Single sign-on with ADFS for WordPress

I've tried to run the SAML 2.0 SSO plugin on WordPress 4.2.4 on IIS 8 (Windows Server 2012) with ADFS. The step-by-step post mostly helped me, but not in all cases, so I've decided to post my research here.

  1. On the Service Provider configuration page you have to change NameID Policy to urn:oasis:names:tc:SAML:2.0:nameid-format:transient. This value has to match the Outgoing Name ID format of the ADFS claim rule (item 6); if the two disagree, ADFS cannot issue the NameID format the SP requests and the sign-in fails on the ADFS side.
  2. After uploading the signing certificate, you can't check it by clicking the download button (URL), because IIS 8 does not serve static files whose extension has no MIME type mapping (it answers with HTTP 404.3). The solution is to go to IIS Manager, select the web site and then the folder wp-content/uploads/saml-20-single-sign-on/etc/certs. In Features View select MIME Types, click Add… in the Actions panel and fill in: File name extension – cer, MIME type – application/pkix-cert. Then click OK. Add the mapping on that folder only and only for .cer: whatever gets a MIME mapping under the web root becomes downloadable by anyone, so do not add mappings for private key files (.pem, .key) the plugin may keep in the same directory tree.
  3. Your Entity ID is blank on the General tab of the SAML plugin configuration. If you click on the metadata link above it, you get an error page Unhandled exception:
    Caused by: Exception: authsources['1']: Unable to load certificate/public key from file "C:\inetpub\wwwroot\wordpress\wp-content\plugins\saml-20-single-sign-on\saml/cert/C:\inetpub\wwwroot\wordpress/wp-content/uploads/saml-20-single-sign-on/etc/certs/1/1.cer".

    The path in the error shows the cause: the plugin hands SimpleSAMLphp an absolute Windows path, but resolveCert does not recognise a drive-letter path as absolute and prepends its own certdir to it. To resolve this error, edit the file path-to-wordpress\wp-content\plugins\saml-20-single-sign-on\saml\lib\SimpleSAML\Utilities.php. Inside is the resolveCert function, where you need to add one condition that returns a path unchanged when the file already exists. Note that this patches the copy of SimpleSAMLphp bundled with the plugin, so a plugin update will overwrite it and the change has to be re-applied. Final result of the resolveCert edit:

    public static function resolveCert($path) {
        // Added condition: a path that already exists on disk (such as the
        // absolute Windows path the WordPress plugin passes) is returned as-is
        // instead of being treated as relative to certdir.
        if (file_exists($path)) { return $path; }
        $globalConfig = SimpleSAML_Configuration::getInstance();
        $base = $globalConfig->getPathValue('certdir', 'cert/');
        return SimpleSAML_Utilities::resolvePath($path, $base);
    }

    Then the metadata link becomes reachable.

  4. There was an error displaying a blank page when I enabled SAML authentication. What helped me was correcting the file system permissions by resetting them. (WordPress directory Properties – Security – Advanced – Change permissions – check the option Replace all child object permission entries with inheritable permission entries from this object.)
  5. In ADFS – Relying Party Trusts – your trust – Properties you have to add the SP signing certificate on the Signature tab. If you don't add it, ADFS cannot verify the signature on the SP's AuthnRequest and fails with error MSIS0037: No signature verification certificate found for this issuer.
  6. The claim rule (using the "Transform an Incoming Claim" template) described in the mentioned step-by-step post needs some corrections: change Incoming claim type from E-Mail Address to Windows account name, and change Outgoing Name ID format from Email to Transient Identifier.
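The IIS and ADFS parts of the procedure above (items 2, 5 and 6) can also be done from an elevated PowerShell prompt on the respective servers instead of through the GUI. This is an added example, not code from the original post or from the plugin; the site name `Default Web Site`, the relying party trust name `WordPress` and the WordPress install path are assumptions taken from the error message above and must be adjusted to your environment.

```powershell
# Added example (not from the original post). Run the IIS part on the web
# server and the ADFS part on the ADFS server, both from an elevated prompt.
# Site name, trust name and install path are assumptions.

# --- Item 2: let IIS serve the uploaded .cer files, and nothing else ---
Import-Module WebAdministration
$site     = 'Default Web Site'                                  # assumption
$certsDir = 'wp-content/uploads/saml-20-single-sign-on/etc/certs'
$psPath   = "IIS:\Sites\$site\$certsDir"

# Scope the mapping to the certs folder only and map .cer only; .pem/.key
# files in the same tree stay unmapped, so IIS keeps answering 404.3 for them.
$existing = Get-WebConfigurationProperty -PSPath $psPath `
    -Filter 'system.webServer/staticContent/mimeMap[@fileExtension=".cer"]' `
    -Name fileExtension -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $psPath `
        -Filter 'system.webServer/staticContent' -Name '.' `
        -Value @{ fileExtension = '.cer'; mimeType = 'application/pkix-cert' }
}

# --- Item 5: register the SP signing certificate (the "Signature" tab) ---
$rpName   = 'WordPress'                                         # assumption
$certPath = 'C:\inetpub\wwwroot\wordpress\wp-content\uploads\saml-20-single-sign-on\etc\certs\1\1.cer'
$spCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
Set-AdfsRelyingPartyTrust -TargetName $rpName -RequestSigningCertificate $spCert

# --- Item 6: the corrected "Transform an Incoming Claim" rule ---
# Windows account name in, NameID out, with the transient format so it matches
# the NameID Policy the SP requests (item 1).
$rule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Windows account name to transient NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@
# -IssuanceTransformRules replaces the whole rule set on the trust; if the
# trust already has other rules, prepend them from
# (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules first.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rule

# Check the result: the trust should now list the certificate and the rule.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, RequestSigningCertificate, IssuanceTransformRules
```

The claim rule text is what the "Transform an Incoming Claim" template generates when Windows account name is chosen as the incoming claim and Transient Identifier as the outgoing Name ID format, so the GUI steps in item 6 and this script produce the same rule.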
