Closed cvanaxel closed 7 years ago
You need to review if the Identity Provider is sending user data to Wordpress SP. You can use SAMLTracer to record the SAMLResponse sent and review the user data inside the Assertion element.
Then be sure you configure the WP SAML settings properly, adding the right name in the Attribute Mapping section to the username attribute (the value there should be the same as the name of the attribute in the Assertion).
I tried everything and I'm lost. Here is the result of the SAML Tracer in Firefox.
<samlp:Response ID="_a30ffe19-2f14-46ba-8478-fa3f83f3e685"
                Version="2.0"
                IssueInstant="2017-08-08T09:55:16.916Z"
                Destination="https://url/intranet/wp-login.php?saml_acs"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="ONELOGIN_f66b1a54d33c46357b873be34e4846d2b67bd9bc"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                >
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.testdomain.com/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_e5e41bbe-6561-4674-b39d-6e192147437d"
             IssueInstant="2017-08-08T09:55:16.916Z"
             Version="2.0"
             xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
             >
    <Issuer>http://adfs.testdomain.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#_e5e41bbe-6561-4674-b39d-6e192147437d">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>35UEiQKYSsa+92dzSCKnrLEh9t2yN9XEYLY9GCQnVgI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>EwCh46+UCR6frKVKbLwHMHJL9vZ+O8cDyHEaAL8usQI77rC6DlTtrx999/o453MmEaOFNaqQzunUjVK277SulDK5jOeY+DyL4y2W5HoAd887PLy6BbY+1pduBG/T9gN7Xt+oTIV12xWRnH6cmSKRvLTfjLIXu11m+bBwDNwZ85AN8yScX04XeinUOi4YmJVn5R0uFRt7YK6ZEfkcy5exSJneeDNk1kpQxdAmtIgvewgLwvZguo0Qm4HK29KU+v4RGmTK5Yv2QX9PH3xYw6oIddeMS6kNtZlYv7dhH6E8IsyqtfiPdGfqPTi+MTEDB26OpKYrbpF9jUjwVP60Qas76g==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC4DCCAcigAwIBAgIQH7S72PS4zY1EWTwnRRbEsjANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBhZGZzLmRlYmFzY3VsZS5jb20wHhcNMTYxMDA0MDkyMTQ1WhcNMTcxMDA0MDkyMTQ1WjAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBhZGZzLmRlYmFzY3VsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCjZSEfWJCkbHYHspYKnx/g4FYZ2FiJlRC0KZ/Q/2z57pCTB9eMrqcH+YxzOTsGt/eATHc7KD2bT+hfsfLKH15Gr/kfK/Rqy+/Mhr9dvdDRzHOeQ2xL0v4Mff5f9XZPB612EwRR9n4NfAj85RGLCw7G8k+Y8EnTPr2xItxKXKNBDn7RV/5LCwxD6pUn92pinoBwzPPNbmhZSwzmLG6xdsZBvmqnxZOyIbzvAJZc+39BZ1gEFD2d8ZLZjhbRZpVfG0GSOvP7plsD9AK+z+kONDidCBCWGQC9Y2A7MMoOe7ZWEQpS3MiLDEJzjdmgsyNIiI3+LFYCIECdLvtHuWkFlFcDAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABmi56n12ZvPujvpurge1n++Fq+f6+waPu1VAg1gMHa0Oc/32yC2sgGP1hIu8MNpZ4B/UVi4votHPBi+C2bw2XW2Vx21vDEP9Bo6rqg1zL6OPatEAhfoIHbUzyZGku8A6nCYKxDnDCspbO8LZglhBcKpBiyzxdKmlfXfTZlb4Bvea+8MeqbcsPuHdeXN6o89BGIaLfic5cgDk0HJM6C3IQ1YVrkmx34uz3hSqJ8mEyUMEzTzXTnaQCVmR4PM1GgEc+MqSu/fZ+yJPMjya40d+y9ltSx0l7EDGgxGUze8QL8TVdxAOO37yZKqw/xDD622AkCHC6m2WdA4DTQtZ+9ITAQ=</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">c.test@testdomain.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="ONELOGIN_f66b1a54d33c46357b873be34e4846d2b67bd9bc"
                                 NotOnOrAfter="2017-08-08T10:00:16.916Z"
                                 Recipient="https://url/intranet/wp-login.php?saml_acs"
                                 />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2017-08-08T09:55:16.904Z"
                NotOnOrAfter="2017-08-08T10:55:16.904Z"
                >
      <AudienceRestriction>
        <Audience>php-saml</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>c.test@testdomain.com</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
        <AttributeValue>c.test</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <AttributeValue>Clint</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <AttributeValue>Test</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <AttributeValue>c.test@testdomain.com</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2017-08-08T08:58:27.902Z"
                    SessionIndex="_e5e41bbe-6561-4674-b39d-6e192147437d"
                    >
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
Notice that in the Option section, you have a "Match Wordpress account by" field that you can configure to be "username" or "email". Based on the behavior you expect, set the appropriate value.
Based on your SAMLResponse:
At the Attribute mapping section, on the email set: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
At the Attribute mapping section, on the username set: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
At the Attribute mapping section, on the firstname set: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
At the Attribute mapping section, on the lastname set: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Nope that did not work. Still the same error.
The username could not be retrieved from the IdP and is required
ATTRIBUTE MAPPING
Sometimes the names of the attributes sent by the IdP do not match the names used by WordPress for the user accounts. In this section you can set the mapping between IdP fields and WordPress fields. Note: This mapping could be also set at Onelogin's IdP.
Username *: windowsaccountname
E-mail *: emailaddress
First Name: givenname
Last Name: surname
You need to put the whole string: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Not just emailaddress
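The reason the short names fail, shown as an added example that is not the plugin's own code: the SP looks up each mapped field by an exact string match against the Attribute Name in the assertion, so "emailaddress" never matches the full claim URI ADFS sends. The response below is a constructed sample reduced from the tracer dump in this thread, and the error text is the one quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample, reduced from the SAML tracer dump in this thread
# (signature, Subject and Conditions omitted; the claim URIs are the ones ADFS sent).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>c.test@testdomain.com</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
        <AttributeValue>c.test</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <AttributeValue>Clint</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The two mappings discussed in the thread: bare claim names vs. full claim URIs.
SHORT_NAME_MAPPING = {"username": "windowsaccountname", "email": "emailaddress",
                      "firstname": "givenname"}
FULL_URI_MAPPING = {
    "username": "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "firstname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
}

def extract_attributes(response_xml):
    """Return {Attribute Name: [values]} from the assertion's AttributeStatement.
    Illustration only: a real SP validates the XML signature before trusting these values."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def map_user_fields(attrs, mapping, required=("username", "email")):
    """Resolve WordPress fields through the mapping. The lookup is an exact string match,
    so a bare 'emailaddress' never matches the '.../claims/emailaddress' URI the IdP sends."""
    user = {field: attrs[name][0] for field, name in mapping.items() if attrs.get(name)}
    for field in required:
        if field not in user:
            raise ValueError("The %s could not be retrieved from the IdP and is required" % field)
    return user

def mapping_error(response_xml, mapping):
    """Return the error message a mapping produces for this response, or None if it resolves."""
    try:
        map_user_fields(extract_attributes(response_xml), mapping)
    except ValueError as exc:
        return str(exc)
    return None
```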
Thank you very much. That did the job. 👍
What rule do I need to add to solve this: "The username could not be retrieved from the IdP and is required", and what attribute name for the username?