shibboleth's People

Contributors

alhrath, bshelton229, dandalpiaz, dericcrago, dsmith-wustl, jrchamp, junaidkbr, masteradhoc, michaelryanmcneill, mitcho, spfncer, willnorris


shibboleth's Issues

User login loops in WP 5.5 multisite

Hello, I am reopening the issue I had posted before.

This time, I wiped everything and started from scratch. Installed WP 5.5, set up multisite. Created a single multisite to test. No custom theme nor other plugins running besides Shib 2.2.2. Shib was installed using the WP Add New Plugin interface, so everything was set up automatically.

https://comdev.org.ohio-state.edu/test1/ is the site in question.

I can provide login info privately through email for you to troubleshoot if you wish to see the behavior of the looping.

Below is what is in the .htaccess file currently:

# Force SSL
RewriteEngine On
RewriteCond %{HTTPS} ^off$ [NC]
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [L,R=301,NE,QSA]

# Shibboleth quick-exit
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/Shibboleth.sso($|/)
RewriteRule . - [L]

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]
</IfModule>

# END WordPress
# BEGIN Shibboleth
# The directives (lines) between "BEGIN Shibboleth" and "END Shibboleth" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_shib>
AuthType shibboleth
Require shibboleth
</IfModule>
# END Shibboleth

Clicking the "Link Shibboleth Account" button from a different user's profile page gives Fatal error "Invalid User ID."

When I click the "Link Shibboleth Account" button at the bottom of a different user's profile page, I get a WordPress fatal error with "Invalid User ID".

If I click the button from a user's own profile page, it works fine.

I have the plugin network enabled, but I've tried this from both a network user profile page, as well as a single site's user profile page.

Some debugging information

Not sure if it's helpful, but the error in question comes from /wp-admin/user-edit.php:23

$user_id      = (int) $user_id;
$current_user = wp_get_current_user();
if ( ! defined( 'IS_PROFILE_PAGE' ) ) {
	define( 'IS_PROFILE_PAGE', ( $user_id == $current_user->ID ) );
}

if ( ! $user_id && IS_PROFILE_PAGE ) {
	$user_id = $current_user->ID;
} elseif ( ! $user_id && ! IS_PROFILE_PAGE ) {
	wp_die( __( 'Invalid user ID.' ) );
} elseif ( ! get_userdata( $user_id ) ) {
	wp_die( __( 'Invalid user ID.' ) );
}

And it's the second conditional that's true (! $user_id && ! IS_PROFILE_PAGE )

$user_id always seems to be 0.

role mapping on multi-site

I am supporting a legacy site that was using a combination of plugins to provide shib-auth and role mappings. One of the nice features of our setup is that each site in the network has a screen which allows you to map roles for that site. So, if I were in a site, I would navigate to Dashboard>Users>Shibboleth.

The downside is that the plugins are orphaned by their developers and I'm having trouble finding a replacement that works with PHP 7.

I was hoping to ask if I am properly understanding this plugin. Does it offer per-site role mapping? It doesn't seem to. Are there any plugins that will add that feature to this plugin?

screenshot of site-based role mappings:
https://snag.gy/ELlnTq.jpg

Prevent Sending "Notice of Email Change" Emails

Sometimes when I log into a WordPress installation with the Shibboleth plugin enabled, I receive one of these "Notice of Email Change" messages. I believe this is because the email address is being updated by shibboleth_update_user_data(); which is something that I fully expect if the field is being managed and has changed.

However, given that it is being managed and the update is triggered by the user, it seems unhelpful to then send them an, often confusing, email that is completely unrelated to their login authentication method (because they will log in externally through Shibboleth).

Thus, I believe it is appropriate for the Shibboleth plugin itself to deactivate the sending of the email change email. This could be easily accomplished by adding the following line to the beginning of the shibboleth_update_user_data() function:

add_filter( 'send_email_change_email', '__return_false' );

There may be a better place to add this, but this seems like the most direct, understandable location. If this plan is agreeable, I would be happy to create a pull request.

Replace get_userdatabylogin() with get_user_by()

Note: This issue was replicated from the original fork of the Shibboleth plugin located here: https://github.com/michaelryanmcneill/shibboleth-fork.

Replace get_userdatabylogin() with get_user_by(): https://github.com/michaelryanmcneill/shibboleth/blob/master/shibboleth.php#L229

/**
 * If a Shibboleth user requests a password reset, and the Shibboleth password
 * reset URL is set, redirect the user there.
 */
function shibboleth_retrieve_password( $user_login ) {
	$password_reset_url = shibboleth_get_option('shibboleth_password_reset_url');
	if ( !empty($password_reset_url) ) {
		$user = get_userdatabylogin($user_login);
		if ( $user && get_user_meta($user->ID, 'shibboleth_account') ) {
			wp_redirect($password_reset_url);
			exit;
		}
	}
}
add_action('retrieve_password', 'shibboleth_retrieve_password');

See more:
https://developer.wordpress.org/reference/functions/get_userdatabylogin/
https://developer.wordpress.org/reference/functions/get_user_by/

Option for custom prefix other than REDIRECT_

Our service provider adds an additional prefix (specifically UFShib_, in this situation), so in my case the entire prefix is REDIRECT_UFShib_.

Been using your plugin for a while and have always just edited the .php, but a textbox would be nice. I might be able to help w/ this sometime in the next month, but let me know your thoughts on the best way to incorporate this. (Override the dropdown list and hand input the prefix in a textbox? some other way?)

WordPress v5+

This Plugin's compliance is "tested up to WP4.9.3". We found it works with v5+ after a small modification to the central .htaccess file:

# the following line was commented out so that index.php AND Shibboleth.sso/* are both excluded from rewriting
# RewriteRule ^index\.php$ - [L]
RewriteRule ^index\.php|Shibboleth\.sso\/.*$ - [L,NC]

And of course, WP5 has more default groups which this Plugin still cannot serve.

Missing issues from previous repo.

Hello,

I never did it myself but maybe there was a way to transfer the ownership (and keeping valuable issue history / documentation) without moving to a new fork?

Login redirects on multisite subdirectory subsites with 2.1

We had an issue reported on a multisite in which users who were using the More Privacy Options to require a network login were getting an error from the IdP after multiple redirects (I think the IdP was just failing the request after too many attempts). I suspect it may be due to a URL mismatch of some kind; when the user first logs in at the base site all private sites can then be accessed fine, but the subsites could not initiate a session. I rolled back to 2.0.2 and this issue is not present there, so something must have changed on that front. Figured I would report it in case it's useful. Unfortunately I only had a temporary login from the school; I may be able to do some testing here in the very short term if they keep my access open. :)

Notes:

  • Centos 7 with cPanel
  • PHP 5.6
  • Apache suPHP
  • Shibboleth SP installed at server level
  • WP 4.9.6

redirect_to attribute not working in Shibboleth 2.0.2

I upgraded the Shibboleth plugin to version 2.0.2 and it doesn’t seem to honor the redirect_to attribute anymore. The code below is at the top of the page.php template. Selected pages on the site require a Shibboleth login, and this code checks to see if the current page requires the login. The login piece works, but the user is not returned to the page that initiated the login. The user is instead directed to the wp-login page. This works fine in v1.8.1, which is why I suspected there was a change in v2. The code in part is as follows:

$prot1 = get_field('level_1_protected_pages', 'option');

if($prot1) {
	foreach($prot1 as $page_id) {
		if($page_id['page'] === $post->ID) {
			if (!shibboleth_session_active()) {
				// send the visitor to the Shibboleth login and ask to come back to this page
				header('Location: ' . home_url() . '/wp-login.php?redirect_to=' . get_the_permalink($post->ID) . '&reauth=1&action=shibboleth');
				exit; // stop rendering the protected page after issuing the redirect
			}
			else {
				$emp_id = $_SERVER['HTTP_****'];
				$emp_cat = $_SERVER['HTTP_AFFILIATION'];

				//test if student but not employee
				if (strpos($emp_cat, 'student') !== false && strpos($emp_cat, 'employee') === false) {
					header('Location: ' . home_url() . '/access-denied');
					exit;
				}
			}
		}
	}
}

Login "loop" with IfModule check

For whatever reason adding the <IfModule mod_shib> block in b4ecfbb to resolve #60 sends some of my installations into a situation where the SAMLPost loops back on itself.

Easy enough to avoid by adding define('SHIBBOLETH_DISALLOW_FILE_MODS', true); to wp-config.php but thought it was worth a mention.

These are on a cPanel shared webhost so it might be an edge case.

Login loop (similar to https://wordpress.org/support/topic/login-loop-wp-4-9-5-apache-2-4/)

I just had this problem. I can reproduce it, but I suspect it could be the fault of my own plugin; on the other hand I cannot reproduce it with the production server that is still using the previous version.

It seems to loop on Redirect and I can see the SAMLRequest changing.

I noticed the thread on WordPress https://wordpress.org/support/topic/login-loop-wp-4-9-5-apache-2-4/ so I'll check that first and also investigate logs.

2.1 disables automatic login via Shib

Updated to 2.1 and it unchecked the Default Login Method. When trying to recheck the box and save, the box doesn't save.

Browser console gives me this error when I try to save:
Failed to set referrer policy: The value '' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', or 'unsafe-url'. The referrer policy has been left unchanged.

When “Disable Local Authentication” is turned on, password field still shows

When we turn on the Disable Local Authentication setting, and visit our siteurl.com/wp-login.php page, the shib button shows as expected, but the WordPress password field still shows up. That is confusing to say the least.

I’m using WordPress 5.7.2.

It looks like the default login input fields are being hidden with some css:

.login #loginform p {
	display: none;
}

But the password is not in a <p>. Its markup is like this:

<div class="user-pass-wrap">
	<label for="user_pass">Password</label>
	<div class="wp-pwd">
		<input type="password" name="pwd" id="user_pass" class="input password-input" value="" size="20">
		<button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="Show password">
			<span class="dashicons dashicons-visibility" aria-hidden="true"></span>
		</button>
	</div>
</div>

Possible problem with Yoast SEO

Hello,

I tentatively report this issue that I'm still investigating (and I still use the code from my fork as I didn't have the time yet to see if I could get back to the official repo).

So, Yoast in its latest version seems to have added new roles, from the readme.txt:
* Introduces wpseo_manager and wpseo_editor roles.

Since this update I get a crash in Shibboleth

Notice: Undefined index: wpseo_manager in /var/www/html/wp-content/plugins/shibboleth/shibboleth.php

The problem occurs in shibboleth_get_user_role: $wp_roles contains the new wpseo_manager role but it's not defined in $shib_roles.

$role_header = $shib_roles[$key]['header'];
$role_value = $shib_roles[$key]['value'];

Could be a plugin order activation issue (if shibboleth is registered before yoast?).

I will try to reproduce the issue in a vanilla WordPress with only Yoast and Shibboleth.

To my knowledge there is no easy way to change plugin activation order...
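The report above boils down to indexing $shib_roles by every registered WordPress role, including ones other plugins add later. The following is an added example (not the plugin's code) of a role lookup that skips unmapped roles instead of raising "Undefined index"; shib_get_mapped_role() and the sample arrays are hypothetical names and constructed data.

```php
<?php
// Added example, not plugin code: a role lookup that tolerates WordPress roles
// (here the constructed Yoast ones) that have no entry in the Shibboleth mapping.
// Hypothetical names: shib_get_mapped_role(), $wp_role_names, $shib_roles, $headers.

/**
 * Return the first WordPress role whose mapping header carries the mapped value,
 * or '' when no role matches. Roles with no mapping entry are skipped instead of
 * triggering "Undefined index" on $shib_roles[$key]['header'].
 */
function shib_get_mapped_role(array $wp_role_names, array $shib_roles, array $headers): string
{
    foreach ($wp_role_names as $key) {
        // Roles registered by other plugins that were never mapped: skip them.
        if (!isset($shib_roles[$key]['header'], $shib_roles[$key]['value'])) {
            continue;
        }
        $role_header = $shib_roles[$key]['header'];
        $role_value  = $shib_roles[$key]['value'];

        // An empty mapping or a header the SP did not send cannot match anything.
        if ($role_header === '' || $role_value === '' || !isset($headers[$role_header])) {
            continue;
        }

        // Multi-valued Shibboleth attributes arrive ';'-separated in one header.
        $values = array_map('trim', explode(';', $headers[$role_header]));
        if (in_array($role_value, $values, true)) {
            return $key;
        }
    }
    return '';
}

// Constructed sample data: core roles plus the two Yoast roles from the report.
$wp_role_names = ['administrator', 'editor', 'author', 'subscriber', 'wpseo_manager', 'wpseo_editor'];
$shib_roles = [
    'administrator' => ['header' => 'affiliation', 'value' => 'staff'],
    'editor'        => ['header' => 'entitlement', 'value' => 'urn:mace:example.org:wp-editor'],
    'subscriber'    => ['header' => 'affiliation', 'value' => 'member'],
    // deliberately no 'wpseo_manager' / 'wpseo_editor' entries, as in the crash
];
// Constructed attribute values as the SP would expose them.
$headers = ['affiliation' => 'member;student', 'entitlement' => ''];

echo shib_get_mapped_role($wp_role_names, $shib_roles, $headers), PHP_EOL;
```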

Pot file not up to date + french

It's very minor. I think the pot file is not up to date.

I see the new login with Shibboleth button but the section title is displaying as "Or" (esc_html_e( 'Or', 'shibboleth' )) in our french screen but the string is not in the pot file.

I can surely help with the french translation (at least the few front-end text that I will have to fix anyway).

From the WordPress screen it looks like the plugin is not fully ready for WordPress translation? https://translate.wordpress.org/locale/fr-ca/default/wp-plugins/shibboleth

Were you planning to just add translations in the Git repo?

Shib plugin not targeting the current site's domain name in Multisite setup.

In a multi-site setup the plugin seems to always use the main blog (#1) as the selected site. This causes problems in my setup (we use domain names for subsites) and always redirects users logging in to the admin section of the main site. The issue seems to stem from the use of $GLOBALS['current_site']->blog_id in the shibboleth_session_initiator_url function. This has been happening for quite some time now (since at least version 1.6) and I had to create my own function (see below) to get around the problem. I was wondering if a more permanent resolution could be put in place. Thank you.

function shibboleth_select_current_site() {
    if ( !empty( $GLOBALS['current_blog']->blog_id ) && $GLOBALS['current_blog']->blog_id > 1 ) {
        return $GLOBALS['current_blog']->blog_id;
    } else {
        return $GLOBALS['current_site']->blog_id;
    }
}

Issue was originally reported on wordpress.org

Style "Login With Shibboleth" Button

It would be good to style the "Login With Shibboleth" button to look like a button instead of just a randomly placed link. I'd like to style it the same (or similar) to Jetpack's "Login with WordPress.com" option (see example).

Updating user roles, carefully

Based on https://wordpress.org/support/topic/update-user-roles/

Right now the Shibboleth plugin uses set_role() which removes all roles, even those that were added by other methods. The request is to only update the primary role, but I'm thinking an easier and safer way to define this is: "The Shibboleth plugin should only update the role(s) that the Shibboleth plugin has granted."

Here’s my idea:

  1. Create a new usermeta that contains the “Shibboleth managed roles” for a user.
  2. Use the current set of “Shibboleth mapped roles” and the differences with the existing “Shibboleth managed roles” to determine whether to add or remove roles from a user.
    • This will require switching from set_role() to add_role() and remove_role()
  3. If we made changes to their role, we update the “Shibboleth managed roles” usermeta for that user.
    • Initially the value will not exist, but that’s okay because we only care when we are calling the “update roles” code. Thus: if blank, set to current “mapped roles” value; if not blank, compare to current “mapped roles” value and update if we make changes.

Thoughts? Worthwhile?
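The reconciliation the steps above describe, as an added example rather than plugin code: the diff between the stored "managed roles" and the current "mapped roles" decides what to add and remove, and roles granted by other means survive. shib_role_changes() and shib_apply_role_changes() are hypothetical names; the role lists are constructed.

```php
<?php
// Added example, not plugin code: reconcile a user's roles using only the roles
// Shibboleth itself granted, leaving roles granted by other means untouched.
// Hypothetical names: shib_role_changes(), shib_apply_role_changes().

/**
 * $managed: roles Shibboleth granted last time (the proposed usermeta; empty on
 *           the first run).
 * $mapped:  roles the current attribute mapping yields.
 * Returns the roles to add and to remove. A role the user holds that Shibboleth
 * never granted is never in 'remove'.
 */
function shib_role_changes(array $managed, array $mapped): array
{
    return [
        'add'    => array_values(array_diff($mapped, $managed)),
        'remove' => array_values(array_diff($managed, $mapped)),
    ];
}

/**
 * Apply the changes to a user's current role list. The two loops stand in for
 * the add_role()/remove_role() calls the issue proposes instead of set_role().
 * Returns the new role list, the value to store as "Shibboleth managed roles",
 * and the changes made (empty changes mean the usermeta need not be rewritten).
 */
function shib_apply_role_changes(array $current_roles, array $managed, array $mapped): array
{
    $changes = shib_role_changes($managed, $mapped);

    foreach ($changes['remove'] as $role) {
        $current_roles = array_values(array_diff($current_roles, [$role]));
    }
    foreach ($changes['add'] as $role) {
        if (!in_array($role, $current_roles, true)) {
            $current_roles[] = $role;
        }
    }

    return [
        'roles'   => $current_roles,
        'managed' => array_values($mapped),
        'changes' => $changes,
    ];
}

// Constructed scenario: a site owner manually made the user an 'editor';
// Shibboleth previously granted 'subscriber', and the mapping now yields 'author'.
$current = ['subscriber', 'editor'];
$managed = ['subscriber'];
$mapped  = ['author'];

// 'editor' is kept, 'subscriber' is removed, 'author' is added,
// and 'managed' becomes ['author'] for the next login.
print_r(shib_apply_role_changes($current, $managed, $mapped));
```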

Add the ability to control options via constants

Many times, especially in enterprise environments, administrators would rather set critical configuration options (such as those that surround authentication) via wp-config.php instead of via an options page. When this happens, the options page should have the inputs greyed out and explain that they are configured via wp-config.php.

Auto create account with "none" as default role should deny access to unmapped users

As I understand when I read the config page in "If there is no default role, the user will not be able to log in with Shibboleth.", unmapped roles should deny access when the default role is set to "None". But that's not the case: an account is still created with no role and the user is logged in, which can be a security issue in some structures, like ours.

To solve this, I temporarily edited the code in the function shibboleth_create_new_user, moving "$user_role = shibboleth_get_user_role();" from line 636 to line 617 and adding " || empty( $user_role )" to the condition at line 619.

Is it possible to implement a fix in the next release? I actually use the latest version (2.1.1).

User login loops in WP 5.x multisite

I am still trying to figure out a fix for the issues we are having with Shibboleth 2 going into an infinite loop when ANY user logs in to the sites on the network. It does not appear to loop on the "main" site. But on anything that is in the "multisite" network, the loop happens, even with a super-admin login.

Put in the correct username and password, and it just loops through https://webauth.service.ohio-state.edu/idp/profile/SAML2/Redirect/SSO?execution=e3s1 until it eventually times out.

Any help is greatly appreciated!

Here are the files I thought might be helpful for you to review for me.

.htaccess file

RewriteEngine On

# Force SSL
# I think this is doing the same thing as the next block
#RewriteEngine On
#RewriteCond %{HTTPS} ^off$ [NC]
#RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [L,R=301,NE,QSA]

# Force HTTPS
RewriteCond %{SERVER_NAME} ^www\. [NC,OR]
RewriteCond %{HTTPS} ^off$ [NC]
RewriteCond %{SERVER_NAME} ^(www\.)?(.*) [NC]
RewriteRule ^/?(.*) https://%2/$1 [L,R=301,NE,QSA]

# Allow Shib urls
RewriteCond %{REQUEST_URI} ^/Shibboleth.sso($|/)
RewriteRule . - [L]

#Shib
AuthType shibboleth
ShibRequestSetting redirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-session

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]

# END WordPress

This might be completely messed up, but I tried to adjust code to work on PHP 7 and the new WordPress version.

shibboleth-mu.php

<?php

// include regular Shibboleth plugin file
require_once dirname(__FILE__) . '/shibboleth/shibboleth.php';

function shibboleth_muplugins_loaded() {
	add_filter('shibboleth_plugin_path', function($p) {
		echo($p); // debug output left in while troubleshooting
		return WPMU_PLUGIN_URL . "/shibboleth";
	});
}
add_action('muplugins_loaded', 'shibboleth_muplugins_loaded');
?>

New "Automatically Create Accounts" option creates a security issue

Under the new 2.0 version of the plugin, the account creation behavior has changed and it has created a security issue.

In the previous version, accounts would be automatically created if the credentials logging into the site were mapped to a role. If they were not mapped to a role, even if their credentials were accepted by the SSO authority, the account would not be created and they would be denied access to the site.

Under the current version, accounts are not created by default, even if they map to a role, unless the option is enabled; something we have to go and retroactively enable across about 100 websites. Further, once enabled, all accounts will be created, even if they do not map to a role, and it automatically maps to subscriber. This is an issue because on all our sites, we manage the roles externally in LDAP, and granting subscriber access by default gives everybody who attempts a login, access to the site. This is a big security flaw for those who do not want to grant arbitrary access to their site.

The fix is that we either have to create a custom role called “none”, push that out to all the sites, and then configure all the sites to default to that role within your plugin (a big huge mess / hack)

…or, instead of a binary choice on that option, you can make it a drop-down choice.

– Create Account if mapped to Role, Deny Access if no mapped Role (previous behavior)
– Create Account if mapped to Role, Assign to default Role if no mapped Role (current behavior option)
– Do not create accounts (current behavior option)
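The three-way option proposed here, together with the "None" default role case from the earlier "Auto create account" report, as an added example rather than plugin code: a pure decision function that decides create-versus-deny before any account exists. shib_provisioning_decision() and the policy constants are hypothetical names.

```php
<?php
// Added example, not plugin code: the account-creation policy as a single decision
// function. Hypothetical names: shib_provisioning_decision() and the constants.

const SHIB_CREATE_MAPPED_ONLY  = 'mapped_only';  // create if mapped, deny otherwise (previous behaviour)
const SHIB_CREATE_WITH_DEFAULT = 'with_default'; // create; fall back to the default role
const SHIB_CREATE_NEVER        = 'never';        // do not create accounts

/**
 * Decide what to do for a Shibboleth-authenticated user who has no local account.
 * $mapped_role is '' when no role mapping matched; $default_role is the configured
 * default ('' or 'none' meaning no default). Returns
 * ['action' => 'create'|'deny', 'role' => string|null, 'reason' => string].
 * A missing default role with no mapped role always denies, which matches the
 * documented "If there is no default role, the user will not be able to log in".
 */
function shib_provisioning_decision(string $mapped_role, string $default_role, string $policy): array
{
    if ($policy === SHIB_CREATE_NEVER) {
        return ['action' => 'deny', 'role' => null, 'reason' => 'account creation disabled'];
    }
    if ($mapped_role !== '') {
        return ['action' => 'create', 'role' => $mapped_role, 'reason' => 'mapped role'];
    }
    if ($policy === SHIB_CREATE_MAPPED_ONLY) {
        return ['action' => 'deny', 'role' => null, 'reason' => 'no mapped role'];
    }
    // SHIB_CREATE_WITH_DEFAULT: only create when a real default role exists;
    // never create a role-less account.
    if ($default_role === '' || $default_role === 'none') {
        return ['action' => 'deny', 'role' => null, 'reason' => 'no mapped role and no default role'];
    }
    return ['action' => 'create', 'role' => $default_role, 'reason' => 'default role'];
}

// Constructed cases covering the situations the two reports describe.
$cases = [
    ['',       'subscriber', SHIB_CREATE_WITH_DEFAULT], // creates a subscriber: the reported exposure
    ['',       'none',       SHIB_CREATE_WITH_DEFAULT], // denies: 'none' must not yield a role-less account
    ['',       'subscriber', SHIB_CREATE_MAPPED_ONLY],  // denies: the previous behaviour
    ['editor', 'none',       SHIB_CREATE_NEVER],        // denies: no accounts created at all
];
foreach ($cases as [$mapped, $default, $policy]) {
    $d = shib_provisioning_decision($mapped, $default, $policy);
    printf("mapped=%-10s default=%-10s policy=%-12s => %s (%s)\n",
        $mapped === '' ? '(none)' : $mapped, $default, $policy, $d['action'], $d['reason']);
}
```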

Provisioning of accounts without email information

Hello,

One of the features I had added to my fork was the handling of accounts without an email https://github.com/devanonyme/shibboleth/commit/cedf49875751ca7f315a008e2c84104acbc958f7 (The comments in the code are in French, sorry).

  • When we started the project there was not much experience in house for WordPress (me included) but we had a lot of people worrying about the hackable reputation of WordPress. Also, there was at the time a rule that clients' email had to be sent through the CRM (not true anymore). So at the time, to reduce any risk, I had decided to not import the emails into WordPress accounts and just generate a fake email to complete registration (ex. shibolethid@oursite) so any breach of our server would not expose our user data (that specific site is addressed to minor users, so it was a little bit more important).

  • The use case that could be more common is that we actually have accounts without email (they are not required at (physical / in person) registration, i.e. public library services) and also duplicates (a parent could have subscribed to their children's accounts using the same email (to receive late book notifications, for example)), which is not allowed by WordPress either. (If I remember well we can create accounts without email through the API but I think I had other problems later with such accounts (I would have to check my notes).)

The problems I had technically were that the existing filter hook was not providing enough context information, and also another field synchronisation bug that has been fixed since, so I had added this:

$email_managed = isset($shib_headers['email']['managed']) ? $shib_headers['email']['managed'] : false;
if ($force_update && !$email_managed) {
	$user_data['user_email'] = apply_filters('shibboleth_override_email', $user_data);
}

And using this hook (always replace the email).

public function on_filter_shibboleth_override_email( $user_data ) {
	$urlparts	 = parse_url( site_url() );
	$domain		 = $urlparts[ 'host' ];
	// Define a fake email using current domain and user_login

	$email		 = $user_data[ 'user_login' ] . '@' . $domain; 

	return $email;
}

Is this something that could be considered an acceptable extension, or maybe there would be a better way to handle this in a more generic way? (I will have the same problem if we use other integrations like an LDAP plugin (if another organisation wants to integrate our site with another identity provider), so I'm not sure I can go around and ask for this.)

Thinking about it, another solution would be to generate the fake emails higher up (in the ldap accounts) but considering we have hundreds of other systems integrated (that could have handled the things differently), that would require more thoughts...

Thanks for any input!

Email comparisons should be case insensitive

Centralized IT may have shibbolized email addresses differently than what a departmental web admin may have for his/her local users, even though they're both technically correct. One entity may use mixed case versus another. Comparisons of email addresses should be case-insensitive when a user tries to manually link his/her account with Shibboleth.

diff -Naur public_html/wp-content/plugins/shibboleth/options-user.php public_html_modified/wp-content/plugins/shibboleth/options-user.php
--- public_html/wp-content/plugins/shibboleth/options-user.php  2018-03-12 14:39:51.000000000 -0600
+++ public_html_modified/wp-content/plugins/shibboleth/options-user.php 2018-03-13 16:40:15.386361724 -0600
@@ -218,7 +218,7 @@
                                                                        wp_safe_redirect( get_edit_user_link() . '?shibboleth=failed' );
                                                                        exit;
                                                                }
-                                               } elseif ( $user->user_email == $email && $allowed === 'bypass' ) {
+                                               } elseif ( $user->user_email === $email && $allowed === 'bypass' ) {
                                                        update_user_meta( $user->ID, 'shibboleth_account', true );
                                                        wp_safe_redirect( get_edit_user_link() . '?shibboleth=linked' );
                                                        exit;
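Review bot: the change from `==` to `===` in the `elseif` does not make the comparison case-insensitive, which is what the issue title asks for; it only makes it type-strict, so `User@Example.edu` and `user@example.edu` still fail to match and the `bypass` branch is never taken. Compare with `strcasecmp( $user->user_email, $email ) === 0` (trimming both values first) and keep the `$allowed === 'bypass'` check as it is.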

Redirect Loop on Login attempt

I have a problem setting up Shibboleth authentication for a WordPress installation (both the WordPress instance and the Shibboleth IdP/SP are completely newly set up).
The login at the service provider works as it should; I already configured the Login URL and the redirect to the Shibboleth login page (example.com/Shibboleth.sso/Login) is working fine, I can log in and retrieve all attributes I defined.
As soon as I try to log into WordPress, the URL (https://example.com/idp/profile/SAML2/Redirect/SSO?SAMLRequest=abcde...) is refreshing once a second endlessly, each time having a new Request-ID. In my webserver logs, I can see that the endless redirect loop consists of "/wp/wp-login.php?action=shibboleth" -> "/Shibboleth.sso/Login?target=wordpress" -> "/idp/profile/SAML2/Redirect/SSO?SAMLRequest=..." and back to wp-login. I already added debug logs to shibboleth.php logging the entire content of my $_SERVER array during the execution of shibboleth.php, but there is absolutely nothing Shibboleth-related, neither before nor after the login.
A valid session is created (as shown in /Shibboleth.sso/Session), but not accepted by the plugin.
I tried switching from the .htaccess-based protection to an Apache config; this of course protected the whole website instead of the admin folder only, but at least the sessions got accepted, and new users were created. The login loop however was still there, but I could access WordPress when I reloaded it.

Users on network sites not correctly provisioned after the first one

(The below is copy/pasted from my original post at https://wordpress.org/support/topic/issues-with-multisite-not-provisioning-users-on-all-network-sites/ .)

I’ve used the Shibboleth plugin successfully on hundreds of single WordPress installs, and first off, I’d like to thank everyone who works on it. Y’all are awesome.

We’re exploring implementing multisite, and have created a test network of three sites. The plugin is active at the network level, instead of at the site level (this prevents the owners of individual sites from inadvertently breaking the Shib settings, and should make it easier to add new sites to the network if we wish). I used more-or-less the same settings we use for all our single-site installs, with only a few changes (in particular, making the login URL relative instead of absolute). I’ve enabled the ‘Automatically create accounts’ setting, allowing automatic merging and disallowing manual merging. Our sites’ default role is ‘Subscriber’.

When a new user (one that doesn’t already have an account on the network) visits any site in the network, the account is provisioned as I would expect — the network-level account is created, and the account is granted Subscriber privileges on whatever specific site the user first hit. But when that user visits another site in the network, they are not automatically granted the default role for that site. I’m still trying to narrow down exactly what happens when, but either that user is redirected to /wp-admin/ for their “first” site (the one where their Subscriber account was first provisioned), or the user gets the WordPress screen saying that they don’t have any role on that site (listing the one site where they do have a role).

This feels like a bug. I'd expect a user, visiting other subsites in the network, to be treated like a "new" user for those sites, and to have their user account auto-provisioned for that site and granted the default role. Instead, the new-user code probably doesn't trigger (since strictly speaking the user already does exist), and the user does not get default access to the second/third/etc. subsites.

Replace update_usermeta() with update_user_meta()

Note: This issue was replicated from the original fork of the Shibboleth plugin located here: https://github.com/michaelryanmcneill/shibboleth-fork.

Replace update_usermeta() with update_user_meta(): https://github.com/michaelryanmcneill/shibboleth/blob/master/shibboleth.php#L363

// update user data
update_usermeta($user->ID, 'shibboleth_account', true);
shibboleth_update_user_data($user->ID);
if ( shibboleth_get_option('shibboleth_update_roles') ) {
	$user->set_role($user_role);
	do_action( 'shibboleth_set_user_roles', $user );
}
return $user;
/**
 * Create a new WordPress user account, and mark it as a Shibboleth account.
 *
 * @param string $user_login login name for the new user
 * @return object WP_User object for newly created user
 */
function shibboleth_create_new_user($user_login) {
	if ( empty($user_login) ) return null;
	// create account and flag as a shibboleth acount
	require_once( ABSPATH . WPINC . '/registration.php' );
	$user_id = wp_insert_user(array('user_login'=>$user_login));
	$user = new WP_User($user_id);
	update_usermeta($user->ID, 'shibboleth_account', true);
	// always update user data and role on account creation
	shibboleth_update_user_data($user->ID, true);
	$user_role = shibboleth_get_user_role();
	$user->set_role($user_role);
	do_action( 'shibboleth_set_user_roles', $user );
	return $user;
}

See more:
https://developer.wordpress.org/reference/functions/update_usermeta/
https://developer.wordpress.org/reference/functions/update_user_meta/

Usernames with apostrophes - not sure how to handle them

As first seen on https://wordpress.org/support/topic/possible-bug-with-user-creation-might-be-in-core-not-sure/ ...

Our org's SSO system has a few users with an apostrophe in their username (all the instances I've seen are of the firstname_o'lastname variety). I'm having issues getting these users signed into a site that uses this Shibboleth plugin.

The fine folks in my local identity team created me a test account, "wg-j.o'tester", for troubleshooting this issue.

On the first visit, a local user account is created successfully:
[20-Jul-2021 19:14:37 UTC] [Shibboleth WordPress Plugin Logging] SUCCESS: User wg-j.otester (ID: 1114) was created with role subscriber.

Note that the apostrophe is now missing (the username has been changed to wg-j.otester).

On subsequent visits, after the Shib login, WordPress is trying and failing to create a new account (presumably after seeing that no account named "wg-j.o'tester" exists):

[20-Jul-2021 19:17:28 UTC] [Shibboleth WordPress Plugin Logging] ERROR: Unable to create account based on data provided. Reason: Sorry, that username already exists!.

@jrchamp called out (in the thread on wordpress.org) that the user is created with sanitize_user() in strict mode, but other places are using sanitize_user() in non-strict mode. The difference between the two, for this purpose, is that strict mode removes apostrophes (and many other characters) from usernames.

I'm not sure what the best way is to handle this. I'm tempted to add a filter on the username, as provided by Shibboleth, before anything else is done with it, and then add a filter that strips apostrophes, so that all username comparisons are done with the no-apostrophe version. Such a filter may be useful for other cases too, maybe munging usernames that look like Active Directory principals (stripping the @dom.ain component maybe). In theory, this is just a one-liner, presumably near the top of shibboleth_authenticate_user(), something like:
$username = apply_filters( 'shibboleth_override_username', $username );

First: How terrible is this idea? I'm aware of the possibility of username collisions (if there are users with names o'tester and also otester, they may be incorrectly treated as the same user). I've checked with folks in our organization, and there aren't any instances of that here, but it's certainly a risk in the more general sense.

Second: If this is a good idea (and I'm still on the fence...) I think the place to add this new filter would be about eight lines into shibboleth_authenticate_user(), right after the calls to shibboleth_getenv() that initially populates the username. Is that the best place to put it?
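As an added illustration of the collision risk raised in this issue (example code written for this page, not the plugin's own code): wp_sanitize_user_strict() is a simplified local re-implementation of the strict-mode character filter in WordPress's sanitize_user(), the user table is constructed sample data, and recording the raw IdP-supplied username against each created login is an assumed design rather than something the plugin does today. The point it shows is that once two distinct IdP subjects normalize to the same login, only a record of the original identity lets the site tell "same user, returning" from "different user, same login".

```php
<?php
// Added example, not part of the Shibboleth plugin or this issue thread.
// wp_sanitize_user_strict() is a simplified stand-in for the strict-mode
// character filter in WordPress's sanitize_user(); the users table below is
// constructed sample data. Storing the raw IdP username per login is an
// assumed design used here to make collisions detectable.

declare(strict_types=1);

/** Simplified stand-in for sanitize_user( $username, true ): keep only [a-z0-9 _.-@]. */
function wp_sanitize_user_strict(string $username): string
{
    $username = preg_replace('|[^a-z0-9 _.\-@]|i', '', $username);
    $username = trim($username);
    // Consolidate contiguous whitespace, as WordPress does.
    return preg_replace('|\s+|', ' ', $username);
}

/** Stand-in for looking up an existing WordPress login; returns the recorded IdP identity. */
function find_user_by_login(array $user_table, string $login): ?string
{
    return $user_table[$login] ?? null;
}

/**
 * Normalize the IdP-supplied username the way the account-creation path does,
 * then classify the result:
 *   'new'       no account with that login exists yet
 *   'existing'  the login belongs to this same IdP identity (a returning user)
 *   'collision' the login belongs to a different IdP identity, so creating or
 *               signing in would merge two subjects onto one WordPress account
 */
function resolve_shibboleth_login(array $user_table, string $idp_username): array
{
    $login = wp_sanitize_user_strict($idp_username);
    $owner = find_user_by_login($user_table, $login);
    if ($owner === null) {
        return ['login' => $login, 'status' => 'new'];
    }
    if ($owner === $idp_username) {
        return ['login' => $login, 'status' => 'existing'];
    }
    return ['login' => $login, 'status' => 'collision', 'owner' => $owner];
}

// Constructed sample "wp_users" table: login => IdP username recorded at creation.
$users = [
    'wg-j.otester' => "wg-j.o'tester",   // created on first visit; apostrophe already stripped
    'jdoe'         => 'jdoe',
];

// Constructed incoming usernames, including the apostrophe case from the issue
// and a second subject whose normalized login lands on the same row.
foreach (["wg-j.o'tester", 'wg-j.otester', 'jdoe', "m.o'brien"] as $incoming) {
    $r = resolve_shibboleth_login($users, $incoming);
    printf(
        "%-16s -> %-14s %s%s\n",
        $incoming,
        $r['login'],
        $r['status'],
        isset($r['owner']) ? " (login already held by IdP user {$r['owner']})" : ''
    );
}
```

Run it with the PHP CLI; no WordPress installation is required. In a real deployment the 'collision' branch is where the plugin would refuse the login or surface an administrator-visible error instead of silently reusing the existing account.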

Profile fields not populated upon account creation

The profile fields are not filled out when an account is initially created. When the user logs out and back in for the 2nd time the fields are updated correctly. I tested with managed and unmanaged fields, same result.

Does anyone else have this issue?

Moving back to official repo and questions on WordPress integration.

Hello,

I'm working on upgrading our server, which includes moving back to the official repo (instead of the patched one forked from Mitcho's repo). I had to dig further into Shibboleth (which was usually configured by my colleague) as the migration to RedHat 7 had some unexpected surprises, which were solved mostly by moving to php-fpm instead of mod_php.

I have some questions if someone could help me, but they are not directly related to the plugin; let me know if there is a better place to ask, but I guess I could benefit from the experience of other users using Shibboleth / the Shibboleth plugin in the context of WordPress.

  1. What do you use in .htaccess?
    I have added a RewriteCond %{REQUEST_URI} !^/Shibboleth.sso so that I am able to use /Login /Logout on the SP, but I have also noticed that it exposes a lot of data through /Session (data of the user, but maybe more than we should show). Do you just explicitly keep /Login /Logout? (or none?)

  2. Also, reading more on Shibboleth, I think I have found an article that suggested that logout should be done on the SP with a redirect for logout on the IdP (maybe https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues). What would be best practice as logout URL in the configs of the Shibboleth plugin?

Eric

Gracefully handle account creation/updating errors and collisions

Note: This issue was replicated from the original fork of the Shibboleth plugin located here: https://github.com/michaelryanmcneill/shibboleth-fork.

As detailed here: mitcho/shibboleth#30 a collision can happen if the Shibboleth email attribute matches an email that already exists in the wp_users table. If that happens, no associated user data gets updated and there is an error that never appears to the user. This should be gracefully handled either by merging accounts, throwing an error, or something else. Maybe, we can allow administrators to select whether they'd like to merge accounts or error in the settings page.

A better way to use the "member" header for role mapping.

We are trying to create a departmental intranet and only give access to members of the department. The problem is that value for the "member" header is a long string containing all the different groups I belong to on campus, including my unit, separated by spaces and semicolons. It seems that the plugin looks for an exact match instead of trying to match it as a substring. For example:

urn:mace:domain:campus:departmentOne groups:[...];urn:mace:domain:campus:departmentTwo ...

That's roughly what the value of "member" looks like, which is basically a mix of groups at the campus level and at the department level. I want to be able to create a role map by having it match against only a small substring. There are supposed to be a couple of filters for this, but I am not sure how to use them.

Has anyone experienced this issue, and does anyone have an idea of how to work around it?

Sincerely,

Nick
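As an added example of the token-based approach (written for this page; it is not the plugin's own code and not from this thread): the "member" value is split into a set of distinct group identifiers and each mapped role is granted only on an exact match against a token, never on a substring of the whole header. The header layout (identifiers separated by semicolons and whitespace) follows the sample above, the sample header and role map are constructed, and the plugin hook this logic would hang off is assumed rather than taken from the plugin source.

```php
<?php
// Added example, not part of the Shibboleth plugin or this issue thread.
// Parses a multi-valued "member" header into a set of group identifiers and
// maps roles by exact token membership. The header format is modelled on the
// sample in the issue; the header value and role map are constructed data.

declare(strict_types=1);

/** Split a multi-valued header on ';' and whitespace into a set of distinct identifiers. */
function parse_member_header(string $header): array
{
    $tokens = preg_split('/[;\s]+/', $header, -1, PREG_SPLIT_NO_EMPTY);
    return array_fill_keys($tokens, true);
}

/**
 * $role_map is role => list of group identifiers that grant it, evaluated in
 * array order so the most privileged role should be listed first. Returns null
 * when no identifier matches, leaving the caller to apply the configured
 * default role or to deny access.
 */
function map_groups_to_role(array $groups, array $role_map): ?string
{
    foreach ($role_map as $role => $required_groups) {
        foreach ($required_groups as $group) {
            if (isset($groups[$group])) {   // exact token match only
                return $role;
            }
        }
    }
    return null;
}

// Constructed header in the shape described in the issue: campus-level and
// department-level groups mixed together, separated by spaces and semicolons.
$member = 'urn:mace:domain:campus:departmentOne groups:staff;'
        . 'urn:mace:domain:campus:departmentTwo groups:students';

$role_map = [
    'editor'     => ['urn:mace:domain:campus:departmentOne'],
    'subscriber' => ['urn:mace:domain:campus:departmentTwo'],
];

$role = map_groups_to_role(parse_member_header($member), $role_map);
echo 'departmental member maps to: ', $role ?? '(no role)', "\n";

// Why tokens rather than substrings: a naive strpos() test for "departmentOne"
// would also accept a header that only contains "departmentOneExternal", which
// is a different group. Exact token membership rejects it.
$outsider = parse_member_header('urn:mace:domain:campus:departmentOneExternal');
$role     = map_groups_to_role($outsider, $role_map);
echo 'external member maps to: ', $role ?? '(no role)', "\n";
```

In a live site the map_groups_to_role() result would be returned from whatever role filter the plugin exposes (its exact hook name is not shown in this thread, so it is not assumed here), with a null result treated as "no automatic role" rather than as a grant.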

Change or hide the password reset URL if Shibboleth is the only auth method allowed

As pointed out by @earnjam, if a user ends up on wp-login.php they'll still be able to reset their local password, even if Shibboleth is the only auth method allowed. Instead, we should hook into the lostpassword_url filter: https://codex.wordpress.org/Plugin_API/Filter_Reference/lostpassword_url to change the URL to what the user provides, or we should hide the option entirely if a user hasn't provided a lost password URL.

Allow full multisite authentication via a single subsite

Currently, if you're running a subdomain multisite (or multisite with domain mapping), and your IDP is configured to not bypass endpoint checks (for more info, see: https://docs.shib.ncsu.edu/docs/advanced/bypassends.html), you will have to manually keep a list of endpoints registered in metadata. This is not ideal for large multisite networks where there are thousands of sites. Instead, we should allow an additional "Multisite" configuration tab and options set that would allow for authentication to come from a single subsite (or the main site), like those provided by this plugin: https://github.com/DevriX/multisite-auth.

Supported WordPress versions

The most recent version of the plugin lists the "Tested up to" value as 4.9.14. I don't know if there are specific test criteria that need to be met, but I can vouch that the plugin has been working well for me on several single-site installs through multiple major versions of WordPress 5.x.

If there are specific test cases that need to be run in order to increment this value, let me know and I'd be happy to help if I can.

The thing that prompted me to look at this was the Wordfence security plugin which has started flagging the Shibboleth plugin as 'possibly abandoned'. I think it will do so for any plugin that hasn't received an update over a two year period.

NGINX not passing Shibboleth session variables in header

I have an issue that may not pertain directly to this plugin but was wondering if anyone could help me out.

I want to use this plugin but I am serving my website via NGINX. I have compiled NGINX with the required modules (nginx-http-shibboleth) and it connects to the Shibboleth provider. I am able to generate a session, login and logout. The problem is that the plugin is not able to take the session variables and create an account. Instead when I attempt to login it always loops back to the shibboleth authentication.

I think the problem is that NGINX does not pass the Shibboleth session variables in the header. The reason I believe this is when I var_dump $_SERVER in php it does not contain any Shibboleth data. Does anyone have any tips on how I could do this or debug this further? I am happy to post any config files or logs if needed.

X-Post

Offer logging to error log for authentication

It would be ideal to offer options for administrators to enable logging. I envision separate options to enable logging for unsuccessful authentication attempts and successful authentication attempts, as well as user creation, manual account merging, automatic account merging, and role updates. This would give administrators additional insight when troubleshooting issues or investigating access attempts.

Blank shibboleth_default_role prevents login when shibboleth_create_accounts is enabled

Issue #22 added a blank default role option so that automatically created users are not automatically given a role in the system. Unfortunately, when shibboleth_default_role is blank and shibboleth_create_accounts is enabled, no user can log in even if they already have an existing account and existing roles. We discussed this in the previous issue and the idea of a fake role value was proposed. While that would be the simple answer, I'd prefer if we could continue to use the blank value and handle it appropriately in the rest of the code.

Internal Server Error when mod_shib is not installed

This came up on the WordPress plugin support forum: https://wordpress.org/support/topic/sibboleth-installation-internal-server-error/

It's fair to say that we do expect people to install the mod_shib package before installing our plugin, but it might also be good to not take their site offline. In that ticket, I suggest wrapping the Shibboleth configuration directives in an IfModule block, as in:

<IfModule mod_shib>
    AuthType shibboleth
    Require shibboleth
</IfModule>

Is this something that we would be interested in adding to the core plugin? If so, I'd be happy to create a pull request.

Shibboleth login form has wrong url when in frontend

On some websites, the theme displays a login form in the frontend. When that is the case, the shibboleth_login_form function will display an incorrect link to the Shibboleth login (actual_page_url?action=shibboleth) that will fail to redirect the user.

I fixed this by changing the first line of the function (line 864) to:
global $wp; $login_url = add_query_arg( 'action', 'shibboleth', wp_login_url( home_url( $wp->request ) ) );
This way, the user will be redirected correctly to shibboleth auth page, then redirected back to the original page.

Is it possible to implement this feature in the next release? I'm currently using the latest version (2.1.1).

All new users now can't login the expected way

We have recently updated WP to version 5.5.5, and the new users we have created and set up websites with can't get in through the usual way. The old users that were created before the update seem to be working perfectly. So this issue is only with the new users that are being created after the WP version update.

Can you please help me troubleshoot and resolve the problem? We have 200+ new students that are signed up and need to get in for submitting their assignment, and we can't seem to pinpoint exactly what could cause this issue since the settings are all the same as before the update. Thank you!

401 Authorization Required error after upgrade from 1.8.1 to 2.0.2, revert doesn't fix

Hi all. I'm working with a new client who set up a dev box for me with Shibboleth 1.8.1 installed. Everything worked. I backed everything up with All In One WP Migration, then updated Shibboleth to current (2.0.2). Now I get a 401 Authorization Required error for both front- and back-ends.

I restored the original 1.8.1 version, but it has no impact on the error. Unfortunately, I need a working version of WordPress to use the All In One WP Migration plugin to do a recovery...and now I can't.

Any ideas how to get out of this mess?

