Related to internal ticket 142154

User found the issue with simpleSAMLphp on WP Site Networks has conflicts in their naming convention for their url structure with the Site Network rewrites (the issue at hand from Pantheon's documentation concerning Shibboleth-SSO).

Does not work:
https://example.com/simplesaml/module.php/core/frontpage_welcome.php

DOES work:
https://example.com/simplesaml/module.php/core/frontpage_welcome.php/

Analysis:
The default WordPress Rewrite Rules are looking for urls that end with .php albeit to prevent odd directory access for php files directly.

User modified the code on the Simplesaml library, however that is not ideal as a workaround.

OneLogin is also not ideal, as the bindings for the different methods are strictly only HTTP-Redirect of which the authentication expects otherwise.

Possible Solution:
Is there any way that any URL ending with .php under /simplesaml/ can be excused by that catch-all rule configured on NGINX? This would resolve the multisite issue with SimpleSAMLPHP. SOME directories under simplesaml worked just fine. Anything ending in .php (even though its not a directory to a direct php file, its the way the urls are parsed by simplesamlphp's library).

See this conversation for detailed information.

TL;DR : in non-apache servers,$_SERVER['REQUEST_URI'] contains both path components and arguments which causes the test at line 271 (in class-wp-saml-auth.php) to always evaluate to true. In this scenario a user is then returned to the login page after successfully authenticating, instead of the dashboard.

Pull request submitted #145

See README.md for usage: https://github.com/danielbachhuber/composer-lock-updater#composer-lock-updater

Heya,

Usually an IDP will offer a metadata link to their xml containing all the configuration parameters for a SAML library to use for quick configuration and incase something changes at the IDP level, it doesn't have to manually updated to the SPs.

I think it'd be a great idea to have the plugin take a metadata url and keep a copy locally that is refreshed every so often.

I'm thinking, a reference implementation could be the Moodle WP saml plugin

great library btw 👍

Hey there, not sure if this is a bug or a configuration problem, but...

I have the plugin configured to hit my Idp's (Keycloak) IDP initiated login URL:
https://example.com/auth/realms/master/protocol/saml/clients/wordpress

That redirect works as expected, but there is a URL mismatch:

Destination in response doesn't match the current URL. Destination is "https://example.com/wp/wp-admin", current URL is "https://example.com/wp".

This sorta makes sense because the Wordpress root is https://example.com/wp, but the homepage is at https://example.com/. I can simply tell Keycloak to use https://example.com/wp as the base URL and the error goes away, but then no login actually takes place.

Any ideas?

mcrypt is deprecated in PHP 7.1

Creating this issue to track the resolution of SAML-Toolkits/php-saml#255

You really ought to consider group to role mapping, and have the ability to deny access if no match was found.

Just because one have been authenticated (and got valid SAML ticket) does not mean you should automatically be granted access.

Looking at the ability to utilizing https://github.com/onelogin/php-saml/blob/master/lib/Saml2/Auth.php#L348

Perhaps a simple apply_filters() on https://github.com/pantheon-systems/wp-saml-auth/blob/master/inc/class-wp-saml-auth.php#L242 where we can override the method?

This is associated with #66

Heya,
What I'm trying to figure out is, lets say SAML gives back an array of roles and I'd like to map those roles to Wordpress roles, there doesn't seem to be a way of doing that currently.

For example:

public_user => subscriber
random_user => subscriber
admin_user => administrator
upgraded_user => administrator

I see there is a wp_saml_auth_pre_authentication filter, but it only lets us change whether the signup process continues or not

I suggest adding a facility where you can add a mapping object and use that during the creation of the user. I'm thinking, here passing a function that gives us the attributes before inserting, and we can add roles

        'last_name_attribute' => 'last_name',
        /**
         * Default WordPress role to grant when provisioning new users.
         *
         * @param string
         */
        'default_role'           => get_option( 'default_role' ),
    );
    $value = isset( $defaults[ $option_name ] ) ? $defaults[ $option_name ] : $value;
    return $value;

Perhaps, adding a filter before the user gets added with the attributes and user object available?

But it does work when installed to ~/code/simplesaml

See f71194d

Who knows why? I don't know why.

Currently the plugin has dependencies that require it to use the deprecated

onelogin/php-saml 2.10.7 requires ext-mcrypt * -> the requested PHP extension mcrypt is missing from your system

But mcrypt is deprecated:
http://php.net/manual/en/migration71.deprecated.php

and is replaced by: https://wiki.php.net/rfc/libsodium

It now appears that #29 was caused by a regression in SimpleSAMLphp. I think we should consider switching our tests to use whatever are the latest commits in SimpleSAMLphp rather than a fixed release. Doing so can allow us to catch regressions as soon as they happen.

