content/plugins/onelogin-saml-sso/php/lib/Saml2/Auth.php(546): OneLogin\Saml2\Auth->buildRequestSignature('hZJbj9owEIXf+RU...', 'https://trbnnew...', 'http://www.w3.o...')\n#4/wp-content/plugins in /wp-content/plugins/onelogin-saml-sso/php/extlib/xmlseclibs/src/XMLSecurityKey.php on line 500

This branch is out-dated respect the main branch 2.5.0. I may update it.

Let decide on the SAML settings panel the signature Algorithm to be used when signing AuthNRequest, LogoutRequest, LogoutResponses or Metadata.

Hi!
Is there any chance to send AuthnRequest with HTTP-POST rather than HTTP-GET, which seems to be default plugins behavior?

Warning: in_array() expects parameter 2 to be array, string given' in /xxx/wp-content/plugins/onelogin-saml-sso/php/configuration.php:481

And the configuration form stops at:

requestedAuthnContext

showing no options in the multi-select.

Right now the SAML WP plugin works with multisites, but each site need to set its SAML settings.

We need to figure out how can be set a configuration on the network admin, and then let every site to use the settings set on network admin or use custom SAML settings, but is not implemented

Trying to use this onelogin plugin with a MiniOrange identity provider.

The connection does not work. I think the issue is not having the right SP Entity ID or Issuer.

The metadata for the onelogin plugin (service provider) has just a short string for this. Is that correct? Isn't is usually a whole URL? What is it supposed to be?

I am forced to use 2.0.2.

I get the following error message when trying to access the site.

Service Unavailable

The service is temporarily unavailable. Please try again later.

The associated connector has the following consumer URL in order to allow us to use the staging instances.

((http|https)://domain.example.com/|(http|https)://domain.staging.wpengine.com/)

I have also tried the new URL that is in the consumer service.

Old:
https://domain.example.com/wp-content/plugins/onelogin-saml-sso/onelogin_saml.php?acs

New:
http://domain.example.com/wp-login.php?saml_acs

When entering a custom "SAML Link Message" text and saving, the page will reload with the value prefixed with "http://". The issue is that the plugin escapes the value using esc_url() function instead of esc_attr(). The value itself is not a url, but regular text.

L372 is the line in question:
https://github.com/onelogin/wordpress-saml/blob/050a9e952369235c1da0702a2829231e836e52c2/onelogin-saml-sso/php/configuration.php#L370-L374

Wordpress version: 4.9.4

Hey folks,

Thanks so much for creating this plugin. I'm currently using it for a client project at the moment and I was wondering if you'd be open to me adding a Pull Request that add some optional PHP constants for the following settings:

• IdP Entity Id
• Single Sign On Service Url
• Single Log Out Service Url
• X.509 Certificate

If those constants are defined then those settings would be automatically added and I'd also change those fields to read only and have a message saying that those constants have been defined. This would enable developers to keep those constants in version control and not have to set them up manually across multiple environments.

Let me know what you think of the idea. Thanks!

Hello!

I always get stuck in the url: /wp-login.php?saml_acs when redirected back from keycloak login. I keep receiving error 500 when returning the POST from IdP.

I am following the steps in "Wordpress SAML OneLogin plugin" from https://wiki.communecter.org/en/keycloak-_-configuration.html

Here is the steps to reproduce the problem in our dev environment:
https://we.tl/PQRr9L7dZK

What can I do to make saml_acs work?

after i upgraded to the new version of the plugin and because it did not work I had to reinstall the old version, all works now.

Can we look into why the new version of the plugin does not work? I use wpengine as my hosting provider and have to use version 2.0.2

We've been receiving 500 error notifications when Google bot browses to: wp-login.php?saml_acs using a non-POST request.

As we only support HTTP POST Binding, I believe it would be best to just skip if saml_acs is presented and the request is non-POST methods.

What do you think @pitbulk?

Hello,

I use wordpress-saml to connect WordPress with ADFS 3.0. I can get SSO and SP-initiated logout work (logout in WordPress). But fail in IDP-initiated Logout.

SLO and Retrieve Parameters From Server option is enabled in configuration.

Base on the suggestion in SAML-Toolkits/php-saml#136. I modify the code and get ride of ADFS certificate error. But I encounter other errors.

• When User logout in ADFS, User can't logout in WordPress. I refresh the page or go to other page, user is still login WordPress.
• After User logout in ADFS, when User click logout button in WordPress, the error message "SLS endpoint found an error" is shown in https://xxxxxx.xxxx.xxx/wp-login.php?saml_sls&SAMLResponse=xxxxxxxxxxx. I go to WordPress again, and user is still logged in.

Described here:
https://wordpress.org/support/topic/onelogin-configuration-1

We have a need to SAML protect all URLs including media.