Open squild-mtinnemeier opened 3 years ago
I will be also interested in this feature, we have similar requirement.
For this specific case, there is already a solution. I think you missed a setting available at the SAML Settings at the Options section: "Regular expression for multiple role values":
Regular expression that extracts roles from complex multivalued data (required to activate the previous option).
E.g. If the SAMLResponse has a role attribute like: CN=admin;CN=superuser;CN=europe-admin; , use the regular expression /CN=([A-Z0-9\s _-]*);/i to retrieve the values. Or use /CN=([^,;]*)/
So basically at the Role Mapping you may set:
Administrator | Wordpress-Administrators
Editor | Wordpress-Editors
Author | Wordpress-Authors
and set as "Regular expression for multiple role values" the one able to extract those values. https://regex101.com/ can help you to find it
@pitbulk Are you really sure about that? As I understood this option, it is usable for the situation where all SAML-Roles are returned as a String separated by a specific separator. An Array of SAML-Roles as SAML-Response is not accepted (see https://github.com/onelogin/wordpress-saml/blob/666380d4b92178a6f08eb502b51b1dface940761/onelogin-saml-sso/php/functions.php#L331). But in my case the SAML-Response is not a String but an Array of SAML-Roles, as is usual in an Active Directory context.
You are right, the pattern feature was designed to work when all role data is provided in a single string.
Discussion / Issue
We encountered the following problem when we tried to connect a WordPress instance to our internal Active Directory using ADFS as IdP, in a scenario where a user's Wordpress role(s) should be mapped against a subset of the user's Active Directory groups.
Expected behavior
Configured "memberOf" Groups should be mapped to Wordpress Roles when using a Common Name as a mapping value.
Actual behavior
Group-Mapping does not work.
Steps to reproduce the behavior
Active Directory Structure
A user object has several groups in an Active Directory. Groups can be structured in different OUs. Only some of these groups are Wordpress-relevant and will be used for role mapping.
Example User Object:
ADFS - Claim Issuance Policy
We configured a "Send LDAP Attributes as Claims" rule with some attributes from our Active Directory attribute store. The relevant one for this case is our mapping of the memberOf LDAP attribute to the http://schemas.microsoft.com/ws/2008/06/identity/claims/role claim:
SAML Response
With this configuration, the SAML response looks like this after successful authentication:
SSO/SAML Settings - Wordpress Plugin Configuration
Relevant subset of the Plugin's settings page:
Attribute Mapping
[...] Role | http://schemas.microsoft.com/ws/2008/06/identity/claims/role
Role Mapping
[...] Multiple role values in one saml attribute value | [ ] (unchecked)
Regular expression for multiple role values | [ ] (empty)
Suspected source of error in the code
We suspect the source of the problem is that the string of the "Role Mapping" value gets split by the comma separator. In cases where the string itself includes multiple commas, that doesn't work out:
https://github.com/onelogin/wordpress-saml/blob/666380d4b92178a6f08eb502b51b1dface940761/onelogin-saml-sso/php/functions.php#L356
As it is mentioned on the Plugin's Settings Page, there should be the option to map multiple IdP roles to one Wordpress role: "Accepts comma separated values. Example: admin,owner,superuser"
A comma as string separator may not be the best option here.
We suppose there are lots of scenarios where another separator for this purpose would be a better solution, even when it comes to Active Directory based IdP deployments. One option could be to provide the possibility to use a user-defined string separator; in our case, we simply changed it to a semicolon in the explode function.
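To make the comma problem concrete, here is an added illustration in PHP (not the plugin's own code; the helper names are hypothetical, and the DNs and mapping values are constructed). It shows the role attribute arriving as an array of full DNs, the mapping value being cut apart by a comma separator, the same mapping surviving a semicolon separator, and the CN pattern from the comment above applied per array element as a third option.

```php
<?php
// Added illustration, not code from the wordpress-saml plugin.
// Constructed sample: the role attribute as an array of DNs, as ADFS sends memberOf.
$samlRoles = [
    'CN=Wordpress-Administrators,OU=Web,OU=Groups,DC=example,DC=org',
    'CN=Sales,OU=Groups,DC=example,DC=org',
];

// Mapping values as entered on the plugin's settings page (WP role => IdP role list).
$dnMapping = [
    'administrator' => 'CN=Wordpress-Administrators,OU=Web,OU=Groups,DC=example,DC=org',
    'editor'        => 'CN=Wordpress-Editors,OU=Web,OU=Groups,DC=example,DC=org',
];

// Splits a mapping value on the configured separator (hypothetical helper).
function splitMapping(string $value, string $separator): array {
    return array_values(array_filter(array_map('trim', explode($separator, $value)), 'strlen'));
}

// Grants a WP role when any of its mapped IdP roles equals one of the SAML values.
function resolveRoles(array $samlRoles, array $mapping, string $separator): array {
    $granted = [];
    foreach ($mapping as $wpRole => $idpRoles) {
        if (array_intersect(splitMapping($idpRoles, $separator), $samlRoles)) {
            $granted[] = $wpRole;
        }
    }
    return $granted;
}

// Reduces each DN in the array to its CN using the regex from the thread.
function extractCn(array $samlRoles, string $pattern): array {
    $out = [];
    foreach ($samlRoles as $dn) {
        if (preg_match($pattern, $dn, $m)) {
            $out[] = $m[1];
        }
    }
    return $out;
}

// Comma separator: the DN is cut into 'CN=Wordpress-Administrators', 'OU=Web', ...
// and no fragment equals a full DN, so the administrator mapping never matches.
var_dump(resolveRoles($samlRoles, $dnMapping, ','));
// Semicolon separator: the full DN survives splitting and the mapping matches.
var_dump(resolveRoles($samlRoles, $dnMapping, ';'));
// Alternative: map on short names after extracting the CN from every array element.
$cnMapping = ['administrator' => 'Wordpress-Administrators', 'editor' => 'Wordpress-Editors'];
var_dump(resolveRoles(extractCn($samlRoles, '/CN=([^,;]*)/i'), $cnMapping, ','));
```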