Contributors: getpantheon, danielbachhuber, [Outlandish Josh](https://profiles.wordpress.org/Outlandish Josh)
Tags: authentication, SAML
Requires at least: 4.4
Tested up to: 5.8
Stable tag: 1.2.5
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
SAML authentication for WordPress.
SAML authentication for WordPress, using the bundled OneLogin SAML library or optionally installed SimpleSAMLphp. OneLogin provides a SAML authentication bridge; SimpleSAMLphp provides SAML plus a variety of other authentication mechanisms. This plugin acts as a bridge between WordPress and the authentication library.
If your organization uses Google Apps, integrating Google Apps with WP SAML Auth takes just a few steps.
The standard user flow looks like this:
- User can log in via SAML using a button added to the standard WordPress login view.
- When the button is clicked, the user is handed off to the authentication library. With OneLogin, the user is redirected to the SAML identity provider. With SimpleSAMLphp, the user is redirected to the SimpleSAMLphp install.
- Once the user is authenticated with the identity provider, they're redirected back to WordPress and signed in to their account. A new WordPress user will be created if none exists (although this behavior can be disabled).
- When the user logs out of WordPress, they are also logged out of the identity provider.
A set of configuration options allow you to change the plugin's default behavior. For instance, permit_wp_login=>false
will force all authentication to go through the SAML identity provider, bypassing wp-login.php
. Similiarly, auto_provision=>false
will disable automatic creation of new WordPress users.
See installation instructions for full configuration details.
Once you've activated the plugin, and have access to a functioning SAML Identity Provider (IdP), there are a couple of ways WP SAML Auth can be configured.
If you're connecting directly to an existing IdP, you should use the bundled OneLogin SAML library. The settings can be configured through the WordPress backend under "Settings" -> "WP SAML Auth". Additional explanation of each setting can be found in the code snippet below.
If you have more complex authentication needs, then you can also use a SimpleSAMLphp installation running in the same environment. These settings are not configurable through the WordPress backend; they'll need to be defined with a filter. And, if you have a filter in place, the WordPress backend settings will be removed.
To install SimpleSAMLphp locally for testing purposes, the Identity Provider QuickStart is a good place to start. On Pantheon, the SimpleSAMLphp web directory needs to be symlinked to ~/code/simplesaml
to be properly handled by Nginx. Read the docs for more details about configuring SimpleSAMLphp on Pantheon.
Because SAML authentication is handled as a part of the login flow, your SAML identity provider will need to send responses back to wp-login.php
. For instance, if your domain is pantheon.io
, then you'd use http://pantheon.io/wp-login.php
as your AssertionConsumerService
configuration value.
To configure the plugin with a filter, or for additional detail on each setting, use this code snippet:
function wpsax_filter_option( $value, $option_name ) {
$defaults = array(
/**
* Type of SAML connection bridge to use.
*
* 'internal' uses OneLogin bundled library; 'simplesamlphp' uses SimpleSAMLphp.
*
* Defaults to SimpleSAMLphp for backwards compatibility.
*
* @param string
*/
'connection_type' => 'internal',
/**
* Configuration options for OneLogin library use.
*
* See comments with "Required:" for values you absolutely need to configure.
*
* @param array
*/
'internal_config' => array(
// Validation of SAML responses is required.
'strict' => true,
'debug' => defined( 'WP_DEBUG' ) && WP_DEBUG ? true : false,
'baseurl' => home_url(),
'sp' => array(
'entityId' => 'urn:' . parse_url( home_url(), PHP_URL_HOST ),
'assertionConsumerService' => array(
'url' => wp_login_url(),
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
),
),
'idp' => array(
// Required: Set based on provider's supplied value.
'entityId' => '',
'singleSignOnService' => array(
// Required: Set based on provider's supplied value.
'url' => '',
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
'singleLogoutService' => array(
// Required: Set based on provider's supplied value.
'url' => '',
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
// Required: Contents of the IDP's public x509 certificate.
// Use file_get_contents() to load certificate contents into scope.
'x509cert' => '',
// Optional: Instead of using the x509 cert, you can specify the fingerprint and algorithm.
'certFingerprint' => '',
'certFingerprintAlgorithm' => '',
),
),
/**
* Path to SimpleSAMLphp autoloader.
*
* Follow the standard implementation by installing SimpleSAMLphp
* alongside the plugin, and provide the path to its autoloader.
* Alternatively, this plugin will work if it can find the
* `SimpleSAML_Auth_Simple` class.
*
* @param string
*/
'simplesamlphp_autoload' => dirname( __FILE__ ) . '/simplesamlphp/lib/_autoload.php',
/**
* Authentication source to pass to SimpleSAMLphp
*
* This must be one of your configured identity providers in
* SimpleSAMLphp. If the identity provider isn't configured
* properly, the plugin will not work properly.
