SAML-Toolkits / wordpress-saml

OneLogin SAML plugin for Wordpress
MIT License

Transformer rules? #48

Closed cvanaxel closed 7 years ago

cvanaxel commented 7 years ago

What rule do I need to add to solve this: "The username could not be retrieved from the IdP and is required", and what attribute name is needed for the username?

pitbulk commented 7 years ago

You need to review if the Identity Provider is sending user data to Wordpress SP. You can use SAMLTracer to record the SAMLResponse sent and review the user data inside the Assertion element.

Then be sure you configure the WP SAML settings properly, adding the right name in the Attribute Mapping section to the username attribute (the value there should be the same as the name of the attribute in the Assertion).

cvanaxel commented 7 years ago

I tried everything and I'm lost. Here is the result of the SAML Tracer in Firefox.

<samlp:Response ID="_a30ffe19-2f14-46ba-8478-fa3f83f3e685"
                Version="2.0"
                IssueInstant="2017-08-08T09:55:16.916Z"
                Destination="https://url/intranet/wp-login.php?saml_acs"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="ONELOGIN_f66b1a54d33c46357b873be34e4846d2b67bd9bc"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.testdomain.com/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion ID="_e5e41bbe-6561-4674-b39d-6e192147437d"
               IssueInstant="2017-08-08T09:55:16.916Z"
               Version="2.0"
               xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
               >
        <Issuer>http://adfs.testdomain.com/adfs/services/trust</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_e5e41bbe-6561-4674-b39d-6e192147437d">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>35UEiQKYSsa+92dzSCKnrLEh9t2yN9XEYLY9GCQnVgI=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>EwCh46+UCR6frKVKbLwHMHJL9vZ+O8cDyHEaAL8usQI77rC6DlTtrx999/o453MmEaOFNaqQzunUjVK277SulDK5jOeY+DyL4y2W5HoAd887PLy6BbY+1pduBG/T9gN7Xt+oTIV12xWRnH6cmSKRvLTfjLIXu11m+bBwDNwZ85AN8yScX04XeinUOi4YmJVn5R0uFRt7YK6ZEfkcy5exSJneeDNk1kpQxdAmtIgvewgLwvZguo0Qm4HK29KU+v4RGmTK5Yv2QX9PH3xYw6oIddeMS6kNtZlYv7dhH6E8IsyqtfiPdGfqPTi+MTEDB26OpKYrbpF9jUjwVP60Qas76g==</ds:SignatureValue>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>[X.509 certificate omitted]</ds:X509Certificate>
                </ds:X509Data>
            </KeyInfo>
        </ds:Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">c.test@testdomain.com</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="ONELOGIN_f66b1a54d33c46357b873be34e4846d2b67bd9bc"
                                         NotOnOrAfter="2017-08-08T10:00:16.916Z"
                                         Recipient="https://url/intranet/wp-login.php?saml_acs"
                                         />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2017-08-08T09:55:16.904Z"
                    NotOnOrAfter="2017-08-08T10:55:16.904Z"
                    >
            <AudienceRestriction>
                <Audience>php-saml</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>c.test@testdomain.com</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
                <AttributeValue>c.test</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <AttributeValue>Clint</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                <AttributeValue>Test</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
                <AttributeValue>c.test@testdomain.com</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2017-08-08T08:58:27.902Z"
                        SessionIndex="_e5e41bbe-6561-4674-b39d-6e192147437d"
                        >
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

pitbulk commented 7 years ago

Notice that in the Option section, you have a "Match Wordpress account by" field that you can configure to be "username" or "email". Based on the behavior you expect, set the appropriate value.

Based on your SAMLResponse:

At the Attribute mapping section, on the email set: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

At the Attribute mapping section, on the username set: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname

At the Attribute mapping section, on the firstname set: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

At the Attribute mapping section, on the lastname set: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

cvanaxel commented 7 years ago

Nope, that did not work. Still the same error.

The username could not be retrieved from the IdP and is required

ATTRIBUTE MAPPING

Sometimes the names of the attributes sent by the IdP do not match the names used by WordPress for the user accounts. In this section you can set the mapping between IdP fields and WordPress fields. Note: This mapping could be also set at Onelogin's IdP.

Username * windowsaccountname

E-mail * emailaddress

First Name givenname

Last Name surname

pitbulk commented 7 years ago

You need to put the whole string: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Not just emailaddress.
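To show why the short names failed, here is an added Python example (not the plugin's code) that pulls the AttributeStatement out of a SAMLResponse like the one posted above and applies a mapping the way the answer describes: the mapping value has to equal the Attribute Name exactly, so "emailaddress" matches nothing while the full claim URI does. The sample response is a constructed, trimmed copy of the posted one; map_user and its error text are hypothetical, modelled on the plugin message quoted in the thread.

```python
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the AttributeStatement of the ADFS response posted above,
# with signature, subject and conditions stripped for brevity.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>c.test@testdomain.com</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
        <AttributeValue>c.test</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""

# What the user first typed into the plugin form (fails) and what the answer asks for (works).
SHORT_MAPPING = {"username": "windowsaccountname", "email": "emailaddress"}
FULL_MAPPING = {
    "username": "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}


def extract_attributes(response_xml):
    """Return {Attribute Name: [values]} from the Assertion's AttributeStatement.
    Signature verification is the SP's job before any of this data is trusted; it is out of scope here."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_ASSERTION_NS}}}Attribute"):
        values = attr.findall(f"{{{SAML_ASSERTION_NS}}}AttributeValue")
        attrs[attr.get("Name")] = [v.text for v in values]
    return attrs


def map_user(attrs, mapping, required=("username", "email")):
    """Resolve WordPress user fields from IdP attributes (hypothetical helper).
    The lookup is an exact string match on the Attribute Name, so a short suffix
    such as 'emailaddress' never matches the full claim URI the IdP sends."""
    user, missing = {}, []
    for field, idp_name in mapping.items():
        values = attrs.get(idp_name)
        if values:
            user[field] = values[0]
        elif field in required:
            missing.append(field)
    if missing:
        raise ValueError(f"The {missing[0]} could not be retrieved from the IdP and is required")
    return user
```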

cvanaxel commented 7 years ago

Thank you very much. That did the job. 👍