Title: Use with ADFS
Last modified: August 21, 2016

---

# Use with ADFS

 *  [AlexMc](https://wordpress.org/support/users/alexmc/)
 * (@alexmc)
 * [13 years ago](https://wordpress.org/support/topic/use-with-adfs/)
 * Hi,
   I am planning on using this plugin to provide an SSO solution using an existing
   ADFS implementation. However, being new to WordPress, have you any information
   on setting up the relying party in ADFS? Is there a URL that provides the federation
   metadata from my new WordPress site, or a method of downloading this so it can
   be imported, or would I have to specify the relying party service URL and relying
   party trust identifier manually?
 * I’m a little unsure as to what this information would be when using this plugin.
 * Thanks
 * [http://wordpress.org/extend/plugins/saml-20-single-sign-on/](http://wordpress.org/extend/plugins/saml-20-single-sign-on/)

Viewing 15 replies - 1 through 15 (of 44 total)


 *  Plugin Author [ktbartholomew](https://wordpress.org/support/users/ktbartholomew/)
 * (@ktbartholomew)
 * [13 years ago](https://wordpress.org/support/topic/use-with-adfs/#post-3845989)
 * Once you’ve installed the plugin on a WordPress site, you should be able to use
   metadata on both ends to simplify the setup process. Here is the complete setup
   process:
    1.  Install and activate the plugin.
    2.  Go to Settings -> Single Sign-On and click the **Identity Provider** tab.
    3.  Under “Autofill using Metadata,” enter your ADFS metadata URL and click **Fetch
        Metadata**. The default SAML 2.0 metadata URL for ADFS is [https://your-idp.net/FederationMetadata/2007-06/FederationMetadata.xml](https://your-idp.net/FederationMetadata/2007-06/FederationMetadata.xml)
    4.  Ensure that, at a minimum, the “URL Identifier”, “Single Sign-On URL”, and
        “Certificate Fingerprint” fields are populated.
    5.  Go to the **Service Provider** tab.
    6.  Upload your own certificate and private key or check the box to “Generate a
        new certificate and private key for me”.
    7.  Under “Attributes”, click **ADFS 2.0** to fill the attribute fields with attributes
        that are suitable for use with ADFS.
    8.  Under “Groups”, enter the names of security groups and the WordPress roles 
        that their respective users should have. This should be the short form of the
        group name. For example, you might put “Domain Admins” in the Administrators
        field and “Domain Users” in the Subscribers field.
    9.  Click **Update Options**.
    10. Go to the **General** tab.
    11. Copy the URL in the box labeled “Your Entity ID” to the clipboard.
    12. In the ADFS 2.0 Management console, under Trust Relationships/Relying Party
        Trusts, click **Add Relying Party Trust**.
    13. In the Add Relying Party Trust Wizard, click **Start**.
    14. Paste the URL you copied in step #11 to the “Federation metadata address” field.
        Click **Next**. You should see a message that some of the metadata is not supported
        by ADFS. Click **OK** to dismiss the message.
    15. Change the display name if you want to and click **Next**.
    16. Choose an Issuance Authorization Rule and click **Next**.
    17. Click **Next** again to add the data to the ADFS configuration database. Click
        **Close** to close the wizard.
    18. Right-click on the newly-added Relying Party Trust and click **Properties**.
    19. On the **Monitoring** tab, un-check the box to “Monitor the Relying Party” 
        and click **Apply**. This will allow you to manually modify its settings.
    20. On the **Encryption** tab, click **Remove** to disable claims encryption. This
        plugin does not currently support encrypted claims.
    21. On the **Advanced** tab, set the secure hash algorithm to **SHA-1**. Click
        **OK** to save your changes.
    22. Back at your WordPress site, on the **General** tab, check the box to “Enable
        SAML authentication” and click **Update Options**.
 * You should already be familiar with setting up Claim Rules in ADFS 2.0. Here 
   are the claim rules that I typically use:
 * Rule 1: (Using “Send LDAP Attributes as Claims” template)
    - SAM-Account-Name => Windows account name
    - Given-Name => Given Name
    - Surname => Surname
    - E-Mail-Addresses => E-Mail Address
    - Token-Groups – Unqualified Names => Group
 * Rule language:

   ```
   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/claims/Group"), query = ";sAMAccountName,givenName,sn,mail,tokenGroups;{0}", param = c.Value);
   ```

 * Rule 2: (Using “Transform an Incoming Claim” template)
    - Incoming claim type: E-Mail Address
    - Outgoing claim type: Name ID
    - Outgoing Name ID format: Email
    - Pass through all claim values
 * Rule language:

   ```
   c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/
   ```

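To show what the two claim rules above actually put into the assertion the plugin receives, and how the short group names entered in step 8 turn into a WordPress role, here is an added Python example; it is not code from the plugin or from ktbartholomew's post. The assertion text is constructed (no Signature or Conditions), the `GROUP_ROLES` dictionary stands in for the step 8 fields, and the "most privileged matching role wins" tie-break is an assumption the thread does not settle.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim types issued by Rule 1 and the Name ID format produced by Rule 2.
CLAIM_ACCOUNT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
CLAIM_GROUP = "http://schemas.xmlsoap.org/claims/Group"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Stand-in for the step 8 "Groups" fields: WordPress role -> AD group short names
# (Token-Groups - Unqualified Names, so "Domain Users", not a DN or SID).
GROUP_ROLES = {
    "administrator": {"Domain Admins"},
    "editor": {"Web Editors"},
    "subscriber": {"Domain Users"},
}
# Assumption: a user in several mapped groups gets the most privileged role.
ROLE_PRECEDENCE = ["administrator", "editor", "author", "contributor", "subscriber"]

# Constructed assertion fragment as ADFS would issue it after Rule 1 and Rule 2
# ran for a user who is in Domain Users and Web Editors (Signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
      <saml:AttributeValue>EXAMPLE\\jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>Web Editors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_claims(assertion_xml):
    """Return the NameID as (value, format) plus claim type -> list of values."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        raise ValueError("assertion has no NameID; check the Rule 2 transform")
    attributes = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name")] = values
    return {"name_id": ((name_id.text or "").strip(), name_id.get("Format")),
            "attributes": attributes}


def resolve_role(groups, group_roles=GROUP_ROLES, precedence=ROLE_PRECEDENCE):
    """First role in precedence order whose configured groups overlap the user's."""
    member = set(groups)
    for role in precedence:
        if member & group_roles.get(role, set()):
            return role
    return None  # user is in no mapped group, so no WordPress role


def login_decision(assertion_xml):
    """What the SP side can derive from the assertion: user id, account, role."""
    claims = parse_claims(assertion_xml)
    value, fmt = claims["name_id"]
    if fmt != NAMEID_EMAIL:
        # Rule 2 is what makes the Name ID an e-mail address; anything else means
        # the transform rule is missing or wrong on the ADFS side.
        raise ValueError(f"unexpected NameID format {fmt!r}; check the Rule 2 transform")
    groups = claims["attributes"].get(CLAIM_GROUP, [])
    return {
        "user": value,
        "account": claims["attributes"].get(CLAIM_ACCOUNT, [None])[0],
        "role": resolve_role(groups),
    }


if __name__ == "__main__":
    print(login_decision(SAMPLE_ASSERTION))
```

For the constructed user `login_decision` reports `editor`: Domain Users alone would only give subscriber, Web Editors is mapped higher, and the user is not in Domain Admins. Everything in that decision comes from the Group attribute, so it is only as trustworthy as the SP's check of the assertion signature; step 21 selects SHA-1 because that is what this plugin version accepted, and SHA-256 is the usual choice wherever the SP supports it.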
 *  Thread Starter [AlexMc](https://wordpress.org/support/users/alexmc/)
 * (@alexmc)
 * [13 years ago](https://wordpress.org/support/topic/use-with-adfs/#post-3846150)
 * Hi,
 * Thanks for the detailed instructions. I have followed them but the General tab
   is not displaying any information for the “Your Entity ID”. Some data was populated
   very briefly on this page but after accessing another page and going back the
   information was gone. I’m guessing the Entity ID URL will be https as ADFS will
   require the Federation metadata address to be https?
 * Any further help is much appreciated.
 * Thanks
 *  Plugin Author [ktbartholomew](https://wordpress.org/support/users/ktbartholomew/)
 * (@ktbartholomew)
 * [13 years ago](https://wordpress.org/support/topic/use-with-adfs/#post-3846151)
 * The 3 metadata boxes on the General tab use cURL to access your site’s metadata
   via HTTP/HTTPS. If those boxes are blank, it is usually due to a failure in your
   server’s ability to fetch that URL, or parse its contents.
 * So your troubleshooting should revolve around that area. You might try to visit
   the metadata URL manually. Unless you’ve reorganized your WordPress directory
   structure, this is located at
   `http(s)://example.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/metadata.php/1`.
   There will usually be more helpful error messages when you visit that page in
   a browser. Let me know how that goes for you.
 * Regarding HTTP vs. HTTPS: The plugin will work over either protocol, but yes,
   ADFS will require that all communications go over HTTPS.
 *  Thread Starter [AlexMc](https://wordpress.org/support/users/alexmc/)
 * (@alexmc)
 * [12 years, 11 months ago](https://wordpress.org/support/topic/use-with-adfs/#post-3846201)
 * I received the following error when accessing the metadata manually:

   ```
   SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
   Backtrace:
   0 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\www\module.php:180 (N/A)
   Caused by: Exception: authsources['1']: Unable to load certificate/public key from file "C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml/cert/C:\Inetpub\wwwroot\[mysite]/wp-content/uploads/saml-20-single-sign-on/etc/certs/1/1.cer".
   Backtrace:
   3 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\lib\SimpleSAML\Configuration.php:1100 (SimpleSAML_Configuration::getPublicKeys)
   2 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\lib\SimpleSAML\Utilities.php:1386 (SimpleSAML_Utilities::loadPublicKey)
   1 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\modules\saml\www\sp\metadata.php:117 (require)
   0 C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\www\module.php:135 (N/A)
   ```

 * This would suggest an issue with the cert or public key used, I have used these
   successfully on other systems without an issue.
 * Thanks
 *  Plugin Author [ktbartholomew](https://wordpress.org/support/users/ktbartholomew/)
 * (@ktbartholomew)
 * [12 years, 11 months ago](https://wordpress.org/support/topic/use-with-adfs/#post-3846203)
 * It looks like the problem lies in the way the plugin is trying to find your certificate
   file. As you can see in this one line, there’s a mix of Windows- and Linux-style
   paths:
   `C:\Inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml/cert/C:\Inetpub\wwwroot\[mysite]/wp-content/uploads/saml-20-single-sign-on/etc/certs/1/1.cer`
 * It will take me some time to test and fix this, as I don’t currently have any
   systems running PHP on IIS. If I find any temporary fixes before issuing an update
   to the plugin, I’ll let you know here.
 *  [markphipps](https://wordpress.org/support/users/markphipps/)
 * (@markphipps)
 * [12 years, 11 months ago](https://wordpress.org/support/topic/use-with-adfs/#post-3846234)
 * Here’s a quick fix for Windows:
 * Edit `c:\inetpub\wwwroot\[mysite]\wp-content\plugins\saml-20-single-sign-on\saml\lib\SimpleSAML\Utilities.php`
   (line 1348) (method resolveCert) and add a file_exists statement:

   ```
   public static function resolveCert($path) {
       assert('is_string($path)');
       // Quick fix: if the configured path already points at an existing file
       // (e.g. an absolute Windows path), return it as-is instead of prefixing
       // the SimpleSAMLphp cert directory to it.
       if(file_exists($path)) { return $path; }
       $globalConfig = SimpleSAML_Configuration::getInstance();
       // ... rest of the original method unchanged
   ```

 * Mark
 *  [Dalia](https://wordpress.org/support/users/daliabanerjeeinmarsatcom/)
 * (@daliabanerjeeinmarsatcom)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/use-with-adfs/#post-3846243)
 * Hi Guys,
 * I’m trying to secure my wordpress internal office blog site with ADFS SSO and
   came across SAML. While going through this step by step configuration, I’m stuck
   at step 11 as the Your Entity ID, Single Logout URL and SAML Assertion Consumer
   URL are all blank.
 * I saw in the previous posts that people have got issues, and while trying to access
   this link, `http(s)://example.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/metadata.php/1`,
   as mentioned by Keith, I saw this error, which is slightly different than the
   error posted above:

   ```
   SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
   Backtrace:
   0 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:180 (N/A)
   Caused by: SimpleSAML_Error_Exception: authsources['1']: Could not find PEM encoded certificate in "/opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/uploads/saml-20-single-sign-on/etc/certs/1/1.cer".
   Backtrace:
   3 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/lib/SimpleSAML/Configuration.php:1106 (SimpleSAML_Configuration::getPublicKeys)
   2 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/lib/SimpleSAML/Utilities.php:1386 (SimpleSAML_Utilities::loadPublicKey)
   1 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/modules/saml/www/sp/metadata.php:117 (require)
   0 /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php:135 (N/A)
   ```

 * Could anybody please help me with this? How can I proceed from here? My wordpress
   is hosted on a LAMP stack.
 *  [markphipps](https://wordpress.org/support/users/markphipps/)
 * (@markphipps)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/use-with-adfs/#post-3846244)
 * Looking at the source code from where the error is generated, it appears to be
   thrown when the certificate data doesn’t match what it expects:
 * [http://simplesamlphp.googlecode.com/svn/trunk/lib/SimpleSAML/Configuration.php](http://simplesamlphp.googlecode.com/svn/trunk/lib/SimpleSAML/Configuration.php)
 * -> search for “Could not find PEM encoded certificate”
 * Try regenerating your certificate.
 *  [Dalia](https://wordpress.org/support/users/daliabanerjeeinmarsatcom/)
 * (@daliabanerjeeinmarsatcom)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/use-with-adfs/#post-3846245)
 * Both my 1.cer and 1.key files are present in the stated folder. But both the
   files are of 0 size, i.e. empty files. Can that be the reason?
 *  [markphipps](https://wordpress.org/support/users/markphipps/)
 * (@markphipps)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/use-with-adfs/#post-3846246)
 * Yes. Check permissions, ensure the web server has access to write to that folder.
 *  [Dalia](https://wordpress.org/support/users/daliabanerjeeinmarsatcom/)
 * (@daliabanerjeeinmarsatcom)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/use-with-adfs/#post-3846247)
 * Some more debugging –
 * On top of the General tab, I see these three lines –
   ```
   Notice: Undefined index: entityID in /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/lib/controllers/sso_general.php on line 46
   Notice: Undefined index: Logout in /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/lib/controllers/sso_general.php on line 47
   Notice: Undefined index: Consumer in /opt/wordpress-3.5.2-0/apps/wordpress/htdocs/wp-content/plugins/saml-20-single-sign-on/lib/controllers/sso_general.php on line 48
   ```

 * When I look at the sso_general.php file, lines 46, 47 and 48 are as follows:

   ```
   if(get_option('saml_authentication_options'))
   {
       $saml_opts = get_option('saml_authentication_options');
   }

   // fetches this site's own SP metadata over HTTP(S); 'sslverify' => false disables
   // TLS certificate verification for that request
   $response = wp_remote_get(constant('SAMLAUTH_URL') . '/saml/www/module.php/saml/sp/metadata.php/' . get_current_blog_id(), array('sslverify' => false));

   if(array_key_exists('body',$response))
   {
       $o = $response['body'];

       preg_match('/(entityID="(?P<entityID>.*)")/',$o,$entityID);
       preg_match('/(<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="(?P<Logout>.*)")/',$o,$Logout);
       preg_match('/(<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="(?P<Consumer>.*)" index)/',$o,$Consumer);

       // lines 46-48: when a preg_match above matches nothing, these named
       // indexes do not exist and PHP emits the "Undefined index" notices
       $metadata['entityID'] = $entityID['entityID'];
       $metadata['Logout'] = $Logout['Logout'];
       $metadata['Consumer'] = $Consumer['Consumer'];
   }

   include(constant('SAMLAUTH_ROOT') . '/lib/views/nav_tabs.php');
   include(constant('SAMLAUTH_ROOT') . '/lib/views/sso_general.php');
   ```

 * Now, in the line `$response = wp_remote_get(...)`, the URL (`/saml/www/module.php/saml/sp/metadata.php/`)
   that is appended to `SAMLAUTH_URL` doesn’t seem to exist?!
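The three "Undefined index" notices come from the three `preg_match` calls finding nothing in whatever the fetch returned (in this thread, a SimpleSAMLphp error page rather than metadata). Below is an added Python example, not plugin code, that extracts the same three values the General tab shows with a namespace-aware XML parser and reports exactly what is missing instead of failing silently. The metadata document is constructed: the `entityID` follows the metadata URL form Keith gave, and the logout and ACS locations are made-up SimpleSAMLphp-style endpoints.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ENTITY_DESCRIPTOR = "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata, shaped like what the plugin's metadata.php/1 endpoint
# serves when the certificate is in place.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/metadata.php/1">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/saml2-logout.php/1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/saml2-acs.php/1" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for what the General tab actually received in this thread:
# an HTML error page, not metadata.
ERROR_PAGE = "<html><body><h1>SimpleSAML_Error_Error: UNHANDLEDEXCEPTION</h1></body></html>"


class MetadataError(ValueError):
    """Raised with a message naming what is wrong, instead of an undefined index."""


def _endpoint(sp, element, binding):
    """Location of the first <md:element> with the requested Binding, or None."""
    for node in sp.findall(f"md:{element}", MD_NS):
        if node.get("Binding") == binding:
            return node.get("Location")
    return None


def extract_sp_endpoints(xml_text):
    """Return {'entityID', 'Logout', 'Consumer'} (same keys the plugin's $metadata
    array uses) or raise MetadataError describing the first problem found."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise MetadataError(f"response is not well-formed XML (an error page?): {exc}") from exc
    if root.tag != ENTITY_DESCRIPTOR:
        raise MetadataError(f"expected md:EntityDescriptor, got <{root.tag}>")
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise MetadataError("metadata has no md:SPSSODescriptor")
    found = {
        "entityID": root.get("entityID"),
        "Logout": _endpoint(sp, "SingleLogoutService", BINDING_REDIRECT),
        "Consumer": _endpoint(sp, "AssertionConsumerService", BINDING_POST),
    }
    missing = [key for key, value in found.items() if not value]
    if missing:
        raise MetadataError("metadata is missing: " + ", ".join(missing))
    return found


if __name__ == "__main__":
    print(extract_sp_endpoints(SAMPLE_METADATA))
    try:
        extract_sp_endpoints(ERROR_PAGE)
    except MetadataError as exc:
        print("General tab would be blank because:", exc)
```

Two differences from the quoted PHP matter in practice. A parser selects elements by namespace and binding, whereas `Location="(?P<Logout>.*)"` is greedy and can run past the intended value when several attributes share a line. And if you fetch the metadata yourself to feed this, keep TLS verification on; the quoted `wp_remote_get` call passes `'sslverify' => false`.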
 *  [Dalia](https://wordpress.org/support/users/daliabanerjeeinmarsatcom/)
 * (@daliabanerjeeinmarsatcom)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/use-with-adfs/#post-3846248)
 * That’s what I had checked first. Apache is running as user daemon.
 * And the folders have owner and group set as daemon and have access rights drwxr-xr-x.
   So it seems Apache can access and write to them.
 * I tried regenerating the certificates by clicking the ‘generate a new certificate
   and private key for me’ checkbox in the service provider tab, but that doesn’t
   seem to create any new certificate.
 *  Plugin Author [ktbartholomew](https://wordpress.org/support/users/ktbartholomew/)
 * (@ktbartholomew)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/use-with-adfs/#post-3846249)
 * Dalia,
 * Are you familiar with the process of generating a self-signed certificate? There’s
   nothing magic about what the “Generate a certificate” button does, so if you’re
   able to use openssl on the command line to generate a self-signed certificate,
   you can replace 1.key and 1.pem with your own private key and certificate, respectively.
 * Some other users have been having issues with PHP and OpenSSL working together,
   and this may be the case for you, as well.
 *  [Dalia](https://wordpress.org/support/users/daliabanerjeeinmarsatcom/)
 * (@daliabanerjeeinmarsatcom)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/use-with-adfs/#post-3846250)
 * Hi Keith,
 * Thanks for that. I was exactly looking for that option over internet when I saw
   your reply. Just created my own certificate / key and it worked. I can now see
   all 3 URLs.
 * However, even though I’ve uploaded them in the Service Provider tab, the status
   block (5th row) in the General tab says ‘you have not provided a Certificate or
   Private Key for this site. Users may not be able to log in using the SP-first
   flow’ with a warning sign.
 *  Plugin Author [ktbartholomew](https://wordpress.org/support/users/ktbartholomew/)
 * (@ktbartholomew)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/use-with-adfs/#post-3846251)
 * Here’s the expression for that error message (true is OK, false is your error
   message):

   ```
   if (file_exists(constant('SAMLAUTH_CONF') . '/certs/' . get_current_blog_id() . '/' . get_current_blog_id() . '.cer')
       && file_exists(constant('SAMLAUTH_CONF') . '/certs/' . get_current_blog_id() . '/' . get_current_blog_id() . '.key'))
   ```

 * There may be something weird happening with the SAMLAUTH_CONF constant, or the
   WP blog ID function, both of which could have contributed to your earlier issue.
 * I suppose the larger question is: does it work?
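The certificate problems in this thread are all checkable before ADFS ever sees the site: the mixed Windows/Linux path from the IIS backtrace, the 0-byte `1.cer`/`1.key` files, and the "Could not find PEM encoded certificate" error behind a blank General tab. The following is an added Python example, not the plugin's PHP and not SimpleSAMLphp code. It assumes the `certs/<blog id>/<blog id>.cer|.key` layout from the `file_exists` expression above, and its PEM check only verifies the file's framing and base64 body (`ssl.PEM_cert_to_DER_cert` from the standard library), not that the contents are a valid X.509 certificate. The test tree it builds is constructed in a temporary directory.

```python
import base64
import ntpath
import os
import posixpath
import re
import ssl
import tempfile


def resolve_cert_buggy(path, cert_dir):
    """Reproduces the join seen in the IIS backtrace: the cert directory is always
    prefixed, so an absolute Windows path becomes '<cert_dir>/C:\\...' and cannot open."""
    return cert_dir + "/" + path


def resolve_cert(path, cert_dir):
    """markphipps' file_exists fix, generalised: a path that already exists, or that
    is absolute in either Windows or POSIX form, is returned unchanged; only a bare
    file name is looked up under cert_dir."""
    if os.path.exists(path) or ntpath.isabs(path) or posixpath.isabs(path):
        return path
    return os.path.join(cert_dir, path)


PEM_KEY_HEADER = re.compile(r"^-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----", re.M)


def check_sp_credentials(certs_dir, blog_id):
    """List problems with <certs_dir>/<id>/<id>.cer and .key, the files the General
    tab status check looks for. An empty list means both look usable."""
    problems = []
    for label, suffix in (("certificate", ".cer"), ("private key", ".key")):
        path = os.path.join(certs_dir, str(blog_id), f"{blog_id}{suffix}")
        if not os.path.isfile(path):
            problems.append(f"{label} missing: {path}")
            continue
        if os.path.getsize(path) == 0:
            # Dalia's case: the file exists but generation wrote nothing into it.
            problems.append(f"{label} is empty (0 bytes): {path}")
            continue
        with open(path, encoding="ascii", errors="replace") as fh:
            data = fh.read().lstrip()
        if suffix == ".cer":
            try:
                ssl.PEM_cert_to_DER_cert(data)  # PEM framing + base64 body only
            except ValueError as exc:
                # Also what a binary DER file or a stray HTML page would produce.
                problems.append(f"{label} is not PEM encoded ({exc}): {path}")
        elif not PEM_KEY_HEADER.search(data):
            problems.append(f"{label} has no PEM private key header: {path}")
    return problems


# Constructed placeholders with valid PEM framing; not real key material.
FAKE_PEM_CERT = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(b"constructed placeholder, not a DER certificate").decode("ascii")
                 + "-----END CERTIFICATE-----\n")
FAKE_PEM_KEY = "-----BEGIN PRIVATE KEY-----\nQ29uc3RydWN0ZWQ=\n-----END PRIVATE KEY-----\n"


def build_fixture():
    """Temp tree mirroring uploads/saml-20-single-sign-on/etc/certs/<id>/: blog 1 is
    fine, blog 2 has the 0-byte files from the thread, blog 3 has no files at all."""
    root = tempfile.mkdtemp(prefix="saml-certs-")
    os.makedirs(os.path.join(root, "1"))
    with open(os.path.join(root, "1", "1.cer"), "w") as fh:
        fh.write(FAKE_PEM_CERT)
    with open(os.path.join(root, "1", "1.key"), "w") as fh:
        fh.write(FAKE_PEM_KEY)
    os.makedirs(os.path.join(root, "2"))
    open(os.path.join(root, "2", "2.cer"), "w").close()
    open(os.path.join(root, "2", "2.key"), "w").close()
    return root


if __name__ == "__main__":
    root = build_fixture()
    for blog_id in (1, 2, 3):
        print(blog_id, check_sp_credentials(root, blog_id) or "OK")
    win_path = r"C:\Inetpub\wwwroot\site\wp-content\uploads\saml-20-single-sign-on\etc\certs\1\1.cer"
    print("buggy:", resolve_cert_buggy(win_path, "/srv/saml/cert"))
    print("fixed:", resolve_cert(win_path, "/srv/saml/cert"))
```

Running it prints `OK` for blog 1 and one problem per file for blogs 2 and 3, and the `buggy:` line reproduces the `.../saml/cert/C:\Inetpub...` shape from the IIS backtrace while `fixed:` returns the Windows path untouched. When `.cer` and `.key` are present but empty, as in Dalia's case, the status check's `file_exists` test passes while SimpleSAMLphp still cannot load a key, which is why checking size and PEM framing, not just existence, is the useful test.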


The topic ‘Use with ADFS’ is closed to new replies.


 * 44 replies
 * 11 participants
 * Last reply from: [mclement](https://wordpress.org/support/users/mclement/)
 * Last activity: [12 years ago](https://wordpress.org/support/topic/use-with-adfs/page/3/#post-3846298)
 * Status: not resolved