
Configuration via code not generating expected SP Metadata #62

Open
theasteve opened this issue Mar 23, 2020 · 1 comment

@theasteve

I'm currently trying to use the Configuration via code settings to generate valid SP Metadata. I'm trying to get SP Metadata similar to the one below:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="XXXXXXXXX.doitt.nycnet-console"
entityID="XXXXXXXXX.doitt.nycnet-console"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#XXXXXXXXX.doitt.nycnet-console"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>XXXXXXXXXXXXXXXXXX</ds:DigestValue></ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>XXXXXXXXXXXXXX</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data><ds:X509Certificate>XXXXXXXXXXXXXXXXXXXX</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>XXXXXXXXXXXXXXXXXX</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
<ds:X509Certificate>XXXXXXXXXXXXXXXXX</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://XXXXXXXXX.doitt.nycnet/console/saml/SingleLogout/alias/xxxxxx.doitt.nycnet-console"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://XXXXXXXXX.doitt.nycnet/console/saml/SingleLogout/alias/xxxxxx.doitt.nycnet-console"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://XXXXXXXXX.doitt.nycnet/console/saml/SSO/alias/xxxxxx.doitt.nycnet-console" index="0" isDefault="true"/>
</md:SPSSODescriptor></md:EntityDescriptor>
```

To achieve this I try to add the missing fields that were not being generated in the SP Metadata via the code configuration, where I tried the following:

```php
/**
 * SIMPLE SAML PLUGIN CONFIGURATION
 */
// Point the plugin at the IdP metadata file.
add_filter( 'wpsimplesaml_idp_metadata_xml_path', function () {
    return ABSPATH . '.private/sso/test.idp.xml';
} );

// Settings array passed to the SAML library.
add_filter( 'wpsimplesaml_config', function () {
    return [
        'entityId'                 => 'https://example.com',
        'assertionConsumerService' => [
            'url'     => 'https://example.com/sso/verify',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
        'singleLogoutService'      => [
            'url'     => 'https://example.com/sso/sls',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
        'AuthNRequest'       => true,
        'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        'NameIDFormat'       => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    ];
} );
```

However, the SP Metadata does not change, and the above fields such as 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' stay the same as the default. No change to the SP Metadata is made. What is the hook to configure the fields expected to be in the SP Metadata required by the IdP? Can you provide some guidance, please?

@shadyvb (Contributor)

shadyvb commented Mar 24, 2020

Hello!

So, the filter you used is the correct one you can use to alter what's being passed to the OneLogin\Saml2\Auth class to initialize the SAML instance. Then the actual generation happens within the SAML library's Settings class, called here.

So my suggestion would be to:

  1. Double-check that your function is hooked at a higher priority than the one within the plugin, i.e. go with 11, e.g. add_filter( 'wpsimplesaml_config', function(){ .. }, 11 )
  2. Have a read through the SAML library documentation (the one used by this plugin); maybe you'll find more info there.
  3. If all else fails, you can always overtake the metadata endpoint by registering a lower-priority callback instead, e.g. add_action( 'wpsimplesaml_action_metadata', 'your_alt_metadata_endpoint_callback', 9 );. See the plugin's implementation here.

Hope one of these would help!
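The following is an added example, not code from the plugin or from either participant. It assumes, as the reply above states, that `wpsimplesaml_config` receives the complete OneLogin php-saml settings array (with `sp`, `idp` and `security` sections), so SP fields go under `sp` and signing flags under `security` rather than at the top level, and the callback runs at priority 11 so it is applied after the plugin's own one. The cert and key values are placeholders.

```php
<?php
// Added example (not the plugin's code). Assumes the filter receives the full
// OneLogin settings array; PLACEHOLDER_* values must be replaced with real PEM data.
add_filter( 'wpsimplesaml_config', function ( array $config ) {
    // SP identity and endpoints belong under 'sp'. Merge so the idp section
    // the plugin parsed from the IdP metadata file is kept intact.
    $config['sp'] = array_merge( $config['sp'] ?? [], [
        'entityId'                 => 'https://example.com',
        'assertionConsumerService' => [
            'url'     => 'https://example.com/sso/verify',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
        'singleLogoutService'      => [
            'url'     => 'https://example.com/sso/sls',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
        'NameIDFormat'             => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        // A signing cert/key is required for KeyDescriptor and signed AuthnRequests.
        'x509cert'                 => $config['sp']['x509cert'] ?? 'PLACEHOLDER_SP_CERT',
        'privateKey'               => $config['sp']['privateKey'] ?? 'PLACEHOLDER_SP_KEY',
    ] );

    // Signing behaviour belongs under 'security'; these two booleans are what
    // produce AuthnRequestsSigned / WantAssertionsSigned in the SPSSODescriptor.
    // SHA-256 is used instead of the SHA-1 seen in the target metadata.
    $config['security'] = array_merge( $config['security'] ?? [], [
        'authnRequestsSigned'  => true,
        'wantAssertionsSigned' => true,
        'signatureAlgorithm'   => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        'digestAlgorithm'      => 'http://www.w3.org/2001/04/xmlenc#sha256',
    ] );

    return $config;
}, 11 ); // priority 11: runs after the plugin's own callback at the default 10

/**
 * Hypothetical helper: build SP metadata from a settings array and validate it.
 * Returns the library's list of validation errors; an empty array means valid.
 */
function example_check_sp_metadata( array $config ): array {
    $settings = new OneLogin\Saml2\Settings( $config, true ); // true = validate SP section only
    $xml      = $settings->getSPMetadata();
    return OneLogin\Saml2\Settings::validateMetadata( $xml );
}
```

Running `example_check_sp_metadata( apply_filters( 'wpsimplesaml_config', [] ) )` from WP-CLI shows whether the filtered settings yield metadata the library itself accepts before the IdP is asked to trust it.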