*
* @param string
*/
'auth_source' => 'default-sp',
/**
* Whether or not to automatically provision new WordPress users.
*
* When WordPress is presented with a SAML user without a
* corresponding WordPress account, it can either create a new user
* or display an error that the user needs to contact the site
* administrator.
*
* @param bool
*/
'auto_provision' => true,
/**
* Whether or not to permit logging in with username and password.
*
* If this feature is disabled, all authentication requests will be
* channeled through SimpleSAMLphp.
*
* @param bool
*/
'permit_wp_login' => true,
/**
* Attribute by which to get a WordPress user for a SAML user.
*
* @param string Supported options are 'email' and 'login'.
*/
'get_user_by' => 'email',
/**
* SAML attribute which includes the user_login value for a user.
*
* @param string
*/
'user_login_attribute' => 'uid',
/**
* SAML attribute which includes the user_email value for a user.
*
* @param string
*/
'user_email_attribute' => 'mail',
/**
* SAML attribute which includes the display_name value for a user.
*
* @param string
*/
'display_name_attribute' => 'display_name',
/**
* SAML attribute which includes the first_name value for a user.
*
* @param string
*/
'first_name_attribute' => 'first_name',
/**
* SAML attribute which includes the last_name value for a user.
*
* @param string
*/
'last_name_attribute' => 'last_name',
/**
* Default WordPress role to grant when provisioning new users.
*
* @param string
*/
'default_role' => get_option( 'default_role' ),
);
$value = isset( $defaults[ $option_name ] ) ? $defaults[ $option_name ] : $value;
return $value;
}
add_filter( 'wp_saml_auth_option', 'wpsax_filter_option', 10, 2 );
If you need to adapt authentication behavior based on the SAML response, you can do so with the wp_saml_auth_pre_authentication
filter:
/**
* Reject authentication if $attributes doesn't include the authorized group.
*/
add_filter( 'wp_saml_auth_pre_authentication', function( $ret, $attributes ) {
if ( empty( $attributes['group'] ) || ! in_array( 'administrators', $attributes['group'] ) ) {
return new WP_Error( 'unauthorized-group', "Sorry, you're not a member of an authorized group." );
}
return $ret;
}, 10, 2 );
This plugin implements a variety of WP-CLI commands. All commands are grouped into the wp saml-auth
namespace.
$ wp help saml-auth
NAME
wp saml-auth
DESCRIPTION
Configure and manage the WP SAML Auth plugin.
SYNOPSIS
wp saml-auth <command>
SUBCOMMANDS
scaffold-config Scaffold a configuration filter to customize WP SAML Auth usage.
Use wp help saml-auth <command>
to learn more about each command.
The best way to contribute to the development of this plugin is by participating on the GitHub project:
https://github.com/pantheon-systems/wp-saml-auth
Pull requests and issues are welcome!
You may notice there are two sets of tests running, on two different services:
- Travis CI runs the PHPUnit test suite, which mocks interactions with SimpleSAMLphp.
- Circle CI runs the Behat test suite against a Pantheon site, to ensure the plugin's compatibility with the Pantheon platform. This includes configuring a fully-functional instance of SimpleSAMLphp.
Both of these test suites can be run locally, with a varying amount of setup.
PHPUnit requires the WordPress PHPUnit test suite, and access to a database with name wordpress_test
. If you haven't already configured the test suite locally, you can run bash bin/install-wp-tests.sh wordpress_test root '' localhost
.
Behat requires a Pantheon site. Once you've created the site, you'll need install Terminus, and set the TERMINUS_TOKEN
, TERMINUS_SITE
, and TERMINUS_ENV
environment variables. Then, you can run ./bin/behat-prepare.sh
to prepare the site for the test suite.
If you'd like to make sure the user's display name, first name, and last name are updated in WordPress when they log back in, you can use the following code snippet:
/**
* Update user attributes after a user has logged in via SAML.
*/
add_action( 'wp_saml_auth_existing_user_authenticated', function( $existing_user, $attributes ) {
$user_args = array(
'ID' => $existing_user->ID,
);
foreach ( array( 'display_name', 'first_name', 'last_name' ) as $type ) {
$attribute = \WP_SAML_Auth::get_option( "{$type}_attribute" );
$user_args[ $type ] = ! empty( $attributes[ $attribute ][0] ) ? $attributes[ $attribute ][0] : '';
}
wp_update_user( $user_args );
}, 10, 2 );
The wp_saml_auth_existing_user_authenticated
action fires after the user has successfully authenticated with the SAML IdP. The code snippet then uses a pattern similar to WP SAML Auth to fetch display name, first name, and last name from the SAML response. Lastly, the code snippet updates the existing WordPress user object.
Because SimpleSAMLphp uses PHP sessions to manage user authentication, it will work unreliably or not at all on a server configuration with multiple web nodes. This is because PHP's default session handler uses the filesystem, and each web node has a different filesystem. Fortunately, there's a way around this.
