SAML-Toolkits / wordpress-saml

OneLogin SAML plugin for Wordpress
MIT License

Onelogin and Salesforce IDP problem #125

Closed ec2webdesign closed 2 years ago

ec2webdesign commented 2 years ago

Hello, I've configured the plugin to work with Salesforce as the IdP. When the SAML response is processed I get this error: "The username could not be retrieved from the IdP and is required"

Below you can find the SAML response from IDP.

What's wrong with my IdP? Is there any additional configuration to do? I've tried with the Miniorange IdP and authentication works fine, but I need it to work with Salesforce.

Thanks in adv, E.

<!-- SAMLResponse as pasted by the reporter (Salesforce IdP -> WordPress SP). Both the
     Response and the enclosed Assertion carry enveloped XML signatures; the certificate
     bodies are elided in this paste. Comments below are review annotations only. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                Destination="https://www.goldiretta.live/wp-login.php?saml_acs"
                ID="_35667d9878778de3d627db7ac0b921ba1634920485960"
                IssueInstant="2021-10-22T16:34:45.960Z"
                Version="2.0"
                >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                 >https://eurolinksrl.my.salesforce.com</saml:Issuer>
    <!-- Response-level signature: the Reference URI points at the Response ID above. -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <!-- NOTE(review): RSA-SHA1 signature with a SHA-1 digest. SHA-1 is deprecated
                 for XML signatures; if the IdP offers it, prefer rsa-sha256 / sha256 so the
                 SP can reject SHA-1 outright. Same applies to the Assertion signature below. -->
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_35667d9878778de3d627db7ac0b921ba1634920485960">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="ds saml samlp xs xsi"
                                                />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>fosv0a3mPM40NDNqtZ//B+CojBg=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
I9MuA068wpr1eBZD2Z3va5KTsOuuUdldyA7vGSRxKo/gd+taSqbEL+Ce2MZPBkd2G4cL/UhYzCmY
IqbuJDVx/q9Cb4Ch1aSOHFX9VFEFX0SI5CHI3UbssPKZ3ZRhbQai3Dbw3EnXJdgoQkIX0zlo3PQd
33RelhuJwUYMIFJOfhZbFEZI+Y6l2PMxwZXS58NG1EIaCjiES58+LlqVY5VV3uM6NYalhGrQ5kBJ
UYrlvMsarc3NWFwaoR0gD9aH+eMA53gXnfSoN4FDH3olh+H1RWuryKT3pAXtVDakyT7zEhis2gch
sklx3e4IYwmPZR4Bf9gHHq7TkdUHog090GEtEg==
</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <!-- Embedded signing certificate (body elided). An SP should verify against the
                     IdP certificate it has configured, not trust whatever KeyInfo carries. -->
                <ds:X509Certificate>MIIErDCCA5SgAwIBAgIOAXymqODBAAAAAGV0s3swDQYJKoZIhvcNAQELBQAwgZAxKDAmBgNVBAMM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</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <!-- The Assertion is signed separately; its Reference URI points at the Assertion ID. -->
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_8b0ba17597aed6ff31afa101c6cf07341634920486004"
                    IssueInstant="2021-10-22T16:34:46.004Z"
                    Version="2.0"
                    >
        <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://eurolinksrl.my.salesforce.com</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <!-- NOTE(review): rsa-sha1 / sha1 again, see the Response-level signature. -->
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_8b0ba17597aed6ff31afa101c6cf07341634920486004">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                    PrefixList="ds saml xs xsi"
                                                    />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>3Vr/kWK9h6wkb8ahcmqr7IUgvXU=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
bIvX0K2NjEjI5k1yShs7a+OBk3nZ1gC9M5z4dffbQyEUic1EoKpLMvqAqsmIh74zp1mGqWWdWDpI
JwjGY9YAxetUXEp1q3DMo2lBvY5Bor9ZQJibDeAuOun8jRryainUMe2+87xeBktznkPAr2sA9TCK
X1UT7NVAVKb2MkJW3y+CmXfqq+9KvZnC1PfcqFoACHbctf0nIb3jR2Y42AgtEw+okfeMdkf/4mXb
4cMP8mrhVpvjZjy9GD0wqJ8P59KP2ly26/CfSkTcPH0PN3fhRqT0ok6sWE+MgGkwd4XtJcwo3cg2
Dq8o1KH32kd6QY/9y9yIF58JT2PrPMg2e3tuLQ==
</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIErDCCA5SgAwIBAgIOAXymqODBAAAAAGV0s3swDQYJKoZIhvcNAQELBQAwgZAxKDAmBgNVBAMM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</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <!-- NameID uses the "unspecified" format and carries the same value as the
                 "username" attribute below. Whether the plugin takes the username from the
                 NameID or from a mapped attribute depends on its Attribute Mapping settings;
                 confirm against the plugin configuration rather than the IdP. -->
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ec2webdesign-ww2w@force.com</saml:NameID>
            <!-- Bearer confirmation: Recipient must equal the SP ACS URL (it matches the
                 Response Destination here) and NotOnOrAfter bounds how long it is accepted. -->
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2021-10-22T16:39:46.076Z"
                                              Recipient="https://www.goldiretta.live/wp-login.php?saml_acs"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <!-- Validity window of about five minutes. The Audience value must equal the SP
             entity ID configured in the plugin, or audience validation will reject the
             assertion even when the signature is fine. -->
        <saml:Conditions NotBefore="2021-10-22T16:34:16.076Z"
                         NotOnOrAfter="2021-10-22T16:39:46.076Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>php-saml</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2021-10-22T16:34:46.069Z"
                             SessionIndex="00D7Q000000JWlJ0Ak7Q000003y59p"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <!-- Attributes released by the IdP: userId, username, email, is_portal_user. The
             names in the plugin's Attribute Mapping must match these exactly (case included). -->
        <saml:AttributeStatement>
            <saml:Attribute Name="userId"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:anyType"
                                     >0057Q000000uAT4</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="username"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:anyType"
                                     >ec2webdesign-ww2w@force.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="email"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:anyType"
                                     >ec2webdesign@gmail.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="is_portal_user"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:anyType"
                                     >false</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>
pitbulk commented 2 years ago

I see the IdP provides userId, username and email.

What is wrong is the WordPress SAML extension settings: check the Attribute Mapping section and verify that the names configured for the WordPress user attributes match the attribute names provided in the SAMLResponse.