• Hi

    We were not able to log in via SAML anymore. We checked the source and found that the SAML request contained instructions that lead to failure:

    <samlp:RequestedAuthnContext $authnComparisonAttr>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>

    PasswordProtectedTransport

    As soon as we replaced it with “unspecified”, it worked:

    <samlp:RequestedAuthnContext $authnComparisonAttr>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>

    Can you please ensure that the code makes the right requests? I understand from my IT colleague that the IdP provides the instructions for the context, and we should set “unspecified” so that the IdP's instructions succeed.

    File: wp-saml-auth\vendor\onelogin\php-saml\src\Saml2\AuthnRequest.php

    Line: 136

    Thanks

Viewing 15 replies - 1 through 15 (of 16 total)
  • This worked for me as well! Microsoft Entra was giving me this error:

    AADSTS75011: Authentication method ‘MultiFactor, Fido’ by which the user authenticated with the service doesn’t match requested authentication method ‘Password, ProtectedTransport’. Contact the WordPress SSO (tekfused.com) application owner.

    Error – AADSTS75011 Authentication method by which the user authenticated with the service doesn’t match requested authentication method AuthnContextClassRef. | Microsoft Learn

    RequestedAuthnContext is an optional value. If possible, ask the application if the value could be removed.

    This would be great if this was fixed in the core plugin.
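Added example (editorial, not code from this thread, from wp-saml-auth or from php-saml): a small Python script that decodes the SAMLRequest value the SP sends to the IdP and reports what its RequestedAuthnContext demands. It is the check behind both the first post and the AADSTS75011 message above: with Comparison="exact" (the SAML 2.0 default when the attribute is absent) the IdP must report exactly the listed class, so a FIDO or MFA sign-in at Entra cannot satisfy a request for PasswordProtectedTransport, whereas an AuthnRequest with no RequestedAuthnContext at all leaves the choice to the IdP. The same script confirms, once the SP is configured to omit the element, that it is really gone from the request. The sample requests, the sp.example URLs and the function names are constructed for the demo; paste a real SAMLRequest value into inspect_saml_request() to check your own site.

```python
"""
Inspect the RequestedAuthnContext carried by a SAML 2.0 AuthnRequest.

Added example: not code from the forum thread, wp-saml-auth or php-saml.
All sample requests below are constructed inline so the script runs offline.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"


def decode_saml_request(param: str) -> str:
    """Decode a SAMLRequest parameter from either SAML binding.

    HTTP-Redirect: URL-encoded base64 of a raw DEFLATE stream (no zlib header).
    HTTP-POST: plain base64 of the XML itself (inflating it fails, so fall back).
    """
    raw = base64.b64decode(unquote(param))
    try:
        return zlib.decompress(raw, -15).decode("utf-8")  # Redirect binding
    except zlib.error:
        return raw.decode("utf-8")                        # POST binding


def requested_authn_context(xml_text: str):
    """Return (comparison, [class refs]) or None when the element is absent.

    Comparison defaults to "exact" per SAML 2.0 Core when the attribute is
    missing: the IdP must then report exactly one of the listed classes.
    """
    root = ET.fromstring(xml_text)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None
    refs = [(e.text or "").strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return rac.get("Comparison", "exact"), refs


def inspect_saml_request(param: str):
    """One-call check for a captured SAMLRequest value."""
    return requested_authn_context(decode_saml_request(param))


# --- helpers that build constructed test input (what an SP would send) ---

def build_authn_request(class_refs=None, comparison="exact") -> str:
    """Constructed minimal AuthnRequest; class_refs=None omits RequestedAuthnContext."""
    rac = ""
    if class_refs is not None:
        refs = "".join(
            f"<saml:AuthnContextClassRef>{AC_PREFIX}{c}</saml:AuthnContextClassRef>"
            for c in class_refs
        )
        rac = (f'<samlp:RequestedAuthnContext Comparison="{comparison}">'
               f"{refs}</samlp:RequestedAuthnContext>")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        'AssertionConsumerServiceURL="https://sp.example/wp-login.php">'
        "<saml:Issuer>https://sp.example/metadata</saml:Issuer>"
        f"{rac}</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml_text: str) -> str:
    """Raw DEFLATE + base64, as the HTTP-Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def encode_post_binding(xml_text: str) -> str:
    """Plain base64, as the HTTP-POST binding requires."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    cases = {
        "PasswordProtectedTransport (as shipped)": ["PasswordProtectedTransport"],
        "patched to 'unspecified'": ["unspecified"],
        "requestedAuthnContext => false": None,
    }
    for label, refs in cases.items():
        param = encode_redirect_binding(build_authn_request(refs))
        print(f"{label:42s} -> {inspect_saml_request(param)}")
```

To check a live site, copy the SAMLRequest query parameter from the redirect to the IdP (or the hidden form field if the SP uses the POST binding) and pass it to inspect_saml_request(); a result of None means the request no longer constrains the authentication method, which is the state Microsoft's note above asks for.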

    Thread Starter Cars10

    (@shonu)

    I'd like to hear from the author on this. So far, silence. Why?

    Plugin Support Scott Buscemi

    (@swb1192)

    Thanks for the report. We’re working on getting this some much-needed attention soon.

    In the interim, we’ve had reports that this patch resolves the issue: https://github.com/pantheon-systems/wp-saml-auth/pull/351/files

    Thread Starter Cars10

    (@shonu)

    Thanks, I see this works too; however, the code is formatted differently, as a JSON-like array:

            'security'      => [
                'requestedAuthnContext'    => false,
            ],

    Any upcoming update will overwrite our code fixes, so please at least provide a simple fix with an option for this flag and a reference to this ticket until you have a final fix, so that updates don't break SAML.

    Plugin Contributor Anais Pantheor

    (@anaispantheor)

    Hi @shonu, @tekfused, the new release is addressing this issue as mentioned above.
    Let us know if this improves your experience with the plugin.

    Thread Starter Cars10

    (@shonu)

    I installed 2.3.0 over the old one and this still happens:

    AADSTS75011: Authentication method ‘X509, MultiFactor, X509Device’ by which the user authenticated with the service doesn’t match requested authentication method ‘Password, ProtectedTransport’. Contact the Sites SAML SSO application owner.

    Was I supposed to change any setting?

    I re-added my patch to AuthnRequest.php. Frustrating.

    Plugin Contributor Anais Pantheor

    (@anaispantheor)

    Hi @shonu, the plugin update may have overwritten your configuration.
    If the change was made directly in /wp-saml-auth.php, then the above configuration got updated.
    You definitely need to double-check your existing configuration, wherever it was updated, that: 'connection_type' => 'internal'
    If not, please update.

    Also, please check your requestedAuthnContext filter; it should look like this:

    add_filter( 'wp_saml_auth_internal_config', function( $config ) {
        $config['security']['requestedAuthnContext'] = false;
        return $config;
    } );

    The fix mentioned above should resolve the requestedAuthnContext issue overall.

    Let us know how it goes.


    Thread Starter Cars10

    (@shonu)

    function wpsa_filter_option( $value, $option_name ) {
    $defaults = [
    /**
    * Type of SAML connection bridge to use.
    *
    * 'internal' uses OneLogin bundled library; 'simplesamlphp' uses SimpleSAMLphp.
    *
    * Defaults to SimpleSAMLphp for backwards compatibility.
    *
    * @param string
    */
    'connection_type' => 'simplesamlphp',
    /**

    The above is currently set. I was not sure what value I should have. I expected that the code would work as delivered after the update.

    The second part: do you mean I need to write my own filter in a custom plugin? I am not sure I have this yet, but I can add a custom plugin for this.

    So, my current take is that a fresh installation will not work; I still need to make some bespoke changes in the plugin plus a custom plugin, which get overridden every time your plugin updates. Ideally, I could control all this via admin options in your plugin... a UI.

    Plugin Contributor Anais Pantheor

    (@anaispantheor)

    Hi @shonu,
    The functions wpsa_filter_option and wp_saml_auth_internal_config should be added to a custom mu-plugin (must-use plugin) to prevent them from being overwritten during updates. Alternatively, you can add these filters to your theme’s functions.php file, though they would also be at risk of being overwritten if the theme updates. While they could be added directly to our plugin files, they would be lost during our next plugin update.

    The connection type is a matter of preference:

    • OneLogin: This library is bundled with the plugin, configured via WordPress filters or the Settings page. This is the recommended one.
    • SimpleSAMLphp: Requires a separate Composer installation and manual configuration files.

    In your case, the RequestAuth issue can be resolved by adding the wp_saml_auth_internal_config filter to a mu-plugin (or similar). Just ensure it loads before our plugin to take full effect. This filter only works when connection_type is set to ‘internal’.

    I apologize for any confusion, and I hope I’m not over-explaining or missing your point. We have updated the README to clarify these configuration steps. If you have any further questions, please let us know!

    Example: Create /wp-content/mu-plugins/wp-saml-auth-config.php with:

    <?php
    // Set connection type to internal (bundled OneLogin library)
    add_filter( 'wp_saml_auth_option', function( $value, $option_name ) {
    if ( 'connection_type' === $option_name ) {
    return 'internal';
    }
    return $value;
    }, 10, 2 );

    // Fix Azure AD requestedAuthnContext issue
    add_filter( 'wp_saml_auth_internal_config', function( $config ) {
    $config['security']['requestedAuthnContext'] = false;
    return $config;
    } );

    Thread Starter Cars10

    (@shonu)

    If I use your example code (I will need to debug), I get:

    Fatal error: Uncaught OneLogin\Saml2\Error: Invalid array settings: idp_entityId_not_found, idp_sso_not_found, idp_cert_or_fingerprint_not_found_and_required in /home/siteseumetsat/public_html/wp-content/plugins/wp-saml-auth/vendor/onelogin/php-saml/src/Saml2/Settings.php:139
    Stack trace:
    #0 /home/siteseumetsat/public_html/wp-content/plugins/wp-saml-auth/vendor/onelogin/php-saml/src/Saml2/Auth.php(176): OneLogin\Saml2\Settings->__construct(Array, false)
    #1 /home/siteseumetsat/public_html/wp-content/plugins/wp-saml-auth/inc/class-wp-saml-auth.php(99): OneLogin\Saml2\Auth->__construct(Array)
    #2 /home/siteseumetsat/public_html/wp-content/plugins/wp-saml-auth/inc/class-wp-saml-auth.php(73): WP_SAML_Auth->set_provider()
    #3 /home/siteseumetsat/public_html/wp-content/plugins/wp-saml-auth/inc/class-wp-saml-auth.php(336): WP_SAML_Auth->get_provider()
    #4 /home/siteseumetsat/public_html/wp-content/plugins/wp-saml-auth/inc/class-wp-saml-auth.php(307): WP_SAML_Auth->do_saml_authentication()
    #5 /home/siteseumetsat/public_html/wp-includes/class-wp-hook.php(341): WP_SAML_Auth->filter_authenticate(Object(WP_Error), '', '')
    #6 /home/siteseumetsat/public_html/wp-includes/plugin.php(205): WP_Hook->apply_filters(Object(WP_Error), Array)
    #7 /home/siteseumetsat/public_html/wp-includes/pluggable.php(702): apply_filters('authenticate', NULL, '', '')
    #8 /home/siteseumetsat/public_html/wp-includes/user.php(109): wp_authenticate('', Object(SensitiveParameterValue))
    #9 /home/siteseumetsat/public_html/wp-login.php(1323): wp_signon(Array, true)
    #10 {main}
    thrown in /home/siteseumetsat/public_html/wp-content/plugins/wp-saml-auth/vendor/onelogin/php-saml/src/Saml2/Settings.php on line 139
    Plugin Contributor Anais Pantheor

    (@anaispantheor)

    Hi @shonu, it looks like you have missing values in your configuration:
    idp_entityId_not_found
    idp_sso_not_found
    idp_cert_or_fingerprint_not_found

    Were they setup along with the other values?

    Thread Starter Cars10

    (@shonu)

    I will investigate tomorrow at work... but... our SSO DOES work... with the IdP settings, but only as long as my hack is in place. I think it is some code error in the filter or the way settings are replaced.

    Maybe I'll set up a separate site and test carefully there, as I cannot kill our users' auth all the time, even if just for a few minutes. It is a LIVE system!

    thanks

    Thread Starter Cars10

    (@shonu)

    Entity Id (Required): urn:sites.e…….. –> SET!

    Single SignOn Service URL (Required): https://login.microsoft …..–> SET!

    x509 Certificate Path: ABSPATH/wp-admin/cer/Sites_SAML_SSO.cer –> SET!

    So, what is missing? I am sure PHP had an issue with all the settings due to a code mismatch/incompatibility.

    Thread Starter Cars10

    (@shonu)

    // Set connection type to internal (bundled OneLogin library)
    add_filter( 'wp_saml_auth_option', function( $value, $option_name ) {
        if ( 'connection_type' === $option_name ) {
            return 'internal';
        }
        return $value;
    }, 10, 2 );

    // Fix Azure AD requestedAuthnContext issue
    add_filter( 'wp_saml_auth_internal_config', function( $config ) {
        $config['security']['requestedAuthnContext'] = false;
        return $config;
    } );

    (This block editor here drives me nuts: it replaced the straight quotes with curly ones.)

    Thread Starter Cars10

    (@shonu)

    // Disabled with if ( 0 ): this filter is what broke the IdP settings
    if ( 0 ) add_filter( 'wp_saml_auth_option', function( $value, $option_name ) {
        if ( 'connection_type' === $option_name ) {
            return 'internal';
        }
        return $value;
    }, 10, 2 );

    This had to be deactivated; then it worked with the other filter... damn.