Over in https://github.com/pantheon-systems/search_api_pantheon I use the HEAD of Search API modules for this reason.

After authenticating from a direct link of /wp-login.php, I am redirected back to /wp-login.php rather than /wp-admin.

As a WP SAML Auth user, I expect the post-authentication redirect behavior to mimic that of the WordPress login whereby a user who authenticates through a direct link of /wp-login.php will be redirected to /wp-admin after a successful authentication.

Consider adding a default value of /wp-admin for the redirect_to query parameter : https://github.com/pantheon-systems/wp-saml-auth/blob/master/inc/class-wp-saml-auth.php#L161

Thanks!

filter_authenticate() is our workhorse for interpreting responses from SimpleSAMLphp. We can mock SimpleSAML_Auth_Simple and write test coverage around how we handle the varying scenarios.

From #1

Currently, if no data are passed to the plugin (entityID, signonURL, key) it fails, throwing an error.
This should be handled and not give an error, just ignore the plugin.

Let's get it out the door!

• Do a pass through the readme.txt to make sure everything is solid.
• Tag the release on Github
• Tag the release on WordPress.org

Hello,

I have a WordPress site hosted on Pantheon, with SimpleSAML configured. SimpleSAML is working properly when I test it directly through the web interface.

I've installed and configured this plugin, including adjusting the path to point to the recommended SimpleSAML installation path (/code/private/simplesaml-1.xx.xx). However when I click to log in using it, I get the following error:

Fatal error: Uncaught PDOException: SQLSTATE[HY000] [2002] No such file or directory in /srv/bindings/43da63f89af94719b907b0f2e2974440/code/private/simplesamlphp-1.14.11/lib/SimpleSAML/Store/SQL.php:54 Stack trace: #0 /srv/bindings/43da63f89af94719b907b0f2e2974440/code/private/simplesamlphp-1.14.11/lib/SimpleSAML/Store/SQL.php(54): PDO->__construct('mysql:host=;por...', NULL, NULL) #1 /srv/bindings/43da63f89af94719b907b0f2e2974440/code/private/simplesamlphp-1.14.11/lib/SimpleSAML/Store.php(49): SimpleSAML_Store_SQL->__construct() #2 /srv/bindings/43da63f89af94719b907b0f2e2974440/code/private/simplesamlphp-1.14.11/lib/SimpleSAML/SessionHandler.php(121): SimpleSAML_Store::getInstance() #3 /srv/bindings/43da63f89af94719b907b0f2e2974440/code/private/simplesamlphp-1.14.11/lib/SimpleSAML/SessionHandler.php(39): SimpleSAML_SessionHandler::createSessionHandler() #4 /srv/bindings/43da63f89af94719b907b0f2e2974440/code/private/simplesamlphp-1.14.11/lib/SimpleSAML/Session.php(148): SimpleSAML_SessionHandler::getSessionHandler() #5 /s in /srv/bindings/43da63f89af94719b907b0f2e2974440/code/private/simplesamlphp-1.14.11/lib/SimpleSAML/Store/SQL.php on line 54

I also installed and enabled Native PHP Sessions for WordPress. Interestingly, when I add this line to my www/_include.php file

require_once dirname( dirname( dirname( dirname( __FILE__ ) ) ) ). '/wp-load.php';

I receive the above error trying to simply view my site.

Out of curiosity I tried setting the SimpleSAML store to phpsession, which fixed this error and allowed me to login, but attempted to redirect me back to port 18319 which I assume means some unrelated issue with trying to use phpsession.

Thank you!

In a multi web node environment, we should make sessions are persistent across those nodes.

See https://github.com/pantheon-systems/wp-native-php-sessions

It does't sound like this plugin supports deep links (i.e redirecting to the original requested page upon login).

We're using this plugin on a intranet site, and users must be logged in to view the site (it's under Restricted Site Access). The default behavior of the plugin is to just redirect user to home page, no matter what the url it is trying to access. By looking at the plugin code I didn't found a way to make deeps link works without modifying its code. Would you be open for a PR to add support for it? I already have this working on a fork of this plugin, basically this is what I'm doing:

$redirect_to = filter_input( INPUT_GET, 'redirect_to', FILTER_SANITIZE_URL );
			
if ( ! $redirect_to ) {
    $redirect_to = '/'
}

$this->provider->requireAuth(
	array(
	   'ReturnTo' => add_query_arg( array( 'redirect_to' => rawurlencode( $redirect_to ), $_SERVER['REQUEST_URI'] ) ),
	)
);

redirect_to is being forward to the plugin action's url if one is being set on wp-login.php.

