Hello,
I'm trying to authenticate WordPress users with the help of the wp-saml-auth
plugin <https://wordpress.org/plugins/wp-saml-auth/> and the simplesamlphp
library <https://simplesamlphp.org/>. I'm not sure if this is an issue on
the Keycloak side or on the PHP side, hopefully someone can point me in the
right direction.
The redirect from the WordPress login page to Keycloak is going fine, so I
log in on the Keycloak page, but after the redirect back to WordPress, I'm
getting this error:
"mail" attribute is expected, but missing, in SAML response. Attribute is
used to fetch existing user by "email". Please contact your administrator.
The user has an email address and is coming from an AD federation. There is
a user-attribute-ldap-mapper set up that maps the User Model Attribute
'email' to LDAP attribute 'mail'. I tried setting up a User Property mapper
in the client that maps the property 'email' to SAML Attribute name 'email'
(also tested with 'mail'), but it didn't make a difference in the error
message.
What am I missing? Does the application need to request the SAML-attributes
explicitly? Is there a way to intercept the SAML-response in the browser?
--
Tiemen Ruiten
Systems Engineer
R&D Media
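
On inspecting the SAML response (an added example, not part of the original message and not code from Keycloak, wp-saml-auth or simplesamlphp): with the HTTP-POST binding the browser posts a base64-encoded `SAMLResponse` form field back to the service provider, which can be copied from the browser's developer tools and decoded offline to see which attribute names were actually sent. The sketch assumes the service provider matches on the `Name` of each `Attribute` element; the sample response and the function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def list_saml_attributes(saml_response_b64):
    """Decode an HTTP-POST binding SAMLResponse and return {Name: [values]}."""
    xml_bytes = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml_bytes:  # a SAML message never needs a DTD
        raise ValueError("DTD in SAML response, refusing to parse")
    root = ET.fromstring(xml_bytes)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # Attributes are inside ciphertext; only the SP's key can reveal them.
        raise ValueError("assertion is encrypted; attributes not visible here")
    attrs = {}
    path = "saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_expected(attrs, expected="mail"):
    """Report whether the attribute name the SP looks up is present."""
    if expected in attrs:
        return f"ok: {expected!r} present with {attrs[expected]}"
    return f"missing: {expected!r} not sent; response carries {sorted(attrs)}"

# Constructed sample: the IdP sends "email" while the SP looks up "mail".
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

if __name__ == "__main__":
    print(check_expected(list_saml_attributes(SAMPLE_B64)))
```

An empty result with no error means the assertion carried no `AttributeStatement` at all, which points at the client's mappers rather than at the attribute name.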