wp-simple-saml
Compatibility with Flask SAML2 custom IdP
Hi, I need some help with the plugin. I've installed and configured the plugin via the admin panel so that it should work with my custom IdP I made with the Flask SAML2 Library for Python.
When I click the link for SAML Login on my WordPress website it redirects me to my custom IdP and the authorization process is successful. Then it redirects me back to my WordPress site, where a new user is created with the email it got from the IdP as the value for the username instead of the email field (see screenshot below).
In the following screenshot you can see a SAML packet I have captured with a Firefox extension. -> In the NameID field is the email from my IdP's user database, so that works correctly.
In this example I replaced my WordPress website link with https://test.com.
When I log out of the WordPress website and try to log in again there is the following error message.
Then I did some research and found a similar issue here on GitHub and tried the code mentioned there, but it didn't work for me.
So that's what I want to achieve:
- I have this custom IdP with a database in which some users are stored. (e.g. username: simon, email: [email protected] | username: tim, email: [email protected])
- Now I want the user simon to have access to the admin account of my WordPress website, but the user tim shouldn't have access, and no account should be created when the user tim tries to access the page via SAML authentication.
I found the hook wpsimple_match_user in the documentation but I don't exactly know how I have to implement that code in the plugin.php file so that it works fine.
And the second thing I already tried is the following code but I think the syntax is somehow not correct.
//Disable adding users to site
add_filter( 'wpsimplesaml_add_users_to_site', function(){
return false;
} );
Thanks for your help
These are two different issues:
- Empty emails
Your SAML IdP configuration doesn't seem to use emailAddress as the nameid-format attribute as expected; it uses email instead (from your screenshot). AND, the SAML response may not include the field email as expected, hence why you have empty email addresses in your user data.
To solve that, use the wpsimplesaml_attribute_mapping filter to change the attribute mapping and let the plugin know which field to look for the email address in, depending on your SAML response format, eg:
add_filter( 'wpsimplesaml_attribute_mapping', function( array $map ) : array {
$map['user_email'] = 'SAML_RESPONSE_FIELD_NAME_HERE';
return $map;
} );
- Restricting creation of users
This is typically done at the IdP level, so the plugin doesn't have a mechanism to do this at the moment. However, you can use wpsimplesaml_match_user
to do the checks you need and return an error object if you don't want the user to be created.
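A worked version of both hooks from the reply above, combined into one mu-plugin. This is an example added here, not code from the plugin or from either participant in the thread. It assumes that the IdP sends the address both in the NameID and in a SAML attribute named email, that the second argument passed to the wpsimplesaml_match_user filter is the OneLogin\Saml2\Auth instance the plugin authenticated with, and it uses placeholder e-mail addresses and WordPress logins. The allow-list is enforced on the WordPress side, so a user the IdP happily authenticates (tim in the question) still gets an error object back and no account is created for them:

```php
<?php
/**
 * Example mu-plugin for wp-simple-saml (illustration only; not part of the plugin).
 * Drop it in wp-content/mu-plugins/.
 *
 * Assumptions (not confirmed by the thread):
 *  - the IdP sends the e-mail in the NameID and in an attribute called "email";
 *  - the second argument of "wpsimplesaml_match_user" is the OneLogin\Saml2\Auth
 *    instance used for the login;
 *  - the addresses and WordPress logins below are placeholders.
 */

// 1. Map the plugin's user_email field to the attribute the IdP actually sends,
//    so created or updated users get a real e-mail address instead of an empty one.
add_filter( 'wpsimplesaml_attribute_mapping', function ( array $map ) : array {
	$map['user_email'] = 'email'; // attribute name seen in the captured response (assumed)
	return $map;
} );

/**
 * Allow-list: IdP e-mail address => WordPress login that the IdP user may use.
 * Anyone not listed gets a WP_Error back, so no account is created for them.
 */
function example_saml_allowed_users() : array {
	return [
		'simon@example.com' => 'admin', // placeholder values
	];
}

/**
 * Pick the e-mail out of the SAML response: NameID first (the IdP in the thread
 * puts the address there), then the "email" attribute as a fallback.
 */
function example_saml_email_from_response( $saml ) : string {
	$email = '';
	if ( is_object( $saml ) && method_exists( $saml, 'getNameId' ) ) {
		$email = (string) $saml->getNameId();
	}
	if ( '' === $email && is_object( $saml ) && method_exists( $saml, 'getAttribute' ) ) {
		$attr  = $saml->getAttribute( 'email' );
		$email = ( is_array( $attr ) && $attr ) ? (string) reset( $attr ) : '';
	}
	// Normalise before comparing so a case difference cannot bypass the allow-list.
	return strtolower( trim( $email ) );
}

// 2. Decide who may log in. $user is what the plugin already matched:
//    a WP_User, false (no match yet) or a WP_Error from an earlier filter.
add_filter( 'wpsimplesaml_match_user', function ( $user, $saml ) {
	if ( is_wp_error( $user ) ) {
		return $user; // keep an earlier error
	}

	$email   = example_saml_email_from_response( $saml );
	$allowed = array_change_key_case( example_saml_allowed_users(), CASE_LOWER );

	if ( '' === $email || ! isset( $allowed[ $email ] ) ) {
		// Returning an error object stops the plugin from creating an account.
		return new WP_Error(
			'wpsimplesaml_user_not_allowed',
			'Your account is not allowed to sign in to this site.'
		);
	}

	$wp_user = get_user_by( 'login', $allowed[ $email ] );
	if ( ! $wp_user ) {
		return new WP_Error(
			'wpsimplesaml_missing_local_user',
			'The local account for this login does not exist.'
		);
	}
	return $wp_user;
}, 10, 2 );
```

To check it, log in through the IdP once as the listed user and confirm you land in the mapped WordPress account, then log in as a user who is not listed and confirm the error message appears and no new row shows up in wp_users. The mapping filter is still needed even with the allow-list in place, because the plugin reads the e-mail through that map when it creates or updates a user.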