humanmade / wp-simple-saml Goto Github PK

When a user accesses their user profile in the admin area, they have the option to change their email address. If the account is an SSO account then changing this should be prevented.

Add a backdoor link (ie /?saml_sso=false) that will allow the Forced Redirect to be disabled.

@shadyvb Is there anything stopping us from open sourcing this repo? :) Happy to write up the readme/etc if you don't have time.

In an environment with the plugin network enabled, entering the network settings page to provide the SSO IdP Metadata provides a broken settings page, as the SSO Config validation field expects the metadata to exist already when viewing the page.

The outcome of this is that it is impossible to save the page, so you are unable to add the metadata to resolve the issue without manually adding the sso_idp_metadata meta key and value to the wp_sitemeta database.

• Setup CS linting
• Build status badges

When trying to log into a sub-directory site like:

https://www.example.com/subsite/wp-login.php?redirect_to=https://www.exmaple.com/subsite/

I'm getting an infinite loop. The base url is submitting to itself. That is the cross site form on www.example.com/sso/verify is submitting to www.example.com/sso/verify instead of submitting to www.example.com/subsite/sso/verify. The $sso_url here is being set incorrectly for sub-directory sites.

The parameter passed to the wpsimplesaml_config filter is documented as an array, but it can also be a WP_Error due to the return value of Admin\get_config().

In addition, there are two instances of this filter and only one is documented.

While I can currently include this plugin using Composer installers, it would be really nice to be able to include it as a first-class Composer dependency.

Will likely follow this up with a PR soon.

The PHP-SAML library currently uses the mcrypt library that was deprecated in PHP 7.1. This means that this plugin can't be used on WordPress VIP or, really, any modern web host.

PHP-SAML has a 3.0 version which will could change some of the integration, but allows the plugin to be usable on modern hosts. It is not officially tagged, however it can be tagged with 3.0.0.x-dev to at least prepare for the change.

Reference: SAML-Toolkits/php-saml#255

This might be the last piece of information that isn't available from settings screens.

ref wpsimplesaml_attribute_mapping

Recently I had to debug SSO errors where users were seeing 500 errors because of some infra configuration errors, but debugging this was very difficult as I had to figure out and spend some time to get some logging setup.

The way I did was to add logging into X-ray with more details for the error from $saml->getLastErrorReason() and $saml->getLastErrorException()

I am thinking about how we can make it easier to debug this, One of the simplest solutions I am thinking of is to also trigger WordPress actions with related information and let the application code handle different logging?

Add some personalization to the link that users will see at the login page.

Invalid header error after pressing activate plugin.

Could you explain this a bit better?

I've added this to sunrise.php

add_filter( 'wpsimplesaml_map_role ', function(){
	return[
		'student'	=> array('[email protected]','student'),
		'staff'	=> array('[email protected]','staff'),
		'faculty'	=> array('[email protected]','faculty'),
	];
});

How far off am I from actually mapping my SAML response values from the WordPress roles here?

I created a WP sandbox to implement SSO. When I add the XML medadata to the SSO Ido Metadata field I get the following error:

Invalid array settings: sp_entityId_not_found, sp_acs_url_invalid, sp_sls_url_invalid

Here is the format of the XML I add to the field:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="XXXXXXX" cacheDuration="XXXXXX" entityID="XXXXX">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>XXXXXXXXXXXXXXXXXXX=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>XXXXXXXXXXXX=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://fidm.us1.gigya.com/saml/v2.0/XXXXXXXXXXXXXXXXXXX/idp/metadata"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

The plugins needs to support the SLS endpoint so users are logged out automatically once they're logged out through IdP authority.

