SAML-Toolkits / wordpress-saml

OneLogin SAML plugin for Wordpress
MIT License

Can't get roles to sync #63

Closed adevapp closed 6 years ago

adevapp commented 6 years ago

I've followed the instructions here: https://support.onelogin.com/hc/en-us/articles/204353160-Configuring-SAML-for-WordPress

and: https://support.onelogin.com/hc/en-us/community/posts/115009793326-Mapping-Wordpress-Roles

However the roles do not sync across. I've applied the CN setting per Steve's post, and selected multiple roles (which there are).

Is there anything I have missed in the setup of role syncing with the free version of OneLogin?

pitbulk commented 6 years ago

Have you reviewed that the regex you added to the settings is correct?

Can you share your current settings and examples of the SAML Attributes?

adevapp commented 6 years ago

Create user if not exists: TRUE
Update user data: TRUE
Match Wordpress account by: Username

Regular expression for multiple role values: /CN=([^,;]*)/

Mappings:

screen shot 2018-05-14 at 5 37 39 pm

Other: screen shot 2018-05-14 at 5 38 17 pm

pitbulk commented 6 years ago

What about the Attributes included in the SAMLResponse? (You can record the SAMLResponse with SAML Tracer or the Chrome SAML panel.)

adevapp commented 6 years ago

screen shot 2018-05-14 at 5 41 34 pm

I'm assuming you mean these mappings in OneLogin?

pitbulk commented 6 years ago

No, I need the SAMLResponse OneLogin is sending to Wordpress in order to verify that the expected "member of" attribute contains a value and verify if the regex matches that value.

adevapp commented 6 years ago

I assume I would put a var_dump($var) and then exit() somewhere in the plugin code - Then attempt the login to dump this info?

pitbulk commented 6 years ago

I suggested you use plugins that you install in your browser (SAML Tracer or Chrome SAML Panel) that are able to record the SAMLResponse.

But you can edit the functions.php file of the SAML plugin and print the $_POST['SAMLResponse'] on the acs method.

adevapp commented 6 years ago

Response is: (Have changed name and email to xxx).

    <saml:Conditions NotBefore="2018-05-14T08:48:18Z" NotOnOrAfter="2018-05-14T08:54:18Z">
        <saml:AudienceRestriction>
            <saml:Audience>php-saml</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2018-05-14T08:51:17Z"
        SessionIndex="xxx-3981-0136-790d-0a1b22056132" SessionNotOnOrAfter="2018-05-15T08:51:18Z">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        <saml:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">administrators</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="User.email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">xxx@xxx.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="User.FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">xxx</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="User.LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">xxx</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="User.Username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">xxx.xxx</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
    </saml:Assertion>

pitbulk commented 6 years ago

As you can see in the SAMLResponse, OneLogin is right now providing as memberOf the value "administrators", so no regex is required at all.

So remove the regular expression value and uncheck "Multiple role values in one SAML attribute value".

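To illustrate why the regex setting broke the mapping, here is an added example (not the plugin's own code): it extracts the memberOf values from a constructed AttributeStatement like the one pasted above, applies the optional multi-value regex the way the "multiple role values" option does, and maps the resulting groups onto WordPress roles. The `MAPPING` dict and the DN-style sample value are assumptions for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed mapping (IdP group name -> WordPress role) and the regex from the thread.
MAPPING = {"administrators": "administrator", "editors": "editor"}
CN_REGEX = r"CN=([^,;]*)"


def build_statement(member_of):
    """Constructed sample: a trimmed AttributeStatement like the one in the thread.
    Assumes the enclosing assertion was already signature-checked by the SAML library."""
    return (
        '<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '  <saml:Attribute Name="memberOf">'
        f"    <saml:AttributeValue>{member_of}</saml:AttributeValue>"
        "  </saml:Attribute>"
        '  <saml:Attribute Name="User.Username">'
        "    <saml:AttributeValue>xxx.xxx</saml:AttributeValue>"
        "  </saml:Attribute>"
        "</saml:AttributeStatement>"
    )


def attribute_values(statement_xml, name):
    """Return every AttributeValue text for the attribute called `name`."""
    root = ET.fromstring(statement_xml)
    return [
        (v.text or "").strip()
        for attr in root.findall("saml:Attribute", SAML_NS)
        if attr.get("Name") == name
        for v in attr.findall("saml:AttributeValue", SAML_NS)
    ]


def resolve_roles(statement_xml, mapping, multi_value_regex=None):
    """Map the memberOf attribute onto WordPress roles.

    With multi_value_regex set, each AttributeValue is split into groups using
    capture group 1 of the pattern; a value the pattern does not match yields
    nothing, which is exactly what happened with "administrators" and /CN=.../.
    Without it, the raw value is used as the group name.
    """
    groups = []
    for raw in attribute_values(statement_xml, "memberOf"):
        if multi_value_regex:
            groups.extend(re.findall(multi_value_regex, raw))  # no match -> no roles
        else:
            groups.append(raw)
    return [mapping[g] for g in groups if g in mapping]
```

With the plain value "administrators" the regex path returns no roles, the no-regex path returns ["administrator"], and a DN-style value such as "CN=administrators,OU=Groups;CN=editors,OU=Groups" with the regex returns both roles.
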
adevapp commented 6 years ago

Thanks. Works now. I had to set the memberOf value using rules, so it updates when the role is set. Otherwise it comes out blank in the debug log, even though the role is active (the memberOf remains blank without the rule).