If a user was created through the SAML IDP, we may want to consider having a feature where user editing is disabled for SAML-provisioned users.

Similarly, we may want to update the details for a SAML-provisioned user each time they log in through their IDP.

Hello again,

When attempting to use this plugin, after authentication we were being redirected to port 18319. Looking at the code in class-wp-saml-auth.php we noticed line 132 was

$this->provider->requireAuth();

However in the Github repository it was

$this->provider->requireAuth( array( 'ReturnTo' => $_SERVER['REQUEST_URI'] ) );

Updating the code to that version fixed our issue, so it just seems like the WordPress code repository might need that same update.

I understand there is the cli option for configuring the plugin but I think the provision of the UI to edit the config/filters would enhance the usability of this module especially for saml admins not familiar with wordpress but required to enable the feature

After the fix for https://core.trac.wordpress.org/ticket/39367 is released, we need to revert 5beee9b

From #48

Test it and document it?

Follow the pattern in lcache/wp-lcache#110

@tessak22 and I are going to work on this at Agency Office Hours on Wednesday: https://pantheon.io/agencies/office-hours

I am using wp-saml-auth 0.3.8 and SimpleSAMLphp 1.15.4. When I run WP CLI commands, I see the warning in the title:

$ wp saml-auth scaffold-config
Mar 29 17:13:43 simplesamlphp WARNING [CLa66b21b6] The class or interface 'SimpleSAML_Auth_Simple' is now using namespaces, please use 'SimpleSAML\Auth\Simple'.
...

#118

Currently the .gitignore has the following line:
/vendor/
in it, making it ignore the autoload files that are autogenerated via composer update.
But this means that the plugin cannot be installed via composer (without adding an extra step of running composer update on the plugin directory itself).
This makes automatic deployment of the plugin more complicated.
I believe the solution would be to replace it with:

vendor/*
!vendor/composer
!vendor/autoload.php

(haven't tested it though)

When you setup google as SAML provider, google provides the 3 of the required info (entityID, signOnUrl, key) but does not provide the fourth (signOffUrl). If you try to setup the plugin (on the "internal" method) without the signOff url, you get an error when you logout.

This issue is similar to #62.

I am using WP SAML Auth 0.3.5 and simpleSAMLphp library. I have following configuration overrides:

  if ( 'simplesamlphp_autoload' === $option ) {
    $value = ABSPATH . '/private/simplesamlphp/lib/_autoload.php';
  }
  if ( 'display_name_attribute' === $option ) {
    $value = 'displayName';
  }
  if ( 'first_name_attribute' === $option ) {
    $value = 'givenName';
  }
  if ( 'last_name_attribute' === $option ) {
    $value = 'sn';
  }
  if ( 'permit_wp_login' === $option ) {
    $value = false;
  }
  if ( 'get_user_by' === $option ) {
    $value = 'login';
  }

When permit_wp_login is turned off (false) following issue occurs.

Steps to reproduce it:

1. Go to /wp-admin
2. Log in using SAML
3. You are redirected to https://<sitedomain>/wp-login.php?redirect_to=https%3A%2F%2F<sitedomain>%2Fwp-admin%2F&reauth=1 and following is shown:

If you remove &reauth=1 from the URL in the browser and hit enter. You are successfully logged in.

I recently upgraded the PHP version to 7.3 and this caused login via wp-saml-auth to fail. This was caused by the robrichards/xmlseclibs library required by onelogin/php-saml.

onelogin v3.1.1 includes version 3.0.3 of xmlseclibs which added PHP 7.3 support.
https://github.com/robrichards/xmlseclibs/releases/tag/3.0.3
https://github.com/onelogin/php-saml/releases/tag/3.1.1

Is the Google Apps setup outlined here: https://pantheon.io/docs/wordpress-google-sso/ in addition to or in lieu of the default setup outlined here: https://wordpress.org/plugins/wp-saml-auth/#installation ?

