SAML-Toolkits / wordpress-saml

OneLogin SAML plugin for Wordpress
MIT License

Error doing login with SAML. #95

Closed egvinaspre closed 4 years ago

egvinaspre commented 4 years ago

Greetings!!!

Wordpress 5.4 OneLogin SAML Plugin 3.2.1

In the following image we can see the error received: (screenshot not reproduced here)

The plugin is configured as follows:

| option_id | option_name | option_value | autoload |
|---|---|---|---|
| 254 | onelogin_saml_account_matcher | username | yes |
| 297 | onelogin_saml_advanced_digestalgorithm | http://www.w3.org/2000/09/xmldsig#sha1 | yes |
| 283 | onelogin_saml_advanced_idp_lowercase_url_encoding | | yes |
| 292 | onelogin_saml_advanced_nameidformat | transient | yes |
| 293 | onelogin_saml_advanced_requestedauthncontext | | yes |
| 285 | onelogin_saml_advanced_settings_authn_request_signed | | yes |
| 280 | onelogin_saml_advanced_settings_debug | on | yes |
| 286 | onelogin_saml_advanced_settings_logout_request_signed | | yes |
| 287 | onelogin_saml_advanced_settings_logout_response_signed | | yes |
| 284 | onelogin_saml_advanced_settings_nameid_encrypted | | yes |
| 291 | onelogin_saml_advanced_settings_retrieve_parameters_from_server | | yes |
| 282 | onelogin_saml_advanced_settings_sp_entity_id | xxxxx-xxxxxxxxxxxxxx-xxx | yes |
| 295 | onelogin_saml_advanced_settings_sp_privatekey | | yes |
| 294 | onelogin_saml_advanced_settings_sp_x509cert | | yes |
| 281 | onelogin_saml_advanced_settings_strict_mode | | yes |
| 290 | onelogin_saml_advanced_settings_want_assertion_encrypted | | yes |
| 289 | onelogin_saml_advanced_settings_want_assertion_signed | | yes |
| 288 | onelogin_saml_advanced_settings_want_message_signed | | yes |
| 296 | onelogin_saml_advanced_signaturealgorithm | http://www.w3.org/2000/09/xmldsig#rsa-sha1 | yes |
| 253 | onelogin_saml_alternative_acs | | yes |
| 257 | onelogin_saml_attr_mapping_firstname | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | yes |
| 258 | onelogin_saml_attr_mapping_lastname | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | yes |
| 256 | onelogin_saml_attr_mapping_mail | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | yes |
| 3286 | onelogin_saml_attr_mapping_rememberme | | yes |
| 259 | onelogin_saml_attr_mapping_role | | yes |
| 255 | onelogin_saml_attr_mapping_username | http://schemas.xmlsoap.org/claims/CommonName | yes |
| 248 | onelogin_saml_autocreate | on | yes |
| 275 | onelogin_saml_customize_action_prevent_change_mail | on | yes |
| 274 | onelogin_saml_customize_action_prevent_change_password | on | yes |
| 272 | onelogin_saml_customize_action_prevent_local_login | | yes |
| 273 | onelogin_saml_customize_action_prevent_reset_password | on | yes |
| 278 | onelogin_saml_customize_links_lost_password | | yes |
| 279 | onelogin_saml_customize_links_saml_login | | yes |
| 277 | onelogin_saml_customize_links_user_registration | | yes |
| 276 | onelogin_saml_customize_stay_in_wordpress_after_slo | | yes |
| 3285 | onelogin_saml_enabled | on | yes |
| 250 | onelogin_saml_forcelogin | on | yes |
| 244 | onelogin_saml_idp_entityid | https://ibfs.xxxxxxxx.xxx/adfs/services/trust | yes |
| 246 | onelogin_saml_idp_slo | https://ibfs.xxxxxxxx.xxx/adfs/ls/ | yes |
| 245 | onelogin_saml_idp_sso | https://ibfs.xxxxxxxx.xxx/adfs/ls/ | yes |
| 247 | onelogin_saml_idp_x509cert | -----BEGIN CERTIFICATE----- BLA BLA BLA | yes |
| 252 | onelogin_saml_keep_local_login | on | yes |
| 260 | onelogin_saml_role_mapping_administrator | | yes |
| 264 | onelogin_saml_role_mapping_author | | yes |
| 266 | onelogin_saml_role_mapping_contributor | | yes |
| 262 | onelogin_saml_role_mapping_editor | | yes |
| 270 | onelogin_saml_role_mapping_multivalued_in_one_attribute_value | | yes |
| 271 | onelogin_saml_role_mapping_multivalued_pattern | | yes |
| 268 | onelogin_saml_role_mapping_subscriber | | yes |
| 261 | onelogin_saml_role_order_administrator | | yes |
| 265 | onelogin_saml_role_order_author | | yes |
| 267 | onelogin_saml_role_order_contributor | | yes |
| 263 | onelogin_saml_role_order_editor | | yes |
| 269 | onelogin_saml_role_order_subscriber | | yes |
| 251 | onelogin_saml_slo | | yes |
| 249 | onelogin_saml_updateuser | on | yes |

With this configuration, when we log in to the website there are two exchanges:

A GET call with the SAML AuthnRequest sent:

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                        ID="ONELOGIN_f87531100614825df3216b77e79d405391d6292e"
                        Version="2.0"
                        IssueInstant="2020-04-08T06:14:50Z"
                        Destination="https://ibfs.xxxxxxxxx.xxx/adfs/ls/"
                        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                        AssertionConsumerServiceURL="https://xxxxx.xxxxxxxxxxxxx.xxx/wp-login.php?saml_acs"
                        >
        <saml:Issuer>xxxxx-xxxxxxxxxxxxx-xxx</saml:Issuer>
        <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                            AllowCreate="true"
                            />
    </samlp:AuthnRequest>

A POST with the SAML Response received from ADFS:

    <samlp:Response ID="_e1ddc659-904a-459c-9432-d6b113fa790d"
                    Version="2.0"
                    IssueInstant="2020-04-08T06:14:51.071Z"
                    Destination="https://xxxxx.xxxxxxxxxxxxxx.xxx/wp-login.php?saml_acs"
                    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                    InResponseTo="ONELOGIN_f87531100614825df3216b77e79d405391d6292e"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    >
        <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ibfs.xxxxxxxxx.xxx/adfs/services/trust</Issuer>
        <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
        </samlp:Status>
        <Assertion ID="_3b66e38a-cbd8-4f9d-93e5-081ebb9c34d7"
                   IssueInstant="2020-04-08T06:14:51.071Z"
                   Version="2.0"
                   xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                   >
            <Issuer>http://xxxx.xxxxxxxxx.xxx/adfs/services/trust</Issuer>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                    <ds:Reference URI="#_3b66e38a-cbd8-4f9d-93e5-081ebb9c34d7">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                        <ds:DigestValue>IztHmoiGOdygdlHDkMphjJel7ivkiSrAdKyjjWEPMSQ=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>BLA BLA BLA</ds:SignatureValue>
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate>BLA BLA BLA</ds:X509Certificate>
                    </ds:X509Data>
                </KeyInfo>
            </ds:Signature>
            <Subject>
                <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">XXXXXXX</NameID>
                <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                    <SubjectConfirmationData InResponseTo="ONELOGIN_f87531100614825df3216b77e79d405391d6292e"
                                             NotOnOrAfter="2020-04-08T06:19:51.071Z"
                                             Recipient="https://xxxxx.xxxxxxxxxxxxx.xxx/wp-login.php?saml_acs"
                                             />
                </SubjectConfirmation>
            </Subject>
            <Conditions NotBefore="2020-04-08T06:14:51.071Z"
                        NotOnOrAfter="2020-04-08T07:14:51.071Z"
                        >
                <AudienceRestriction>
                    <Audience>xxxxx-xxxxxxxxxxxxx-xxx</Audience>
                </AudienceRestriction>
            </Conditions>
            <AttributeStatement>
                <Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
                    <AttributeValue>XXXXXXX</AttributeValue>
                </Attribute>
                <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                    <AttributeValue>XXXXXXXX</AttributeValue>
                </Attribute>
                <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                    <AttributeValue>XXXXXXXXX XX XXXXXXXX XXXXXX</AttributeValue>
                </Attribute>
                <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                    <AttributeValue>x.xxxxxxxxxxxxx@xxxxxxxxxxx.com</AttributeValue>
                </Attribute>
            </AttributeStatement>
            <AuthnStatement AuthnInstant="2020-04-08T05:14:09.419Z"
                            SessionIndex="_3b66e38a-cbd8-4f9d-93e5-081ebb9c34d7"
                            >
                <AuthnContext>
                    <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
                </AuthnContext>
            </AuthnStatement>
        </Assertion>
    </samlp:Response>

I tried to activate debugging in WordPress and also in the plugin, but in the debug file I can't see anything useful. There are only a few lines referencing another plugin. I paste them here:

    [08-Apr-2020 06:14:52 UTC] PHP Notice:  Undefined property: wpdb::$actionscheduler_actions in D:\home\site\wwwroot\wp-includes\wp-db.php on line 647
    [08-Apr-2020 06:14:52 UTC] WordPress database error Incorrect table name '' for query SHOW FULL COLUMNS FROM `` made by require('wp-load.php'), require_once('wp-config.php'), require_once('wp-settings.php'), do_action('init'), WP_Hook->do_action, WP_Hook->apply_filters, saml_checker, saml_acs, wp_update_user, wp_insert_user, do_action('profile_update'), WP_Hook->do_action, WP_Hook->apply_filters, ES_Trigger_User_Updated->handle_user_updated, ES_Workflow_Trigger->maybe_run, ES_Workflow->schedule, as_schedule_single_action, ActionScheduler_ActionFactory->single, ActionScheduler_ActionFactory->store, ActionScheduler_DBStore->save_action
    [08-Apr-2020 06:14:52 UTC] PHP Fatal error:  Uncaught RuntimeException: Error saving action: Incorrect table name '' in D:\home\site\wwwroot\wp-content\plugins\email-subscribers-premium\lite\includes\libraries\action-scheduler\classes\data-stores\ActionScheduler_DBStore.php:74
    Stack trace:
    #0 D:\home\site\wwwroot\wp-content\plugins\email-subscribers-premium\lite\includes\libraries\action-scheduler\classes\ActionScheduler_ActionFactory.php(177): ActionScheduler_DBStore->save_action(Object(ActionScheduler_Action))
    #1 D:\home\site\wwwroot\wp-content\plugins\email-subscribers-premium\lite\includes\libraries\action-scheduler\classes\ActionScheduler_ActionFactory.php(84): ActionScheduler_ActionFactory->store(Object(ActionScheduler_Action))
    #2 D:\home\site\wwwroot\wp-content\plugins\email-subscribers-premium\lite\includes\libraries\action-scheduler\functions.php(30): ActionScheduler_ActionFactory->single('ig_es_process_w...', Array, Object(DateTime), '')
    #3 D:\home\site\wwwroot\wp-content\plugins\email-subscribers-premium\lite\includes\workflows\class-es-workf in D:\home\site\wwwroot\wp-content\plugins\email-subscribers-premium\lite\includes\libraries\action-scheduler\classes\data-stores\ActionScheduler_DBStore.php on line 74

I don't see anything else. I have activated the logs as follows:

    /**
     * For developers: WordPress debugging mode.
     *
     * Change this to true to enable the display of notices during development.
     * It is strongly recommended that plugin and theme developers use WP_DEBUG
     * in their development environments.
     *
     * For information on other constants that can be used for debugging,
     * visit the Codex.
     *
     * @link https://codex.wordpress.org/Debugging_in_WordPress
     */
    // define('WP_DEBUG', false);
    define('WP_DEBUG', true);

    // Enable Debug logging to the /wp-content/debug.log file
    define('WP_DEBUG_LOG', true);

    // Disable display of errors and warnings
    define( 'WP_DEBUG_DISPLAY', false );
    @ini_set( 'display_errors', 0 );

    // Use dev versions of core JS and CSS files (only needed if you are modifying these core files)
    define( 'SCRIPT_DEBUG', true );

    // The constant defined as true causes each query to be saved, how long that query took to execute, and what function called it.
    // The array is stored in the global $wpdb->queries.
    // Performance impact. Use carefully.
    define('SAVEQUERIES', false);

What could be happening? Any ideas? If you need more information, ask for it.

Thank you very much!!!

Eduardo
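The AuthnRequest and Response above are bound to each other by several fields that an SP is supposed to compare before trusting the assertion: the Response's `InResponseTo` against the request `ID`, `Destination` and `Recipient` against the ACS URL, `Audience` against the SP entity ID, `Issuer` against the configured IdP entity ID, and the `NotBefore`/`NotOnOrAfter` window. The following script is an added example, not code from the wordpress-saml plugin or from the issue author: it performs exactly those checks on the issue's own Response, trimmed to the relevant elements, with the signature removed and the redacted hostnames replaced by constructed placeholders (`wp.example.com`, `idp.example.com`). Signature verification is deliberately left out; it is the library's job and this script is not a substitute for it. Two things worth noticing in the settings dump: the Response's `Issuer` is `http://.../adfs/services/trust` while `onelogin_saml_idp_entityid` is configured as `https://...`, and `onelogin_saml_advanced_settings_strict_mode` is unset. php-saml, which this plugin builds on, enforces the issuer, destination, audience and InResponseTo comparisons only in strict mode, so the scheme mismatch did not block this login, but it will the moment strict mode is turned on; the script flags it the same way.

```python
"""Added example, not from the wordpress-saml plugin or the issue author:
cross-check a SAML Response against the AuthnRequest it answers and the
SP/IdP settings (InResponseTo, Destination, Recipient, Audience, Issuer,
validity window). Signature verification is out of scope here. Hostnames
wp.example.com / idp.example.com are constructed placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Values the issue's AuthnRequest and plugin options define (hostnames constructed).
SETTINGS = {
    "request_id": "ONELOGIN_f87531100614825df3216b77e79d405391d6292e",
    "acs_url": "https://wp.example.com/wp-login.php?saml_acs",
    "sp_entity_id": "xxxxx-xxxxxxxxxxxxx-xxx",
    "idp_entity_id": "https://idp.example.com/adfs/services/trust",
}
# "Now" is injected so a captured response can be re-checked reproducibly.
NOW = datetime(2020, 4, 8, 6, 14, 52, tzinfo=timezone.utc)    # 1 s after IssueInstant
LATER = datetime(2020, 4, 8, 7, 30, tzinfo=timezone.utc)      # past both NotOnOrAfter values

# The issue's response, trimmed. Its Issuer is http:// while the configured
# IdP entity ID is https://, exactly as in the issue; the check flags that.
RESPONSE_XML = """<samlp:Response ID="_e1ddc659-904a-459c-9432-d6b113fa790d" Version="2.0"
    IssueInstant="2020-04-08T06:14:51.071Z"
    Destination="https://wp.example.com/wp-login.php?saml_acs"
    InResponseTo="ONELOGIN_f87531100614825df3216b77e79d405391d6292e"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.example.com/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion ID="_3b66e38a-cbd8-4f9d-93e5-081ebb9c34d7" Version="2.0"
      IssueInstant="2020-04-08T06:14:51.071Z" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://idp.example.com/adfs/services/trust</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">XXXXXXX</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="ONELOGIN_f87531100614825df3216b77e79d405391d6292e"
            NotOnOrAfter="2020-04-08T06:19:51.071Z"
            Recipient="https://wp.example.com/wp-login.php?saml_acs"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2020-04-08T06:14:51.071Z" NotOnOrAfter="2020-04-08T07:14:51.071Z">
      <AudienceRestriction><Audience>xxxxx-xxxxxxxxxxxxx-xxx</Audience></AudienceRestriction>
    </Conditions>
  </Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2020-04-08T06:19:51.071Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, settings, now):
    """Return the list of consistency problems; an empty list means the response
    is bound to our request, our ACS URL, our entity ID and the configured IdP."""
    problems = []
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion (encrypted assertions not handled here)"]
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        problems.append("status is not Success")
    # The response must answer the request this SP sent, delivered to this SP's ACS.
    if resp.get("InResponseTo") != settings["request_id"]:
        problems.append("Response InResponseTo does not match the AuthnRequest ID")
    if resp.get("Destination") != settings["acs_url"]:
        problems.append("Response Destination is not our ACS URL")
    # Both Issuer elements must equal the configured IdP entity ID exactly (scheme included).
    issuers = {e.text for e in (resp.find("saml:Issuer", NS),
                                assertion.find("saml:Issuer", NS)) if e is not None}
    for issuer in sorted(issuers - {settings["idp_entity_id"]}):
        problems.append(f"Issuer {issuer!r} != configured IdP entity ID")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if settings["sp_entity_id"] not in audiences:
        problems.append("our SP entity ID is not among the Audiences")
    # At least one bearer SubjectConfirmation must be tied to our request/ACS and still be live.
    ok_bearer = False
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") == BEARER and data is not None and (
                data.get("InResponseTo") == settings["request_id"]
                and data.get("Recipient") == settings["acs_url"]
                and data.get("NotOnOrAfter") and now < _ts(data.get("NotOnOrAfter"))):
            ok_bearer = True
    if not ok_bearer:
        problems.append("no valid bearer SubjectConfirmation (InResponseTo/Recipient/NotOnOrAfter)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        problems.append("assertion not yet valid (NotBefore)")
    if cond is not None and cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired (NotOnOrAfter)")
    return problems


if __name__ == "__main__":
    for problem in check_response(RESPONSE_XML, SETTINGS, NOW) or ["no problems found"]:
        print(problem)
```

Run as-is it reports the single Issuer mismatch; with `idp_entity_id` set to the `http://` value it reports nothing, and re-running with `LATER` as the clock reports both the expired `Conditions` and the dead bearer confirmation. The same fields are what a replayed or cross-SP assertion would fail on, which is why enabling strict mode (after fixing the entity ID) is the practical follow-up to this thread.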

pitbulk commented 4 years ago

The error

    [08-Apr-2020 06:14:52 UTC] PHP Fatal error:  Uncaught RuntimeException: Error saving action: Incorrect table name '' in D:\home\site\wwwroot\wp-content\plugins\email-subscribers-premium\lite\includes\libraries\action-scheduler\classes\data-stores\ActionScheduler_DBStore.php:74

seems unrelated to the SAML extension.

If there is no error in the PHP error log, you should debug deeper, maybe with Xdebug, or by adding something like this to the code to figure out whether the error is raised on the saml_acs page:

    echo "it arrives here";
    exit();

That said, you should not access the saml_acs page directly, since that page expects a `$_POST['SAMLResponse']` param.

egvinaspre commented 4 years ago

Thank you very much for your response.

I deactivated the plugin that is referenced in the log (email-subscribers-premium) and the login is working again.

I already suspected that the problem wasn't in the SAML plugin, because the SAML request and response were correct.

Thank you very much for your advice. Sharing problems always helps to resolve them.

I am closing the issue myself. Thank you again.