This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

simpleSAMLphp Authentication

Description

SimpleSAMLphp is a simple application written in native PHP that deals with
authentication. SimpleSAMLphp supports several federation protocols and
authentication mechanisms, and can be used for local authentication, as a
service provider, or as an identity provider.

This plugin uses some hooks in WordPress’s authentication system to bypass the
normal login screen and authenticate using a simpleSAMLphp Service Provider
(SP) instead. Note that logged-in state is still maintained in cookies, and
user entries are created in the local database.

Who made this?

Thanks to Stephen Schwink, who developed the CAS Authentication plugin on
which this plugin is heavily based.

Installation

  1. Download simpleSAMLphp version 1.5 or higher on your web server and configure it as a service provider.
  2. Upload simplesaml-authentication.php to the wp-content/plugins/ directory of your WordPress installation.
  3. Log in as administrator and activate the plugin. Go to the Options tab and configure the plugin. If applicable, configure an eduPersonEntitlement that will be mapped to the Administrator role. Decide which attribute to use for the username. Take into consideration that the sanitize_user() function will be called on the value of this attribute (see wp-includes/formatting.php), which will remove anything but lowercase alphanumerics, space, dot, dash, and the @-sign, and truncate it to 60 characters. A check is done to prevent the creation of accounts with wrong usernames.
    If the attribute you intend to use as the username contains illegal characters, or is longer than 60 characters, you can work around this by using a hash of the username. Configure an extra attribute in simpleSAMLphp, for instance by applying an authproc filter like this:

    // Goes into the SP's 'authproc' array; the numeric key (25) sets the order in which filters run.
    25 => array(
        'class' => 'core:PHP',
        // Derive a SHA-224 hex digest (56 characters, lowercase hex) of the
        // original attribute and expose it as a new attribute, wp_userid.
        'code' => '$attributes["wp_userid"] =
            array(hash("sha224", $attributes["id_with_slashes"][0]));',
    ),


    Then use wp_userid as the username attribute. Now STAY LOGGED IN to your original administrator account. You won’t be able to log back in once you log out.

  4. Open a different browser, or use another computer, and log in to your blog to make sure that it works.
  5. In the first browser window, make the newly created user an Administrator. You can log out now. (Alternatively, you can change some entries in the wp_usermeta table to make a new user the admin.)
  6. Disable Options -> General -> Anyone can register (they won’t be able to).
  7. Make sure you enable administration over SSL (see https://codex.wordpress.org/Administration_Over_SSL).
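The username check and the hash workaround from the steps above, as an added example that is not the plugin's own code. wp_sanitize_model() is an assumption that imitates the sanitize_user() behaviour described in step 3 (not WordPress's real function), and the attribute values are constructed for the demonstration.

```php
<?php
// Added example, not part of the plugin. Models the username check from the
// installation notes so the effect of the sha224 workaround can be seen.

// Assumption: imitates the sanitize_user() behaviour described in step 3:
// keep lowercase alphanumerics, space, dot, dash and @, truncate to 60 chars.
function wp_sanitize_model(string $value): string
{
    $clean = preg_replace('/[^a-z0-9 .\-@]/', '', $value);
    return substr($clean, 0, 60);
}

// Returns the username to create for the chosen SAML attribute, or null when
// sanitisation would alter the value (the plugin refuses such accounts, so a
// mangled name can never be silently matched to a different local user).
function username_from_attributes(array $attributes, string $attr): ?string
{
    if (empty($attributes[$attr][0])) {
        return null;
    }
    $raw = $attributes[$attr][0];
    return wp_sanitize_model($raw) === $raw ? $raw : null;
}

// The authproc filter from the notes, applied locally: a 56-character hex
// digest always survives sanitisation and stays under the 60-character limit.
function add_wp_userid(array $attributes, string $source): array
{
    $attributes['wp_userid'] = [hash('sha224', $attributes[$source][0])];
    return $attributes;
}

// Constructed sample: an identifier with a slash and uppercase letters, which
// sanitize_user() would strip, so the check rejects it.
$attributes = ['id_with_slashes' => ['EXAMPLE/Jane.Doe']];
$direct = username_from_attributes($attributes, 'id_with_slashes');
echo "id_with_slashes usable as username: ", var_export($direct, true), PHP_EOL;

// With the extra attribute in place, the hashed value passes unchanged.
$attributes = add_wp_userid($attributes, 'id_with_slashes');
$hashed = username_from_attributes($attributes, 'wp_userid');
echo "wp_userid usable as username: ", var_export($hashed, true), PHP_EOL;
echo "length: ", strlen((string) $hashed), PHP_EOL;
```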

FAQ

What version of simpleSAMLphp is needed?

Starting from version 0.3.0 the plugin requires simpleSAMLphp 1.5 or higher. Use version 0.2.x of this plugin for simpleSAMLphp < 1.5 support.

Contributors & Developers

“simpleSAMLphp Authentication” is open source software. The following people have contributed to this plugin.


Changelog

0.7.0

  • Fixed a security issue with hard-coded passwords that were generated for users who were automatically enrolled using SAML. It was wrongly assumed that these passwords would never be used if SAML takes over the normal login process. This turned out to be possible after all: an attacker could use XML-RPC calls to perform any action that a SAML-enrolled user could perform. The authentication logic was fixed to prevent this. Also, there is now upgrade logic in place, which checks for existing vulnerable password hashes and fixes them by setting them to a value that doesn’t correspond to any password.
  • Cleanup, removal of deprecated function calls, small cosmetic changes.
  • Tested with 3.5.1 and simpleSAMLphp 1.10.0.

0.6.3

  • Fixed some bugs that occurred when upgrading from 0.5.2 to 0.6.x

0.6.2

  • Version bump

0.6.1

  • Documentation formatting update

0.6.0

  • Added check for illegal usernames
  • Cleaned up indentation and bracket use
  • Removed deprecated function calls
  • Added configuration options to select which attributes to use for username, First Name, Last Name, E-mail
  • Tested with 3.3.1 and simpleSAMLphp 1.8.2

0.5.2

  • Added patch by Sixto Martin to provide single logout functionality

0.5.1

  • Tested up to 3.1.4 alpha (svn18146)
  • Tested with simpleSAMLphp 1.8

0.5.0

  • Upgrade plugin to support WordPress 3.1
  • Tested with simpleSAMLphp 1.7
  • Fix logout, returns to home page now
  • Modify attributes to map with default LDAP attributes (for different attribute names please use (or update!) the attribute mapping in the simpleSAMLphp SP configuration)

0.4.0

  • Make it work again with latest WP (thanks to Ivo Jansch)

0.3.0

  • Use simpleSAMLphp 1.5 API

0.2.1