First, install and activate the WP Native PHP Sessions plugin, which registers a database-based PHP session handler for WordPress to use.
Next, modify SimpleSAMLphp's www/_include.php
file to require wp-load.php
. If you installed SimpleSAMLphp within the wp-saml-auth
directory, you'd edit wp-saml-auth/simplesamlphp/www/_include.php
to include:
<?php
require_once dirname( dirname( dirname( dirname( dirname( dirname( __FILE__ ) ) ) ) ) ) . '/wp-load.php';
Note: the declaration does need to be at the top of _include.php
, to ensure WordPress (and thus the session handling) is loaded before SimpleSAMLphp.
There is no third step. Because SimpleSAMLphp loads WordPress, which has WP Native PHP Sessions active, SimpleSAMLphp and WP SAML Auth will be able to communicate to one another on a multi web node environment.
- Fixes undefined index notice introduced in 1.2.4 [#257].
- Adds a
wp_saml_auth_internal_logout_args
filter to allow the internal logout args to be filterable [#255].
- Adds a
wp_saml_auth_force_authn
filter to allow forceAuthn="true" to be enabled [#248].
- Ensures SAML button and explanations are only added to the login screen [#242].
- Updates
onelogin/php-saml
tov3.6.1
[#236].
- Updates
onelogin/php-saml
tov3.6.0
[#233].
- Updates French localization and ensures localizations are loaded [#230].
- Updates
onelogin/php-saml
tov3.5.0
[#218].
- Avoid undesired
session_start()
when using SimpleSAMLphp [#196].
- Allows redirecting back to
wp-login.php
while avoiding redirect loop [#192].
- Plugin is stable.
- Removes unused
placeholder
value that's causing PHP notices [#178].
- Fixes method declaration for methods used statically [#176].
- Updates
onelogin/php-saml
tov3.4.1
[#174].
- Updates
onelogin/php-saml
tov3.4.0
[#173].
- Updates
onelogin/php-saml
tov3.3.1
[#172].
- Fixes issue where an empty required settings field would throw load Exception [#170].
- Fixes typo on the settings page [#163].
- Updates
onelogin/php-saml
tov3.3.0
[#160].
- Adds a settings page for configuring WP SAML Auth [#151].
- Fixes issue when processing SimpleSAMLphp response [#145].
- Updates
onelogin/php-saml
tov3.1.1
for PHP 7.3 support [#139].
- Introduces a
wp_saml_auth_attributes
filter to permit modifying SAML response attributes before they're processed by WordPress [#136].
- Updates
onelogin/php-saml
tov3.0.0
for PHP 7.2 support [#133].
- Updates
onelogin/php-saml
fromv2.13.0
tov2.14.0
[#127].
- Provides an error message explicitly for when SAML response attributes are missing [#125].
- Ensures
redirect_to
URLs don't lose query parameters by encoding withrawurlencode()
[#124]. - Adds French localization.
- Fixes PHP notice by using namespaced SimpleSAMLphp class if available [#118].
- Updates
onelogin/php-saml
fromv2.12.0
tov2.13.0
- Redirects to
action=wp-saml-auth
whenredirect_to
is persisted, to ensure authentication is handled [#115].
- Persists
redirect_to
value in a more accurate manner, as a follow up to the change in v0.3.6 [#113].
- Prevents WordPress from dropping authentication cookie when user is redirected to login from
/wp-admin/
URLs [#112].
- Substitutes
wp-login.php
string withparse_url( wp_login_url(), PHP_URL_PATH )
for compatibility with plugins and functions that alter the standard login url [#109].
- Permits
internal
connection type to be used without signout URL, for integration with Google Apps [#106].
- Forwards 'redirect_to' parameter to SAML Authentication to enable deep links [#103].
- Passes
$attributes
towp_saml_auth_insert_user
filter, so user creation behavior can be modified based on SAML response.
- Includes OneLogin's PHP SAML library for SAML auth without SimpleSAMLphp. See "Installation" for configuration instructions.
- Fixes handling of SAMLResponse when
permit_wp_login=true
.
- Introduces a
wp_saml_auth_login_strings
filter to permit login text strings to be filterable. - Introduces a
wp_saml_auth_pre_authentication
filter to allow authentication behavior to be adapted based on SAML response. - Improves error message when required SAML response attribute is missing.
- Corrects project name in
composer.json
.
- Introduces
wp_saml_auth_new_user_authenticated
andwp_saml_auth_existing_user_authenticated
actions to permit themes / plugins to run a callback post-authentication. - Runs Behat test suite against latest stable SimpleSAMLphp, instead of a pinned version.
- Introduces
wp saml-auth scaffold-config
, a WP-CLI command to scaffold a configuration filter to customize WP SAML Auth usage. - Redirects back to WordPress after SimpleSAMLPHP authentication.
- Variety of test suite improvements.
- Initial release.