Horje
SAML authentication for WordPress.

Note:

  • To install wp-saml-auth.zip correctly:
  • First, download wp-saml-auth.zip to your computer.
  • Extract/open wp-saml-auth.zip on your computer.
  • Then find the readme.txt file inside wp-saml-auth.zip and open it.
  • Read the plugin's requirements: which WordPress version and PHP version are required to run this plugin on your WordPress site.
  • Then follow the tips below.

Start the Tips:

1. First, download the "wp-saml-auth.zip" plugin to your local computer.

2. Then log in to your "yourdomain.com/wp-admin" dashboard.

3. Then click "Plugins" -> "Add New" in the left side menu of the dashboard.

4. Now click the "Upload Plugin" button.

5. Now browse to the downloaded "wp-saml-auth.zip" plugin on your computer (where you saved it in step 1 above), then click "Install Now".

6. Now click "Activate Plugin".

7. Then look at the left side menu: a "WP SAML Auth" item has been added. Click on "WP SAML Auth".

   Note: if you do not see "WP SAML Auth" in the left side menu, look under "Settings" or "Tools" in the left side menu.

8. Now configure the plugin yourself, or watch the video tutorial below on WP SAML Auth configuration and settings and on how "WP SAML Auth" works in your WordPress site.

Or

After activating the plugin as in step 6:

  1. Go to "Plugins" -> "Installed Plugins" in the WordPress admin panel's left side menu,
  2. or go directly to: https://yourdomain/wp-admin/plugins.php
  3. Then find the activated "WP SAML Auth" plugin in the plugin list.
  4. Then click "Settings" for the WP SAML Auth plugin.
  5. Now edit/add/configure the settings and click the "Save Changes" button.



Guide

Once you’ve activated the plugin, and have access to a functioning SAML Identity Provider (IdP), there are a couple of ways WP SAML Auth can be configured.

If you’re connecting directly to an existing IdP, you should use the bundled OneLogin SAML library. The settings can be configured through the WordPress backend under “Settings” -> “WP SAML Auth”. Additional explanation of each setting can be found in the code snippet below.

If you have more complex authentication needs, then you can also use a SimpleSAMLphp installation running in the same environment. These settings are not configurable through the WordPress backend; they’ll need to be defined with a filter. And, if you have a filter in place, the WordPress backend settings will be removed.

To install SimpleSAMLphp locally for testing purposes, the Identity Provider QuickStart is a good place to start. On Pantheon, the SimpleSAMLphp web directory needs to be symlinked to ~/code/simplesaml to be properly handled by Nginx. Read the docs for more details about configuring SimpleSAMLphp on Pantheon.

Because SAML authentication is handled as a part of the login flow, your SAML identity provider will need to send responses back to wp-login.php. For instance, if your domain is pantheon.io, then you’d use http://pantheon.io/wp-login.php as your AssertionConsumerService configuration value.

To configure the plugin with a filter, or for additional detail on each setting, use this code snippet:

function wpsax_filter_option( $value, $option_name ) {
    $defaults = array(
        /**
         * Type of SAML connection bridge to use.
         *
         * 'internal' uses OneLogin bundled library; 'simplesamlphp' uses SimpleSAMLphp.
         *
         * Defaults to SimpleSAMLphp for backwards compatibility.
         *
         * @param string
         */
        'connection_type' => 'internal',
        /**
         * Configuration options for OneLogin library use.
         *
         * See comments with "Required:" for values you absolutely need to configure.
         *
         * @param array
         */
        'internal_config'        => array(
            // Validation of SAML responses is required.
            'strict'       => true,
            'debug'        => defined( 'WP_DEBUG' ) && WP_DEBUG ? true : false,
            'baseurl'      => home_url(),
            'sp'           => array(
                'entityId' => 'urn:' . parse_url( home_url(), PHP_URL_HOST ),
                'assertionConsumerService' => array(
                    'url'  => wp_login_url(),
                    'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                ),
            ),
            'idp'          => array(
                // Required: Set based on provider's supplied value.
                'entityId' => '',
                'singleSignOnService' => array(
                    // Required: Set based on provider's supplied value.
                    'url'  => '',
                    'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                ),
                'singleLogoutService' => array(
                    // Required: Set based on provider's supplied value.
                    'url'  => '',
                    'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                ),
                // Required: Contents of the IDP's public x509 certificate.
                // Use file_get_contents() to load certificate contents into scope.
                'x509cert' => '',
                // Optional: Instead of using the x509 cert, you can specify the fingerprint and algorithm.
                'certFingerprint' => '',
                'certFingerprintAlgorithm' => '',
            ),
        ),
        /**
         * Path to SimpleSAMLphp autoloader.
         *
         * Follow the standard implementation by installing SimpleSAMLphp
         * alongside the plugin, and provide the path to its autoloader.
         * Alternatively, this plugin will work if it can find the
         * `SimpleSAML_Auth_Simple` class.
         *
         * @param string
         */
        'simplesamlphp_autoload' => dirname( __FILE__ ) . '/simplesamlphp/lib/_autoload.php',
        /**
         * Authentication source to pass to SimpleSAMLphp
         *
         * This must be one of your configured identity providers in
         * SimpleSAMLphp. If the identity provider isn't configured
         * properly, the plugin will not work properly.
         *
         * @param string
         */
        'auth_source'            => 'default-sp',
        /**
         * Whether or not to automatically provision new WordPress users.
         *
         * When WordPress is presented with a SAML user without a
         * corresponding WordPress account, it can either create a new user
         * or display an error that the user needs to contact the site
         * administrator.
         *
         * @param bool
         */
        'auto_provision'         => true,
        /**
         * Whether or not to permit logging in with username and password.
         *
         * If this feature is disabled, all authentication requests will be
         * channeled through SimpleSAMLphp.
         *
         * @param bool
         */
        'permit_wp_login'        => true,
        /**
         * Attribute by which to get a WordPress user for a SAML user.
         *
         * @param string Supported options are 'email' and 'login'.
         */
        'get_user_by'            => 'email',
        /**
         * SAML attribute which includes the user_login value for a user.
         *
         * @param string
         */
        'user_login_attribute'   => 'uid',
        /**
         * SAML attribute which includes the user_email value for a user.
         *
         * @param string
         */
        'user_email_attribute'   => 'mail',
        /**
         * SAML attribute which includes the display_name value for a user.
         *
         * @param string
         */
        'display_name_attribute' => 'display_name',
        /**
         * SAML attribute which includes the first_name value for a user.
         *
         * @param string
         */
        'first_name_attribute' => 'first_name',
        /**
         * SAML attribute which includes the last_name value for a user.
         *
         * @param string
         */
        'last_name_attribute' => 'last_name',
        /**
         * Default WordPress role to grant when provisioning new users.
         *
         * @param string
         */
        'default_role'           => get_option( 'default_role' ),
    );
    $value = isset( $defaults[ $option_name ] ) ? $defaults[ $option_name ] : $value;
    return $value;
}
add_filter( 'wp_saml_auth_option', 'wpsax_filter_option', 10, 2 );

If you need to adapt authentication behavior based on the SAML response, you can do so with the wp_saml_auth_pre_authentication filter:

/**
 * Reject authentication if $attributes doesn't include the authorized group.
 */
add_filter( 'wp_saml_auth_pre_authentication', function( $ret, $attributes ) {
    if ( empty( $attributes['group'] ) || ! in_array( 'administrators', $attributes['group'] ) ) {
        return new WP_Error( 'unauthorized-group', "Sorry, you're not a member of an authorized group." );
    }
    return $ret;
}, 10, 2 );
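
A stricter variant of the filter above, as an added example that is not part of the plugin's documentation: it generalizes the single-group check to an allow-list and also checks the mail attribute, since with 'get_user_by' set to 'email' that value decides which WordPress account is matched. The group names, the example.com domain and the example_* function names are assumptions; 'group' and 'mail' are the attribute names used in the snippets above.

```php
<?php
// Added example. Group names, the mail domain and the 'group' attribute name
// are constructed values; replace them with what your IdP actually sends.
const EXAMPLE_ALLOWED_GROUPS  = array( 'administrators', 'editors' );
const EXAMPLE_ALLOWED_DOMAINS = array( 'example.com' );

/** Return a SAML attribute as a list of trimmed strings, whatever shape it arrived in. */
function example_saml_values( $attributes, $name ) {
    if ( ! is_array( $attributes ) || ! isset( $attributes[ $name ] ) ) {
        return array();
    }
    $values = array_filter( (array) $attributes[ $name ], 'is_scalar' );
    return array_values( array_map( 'trim', array_map( 'strval', $values ) ) );
}

/** Return null when the assertion passes policy, or a WP_Error naming the failed check. */
function example_saml_policy_check( $attributes ) {
    $groups = example_saml_values( $attributes, 'group' );
    if ( ! array_intersect( $groups, EXAMPLE_ALLOWED_GROUPS ) ) {
        return new WP_Error( 'unauthorized-group', "Sorry, you're not a member of an authorized group." );
    }
    // 'mail' is the user_email_attribute from the settings above; with
    // get_user_by => 'email' this value selects the WordPress account.
    $mail = example_saml_values( $attributes, 'mail' );
    if ( 1 !== count( $mail ) || ! is_email( $mail[0] ) ) {
        return new WP_Error( 'invalid-mail', 'Sorry, your account could not be verified.' );
    }
    $domain = strtolower( substr( strrchr( $mail[0], '@' ), 1 ) );
    if ( ! in_array( $domain, EXAMPLE_ALLOWED_DOMAINS, true ) ) {
        return new WP_Error( 'unauthorized-domain', 'Sorry, your account could not be verified.' );
    }
    return null;
}

add_filter( 'wp_saml_auth_pre_authentication', function( $ret, $attributes ) {
    if ( is_wp_error( $ret ) ) {
        return $ret; // an earlier filter already rejected this login
    }
    $error = example_saml_policy_check( $attributes );
    if ( is_wp_error( $error ) ) {
        // Record which check failed for later review; no attribute values are logged.
        error_log( 'WP SAML Auth login rejected: ' . $error->get_error_code() );
        return $error;
    }
    return $ret;
}, 10, 2 );
```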

wordpress, authentication, saml,


Referred: https://wordpress.org/