Support » Plugin: WP SAML Auth » reauth=1

  • Hi,

    I configured a plugin to make authorization via simplesaml, but at the last redirect I land at the URL containing reauth=1 at the end. When I truncate the URL up to https://mysite.com/wp-login.php, I’m redirected to admin console.
    This issue happens only when permit_wp_login is set to false, otherwise after successful authentication via SAML I get directly to admin console.

    I’ve already tried deleting cookies, session_tokens, changing salt – but it didn’t help to solve the problem.

    What could be the issue?

    Thank you!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    @drazumovskiy I think you’re experiencing this issue: https://github.com/pantheon-systems/wp-saml-auth/issues/62

    It hasn’t landed in a release yet because it’s included in https://github.com/pantheon-systems/wp-saml-auth/pull/68

    Can you try that branch to see if your issue is fixed? Also, with that branch, you can use the OneLogin SAML library instead of maintaining a separate SimpleSAMLphp installation.

    Thread Starter DRazumovskiy

    (@drazumovskiy)

    Hi Daniel,

    Thank you for a prompt response!
    Your solution might work if I find out how to properly configure OneLogin library using functions.php of my theme.
    Currently I stopped on message validation, coming from OneLogin.
    On the side of IdP (which is also built on pure SimpleSAMLphp) I have this error message:

    Caused by: SimpleSAML_Error_Exception: Validation of received messages enabled, but no signature found on message

    When yesterday I was using simplesaml version of auth library I set:

    'sign.authnrequest' => TRUE,
    'sign.logout' => TRUE

    in saml20-idp-remote.php to fix this error.

    Now, with OneLogin, I don’t know how to force the library to sign the request.

    Can you suggest a parameter that switches on request signing?

    • This reply was modified 3 years, 10 months ago by DRazumovskiy.
    Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    It’s hard to say what the issue is without being able to debug directly.

    One suggestion I have is to look at the configuration script for the Behat integration tests, which provision a SimpleSAMLphp instance in IdP mode.

    Notably, behat-prepare.sh and the fixtures it uses. Those are all settings for a functional SimpleSAMLphp IdP, so maybe there’s some obvious difference between that and what you have.

    For the error message itself, the first thing I’d debug is whether the signing cert is being picked up on both sides. It seems like misconfiguration of the cert might lead to that sort of message. The x509cert argument for OneLogin requires reading the cert into PHP memory with file_get_contents() or similar, not specifying the file path.
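
An added example, not posted by either participant and not the plugin's own code: one way to switch on request signing when WP SAML Auth uses the bundled OneLogin library, with each certificate read into memory as described in the reply above. It assumes the plugin hands `internal_config` to the OneLogin library unchanged; the helper name `example_read_pem`, the file paths, entity IDs and IdP URLs are placeholders.

```php
<?php
// Added example for a theme's functions.php. Paths, URLs and entity IDs are placeholders.

// Read a PEM file into memory and stop early if it is missing or not PEM, so a
// wrong path is never handed to the library as if it were certificate data.
function example_read_pem( $path ) {
    $pem = is_readable( $path ) ? file_get_contents( $path ) : false;
    if ( false === $pem || false === strpos( $pem, '-----BEGIN' ) ) {
        wp_die( 'SAML key material missing or not PEM: ' . esc_html( basename( $path ) ) );
    }
    return $pem;
}

add_filter( 'wp_saml_auth_option', function ( $value, $option_name ) {
    if ( 'connection_type' === $option_name ) {
        return 'internal'; // bundled OneLogin library instead of SimpleSAMLphp
    }
    if ( 'internal_config' !== $option_name ) {
        return $value;
    }
    $dir = '/path/outside/webroot/saml'; // placeholder: keep the private key out of the web root
    return array(
        'strict'   => true,
        'sp'       => array(
            'entityId'                 => 'urn:example:wordpress-sp',
            'assertionConsumerService' => array(
                'url'     => site_url( 'wp-login.php' ),
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            ),
            'x509cert'   => example_read_pem( $dir . '/sp.crt' ), // contents, not a path
            'privateKey' => example_read_pem( $dir . '/sp.key' ), // needed to sign requests
        ),
        'idp'      => array(
            'entityId'            => 'https://idp.example.org/saml2/idp/metadata.php',
            'singleSignOnService' => array(
                'url'     => 'https://idp.example.org/saml2/idp/SSOService.php',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ),
            'x509cert' => example_read_pem( $dir . '/idp.crt' ),
        ),
        'security' => array(
            'authnRequestsSigned'  => true, // sign AuthnRequests sent to the IdP
            'logoutRequestSigned'  => true, // OneLogin splits logout signing into
            'logoutResponseSigned' => true, // separate request and response flags
        ),
    );
}, 10, 2 );
```

The IdP can only validate these signatures if the SP certificate (`sp.crt` here) is registered in its metadata for this service provider.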