SSO Delegation Whitelisted Hosts should support wildcards

In a comma separated list of hosts, only the first one is evaluated

On the Options page: https://mysite.com/wp-admin/options-general.php I see the following deprecated notice twice:

Deprecated: Function libxml_disable_entity_loader() is deprecated in /srv/www/wp-content/plugins/wp-simple-saml/vendor/onelogin/php-saml/src/Saml2/Utils.php on line 89

Deprecated: Function libxml_disable_entity_loader() is deprecated in /srv/www/wp-content/plugins/wp-simple-saml/vendor/onelogin/php-saml/src/Saml2/Utils.php on line 91

Recently updated the environment to php 8.0, WP version 5.7.6

Enabling it on a multisite servers gives the following error:
Fatal error: Uncaught Error: Call to undefined function HumanMade\SimpleSaml\is_plugin_active_for_network() in /var/www/html/wordpress/wp-content/plugins/wp-simple-saml/inc/namespace.php:682 Stack trace: #0 /var/www/html/wordpress/wp-content/plugins/wp-simple-saml/inc/admin/namespace.php(140): HumanMade\SimpleSaml\is_sso_enabled_network_wide() #1 /var/www/html/wordpress/wp-content/plugins/wp-simple-saml/inc/admin/namespace.php(370): HumanMade\SimpleSaml\Admin\get_sso_settings('sso_debug') #2 /var/www/html/wordpress/wp-includes/class-wp-hook.php(286): HumanMade\SimpleSaml\Admin\filter_forced_sso(false) #3 /var/www/html/wordpress/wp-includes/plugin.php(203): WP_Hook->apply_filters(false, Array) #4 /var/www/html/wordpress/wp-content/plugins/wp-simple-saml/inc/namespace.php(150): apply_filters('wpsimplesaml_fo...', false) #5 /var/www/html/wordpress/wp-includes/class-wp-hook.php(288): HumanMade\SimpleSaml\authenticate_with_sso(NULL) #6 /var/www/html/wordpress/wp-includes/class-wp-hook.php(310): WP_Hook->apply_filters('', Array in /var/www/html/wordpress/wp-content/plugins/wp-simple-saml/inc/namespace.php on line 682

This can be fixed by including ABSPATH . '/wp-admin/includes/plugin.php'.

This is documented in:
https://codex.wordpress.org/Function_Reference/is_plugin_active_for_network

Adding the piece of code above it fixed the issue for me.

I may be doing something wrong, but I cannot seem to force the SSO route with the wpsimplesaml_force filter.

I'm trying with this:
add_filter('wpsimplesaml_force', '__return_true');

But I'm still hitting the WP login screen.
If I change the SSO Status to "Force Redirect" it works fine.

Some IdPs might not be configured to send the email in the NameID field, even if the users log in using the email.

We changed our IdP to send the information in the NameID field, but it might be useful for others.

I'm currently trying to use the Configuration via code settings to generated valid SP Metadata. I'm trying to get a similar SP Metadata to the one below:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="XXXXXXXXX.doitt.nycnet-console"
entityID="XXXXXXXXX.doitt.nycnet-console"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#XXXXXXXXX.doitt.nycnet-console"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>XXXXXXXXXXXXXXXXXX</ds:DigestValue></ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>XXXXXXXXXXXXXX</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data><ds:X509Certificate>XXXXXXXXXXXXXXXXXXXX</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>XXXXXXXXXXXXXXXXXX</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
<ds:X509Certificate>XXXXXXXXXXXXXXXXX</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://XXXXXXXXX.doitt.nycnet/console/saml/SingleLogout/alias/xxxxxx.doitt.nycnet-console"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://XXXXXXXXX.doitt.nycnet/console/saml/SingleLogout/alias/xxxxxx.doitt.nycnet-console"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://XXXXXXXXX.doitt.nycnet/console/saml/SSO/alias/xxxxxx.doitt.nycnet-console" index="0" isDefault="true"/>
</md:SPSSODescriptor></md:EntityDescriptor>

To achieve this I try to add the missing fields that were not being generated in the SP Metadata via the code configuration were I tried the following:

/**

• SIMPLE SAML PLUGIN CONFIGURATION
  */
  add_filter( 'wpsimplesaml_idp_metadata_xml_path', function(){
  return ABSPATH . '.private/sso/test.idp.xml';
  } );

add_filter( 'wpsimplesaml_config', function(){
        return  [
                'entityId'                 => 'https://example.com',
                'assertionConsumerService' => [
                        'url' => 'https://example.com/sso/verify',
                        'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
                ],
                'singleLogoutService'      => [
                        'url' => 'https:/example.com/sso/sls',
                        'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
                ],
                'AuthNRequest'       => true,
                'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
                'NameIDFormat'       => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
                
        ];
} );

However, the SP Metadata does not change and the above fields such as 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' stay the same as default. No change to the SP Metadata is made. What is the hook to configure the fields expected to be in the SP Metadata required by the idP? Can you provide some guidance please.

