Author: Jan Papež (honyczek)

Single sign-on with ADFS for WordPress

I’ve tried to run the SAML 2.0 SSO plugin on WordPress 4.2.4 on IIS 8 (Windows Server 2012) with ADFS. The step-by-step post mostly helped me, but not in all cases. So I’ve decided to post my research here.

  1. On the Service Provider configuration page, you have to change the NameID Policy to urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
  2. After uploading the signing certificate, you can’t check it by clicking the download button (URL https://server.example.org/wordpress/wp-content/uploads/saml-20-single-sign-on/etc/certs/1/1.cer), because IIS 8 blocks this type of file extension. The solution is to open IIS Manager, go to the web site and select the folder wp-content/uploads/saml-20-single-sign-on/etc/certs. Then, in Features View, select MIME Types, click Add… in the Actions panel and fill in: File name extension – cer, MIME type – application/pkix-cert. Then click OK.
  3. Your Entity ID is blank on the General tab of the SAML plugin configuration. If you click the metadata link above, you’ll get an error page with an Unhandled exception:
    Caused by: Exception: authsources['1']: Unable to load certificate/public key from file "C:\inetpub\wwwroot\wordpress\wp-content\plugins\saml-20-single-sign-on\saml/cert/C:\inetpub\wwwroot\wordpress/wp-content/uploads/saml-20-single-sign-on/etc/certs/1/1.cer".

    To resolve this error, you have to edit the file path-to-wordpress\wp-content\plugins\saml-20-single-sign-on\saml\lib\SimpleSAML\Utilities.php. It contains the resolveCert function, to which you need to add one condition. The final result of the resolveCert edit:

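    public static function resolveCert($path) {
        assert('is_string($path)');
        // Added condition: a path that already exists (for example an absolute
        // Windows path such as C:\...) is returned unchanged instead of being
        // appended to certdir, which produced the doubled path in the error above.
        if (file_exists($path)) { return $path; }

        $globalConfig = SimpleSAML_Configuration::getInstance();
        $base = $globalConfig->getPathValue('certdir', 'cert/');
        return SimpleSAML_Utilities::resolvePath($path, $base);
    }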

    Then the metadata link becomes reachable.

  4. There was an error with a blank page being displayed when I enabled SAML authentication. What helped me was correcting the file system permissions by resetting them. (WordPress directory Properties – Security – Advanced – Change permissions – check the option Replace all child object permission entries with inheritable permission entries from this object.)
  5. In ADFS – Relying Party Trusts – your trust – Properties, you have to add the signing certificate on the Signature tab. If you don’t add it, ADFS fails with the error MSIS0037: No signature verification certificate found for this issuer.
  6. The claim rule (using the “Transform an Incoming Claim” template) described in the mentioned step-by-step post needs some corrections: change Incoming claim type from E-Mail Address to Windows account name, and change Outgoing Name ID format from Email to Transient Identifier.
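
Steps 5 and 6 can also be applied from PowerShell on the ADFS server. This is an added example, not taken from the original post or the step-by-step guide; the trust name `WordPress` and the path `C:\Temp\wordpress-saml.cer` (a copy of the plugin's signing certificate) are assumptions.

```powershell
# Added example: scripts steps 5 and 6 on the ADFS server.
Import-Module ADFS

$trustName = 'WordPress'                    # assumed relying party trust name
$cerPath   = 'C:\Temp\wordpress-saml.cer'   # assumed copy of the plugin's 1.cer

# Step 5: load the service provider's signing certificate and refuse one that
# is outside its validity period before attaching it to the trust.
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
$now  = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate $($cert.Thumbprint) is outside its validity period."
}

# Step 6: the corrected transform rule in claim rule language.
# Incoming claim: Windows account name. Outgoing claim: Name ID, format transient.
$rule = @'
@RuleName = "Windows account name to transient Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
              = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# -IssuanceTransformRules replaces the trust's whole rule set, so export the
# current rules first.
$before = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $before) { throw "Relying party trust '$trustName' not found." }
$before.IssuanceTransformRules |
    Set-Content -Path (Join-Path $env:TEMP "$trustName-rules-backup.txt")

Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -RequestSigningCertificate $cert `
    -IssuanceTransformRules $rule

# Confirm what ADFS now holds for the trust.
$after = Get-AdfsRelyingPartyTrust -Name $trustName
$after.RequestSigningCertificate | Select-Object Subject, Thumbprint, NotAfter
$after.IssuanceTransformRules
```

The rule copies the Windows account name into the Name ID unchanged; only the format label is set to transient.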

LogMeIn Free can be replaced by TeamViewer

Last week I occasionally logged into my LogMeIn Free account to give remote support to my friend. But there was an unexpected surprise – LogMeIn Free is ending. So I had to look for another service with the same functionality. I googled for some comparative articles, but it didn’t help me enough. The offer of free support services is quite limited. I don’t want to pay for a support service if I use it quite rarely.

So I decided to try TeamViewer, which I knew is very easy to reach on any computer where its client has been started. I knew only the way with ID and PIN. But now I found out that it is possible to install the client and set up unattended access to it by adding its ID to my computer list. On top of that, you don’t have to install TeamViewer on your management computer to give support. You can use the TeamViewer web management console and Adobe Flash viewer to give support everywhere you go!

Another thing, in contrast to LogMeIn, is that TeamViewer supports Linux! It sounds very good. So I tried to install it on my openSUSE box with KDE. It works well! Although the client looks quite ugly, because it runs in WINE. But the important thing is that it runs, including unattended access!

So I’m content that I found a very good replacement for LogMeIn Free and that it even runs on Linux.

A new personal site – about my blogging choices

The time has come when I’m leaving my old site, so I must choose where to publish my articles. I have created a blog at blogger.com, but I’m still not decided which place is the best for me. My requirements are:

  • have a third-level blog domain name (honyczek.domain.tld),
  • can make backups of my articles,
  • site without advertisements,
  • enough disk space (although in the time of Google Drive, Rapidshare, etc. it is not so necessary),
  • nice design,
  • option to publish articles from my cell phone’s browser/app.

There are some popular local blogging services like webnode.com, blog.cz or idnes.cz, but I wasn’t sure about the communities around them. They don’t fit my site topics.

For example, I’m a fan of Free and Open Source Software and Linux, so I could choose one of the (local) Linux communities like root.cz, abclinuxu.cz. But sometimes I write about the Microsoft world too. So it would not be ideal. The next thing is that I would have a tendency to push myself to have a perfect form of articles. So it would end with a lot of drafts and no articles. (I’ve been writing an article for linuxexpres.cz for more than one year.)

Now I’m trying to choose by publishing some articles on a few blogging platforms and collecting my impressions and tips from my readers.

Do you have any recommendations or tips for me?