SAML-Toolkits / wordpress-saml

OneLogin SAML plugin for Wordpress
MIT License

not able to map AD groups in a 'memberOf' attribute to roles #88

Closed caver01 closed 4 years ago

caver01 commented 4 years ago

With a configuration that is otherwise working (using 3.1.0), we are auto-provisioning users successfully. I am now trying to map wordpress roles based on AD group membership. For this example, trying to map a group being sent in the SAML response from my IdP to WP Editor. We have the attribute "memberOf" which is recursively sending all applicable AD groups for the user, each on a new attribute value line as follows:

...
<saml2:Attribute Name="memberOf"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=Group.one,OU=Managed,OU=All Lists,DC=ad,DC=company,DC=com</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=Group.two,OU=Managed,OU=All Lists,DC=ad,DC=company,DC=com</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=Group.three,OU=Managed,OU=All Lists,DC=ad,DC=company,DC=com</saml2:AttributeValue>
</saml2:Attribute>
...

In the plugin settings I have:

Update User Data: Checked
Role: memberOf
Editor: CN=Group.two
Multiple Values: checked
Regular expression: /CN=([^,;]*)/

According to my research, testing this regex against the above SAML response results in a list as follows:

CN=Group.one
CN=Group.two
CN=Group.three

So, I was expecting my mapping of "CN=Group.two" to have the effect of updating a subscriber to Editor. However, it appeared not to do anything at next login. Later, I discovered that it has been RESETTING my user back to the default Subscriber no matter what (I can manually assign ADMIN, let the user login, and they get pushed to subscriber. I need to turn off Update User Data). Found Issue #86 that says the forced default is fixed in v3.1.1, but that version is not yet appearing in the Wordpress plugins repo. Is it still in beta? Regardless, I am thinking it is not finding a value match to do the mapping properly.

So my question is, what should I try next? Is my SAML response an odd one? Do I need a better regex? Should I ask my IdP admin to reconfigure and supply the AD groups in just a single, comma-delimited value expression? Should I have them strip out the CN=? What is the best way to set this up? Should I wait until I have 3.1.1 installed?

I turned on debugging in the plugin, but I cannot see messages. Where do logs go? I am using a Chrome plugin to view the SAML responses.

Thanks

pitbulk commented 4 years ago

Logs go to the log file used by WP; there is no special log. I'm gonna publish 3.1.1 now, so you can verify the fix works for you.

caver01 commented 4 years ago

I appreciate that, but are you suggesting that what I have above SHOULD work?

caver01 commented 4 years ago

With an update to 3.1.1, I am no longer getting reset to SUBSCRIBER role, so thanks for that. However, I am also not getting anything in my debug.log (debugging IS enabled). I have my server team looking into that, but is it possible nothing is getting logged?

My configuration has each AD group listed on a separate attribute value in the SAML response as noted above. Do I have the right regex? It is not assigning the role where I have the AD group listed. Would it be better to configure my IdP to put all groups into ONE value statement for the memberOf attribute, like ...>Group.one,Group.two,Group.three<..., so they are comma-delimited? Not sure how to proceed. Thanks for advice.

pitbulk commented 4 years ago

I guess that you better add some logs to the code to figure out what is really happening.

caver01 commented 4 years ago

Agreed, and we have. We enabled logging to DISPLAY. There are no log notices coming from the OneLogin plugin. In other words, I cannot tell why it is failing to map roles. Can you offer a suggestion for how the plugin could succeed with multiple AD groups in the SAML response? As I mentioned earlier, ours are in a series of 'memberOf' attribute values such that a typical user logs in, and their SAML response has 20-50 memberOf strings in the SAML response, each as a separate line item like this:

<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=Group.two,OU=Managed,OU=All Lists,DC=ad,DC=company,DC=com</saml2:AttributeValue>

So there are dozens of these. I am expecting the role mapping to find "Group.two" out of these strings if present and map the user to the Wordpress EDITOR role, but I am not even getting any log messages. Is it preferred to have each AD group we are passing in SAML appear comma-delimited in a single attribute value? I could request that from my IdP, but I'm shooting in the dark here.

caver01 commented 4 years ago

Following up on this issue. . . We were able to "unite" our 'memberOf' attribute values to get them into a SINGLE attribute value string, comma-delimited. Then, using the example/suggested regex, it parses the AD groups out of this single, long string value.

So, the answer for us was to have ALL AD groups listed together as a single value string.
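To make concrete what the regex from this thread yields on each attribute layout discussed above (one value per group, all groups united into a single value, and the CN=-stripped form asked about earlier), here is an added PHP illustration. It is not code from the wordpress-saml plugin and makes no claim about how the plugin itself walks attribute values or compares them; it only runs the posted regex over constructed fragments built from the DNs quoted in this issue and reports what a mapping string would have to look like to match the regex output. The joined and CN=-stripped variants are assumed shapes, and the function names are mine.

```php
<?php
// Added illustration for this thread; not code from the wordpress-saml plugin and no
// claim about how the plugin iterates attribute values. It applies the regex from the
// issue, /CN=([^,;]*)/, to three constructed shapes of the memberOf attribute and shows
// what a role mapping string would have to equal to match the regex output.

const GROUP_REGEX = '/CN=([^,;]*)/';
const SAML2_NS    = 'urn:oasis:names:tc:SAML:2.0:assertion';

// Build a minimal <saml2:Attribute Name="memberOf"> with one AttributeValue per entry.
function samlAttribute(array $values): string {
    $inner = '';
    foreach ($values as $v) {
        $inner .= '  <saml2:AttributeValue>' . htmlspecialchars($v, ENT_XML1) . "</saml2:AttributeValue>\n";
    }
    return '<saml2:Attribute xmlns:saml2="' . SAML2_NS . '" Name="memberOf">' . "\n"
         . $inner . '</saml2:Attribute>';
}

// Return the text of every AttributeValue in the fragment, in document order.
function attributeValues(string $xml): array {
    $el = new SimpleXMLElement($xml);
    $el->registerXPathNamespace('saml2', SAML2_NS);
    $out = [];
    foreach ($el->xpath('//saml2:AttributeValue') as $node) {
        $out[] = trim((string) $node);
    }
    return $out;
}

// Run the regex over each value. 'full' holds the whole match ("CN=Group.two"),
// 'captured' holds capture group 1 ("Group.two"). Which of the two a consumer compares
// against its configured mapping string decides what you must type into the mapping.
function extractGroups(array $values, string $regex = GROUP_REGEX): array {
    $result = ['full' => [], 'captured' => []];
    foreach ($values as $value) {
        if (preg_match_all($regex, $value, $m)) {
            $result['full']     = array_merge($result['full'], $m[0]);
            $result['captured'] = array_merge($result['captured'], $m[1]);
        }
    }
    return $result;
}

// Report whether a mapping string equals the full match, the capture group, or neither.
function mappingMatches(string $mappingValue, array $groups): string {
    if (in_array($mappingValue, $groups['full'], true))     return 'matches full regex match';
    if (in_array($mappingValue, $groups['captured'], true)) return 'matches capture group 1';
    return 'no match';
}

// Constructed DNs, copied from the fragments quoted in the issue.
$dnOne   = 'CN=Group.one,OU=Managed,OU=All Lists,DC=ad,DC=company,DC=com';
$dnTwo   = 'CN=Group.two,OU=Managed,OU=All Lists,DC=ad,DC=company,DC=com';
$dnThree = 'CN=Group.three,OU=Managed,OU=All Lists,DC=ad,DC=company,DC=com';

$shapes = [
    // (a) one AttributeValue per group, as the IdP originally sent it
    'one value per group' => samlAttribute([$dnOne, $dnTwo, $dnThree]),
    // (b) all DNs "united" into a single comma-delimited value (assumed shape)
    'single joined value' => samlAttribute([implode(',', [$dnOne, $dnTwo, $dnThree])]),
    // (c) bare group names with CN= stripped, as asked about in the thread (assumed shape)
    'bare names, no CN='  => samlAttribute(['Group.one,Group.two,Group.three']),
];

foreach ($shapes as $label => $xml) {
    $groups = extractGroups(attributeValues($xml));
    echo "$label\n";
    echo '  full matches : ' . (implode(' | ', $groups['full']) ?: '(none)') . "\n";
    echo '  capture group: ' . (implode(' | ', $groups['captured']) ?: '(none)') . "\n";
    foreach (['CN=Group.two', 'Group.two'] as $mapping) {
        echo "  mapping '$mapping': " . mappingMatches($mapping, $groups) . "\n";
    }
}
```

Run it with `php memberof-regex.php`. Shapes (a) and (b) produce the same three groups because the script applies the regex to every value it finds; the difference between them only matters to a consumer that inspects a single value instead of iterating all of them, which is a question for the plugin's own code and logs rather than the regex. Shape (c) produces nothing, since /CN=([^,;]*)/ needs the CN= prefix, so stripping it at the IdP would require a different regex. The last two lines per shape show that "CN=Group.two" only equals the full match while "Group.two" only equals the capture group, so the string entered in the role mapping has to be in whichever form the consumer compares against.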

FEAS-IT commented 3 years ago

@caver01 - How did you go about turning the multi-entry memberOf into a SINGLE attribute value string? Can you provide your IdP filter/definition?

caver01 commented 3 years ago

Sorry, the IdP configuration was handled by another department, but they were able to do it. I know that does not help you. There are other attributes comma-delimited in the response string (so not perfect), but I was still able to pull the matching group name for a given role, so it worked.