Please can you Update Plugin Version to latest Tag/Release version

If SSO is not enforced, the password reset functionality should not be disabled as this allows an administrator to be locked out of their site while the plugin is active on a development site.

I'm currently trying to implement SSO into a wordpress application. I'm using wp-simple-saml, when I click on the SSO login link I'm not being redirected to the SSO idP. I have added the end point to where the redirection of the SSO base url endpoint. However, redirection sends me back to root.

It appears that we're passing an empty string if there is no XML file to pass to the PHP-SAML library. This is spilling PHP warnings.

Stack trace:

[13-Jul-2018 23:26:38 UTC] PHP Warning:  DOMDocument::loadXML(): Empty string supplied as input in /vagrant/content/plugins/wp-simple-saml/vendor/onelogin/php-saml/lib/Saml2/Utils.php on line 88
[13-Jul-2018 23:26:38 UTC] PHP Stack trace:
[13-Jul-2018 23:26:38 UTC] PHP   1. {main}() /vagrant/wp/wp-admin/options-general.php:0
[13-Jul-2018 23:26:38 UTC] PHP   2. do_settings_sections() /vagrant/wp/wp-admin/options-general.php:382
[13-Jul-2018 23:26:38 UTC] PHP   3. do_settings_fields() /vagrant/wp/wp-admin/includes/template.php:1337
[13-Jul-2018 23:26:38 UTC] PHP   4. HumanMade\SimpleSaml\Admin\{closure}() /vagrant/wp/wp-admin/includes/template.php:1378
[13-Jul-2018 23:26:38 UTC] PHP   5. HumanMade\SimpleSaml\instance() /vagrant/content/plugins/wp-simple-saml/inc/admin/namespace.php:268
[13-Jul-2018 23:26:38 UTC] PHP   6. apply_filters() /vagrant/content/plugins/wp-simple-saml/inc/namespace.php:191
[13-Jul-2018 23:26:38 UTC] PHP   7. WP_Hook->apply_filters() /vagrant/wp/wp-includes/plugin.php:203
[13-Jul-2018 23:26:38 UTC] PHP   8. HumanMade\SimpleSaml\Admin\get_config() /vagrant/wp/wp-includes/class-wp-hook.php:286
[13-Jul-2018 23:26:38 UTC] PHP   9. OneLogin_Saml2_IdPMetadataParser::parseXML() /vagrant/content/plugins/wp-simple-saml/inc/admin/namespace.php:57
[13-Jul-2018 23:26:38 UTC] PHP  10. OneLogin_Saml2_Utils::loadXML() /vagrant/content/plugins/wp-simple-saml/vendor/onelogin/php-saml/lib/Saml2/IdPMetadataParser.php:98
[13-Jul-2018 23:26:38 UTC] PHP  11. DOMDocument->loadXML() /vagrant/content/plugins/wp-simple-saml/vendor/onelogin/php-saml/lib/Saml2/Utils.php:88

SP Metadata URL in config throwing Invalid SSO settings. Contact your administrator. when IdP Metadata is empty

A few questions to assist in implementation:-

1. Why is the SP metadata generated with only a 48 hour validity timestamp, this does not appear to be a local limit?
2. How to automate IDP certificate change updates?
3. What precisely does wpsimplesaml_cross_sso_form_inputs do & are there examples of implementation.

Also if I may ask, why is this excellent plugin not available through wordpress.org?