I am seeing an error when trying to configure with the Google Apps setup here: https://pantheon.io/docs/wordpress-google-sso/ the error reads Fatal error: Uncaught ArgumentCountError: Too few arguments to function {closure}(), 1 passed and exactly 2 expected

My configuration is as follows:

add_filter( 'wp_saml_auth_option', function( $value, $option_name ) {
  // Use the OneLogin bundled library to connect to Google Apps
  if ( 'connection_type' === $option_name ) {
    return 'internal';
  }

  // Configuration details OneLogin uses to connect to Google Apps
  if ( 'internal_config' === $option_name ) {
    // ID for the service provider (e.g. your WordPress site)
    $value['sp']['entityId'] = 'urn:saml.sandbox.dev';
    // URL that Google Apps will redirect back to after authenticating.
    $value['sp']['assertionConsumerService']['url'] = 'https://saml.sandbox.dev';
    // ID provided for the Google Apps account.
    // 'abc123' will be something specific to your account.
    $value['idp']['entityId'] = 'https://accounts.google.com/o/saml2?idpid=t92lkw3o1';
    // URL that WordPress will redirect to for authentication.
    // 'abc123' will be a unique value specific to your account.
    $value['idp']['singleSignOnService']['url'] = 'https://accounts.google.com/o/saml2/idp?idpid=t92lkw3o1';
    // x509 certificate provided by Google Apps
    // Make sure to keep the file_get_contents because the entire certificate needs to be read into memory.
    $value['idp']['x509cert'] = file_get_contents( ABSPATH . 'wp-content/themes/renegade/private/GoogleIDPCertificate-wp-saml-auth.dev.pem' );
    return $value;
  }

  return $value;
});

Thank you for your help

First some background

1. WP site Running on Pantheon
2. SimpleSAMLphp installed in ~/code/private/simplesamlphp-x.y.z/
   with a symlink in ~/code/simplesaml/ pointing to ~/code/private/simplesamlphp-x.y.z/www
3. WP SAML Auth plugin and WP Native PHP installed (in ~/code/wp-content/plugins/) and active
4. Tiny custom plugin for configuring WP SAML Auth installed in ~/code/wp-content/mu-plugins/wp-saml-auth-config.php

Here's what happens

1. Visit /wp-login.php
2. Click the "one-click authentication" "Sign In" button
   ( goes to /wp-login.php?action=simplesamlphp)
3. SimpleSAMLphp kicks in and sends me off to our organization's SSO system,
   and here's the problem: when SSP redirects to our IdP, the URL it includes in the RelayState parameter, the URL to come back to, is something like:
   https://sitename.pantheonsite.io//srv/bindings/<biglongstring>/code/wp-login.php?action=simplesamlphp
4. So I log into our SSO, and get redirected back to that URL, and get a 404.

I followed the SSP code, starting with SimpleSAML_Auth_Simple::requireAuth (called from do-saml-authentication() in class-wp-saml-auth.php). Because no return URL is specified when calling requireAuth, SSP tries to figure out the return URL .. and it eventually calls \SimpleSAML\Utils\HTTP::getSelfURL() which is what returns the problematic /srv/bindings/.... URL.

My fix was to have WP SAML Auth specify a ReturnTo URL when calling requireAuth (PR coming soon). It works for me, but I'd like to try to run it through the tests too.

OneLogin has a Simple SAML toolkit for PHP, which looks robust. We may be able to package this directly with the plugin, instead of requiring SimpleSAMLphp to be installed separately.

Kinda new to SimpleSAMLPHP but I got everything working, however when WP redirects to SimpleSAMLPHP it shows this page, even though I only have 1 SP configured and I want to force WP to use ONLY that IDP, is there a way to specify this?

From the docs it says you can specify the IDP to use in the code that calls SimpleSAMLPHP but I can't seem to figure out how to do that using this plugin

https://simplesamlphp.org/docs/stable/simplesamlphp-sp

Relevant part:

Example code:

We start off with loading a file which registers the SimpleSAMLphp classes with the autoloader.

require_once('../../lib/_autoload.php');

We select our authentication source:

$as = new SimpleSAML_Auth_Simple('default-sp');

We then require authentication:

$as->requireAuth();

And print the attributes:

$attributes = $as->getAttributes();
print_r($attributes);

Each attribute name can be used as an index into $attributes to obtain the value. Every attribute value is an array - a single-valued attribute is an array of a single element.

