SAML-Toolkits / wordpress-saml

OneLogin SAML plugin for Wordpress
MIT License

unable to use 2.3.0 with wpengine wordpress install #21

Closed micah-uber closed 8 years ago

micah-uber commented 8 years ago

I am forced to use 2.0.2.

I get the following error message when trying to access the site.

Service Unavailable

The service is temporarily unavailable. Please try again later.

The associated connector has the following consumer URL in order to allow us to use the staging instances.

((http|https):\/\/domain.example.com\/|(http|https):\/\/domain.staging.wpengine.com\/)

I have also tried the new URL that is in the consumer service.

Old: https://domain.example.com/wp-content/plugins/onelogin-saml-sso/onelogin_saml.php?acs

New: http://domain.example.com/wp-login.php?saml_acs

pitbulk commented 8 years ago

Have you asked WPEngine to disable the cache for this plugin and to allow HTTP POST to wp-login.php as mentioned at the README.md of this repository?

micah-uber commented 8 years ago

Why would we want to allow a post to wp-login? I would imagine that would open us up to potential security vulnerabilities.

micah-uber commented 8 years ago

Talked to Wpengine. They do not want to allow the POSTs. Here is their response.

Our nginx configuration returns an invalid response if they try to POST to wp-login.php without the query string ?wpe-login=SITENAME, where SITENAME is the install name. We really prefer not to disable that feature; it mostly just prevents someone from trying to brute force every site under the sun.

I would also prefer not to do this.

pitbulk commented 8 years ago

So using ?wpe-login=SITENAME is not a solution either... I will try to figure out how to move the ACS to a different location.

micah-uber commented 8 years ago

We can try that. Let me know where to add it, and I can test locally.

pitbulk commented 8 years ago

Ok, I'm currently working on it. I will keep you updated.

pitbulk commented 8 years ago

Right now, when the SAML plugin is loaded, we call saml_checker:

// Check if SAML messages exist
add_action('init', 'saml_checker', 1);

This method checks for any GET/POST SAML messages on login.php:

function saml_checker() {
    if (isset($_GET['saml_acs'])) {
        saml_acs();              // Assertion Consumer Service: process the SAMLResponse sent by the IdP
    } elseif (isset($_GET['saml_sls'])) {
        saml_sls();              // Single Logout Service
    } elseif (isset($_GET['saml_metadata'])) {
        saml_metadata();         // Publish the SP metadata
    } elseif (isset($_GET['saml_validate_config'])) {
        saml_validate_config();  // Validate the plugin settings
    }
}

And as you can see, in the plugin we define the ACS as:

        'assertionConsumerService' => array (
            'url' => get_site_url().'/wp-login.php?saml_acs'
        ),

I plan to create an alternative PHP file, alternative_acs.php, so that if you check an option in the settings, this endpoint will be used instead of login.php?saml_acs.

pitbulk commented 8 years ago

Edit settings.php and replace

        'assertionConsumerService' => array (
            'url' => get_site_url().'/wp-login.php?saml_acs'
        ),

with

        'assertionConsumerService' => array (
            'url' => get_site_url().'/wp-content/plugins/onelogin-saml-sso/alternative_acs.php'
        ),

alternative_acs.php

I'm going to test on my local machine and let you know.

pitbulk commented 8 years ago

@micah-uber It worked on my local, can you try at your environment?

Meanwhile, I'm going to implement the option on the settings panel now and release a new version of the plugin.

(remember to update the ACS endpoint to the new URL on the IdP settings)

micah-uber commented 8 years ago

No errors, but infinitely looping assertion requests...

pitbulk commented 8 years ago

Maybe because force_login is active, so alternative_acs.php is protected.

micah-uber commented 8 years ago

Turned off force_login and got this error.

There was at least one error processing the SAML Response: invalid_response Contact the administrator

pitbulk commented 8 years ago

Ok, I will fix the force login issue later, but let's focus on the reason for the invalid_response. Can you turn on debug mode? (There is a check in the advanced settings.)

micah-uber commented 8 years ago

Invalid issuer in the Assertion/Response There was at least one error processing the SAML Response: invalid_response Contact the administrator

pitbulk commented 8 years ago

So if you use the SAML Tracer, you will be able to record the SAMLResponse and see what the Issuer contains.

The issuer should be the IdP Entity ID, so make sure that value is correct in the SAML settings panel.

In order to debug, you can also edit onelogin-saml-sso/php/lib/Saml2/Response.php and add a print_r to see the values of $issuers and $idPEntityId. $idPEntityId should be included in the $issuers array.
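As an added illustration of the $issuers / $idPEntityId comparison described above (example code written for this thread, not the plugin's own Response.php; the function names and the sample response are assumptions, and no signature validation is done here, so this is a diagnostic pre-check only):

```php
<?php
// Added example, not plugin code: the $issuers / $idPEntityId comparison from
// Response.php as a stand-alone diagnostic. No signature validation is done,
// so it is a pre-check only. Names and the sample response are constructed.
// Every <saml:Issuer> in a base64-encoded SAMLResponse (Response and Assertions).
// LIBXML_NONET blocks network fetches; entity substitution stays off (no LIBXML_NOENT).
function collect_saml_issuers(string $samlResponseB64): array {
    $xml = base64_decode($samlResponseB64, true);
    if ($xml === false) {
        return [];
    }
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        return [];
    }
    $xpath = new DOMXPath($dom);
    $xpath->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $xpath->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
    $issuers = [];
    foreach (['/samlp:Response/saml:Issuer', '/samlp:Response/saml:Assertion/saml:Issuer'] as $query) {
        foreach ($xpath->query($query) as $node) {
            $issuers[] = trim($node->textContent);
        }
    }
    return array_values(array_unique($issuers));
}

// True only when at least one Issuer was found and every one equals the IdP
// Entity ID configured under IDENTITY PROVIDER SETTINGS.
function saml_issuer_matches_idp(string $samlResponseB64, string $idpEntityId): bool {
    $issuers = collect_saml_issuers($samlResponseB64);
    if ($issuers === []) {
        return false;
    }
    foreach ($issuers as $issuer) {
        if ($issuer !== $idpEntityId) {
            return false;
        }
    }
    return true;
}

// Constructed sample; the EntityID is a placeholder, not a real OneLogin value.
$idpEntityId = 'https://app.onelogin.com/saml/metadata/PLACEHOLDER-ID';
$sample = base64_encode('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    . ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>' . $idpEntityId . '</saml:Issuer>'
    . '<saml:Assertion><saml:Issuer>' . $idpEntityId . '</saml:Issuer></saml:Assertion></samlp:Response>');
var_dump(saml_issuer_matches_idp($sample, $idpEntityId));                // matches the configured value
var_dump(saml_issuer_matches_idp($sample, 'https://other.example/idp')); // mismatch, what invalid_response reports
```

Feed it the SAMLResponse captured with SAML Tracer and the IdP Entity ID from the settings panel; a false result means the Issuer and the configured value disagree, which is exactly the "Invalid issuer" case.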

micah-uber commented 8 years ago

Where do I add that?

micah-uber commented 8 years ago

So, not sure what happened... But now it drops me to the WordPress login page after successfully getting through OneLogin.

pitbulk commented 8 years ago

In the WordPress SAML settings panel, under IDENTITY PROVIDER SETTINGS, the IdP Entity ID must match the value of the related SAML connector.

In the OneLogin SAML connector, on the SSO tab you will find the IdP Metadata where that EntityID is defined (also available in the "Issuer URL" field).

Check also the Configuration tab. If you are using a general connector, you will fill in:

Audience => Service Provider EntityID (if you review the SAML metadata of the Service Provider you will find that value)
Recipient & ACS URL => Service Provider ACS
ACS URL validator => A regular expression that matches the SP ACS
Single Logout URL => Service Provider SLS

But if you are using a custom WordPress connector, you will find fewer parameters.

Check the documentation.

micah-uber commented 8 years ago

Yes that is all correct. Sorry. Forgot to reply to that question.

FWIW: Christian and I are on Skype. Can you join us? It will be faster to work on this there.

pitbulk commented 8 years ago

Here is a new release: https://github.com/pitbulk/wordpress-onelogin/releases/tag/v2.4.0

You will find an "Alternative ACS Endpoint" option in the SAML Settings, in the Options section.

I tested it on WordPress 4.5.1 and 4.0 and it worked. Let me know if it works on your environments, and then I will publish an official release on WordPress.