In https://github.com/humanmade/wp-simple-saml/wiki/Testing-SSO-locally
wpsimplesaml_idp_metadata_xml filter should be wpsimplesaml_idp_metadata_xml_path

Hi there,

Seem to hitting a brick wall with the configuration. I have had the same configuration running locally however when it's extended to the web, i receive a 404 after login to okta ( that parts working fine. )

My question is the issue perhaps related to my using a url like https://www.example.com/**radio**

im running my config programatically... app is activated and i see no issues especially as as said, i've run the configuration locally the only difference really being the url..

Any thoughts on this?

Steve

[23-Nov-2018 00:17:43] WARNING: [pool www] child 8 said into stderr: "NOTICE: PHP message: PHP Fatal error:  Uncaught Error: Call to undefined function HumanMade\SimpleSaml\get_site_by_path() in /var/www/sites/theshire.space/wp-content/plugins/wp-simple-saml-master/inc/namespace.php:622"
172.18.0.5 -  23/Nov/2018:00:17:43 +0000 "POST /index.php" 500
[23-Nov-2018 00:17:43] WARNING: [pool www] child 8 said into stderr: "Stack trace:"
[23-Nov-2018 00:17:43] WARNING: [pool www] child 8 said into stderr: "#0 /var/www/sites/theshire.space/wp-content/plugins/wp-simple-saml-master/inc/namespace.php(212): HumanMade\SimpleSaml\get_blog_id('https://shire.v...')"
[23-Nov-2018 00:17:43] WARNING: [pool www] child 8 said into stderr: "#1 /var/www/sites/theshire.space/wp-includes/class-wp-hook.php(286): HumanMade\SimpleSaml\cross_site_sso('')"
[23-Nov-2018 00:17:43] WARNING: [pool www] child 8 said into stderr: "#2 /var/www/sites/theshire.space/wp-includes/class-wp-hook.php(310): WP_Hook->apply_filters('', Array)"
[23-Nov-2018 00:17:43] WARNING: [pool www] child 8 said into stderr: "#3 /var/www/sites/theshire.space/wp-includes/plugin.php(453): WP_Hook->do_action(Array)"
[23-Nov-2018 00:17:43] WARNING: [pool www] child 8 said into stderr: "#4 /var/www/sites/theshire.space/wp-content/plugins/wp-simple-saml-master/inc/namespace.php(98): do_action('wpsimplesaml_ac...')"
[23-Nov-2018 00:17:43] WARNING: [pool www] child 8 said into stderr: "#5 /var/www/sites/theshire.space/wp-includes/class-wp-hook.php(286): HumanMade\SimpleSaml\endpoint('')"
[23-Nov-2018 00:17:43] WARNING: [pool www] child 8 said into stderr: "#6 /var/www/sites/theshire.space/wp-includes/class-wp-hook.php(310): WP_Hook->apply_filters(false, Array..."

Seems similar in issue to #15 where a wordpress function is not included properly.
https://developer.wordpress.org/reference/functions/get_site_by_path/

Because it's from multisite (ms-load.php), it won't work properly in singlesite.

Since two functions are called as actions and it's expected that one should fail,

	add_action( 'wpsimplesaml_action_login', __NAMESPACE__ . '\\cross_site_sso' );
	add_action( 'wpsimplesaml_action_verify', __NAMESPACE__ . '\\cross_site_sso' );
	add_action( 'wpsimplesaml_action_login', __NAMESPACE__ . '\\action_login' );
	add_action( 'wpsimplesaml_action_verify', __NAMESPACE__ . '\\action_verify' );

it would be prudent to modify

As is, a quick fix would be to do as @guequierre suggests and do a hard include:

include( ABSPATH . '/wp-includes/ms-load.php' );

However, that also fails since ms-load.php needs other functions inherent in multisite.

Added this to get_blog_id() but this resulted in an infinite redirect loop.

        if ( ! is_multisite() ) {
                return 0;
        }

Not sure what's going on other than it has to do with the site being a sub-domain.

Update: With the above addition of returning 0 on multisite and clearing out the 'SSO delegation whitelisted hosts' box, the function now works and my test user can log in. However, deleting the user in wordpress will cause an error that the site is not present in whitelisted sites.

