0
votes

I have a WordPress-based site and need to set up single sign-on (the Identity Provider is Ping Identity). I'm using the WordPress miniOrange plugin to configure the SSO. When I test the configuration, I get the following error:

Error: Invalid SAML Response Status.
Causes: Identity Provider has sent 'Requester' status code in SAML Response.
Please check IdP logs.
Reason: The request could not be performed due to an error on the part of the requester.
Status Message in the SAML Response: Signature required

It (the error) looks like the Identity Provider requires the SAML request to be signed and asks the service provider (the WordPress site) to share the public key with the Identity Provider, but I'm unable to find how to set up a signed SAML request in the miniOrange plugin and don't know which folder to store the private key in on WordPress.

I have two questions:

  1. Does the WordPress miniOrange plugin support SAML request signatures? How do I set it up?

  2. Is there any other recommended WordPress plugin for SSO?

2 Answers

1
votes

The answer to your first question is yes: miniOrange does support SAML request signatures, and you can send signed requests with it, but this functionality is not available in the free plugin. You can go for the standard or premium plugin: miniOrange WordPress SAML Plugin.

Setting up signed requests in the standard or premium plugin can be done by just checking the signed request option.

The answer to your last question, whether there is any other WordPress SSO plugin, depends totally on your use case. If you want the plugin for commercial use, I would suggest you go with miniOrange; they provide great support and a lot of features in the premium and standard plans at very low cost. Features available are:

  1. Basic Attribute Mapping, Widget
  2. Shortcode to add IDP Login Link on your site,St
  3. Auto-Redirect to IDP from login page
  4. Options to select SAML Request binding type
  5. Customized Role Mapping
  6. Custom Attribute Mapping
  7. Store Multiple IdP Certificates
  8. Multi-Site Support
  9. Sub-site specific SSO for Multisite
  10. Multiple IDP's Supported

and various other features; you can check them on the WordPress site.

For the second use case, if you are looking for a free plugin, you can check these plugins: WordPress SAML Plugins

0
votes

Your partner, in the PingFederate console, can disable the requirement for AuthnRequests to be signed. This will be fine as long as your AuthnRequest is telling them to send the Response+Assertion to the same URL as what they have defined in their connection. For example, if your AuthnRequest has an AssertionConsumerServiceURL in it that does not match what the IdP has defined in Ping, then Ping will not honor the request and will return a failure.

All that is to say that PingFed at the IdP is configurable for this issue. Have them turn off "Require Authentication Requests to be Signed".
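A diagnostic for the two conditions discussed in this thread (whether the AuthnRequest is signed, and whether its AssertionConsumerServiceURL matches what the IdP has on file), as an added example that is not part of the original answers and not miniOrange or PingFederate code. It assumes the HTTP-Redirect binding; the example.com URLs and function names are hypothetical and the sample request is constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"

def inspect_redirect_url(url, registered_acs):
    """Report whether an HTTP-Redirect AuthnRequest carries a signature and
    whether its AssertionConsumerServiceURL equals the one the IdP has on file."""
    params = parse_qs(urlparse(url).query)
    # Redirect binding: SAMLRequest is raw DEFLATE, then base64.
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml)  # input is your own SP's captured request
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    # Redirect binding signs via Signature + SigAlg query parameters;
    # POST binding embeds a ds:Signature element. Presence only, not validity.
    detached = "Signature" in params and "SigAlg" in params
    embedded = root.find(f"{{{DS}}}Signature") is not None
    acs = root.get("AssertionConsumerServiceURL")
    return {
        "signed": detached or embedded,
        "acs_url": acs,
        # None when the request names no ACS URL at all.
        "acs_matches": (acs == registered_acs) if acs else None,
    }

def build_sample_url(acs, extra=None):
    """Constructed sample: an unsigned AuthnRequest as a redirect URL."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed1" '
           f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
           f'AssertionConsumerServiceURL="{acs}"/>')
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), **(extra or {})}
    return "https://idp.example.com/sso?" + urlencode(query)

if __name__ == "__main__":
    registered = "https://wp.example.com/"  # hypothetical ACS URL on file at the IdP
    print(inspect_redirect_url(build_sample_url(registered), registered))
    print(inspect_redirect_url(build_sample_url("https://wp.example.com/other"), registered))
```

Capture the real redirect URL from the browser's network tab during a test login and pass it in place of the constructed sample.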