WordPress SSO: How to Integrate SAML 2.0 with ADFS 3.0

Hello everyone,

Recently, we did SAML 2.0 integration with Active Directory Federation Services (ADFS) on a WordPress site for one of our clients. Even with using the plugins, it was not so simple, there were some issues we faced during the integration. In this blog, I will provide a guide of how this integration is carried out.

Security Assertion Markup Language (SAML 2.0) is an XML-based standard for exchanging authorization information between two parties. To read more about SAML, you can visit https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language and return back to this blog for better understanding.

We tried some popular plugins available for Single Sign On (SSO). But there were issues with some, and others were only functional after their paid version was purchased. Finally “OneLogin SAML SSO” a plugin by OneLogin Inc. [https://www.onelogin.com] gave all that was required.

First, you need to install OneLogin SAML SSO plugin to your wordpress and activate it. Go to Settings -> SSO/SAML Settings and then:

Fill in the IDP information (this is the information provided by your Identity Provider)

 

• Select the options you want for your site under Options heading or you can skip it if you like.
• Setting the Attribute Mapping is the tricky part. These mappings require specific structured values.

 

Username: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

And so on…

For a complete list of claims visit docs by Microsoft: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims

• Fill in the Role Mapping/Precedence and check the Customize Actions and Links.
• Under the Advanced Settings you need to set “Service Provider Entity Id”. This will be your SP’s ID. It’s better to set your domain URL as SP Entity ID, like: https://xyz.com/. Accordingly, and the saml SP acs URL will become https://xyz.com/wp-login.php?saml_acs, you don’t need to worry about acs URL, the plugin will handle it.
• Tick “Sign AuthnRequest”, “Sign LogoutRequest” and “Sign LogoutResponse” parameters. These parameters will sign your requests using your SP certificate which we will configure in a minute.
• You can set the NameIDFormat to format:emailAddress. But be aware that if you set NameIDFormat to emailAddress, you’ll need to set the Username to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress as set above.
• Now you need to generate a certificate for your SP. You can use the following commands on a Linux console to produce a self-signed certificate:

/usr/bin/openssl req -new -x509 -sha256 -newkey rsa:2048 -keyout key.pem -days 1826 -subj “/CN=madeatcolgate.com” -out cert.pem

/usr/bin/openssl genrsa -out server.pem 2048

Generate CSR: (In the “Common Name” set the domain of your service provider app)

/usr/bin/openssl req -new -sha256 -key server.pem -out server.csr

Generate Self Signed Cert

/usr/bin/openssl x509 -req -sha256 -days 1825 -in server.csr -signkey server.pem -out server.crt

The above commands will provide you a self-signed certificate and a corresponding private key. You can place these values in the fields Service Provider X.509 Certificate and Service Provider Private Key respectively.

Now that you’ve configured your plugin, you’ll need to provide following information to your Identity Provider:

SP Entity Id: https://xyz.com/

ACS Url: https://xyz.com/wp-login.php?saml_acs

Service Provider X.509 Certificate file

Also, you can simply share the Metadata file with your Identity Provider. The Metadeta file link can be found at the top of plugin settings:

The Identity Provider will need to set the LDAP Rule and Tranform Rule for your application (SP) in the ADFS. In our case we are using emailAddress as NameIDFormat as shown in the settings above, so in our case the settings will be as follows.
LDAP Rule: (This rule will provide emailAddress and GivenName information only, to the SP)

Transform Rule: (Note that we have set the “Incoming claim type” and Outgoing name ID format to be email)

Setting this much would enable a working SSO integration.
You can configure further SAML/ADFS settings from here as per your needs.