Post Update: Maybe I was confused on how blogIDs work and that they start at 0.
Using:

        if ( ! is_multisite() ) {
                return 1;
        }

Works and creates users correctly.

• We need to cache the contents of the XML so we don't hit it on each page load.
• There should be a way to refresh the cache, using UI or CLI.
• May use filemtime or detect changes to the XML file and refresh cache.
• Lazy load the metadata file?

This control will allow the Administrator whether all users can log in into the Wordpress instance or if they must create the accounts beforehand.

I have successfully been able to set-up wp-simple-saml on several projects; however, I have a particular project where wp-simple-saml 404's on all sso routes (e.g. sso/login, sso/verify, & sso/metadata). Is there something that might be blocking the creation of these URLs?

Thank you so much!

Hi, I need some help with the plugin.
I've installed and configured the plugin via the admin panel so that it should work with my custom IdP I made with the Flask SAML2 Library for Python.

When I click the link for SAML Login on my WordPress website it redirects me to my custom IdP and the authorization process is successful. Then it redirects me back to my WordPress site where a new user is created with the email it got from the IdP but as value for the username instead of the email field (see screenshot below).

In the following screenshot you can see a SAML packet i have captured with a Firefox extension. -> In the NameID field is the email of my IdP's user database so that works correct.

In this example I replaced my WordPress website link with https://test.com.

When I logout of the WordPress website and try to login again there is the following error message.

Then I had some research and found a similar issue here on GitHub and tried the code mentioned there but it didn't work for me.

So that's what I want to achieve:

• I have this custom IdP with a database where some users are stored in. (e.g. username: simon, email: [email protected] | username: tim, email: [email protected])
• Now I want that the user simon has access to the admin account of my WordPress website but the user tim shouldn't have access to and no account should be created when the user tim tries to access the page via SAML authentication.

I found the hook wpsimple_match_user in the documentation but I don't exactly know how I have to implement that code in the plugin.php file so that it works fine.

And the second thing I already tried is the following code but I think the syntax is somehow not correct.

//Disable adding users to site
add_filter( 'wpsimplesaml_add_users_to_site', function(){
    return false;
} );

Thanks for your help

I have installed the plugin and coordinated the metadata with my SAML provider. Everything seems to be working as expected, however when I attempt to log in for a second time I get an error: Sorry, that username already exists!

Any idea how this can be resolved?

Warning: DOMDocument::loadXML(): Start tag expected, '<' not found in Entity, line: 1 in C:\Users\Salim Hachemaoui\Local Sites\wei\app\public\wp-content\plugins\wp-simple-saml\vendor\onelogin\php-saml\src\Saml2\Utils.php on line 90

XML Path: No
XML: Yes
Passed config: No
Valid config: Invalid IdP XML metadata
Errors: No
SP Metadata: http://localhost:10011/sso/metadata

When using wp-simple-saml on multisite with subdomains, the plugins appears to be not working. This is due to how the cross-site sso redirect / forwarding works. With the scanario:

1. Assuming sso_sp_base is your main site url, like https://hmn.md/.
2. Try to login to updates.hmn.md, correctly you are passed to the SAML provider for auth
3. The SAML Idp will redirect back to your acs url (https://hmn.md/sso/verify)
4. wp-simple-saml will see the $redirect_url is from another site, so will do the cross-site sso hop, to re-POST the data to https://updates.hmn.md/sso/verify
5. On this request, wp-simple-saml will attempt to have onelogin $saml->processResponse(), which will fail, due to the current URL hostname not matching the Destination in the SAML XML response.

I.e. it's not possible to process a SAMLResponse payload on a hostname that doesn't match the Destination field in the SAML app registered in the Idp.

I'm not sure how this was meant to work. I think for this to work, there are two possible approaches:

1. Process the verify request at the main site, even when they are for sub-sites, so you essentially switch_to_blog() at https://hmn.md/sso/verify and create the user on the site of $redirect_uri (and the same for /login).
2. Change the behaviour of onelogin somehow to skip validation, or validate it against sso_sp_base rather than the current URL more likely.