We can also request authentication with a specific IdP:

$as->login(array(
'saml:idp' => 'https://idp.example.org/',
));

Currently blocked by pantheon-systems/terminus#1219

When a user logs out of WordPress, they should also be logged out of SimpleSAMLphp

For the next time I need to set this up locally:

$ cat ~/projects/wp-saml-auth/LocalValetDriver.php
<?php

class LocalValetDriver extends BasicValetDriver
{
    /**
     * Determine if the driver serves the request.
     *
     * @param  string  $sitePath
     * @param  string  $siteName
     * @param  string  $uri
     * @return bool
     */
    public function serves($sitePath, $siteName, $uri)
    {
        return 0 === stripos( $uri, '/simplesaml/' );
    }

    /**
     * Get the fully resolved path to the application's front controller.
     *
     * @param  string  $sitePath
     * @param  string  $siteName
     * @param  string  $uri
     * @return string
     */
    public function frontControllerPath($sitePath, $siteName, $uri)
    {
        $_SERVER['PHP_SELF']    = $uri;
        $_SERVER['SERVER_ADDR'] = '127.0.0.1';
        $_SERVER['SERVER_NAME'] = $_SERVER['HTTP_HOST'];
        preg_match( '#(^/simplesaml/[^\.]+\.php)(.+)#', $uri, $matches );
        $_SERVER['PATH_INFO'] = $matches[2];
        return $sitePath . $matches[1];
    }

}

Only applies for URIs with /simplesaml/; otherwise falls back to WordPressValetDriver

Can you add this repo to Packagist so we can use the version here rather than wp.org to use features like 8c4641b

Thanks, so much

Both the bundled OneLogin SAML library and this plugin require an array of settings. There's some overlap between these two settings arrays — it looks like this plugin's $defaults['internal_config'] array that you set in your WP filter function matches up with the OneLogin $settings array here.

Is there a recommendation/best practice for how to set these up in order to only define your internal config in one place?

Without the OneLogin settings file in place, we hit a fatal error from wp-content/plugins/wp-saml-auth/vendor/onelogin/php-saml/endpoints/metadata.php when attempting to view published metadata from that endpoint.

Thanks!

I am running into an issue after clicking the one-click authentication, I am redirected back to my site /wp-login.php path but with a 502 error and I am not logged in.

In SAML Chrome panel I see:

<saml2:AttributeStatement>
            <saml2:Attribute Name="first_name">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">Firstname</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="last_name">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">Lastname</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="user_login">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="user_email">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
        <saml2:AuthnStatement AuthnInstant="2019-05-12T13:17:00.000Z"
            SessionIndex=“_839f029qhd92h0j0j9hd83hd9”>
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>

Just like WP Redis (pantheon-systems/wp-redis@11f4632), we should make sure there's documentation on how the tests work.

For the "internal" method, currently to install the plugin you need to do code changes (to pass the required data).
This presents various problems:

• You cannot deploy using publicly open repositories (because then you would expose the entityID, signonURL etc to the public).
• You cannot deploy multipe environments with the same code

Solution would be to have that data pass from the administration (settings of the plugin).

The last successful build was https://circleci.com/gh/pantheon-systems/wp-saml-auth/470

The first failed build was https://circleci.com/gh/pantheon-systems/wp-saml-auth/471

This timeout seems to correlate with the release of SimpleSAMLphp 1.14.13 https://github.com/simplesamlphp/simplesamlphp/releases/tag/v1.14.13

Does this plugin support IdP-First authentication?

If so, what would the Assertion Consumer Service URL be that the IdP would post login requests to?

WordPress version: 4.9.4
wp-saml-auth version: 0.3.7
PHP version: 7.0

I am using the wp-saml-auth plugin in order to protect content on my site from non-authenticated users.

After updating the plugin to version 0.3.7 I am having issues with the redirection after authenticating:

• A user is prompted to login to view content on a page. This is the structure of the link I use to send the user to the login page: /wp-login.php?redirect_to=https://some-example-redirect-url
• When on the login page a user can click the "Sign In" button, and the user can authenticate with the IdP.
• Once authenticated, however, the user is sent back to the login page (/wp-login.php?redirect_to=https://some-example-redirect-url) . I expect the user to be sent to the redirect url (https://some-example-redirect-url)
• If the user clicks the "Sign In" button on the login page again, it is only then that the user will be redirected to the page from where they were originally prompted to log in (i.e. the redirect_to query var value).

I noticed this issue is resolved if I fallback to version 0.3.6 of the wp-saml-auth plugin.

Because we're creating new users, we should make sure this plugin works as expected on multisite.

I've installed the plugin and its detected my simplesaml setup. My question is whether its possible to customise the login details to change "Use one-click authentication" to something else?

Hi guys,
When I change "permit_wp_login" => false, I have redirected to my idp login page, have success login but after them I cant login to wp-admin, all time I redirected to
"wp-login.php?redirect_to=https%3A%2F%2Fblog_name%2Fwp-admin%2F&reauth=1"
When I set permit_wp_login => true and iniciate saml login by click on button - all works fine...can you please help?