Hello everyone,
Recently, we integrated SAML 2.0 single sign-on with Active Directory Federation Services (ADFS) on a WordPress site for one of our clients. Even with a plugin, it was not straightforward, and we ran into several issues along the way. In this post, I walk through how the integration is done.
Security Assertion Markup Language (SAML 2.0) is an XML-based standard for exchanging authorization information between two parties. To read more about SAML, visit https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language and then come back to this post.
We tried several popular Single Sign On (SSO) plugins. Some had issues, and others only worked once the paid version was purchased. Finally, “OneLogin SAML SSO”, a plugin by OneLogin Inc. [https://www.onelogin.com], gave us everything that was required.
First, install the OneLogin SAML SSO plugin in your WordPress site and activate it. Go to Settings -> SSO/SAML Settings and then:
Fill in the IDP information (this is the information provided by your Identity Provider).
Map the WordPress user fields to the claim URIs that ADFS sends, for example:
Username: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
And so on…
For a complete list of claims, see the Microsoft docs: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims
Next, the plugin needs a Service Provider (SP) certificate and private key. You can generate a private key and a self-signed certificate in a single step (set the CN to the domain of your service provider app):
/usr/bin/openssl req -new -x509 -sha256 -newkey rsa:2048 -keyout key.pem -days 1826 -subj "/CN=madeatcolgate.com" -out cert.pem
Or do it in three steps. Generate a private key:
/usr/bin/openssl genrsa -out server.pem 2048
Generate CSR: (In the “Common Name” set the domain of your service provider app)
/usr/bin/openssl req -new -sha256 -key server.pem -out server.csr
Generate Self Signed Cert:
/usr/bin/openssl x509 -req -sha256 -days 1825 -in server.csr -signkey server.pem -out server.crt
The above commands give you a self-signed certificate and the corresponding private key. Paste them into the fields Service Provider X.509 Certificate and Service Provider Private Key respectively. Keep the private key file secret: it is what lets your site sign its requests and decrypt assertions, and only the certificate is ever shared with the Identity Provider.
Now that you’ve configured the plugin, you’ll need to provide the following information to your Identity Provider:
SP Entity Id: https://xyz.com/
ACS Url: https://xyz.com/wp-login.php?saml_acs
Service Provider X.509 Certificate file
Alternatively, you can simply share the metadata file with your Identity Provider. The link to the metadata file can be found at the top of the plugin settings.
The Identity Provider will need to set up an LDAP rule and a Transform rule for your application (SP) in ADFS. In our case we are using emailAddress as the NameIDFormat, as shown in the settings above, so our rules look as follows.
LDAP Rule: (This rule releases only the emailAddress and GivenName attributes to the SP)
Transform Rule: (Note that we have set the “Incoming claim type” and the Outgoing name ID format to email)
Setting this much is enough for a working SSO integration.
You can configure further SAML/ADFS settings from here as per your needs.
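As an added example (not code from this post or from the OneLogin plugin), here is the Service Provider side of what the attribute mapping and the ADFS rules above produce: a small Python function that maps the ADFS claim URIs to WordPress user fields and rejects an assertion whose audience, validity window or NameID format does not match the SP settings. The sample assertion, the entity id https://xyz.com/ and the user jdoe@xyz.com are constructed, and the function assumes the plugin has already verified the XML signature before the assertion reaches it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# ADFS claim URIs from the plugin's attribute mapping, keyed by WordPress field
CLAIM_MAP = {
    "username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}

# Constructed sample assertion carrying only the two claims the LDAP rule releases;
# the Signature element is omitted because signature checking happens before this step.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@xyz.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://xyz.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jdoe@xyz.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(value):
    # SAML timestamps are UTC with a trailing Z, which fromisoformat needs as +00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def map_assertion(xml_text, sp_entity_id, now):
    """Map an already signature-verified assertion to WordPress user fields.
    Raises ValueError if it is outside its validity window, not addressed to
    this SP Entity Id, or does not use the emailAddress NameID format."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if sp_entity_id not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this SP Entity Id")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id.get("Format") != EMAIL_FMT:
        raise ValueError("NameID format is not emailAddress")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall(".//saml:Attribute", NS)}
    fields = {wp_field: attrs.get(uri) for wp_field, uri in CLAIM_MAP.items()}
    fields["name_id"] = name_id.text
    return fields
```

Fields the LDAP rule does not release (here username and last_name) come back as None, which is the first thing to check when a login succeeds at ADFS but the WordPress user is created with missing data.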