Single sign-on with ADFS for WordPress

I’ve tried to run the SAML 2.0 SSO plugin on WordPress 4.2.4 on IIS 8 (Windows Server 2012) with ADFS. The step-by-step post mostly helped me, but not in all cases, so I’ve decided to post my findings here.

  1. On the Service Provider configuration page you have to change NameID Policy to urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
  2. After uploading the signing certificate, you can’t check it by clicking the download button (the certificate URL), because IIS 8 does not serve files with this extension. The solution is to go to IIS Manager, open the web site and select the folder wp-content/uploads/saml-20-single-sign-on/etc/certs. Then in Features View select MIME Types, click Add… in the Actions panel and fill in: File name extension – cer, MIME type – application/pkix-cert. Then click OK.
  3. Your Entity ID is blank on the General tab of the SAML plugin configuration. If you click the metadata link above it, you get an Unhandled exception error page:
    Caused by: Exception: authsources['1']: Unable to load certificate/public key from file "C:\inetpub\wwwroot\wordpress\wp-content\plugins\saml-20-single-sign-on\saml/cert/C:\inetpub\wwwroot\wordpress/wp-content/uploads/saml-20-single-sign-on/etc/certs/1/1.cer".

    To resolve this error, you have to edit the file path-to-wordpress\wp-content\plugins\saml-20-single-sign-on\saml\lib\SimpleSAML\Utilities.php. Inside is the resolveCert function, where you need to add one condition, so that a path which already exists on disk is returned as-is instead of being prefixed with the certdir path again (which produced the doubled path in the error above). Final result of the resolveCert edit:

    public static function resolveCert($path) {
        // Added condition: an already resolvable (absolute) path is returned unchanged
        if (file_exists($path)) { return $path; }
        $globalConfig = SimpleSAML_Configuration::getInstance();
        $base = $globalConfig->getPathValue('certdir', 'cert/');
        return SimpleSAML_Utilities::resolvePath($path, $base);
    }

    Then the metadata link becomes reachable.

  4. When I enabled SAML authentication, the site displayed a blank page. What helped me was correcting the file system permissions by resetting them (WordPress directory Properties – Security – Advanced – Change permissions – check the option Replace all child object permission entries with inheritable permission entries from this object).
  5. In ADFS – Relying Party Trusts – your trust – Properties, you have to add the signing certificate on the Signature tab. If you don’t add it, ADFS fails with error MSIS0037: No signature verification certificate found for this issuer.
  6. The claim rule (using the “Transform an Incoming Claim” template) described in the mentioned step-by-step post needs some corrections: change Incoming claim type from E-Mail Address to Windows account name, and change Outgoing name ID format from Email to Transient Identifier.
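The same configuration changes from steps 2, 5 and 6 can be scripted and verified with the IIS and ADFS PowerShell modules. The script below is an added example, not code from the original post or from the plugin; the site name, the relying party trust name, the WordPress host name and the local copy of 1.cer are assumptions and must be replaced with your own values. The MIME mapping is scoped to the certs folder only, so .cer is not served from the whole site, and no mapping is added for any private key file, which must never be reachable over HTTP.

```powershell
# Added example (not from the original post): scripted version of steps 2, 5 and 6.
# Run the IIS part on the web server and the ADFS part on the ADFS server.
Import-Module WebAdministration   # IIS cmdlets
Import-Module ADFS                # ADFS cmdlets

# --- Step 2: let IIS serve the public .cer file from the plugin's certs folder only ---
$siteName  = 'Default Web Site'                                    # assumption
$certsPath = 'wp-content/uploads/saml-20-single-sign-on/etc/certs'  # path from the post

# Scoped to the folder, the same as adding the MIME type on that folder in IIS Manager.
# Deliberately no mapping for .pem/.key: the private key must stay unreachable.
Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location "$siteName/$certsPath" `
    -Filter 'system.webServer/staticContent' -Name '.' `
    -Value @{ fileExtension = '.cer'; mimeType = 'application/pkix-cert' }

# Check: the download button's URL should now answer 200 instead of 404.
$wpBase = 'https://wordpress.example.test'                          # assumption
(Invoke-WebRequest -Uri "$wpBase/$certsPath/1/1.cer" -UseBasicParsing).StatusCode

# --- Step 5: register the SP signing certificate on the relying party trust ---
$trustName = 'WordPress'         # assumption: display name of the relying party trust
$cerFile   = 'C:\temp\1.cer'     # assumption: the same 1.cer copied to the ADFS server
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerFile)

# --- Step 6: the corrected "Transform an Incoming Claim" rule in claim rule language ---
# Windows account name -> Name ID with the transient format, as the post corrects it to.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Windows account name to transient Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# -IssuanceTransformRules replaces the whole rule set; append other rules to the
# string first if the trust already has any. -SignedSamlRequestsRequired makes
# ADFS reject unsigned AuthnRequests, so the certificate registered above is
# actually enforced rather than merely available.
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -RequestSigningCertificate $spCert `
    -IssuanceTransformRules $nameIdRule `
    -SignedSamlRequestsRequired $true

# Check: the trust lists the SP certificate (thumbprint, expiry) and the single rule.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
$trust.RequestSigningCertificate | Select-Object Subject, Thumbprint, NotAfter
$trust.IssuanceTransformRules
```

The final Get-AdfsRelyingPartyTrust output is the thing to keep an eye on afterwards: when the certificate's NotAfter date passes, signed requests from WordPress will start failing with the same MSIS0037 error as in step 5, so the certificate has to be rotated on both sides before that date.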

LogMeIn Free can be replaced by TeamViewer

Last week I occasionally logged into my LogMeIn Free account to give remote support to a friend. But there was an unexpected surprise – LogMeIn Free is ending. So I had to look for another service with the same functionality. I googled for some comparative articles, but they didn’t help me enough. The offer of free support services is quite limited, and I don’t want to pay for a support service that I use quite rarely.

So I decided to try TeamViewer, which I knew is very easy to use to get onto any computer where its client has been started. I only knew the way with an ID and PIN. But now I found out that it is possible to install the client, set up unattended access to it and add its ID to my computer list. On top of that, you don’t have to install TeamViewer on your management computer to give support. You can use the TeamViewer web management console and the Adobe Flash viewer to give support everywhere you go!

There is one more thing that, unlike LogMeIn, TeamViewer supports: Linux! It sounds very good. So I tried to install it on my openSUSE box with KDE. It works well, although the client looks quite ugly, because it runs in WINE. But the important thing is that it runs, including unattended access!

So I’m content that I found a very good replacement for LogMeIn Free, and that it even runs on Linux.