
SAML 2.0 Single Sign-On
Use with ADFS (45 posts)

  1. AlexMc
    Posted 3 years ago #

    I am planning on using this plugin to provide an SSO solution using an existing ADFS implementation. However, being new to WordPress, do you have any information on setting up the relying party in ADFS? Is there a URL that provides the federation metadata from my new WordPress site, or a method of downloading it so it can be imported, or would I have to specify the relying party service URL and relying party trust identifier manually?

    I'm a little unsure as to what this information would be when using this plugin.



  2. ktbartholomew
    Plugin Author

    Posted 3 years ago #

    Once you've installed the plugin on a WordPress site, you should be able to use metadata on both ends to simplify the setup process. Here is the complete setup process:

    1. Install and activate the plugin.
    2. Go to Settings -> Single Sign-On and click the Identity Provider tab.
    3. Under "Autofill using Metadata," enter your ADFS metadata URL and click Fetch Metadata. The default SAML 2.0 metadata URL for ADFS is https://your-idp.net/FederationMetadata/2007-06/FederationMetadata.xml
    4. Ensure that, at a minimum, the "URL Identifier", "Single Sign-On URL", and "Certificate Fingerprint" fields are populated.
    5. Go to the Service Provider tab.
    6. Upload your own certificate and private key or check the box to "Generate a new certificate and private key for me".
    7. Under "Attributes", click ADFS 2.0 to fill the attribute fields with attributes that are suitable for use with ADFS.
    8. Under "Groups", enter the names of security groups and the WordPress roles that their respective users should have. This should be the short form of the group name. For example, you might put "Domain Admins" in the Administrators field and "Domain Users" in the Subscribers field.
    9. Click Update Options.
    10. Go to the General tab.
    11. Copy the URL in the box labeled "Your Entity ID" to the clipboard.
    12. In the ADFS 2.0 Management console, under Trust Relationships/Relying Party Trusts, click Add Relying Party Trust.
    13. In the Add Relying Party Trust Wizard, click Start.
    14. Paste the URL you copied in step #11 to the "Federation metadata address" field. Click Next. You should see a message that some of the metadata is not supported by ADFS. Click OK to dismiss the message.
    15. Change the display name if you want to and click Next.
    16. Choose an Issuance Authorization Rule and click Next.
    17. Click Next again to add the data to the ADFS configuration database. Click Close to close the wizard.
    18. Right-click on the newly-added Relying Party Trust and click Properties.
    19. On the Monitoring tab, un-check the box to "Monitor the Relying Party" and click Apply. This will allow you to manually modify its settings.
    20. On the Encryption tab, click Remove to disable claims encryption. This plugin does not currently support encrypted claims.
    21. On the Advanced tab, set the secure hash algorithm to SHA-1. Click OK to save your changes.
    22. Back at your WordPress site, on the General tab, check the box to "Enable SAML authentication" and click Update Options.

    You should already be familiar with setting up Claim Rules in ADFS 2.0. Here are the claim rules that I typically use:

    Rule 1: (Using "Send LDAP Attributes as Claims" template)

    • SAM-Account-Name => Windows account name
    • Given-Name => Given Name
    • Surname => Surname
    • E-Mail-Addresses => E-Mail Address
    • Token-Groups - Unqualified Names => Group

    Rule language:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/claims/Group"), query = ";sAMAccountName,givenName,sn,mail,tokenGroups;{0}", param = c.Value);

    Rule 2: (Using "Transform an Incoming Claim" template)

    • Incoming claim type: E-Mail Address
    • Outgoing claim type: Name ID
    • Outgoing Name ID format: Email
    • Pass through all claim values

    Rule language:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/

  3. AlexMc
    Posted 3 years ago #


    Thanks for the detailed instructions. I have followed them, but the General tab is not displaying any information for "Your Entity ID". Some data was populated very briefly on this page, but after accessing another page and going back the information was gone. I'm guessing the Entity ID URL will be https, as ADFS will require the Federation metadata address to be https?

    Any further help is much appreciated.


  4. ktbartholomew
    Plugin Author

    Posted 3 years ago #

    The 3 metadata boxes on the General tab use cURL to access your site's metadata via HTTP/HTTPS. If those boxes are blank, it is usually due to a failure in your server's ability to fetch that URL, or parse its contents.

    So your troubleshooting should revolve around that area. You might try to visit the metadata URL manually. Unless you've reorganized your WordPress directory structure, this is located at http(s)://example.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/metadata.php/1. There will usually be more helpful error messages when you visit that page in a browser. Let me know how that goes for you.

    Regarding HTTP vs. HTTPS: The plugin will work over either protocol, but yes, ADFS will require that all communications go over HTTPS.

  5. AlexMc
    Posted 3 years ago #

    I received the following error when accessing the metadata manually.


    0 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\www\module.php:180 (N/A)
    Caused by: Exception: authsources['1']: Unable to load certificate/public key from file "C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml/cert/C:\Inetpub\wwwroot\[mysite]/wp-content/uploads/saml-20-single-sign-on/etc/certs/1/1.cer".
    3 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\lib\SimpleSAML\Configuration.php:1100 (SimpleSAML_Configuration::getPublicKeys)
    2 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\lib\SimpleSAML\Utilities.php:1386 (SimpleSAML_Utilities::loadPublicKey)
    1 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\modules\saml\www\sp\metadata.php:117 (require)
    0 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\www\module.php:135 (N/A)

    This would suggest an issue with the cert or public key used; I have used these successfully on other systems without an issue.


  6. ktbartholomew
    Plugin Author

    Posted 3 years ago #

    It looks like the problem lies in the way the plugin is trying to find your certificate file. As you can see in this one line, there's a mix of Windows- and Linux-style paths:

    It will take me some time to test and fix this, as I don't currently have any systems running PHP on IIS. If I find any temporary fixes before issuing an update to the plugin, I'll let you know here.

  7. markphipps
    Posted 3 years ago #

    Here's a quick fix for Windows:

    Edit c:\inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\lib\SimpleSAML\Utilities.php (line 1348) (method resolveCert) and add a file_exists statement:

    public static function resolveCert($path) {
        if(file_exists($path)) { return $path; }
        $globalConfig = SimpleSAML_Configuration::getInstance();


  8. Dalia
    Posted 3 years ago #

    Hi Guys,

    I'm trying to secure my WordPress internal office blog site with ADFS SSO and came across SAML. While going through this step-by-step configuration, I'm stuck at step 11, as "Your Entity ID", "Single Logout URL" and "SAML Assertion Consumer URL" are all blank.

    I saw in the previous posts that people have had issues, and while trying to access this link - http(s)://example.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/metadata.php/1 - as mentioned by Keith, I saw this error, which is slightly different from the error posted above:

    0 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:180 (N/A)
    Caused by: SimpleSAML_Error_Exception: authsources['1']: Could not find PEM encoded certificate in "/opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/uploads/saml-20-single-sign-on/etc/certs/1/1.cer".
    3 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/lib/SimpleSAML/Configuration.php:1106 (SimpleSAML_Configuration::getPublicKeys)
    2 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/lib/SimpleSAML/Utilities.php:1386 (SimpleSAML_Utilities::loadPublicKey)
    1 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/www/sp/metadata.php:117 (require)
    0 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:135 (N/A)

    Could anybody please help me with this? How can I proceed from here? My WordPress is hosted on a LAMP stack.

  9. markphipps
    Posted 3 years ago #

    Looking at the source code from where the error is generated, it appears to be thrown when the certificate data doesn't match what it expects:


    -> search for "Could not find PEM encoded certificate"

    Try regenerating your certificate.

  10. Dalia
    Posted 3 years ago #

    Both my 1.cer and 1.key files are present in the stated folder, but both files are of size 0, i.e. empty. Can that be the reason?

  11. markphipps
    Posted 3 years ago #

    Yes. Check permissions; ensure the web server has access to write to that folder.

  12. Dalia
    Posted 3 years ago #

    Some more debugging:

    At the top of the General tab, I see these three lines:

    Notice: Undefined index: entityID in /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/lib/controllers/sso_general.php on line 46

    Notice: Undefined index: Logout in /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/lib/controllers/sso_general.php on line 47

    Notice: Undefined index: Consumer in /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/lib/controllers/sso_general.php on line 48

    When I look at the sso_general.php file, lines 46, 47 and 48 are as follows:

    $saml_opts = get_option('saml_authentication_options');
    $response = wp_remote_get(constant('SAMLAUTH_URL') . '/saml/www/module.php/saml/sp/metadata.php/' . get_current_blog_id(), array('sslverify' => false));
    $o = $response['body'];
    preg_match('/(<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="(?P<Logout>.*)")/', $o, $Logout);
    preg_match('/(<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="(?P<Consumer>.*)" index)/', $o, $Consumer);
    $metadata['entityID'] = $entityID['entityID'];
    $metadata['Logout'] = $Logout['Logout'];
    $metadata['Consumer'] = $Consumer['Consumer'];
    include(constant('SAMLAUTH_ROOT') . '/lib/views/nav_tabs.php');
    include(constant('SAMLAUTH_ROOT') . '/lib/views/sso_general.php');

    Now, in the line $response = wp_remote_get, the URL (/saml/www/module.php/saml/sp/metadata.php/) that is appended to SAMLAUTH_URL doesn't seem to exist?!
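    The blank General-tab boxes in this thread come from that fetch returning a SimpleSAMLphp error page, in which the regexes match nothing and the "Undefined index" notices follow. As an added example that is not plugin code, here is the same extraction (entity ID, logout URL, ACS URL, plus whether a signing certificate is published) done with a namespace-aware XML parser that says why a value is missing; the hostname and certificate body in the sample metadata are constructed placeholders.

```python
# Added example (not part of the plugin): read the SP metadata that the General
# tab fetches with a namespace-aware XML parser instead of sso_general.php's regexes.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of what metadata.php/1 returns from a working install;
# the hostname and the certificate body are placeholders.
SP_BASE = "https://example.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/"
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="%smetadata.php/1">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="%s" Location="%ssaml2-logout.php/1"/>
    <md:AssertionConsumerService Binding="%s" Location="%ssaml2-acs.php/1" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""" % (SP_BASE, HTTP_REDIRECT, SP_BASE, HTTP_POST, SP_BASE)

# Constructed sample of what the General tab got in this thread instead of
# metadata: SimpleSAMLphp's error page, on which the regexes silently fail.
SAMPLE_ERROR_PAGE = "<html><body>Caused by: Exception: authsources['1']: ...</body></html>"


def parse_sp_metadata(body):
    """Return the three General-tab values plus whether a signing certificate
    is published; raise ValueError with a reason instead of yielding blanks."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError("response is not well-formed XML: %s" % exc)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("response is not SAML metadata (root element is %s)" % root.tag)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")

    def location(service, binding):
        # Select on the Binding attribute, not on attribute order in the text.
        for svc in sp.findall("md:" + service, NS):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        return None

    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    result = {
        "entityID": root.get("entityID"),
        "Logout": location("SingleLogoutService", HTTP_REDIRECT),
        "Consumer": location("AssertionConsumerService", HTTP_POST),
    }
    missing = [k for k, v in result.items() if not v]
    if missing:
        raise ValueError("metadata is missing: " + ", ".join(missing))
    # ADFS needs this certificate on the Signature tab of the Relying Party
    # Trust before SP-initiated login requests will verify.
    result["has_signing_cert"] = cert is not None and bool((cert.text or "").strip())
    return result


def general_tab_values(body):
    """What the General tab should show: the values, or the reason they are blank."""
    try:
        return parse_sp_metadata(body)
    except ValueError as exc:
        return {"error": str(exc)}
```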

  13. Dalia
    Posted 3 years ago #

    That's what I had checked first. Apache is running as user daemon.

    And the folders have owner and group set as daemon and have access rights drwxr-xr-x, so it seems Apache can access and write to them.

    I tried regenerating the certificates by clicking the 'generate a new certificate and private key for me' checkbox in the service provider tab, but that doesn't seem to create any new certificate.

  14. ktbartholomew
    Plugin Author

    Posted 3 years ago #


    Are you familiar with the process of generating a self-signed certificate? There's nothing magic about what the "Generate a certificate" button does, so if you're able to use openssl on the command line to generate a self-signed certificate, you can replace 1.key and 1.pem with your own private key and certificate, respectively.

    Some other users have been having issues with PHP and OpenSSL working together, and this may be the case for you, as well.

  15. Dalia
    Posted 3 years ago #

    Hi Keith,

    Thanks for that. I was looking for exactly that option on the internet when I saw your reply. I just created my own certificate/key and it worked. I can now see all 3 URLs.

    However, even though I've uploaded them in the Service Provider tab, the status block (5th row) in the General tab says 'You have not provided a Certificate or Private Key for this site. Users may not be able to log in using the SP-first flow' with a warning sign.

  16. ktbartholomew
    Plugin Author

    Posted 3 years ago #

    Here's the expression for that error message (true is OK, false is your error message):
    if (file_exists(constant('SAMLAUTH_CONF') . '/certs/' . get_current_blog_id() . '/' . get_current_blog_id() . '.cer') && file_exists(constant('SAMLAUTH_CONF') . '/certs/' . get_current_blog_id() . '/' . get_current_blog_id() . '.key'))

    There may be something weird happening with the SAMLAUTH_CONF constant, or the WP blog ID function, both of which could have contributed to your earlier issue.

    I suppose the larger question is: does it work?

  17. Dalia
    Posted 2 years ago #

    Hi Keith,

    There was a network issue between my ADFS machine and wordpress installation which took time to resolve. Now I can access the federation metadata directly in my ADFS box browser.

    However, when I try to do step 14, it never gets past it and I get this error:

    "An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid federation metadata endpoint.

    Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS 2.0 Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
    Error message: The underlying connection was closed. An unexpected error occurred on a send."

    Do you think my Entity URL could be wrong? I can see the xml alright when I access the URL. How to make sure the URL is correct?

    Many thanks.

  18. euraisemeup
    Posted 2 years ago #

    Hi Guys,

    I'm new to WordPress and would like to shoot you some questions regarding the setup that I'm currently doing. At the moment, I have an identity provider set up in Salesforce, and would like to know if I need to set up the Identity Provider in the WordPress site or just the Service Provider?

    Your prompt response is greatly appreciated.

    Thank you.

  19. markphipps
    Posted 2 years ago #

    You need to fill out both the Identity & Service Provider tabs using the SAML 2.0 plugin.

  20. euraisemeup
    Posted 2 years ago #

    Hi Markphipps,

    OK. I have the certificate and metadata generated by Salesforce; however, I'm not sure what values to fill in for the Identity Provider and Service Provider tabs. Will the certificate and metadata be enough to configure it? I'm not sure on the values that I'll put in.

    Thank you very much for your prompt response.

  21. adamtoth
    Posted 2 years ago #

    This didn't work for me on a WordPress site hosted on Windows Azure Web Sites.

    When I chose a certificate, or had one created automatically, the boxes on the general tab disappeared, and I got errors on the metadata page about not finding the key file. On the Service Provider tab, there is no link to download the key file, or any indication that a key file has been specified.

    There is no apparent way to remove the certs and start clean.

    After deleting the plugin and its upload directory and attempting again, I got a little closer. By using the /adfs/ls/IdpInitiatedSignOn.aspx page, I was able to select my service provider, was prompted for credentials, and then was redirected to the home page of the blog (not /wp-admin), in a logged-out state. When attempting to change the URL to /wp-admin, I get the error that my password is not correct for the account I am logging in with. I had pre-created a WordPress user with the same username and email address as my AD account.

  22. markphipps
    Posted 2 years ago #

    Yes, it sounds like the certs didn't get generated correctly. If you can, delete the certs from the server. If openssl isn't installed, the certs won't get generated correctly. Also, file permissions are usually a problem.

    First off, don't pre-create the user. It will fail to create the user if an identical email address already exists in the system. Start without any users. Secondly, check to see that you've set the claim rules in your ADFS configuration. One I missed in the initial setup was the SAM Account Name -> NameId rule.

    Hope this helps,

  23. Roquefort
    Posted 2 years ago #


    I've been trying to configure SSO between my blog and ADFS 2.1 on Server 2012 R2 (which Microsoft says should be fully compliant with SAML 2.0).

    In the plugin configuration page, all checks are green, and everything appears to be configured properly.

    When I try to log in to my blog, I am properly redirected to my SSO page. I am prompted again for credentials (which probably shouldn't be happening), then redirected back to my blog. At this point, I'm getting an error message:

    If you report this error, please also report this tracking number which makes it possible to locate your session in the logs available to the system administrator: b56e2410b0

    0 /home/web/a/amerisurg.com/www/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:180 (N/A)
    Caused by: sspmod_saml_Error: Responder
    3 /home/web/a/amerisurg.com/www/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/lib/Message.php:371 (sspmod_saml_Message::getResponseError)
    2 /home/web/a/amerisurg.com/www/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/lib/Message.php:498 (sspmod_saml_Message::processResponse)
    1 /home/web/a/amerisurg.com/www/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/www/sp/saml2-acs.php:75 (require)
    0 /home/web/a/amerisurg.com/www/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:135 (N/A)

    Any idea where I should go from here? I'm not terribly proficient with ADFS or any kind of PHP scripting, so I'm kind of at a loss here.

    Thanks for any advice.

  24. ktbartholomew
    Plugin Author

    Posted 2 years ago #

    SimpleSAMLPHP has pretty atrocious error dumping. If you can inspect the network traffic of the whole process (I use Chrome's built-in inspector), you should find a couple of Base64-encoded XML payloads. If your ADFS server is triggering an error, it would likely be indicated in one of those responses.

  25. Roquefort
    Posted 2 years ago #

    My ADFS server is throwing an error that includes the following:

    Microsoft.Identity.Model.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0037: No signature verification certificate found for this issuer.

    Perhaps this is a certificate problem? I did have some trouble using the built-in "Generate a new certificate and private key for me" option: it only makes available the certificate for download, not the private key. Because I couldn't get this to work, I created a self-signed cert using IIS, and converted it to the cer and key that your SSO plugin did appear to accept.

    Should the certificate be the same as the one I use for my SSO portal?

    With regards to the XML payload, I think this is what you're looking for?

    Request URL:https://www.XXXXX.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/saml2-acs.php/1
    Request Method:POST
    Status Code:500 Internal Server Error
    Request Headers
    Cookie:PHPSESSID=38c3acb88c3e16cbee5ea8ffcd6b17bb; __utma=224854666.1380222335.1389383823.1389383823.1389383823.1; __utmb=224854666.3.10.1389383823; __utmc=224854666; __utmz=224854666.1389383823.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wordpress_test_cookie=WP+Cookie+check
    User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
    Form Data (URL encoded)
    Response Headers
    Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Content-Type:text/html; charset=UTF-8
    Date:Fri, 10 Jan 2014 20:17:02 GMT
    Expires:Thu, 19 Nov 1981 08:52:00 GMT

  26. ktbartholomew
    Plugin Author

    Posted 2 years ago #

    Yes, "SAMLResponse" is the field of interest in what you pasted.

    If you're trying to do SP-first logins (which it seems that you are), then you need to provide the certificate that resides on the WordPress server to ADFS. You would do this on the "Signature" tab of the Relying Party Trust properties window. Without this certificate, ADFS can't verify that login requests are coming from your WordPress server and not somebody else's.

  27. Roquefort
    Posted 2 years ago #

    Well, setting the signature certificate seems to have addressed that particular error message. Now I'm getting this on my ADFS server:

    The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format:urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: . Actual NameID properties: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier: SPNameQualifier:, SPPProvidedID: .

    SimpleSAMLPHP is giving me errors about:


    To me, this seems like my ADFS server is not responding properly, and is not sending the proper claims format in response to the request. But I find this strange, since I have the two rules you specified above both configured on my Relying Party Trust.

    One thing is not clear to me: On the Service Provider tab of your plugin, there are three NameID Policies: SAML 1.1:emailaddress, SAML 2.0:transient and persistent. Which one should I be using?

    Any other insights? Assuming that I can ever get this set up completely, I'll definitely do up a how-to on my blog and post a link to it here.
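    Pulling the fields ktbartholomew points to (issuer, status, NameID format) out of the Base64 "SAMLResponse" field that the browser POSTs to saml2-acs.php, as an added example that is not plugin code; it reproduces the NameIDPolicy mismatch quoted above. The responses are constructed and unsigned, and the IdP, SP and user values in them are placeholders.

```python
# Added example (not plugin code): decode the SAMLResponse form field that the
# browser POSTs to saml2-acs.php and summarise the parts to compare against the
# Relying Party Trust before reading SimpleSAMLphp's stack trace.
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_INVALID_NAMEID = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholder IdP and SP identifiers for the constructed responses (not from the thread).
IDP = "http://idp.example.com/adfs/services/trust"
ACS = ("https://www.example.com/wp-content/plugins/saml-20-single-sign-on/"
       "saml/www/module.php/saml/sp/saml2-acs.php/1")


def constructed_response(status, sub_status=None, name_id_format=None):
    """Build an (unsigned) Response shaped like ADFS's and base64-encode it the
    way the HTTP-POST binding carries it in the SAMLResponse field."""
    sub = '<samlp:StatusCode Value="%s"/>' % sub_status if sub_status else ""
    assertion = ""
    if name_id_format:
        assertion = (
            '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-10T20:17:02Z">'
            "<saml:Issuer>%s</saml:Issuer><saml:Subject>"
            '<saml:NameID Format="%s">user@example.com</saml:NameID>'
            "</saml:Subject></saml:Assertion>" % (IDP, name_id_format)
        )
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2014-01-10T20:17:02Z" Destination="%s">'
        "<saml:Issuer>%s</saml:Issuer>"
        '<samlp:Status><samlp:StatusCode Value="%s">%s</samlp:StatusCode></samlp:Status>'
        "%s</samlp:Response>" % (SAMLP, SAML, ACS, IDP, status, sub, assertion)
    )
    return base64.b64encode(xml.encode()).decode()


def summarize_response(saml_response_b64, requested_format=TRANSIENT):
    """Decode a SAMLResponse and report issuer, destination, status and NameID
    format. Diagnostic only: signature checking stays with SimpleSAMLphp."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    # ADFS puts the specific reason (e.g. InvalidNameIDPolicy) one level down.
    nested = status.find("samlp:StatusCode", NS) if status is not None else None
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "status": status.get("Value") if status is not None else None,
        "sub_status": nested.get("Value") if nested is not None else None,
        "name_id_format": fmt,
        # The mismatch in this thread: the SP asked for transient, the token
        # carried emailAddress, so the requested policy was not satisfied.
        "policy_satisfied": fmt == requested_format,
    }
```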

  28. Roquefort
    Posted 2 years ago #

    Well, I'm making progress. With some hacky workarounds, I'm able to get logged in using some testing accounts. I'm going to keep debugging here, and I'll post back if/when I get this fixed.

    For the record, my problems appear to stem from the fact that my site has a built-in redirect to SSL on the login page. The problem I'm seeing is that the redirect is keeping WordPress from logging in completely after I return to my site from the SSO portal.

  29. ktbartholomew
    Plugin Author

    Posted 2 years ago #

    I've always used transient and this answer (http://social.msdn.microsoft.com/Forums/vstudio/en-US/ea5efcff-4221-4af1-b434-4be5245cb0fa/nameid-policy-could-not-be-satisfied) when interacting with ADFS. Let me know if that helps.

  30. lissette.tuminello
    Posted 2 years ago #

    I have people trying to do something similar and think we might've run into the same problem as Roquefort. Here is the email thread between our development team and our IT administrator:
    Plugin SAML 2.0 Single Sign-On is already active on website: http://marketing.geneca.com/
    It goes to ADFS server to authenticate and log in. The plugin took access control of the wp-admin.
    We need your credentials to access here:
    Please send over that info.

    IT Admin:
    I am not able to login via ADFS either, since the other developers that were working on the SAML never provided me the url that contained the federation information for me to use to create the relying party on my ADFS server.
    I have removed the plugin. Please reinstall the SAML plugin. Once you configure the site, please send me the "Your Entity ID" url.
    Our ADFS federation url is https://adfs.geneca.com/FederationMetadata/2007-06/FederationMetadata.xml

    Your Entity ID: https://marketing.geneca.com/wp-content/plugins/saml-20-single-sign-on_old/saml/www/module.php/saml/sp/metadata.php/1

    IT Admin:
    Tried the link, but it does not work. Looks like the plugin was associated to the old plugin that was scheduled to be removed.
    Might need to redo the plugin.

    Any help you can offer would be greatly appreciated as we've been struggling with these issues for about a month now.

Topic Closed

This topic has been closed to new replies.
