I have a client that is using Okta for SSO to log in to their internal WordPress site (it's on the internet, but you cannot get any content without logging in).
I have two apparently related problems (at least they look the same).
In the first place, I can't log out from WordPress. Every time you try, no matter where you are on the site, you end up on /wp-admin (my user happens to be an admin, so I'm not sure what others see).
In a similar vein, under certain circumstances (notably, if I delete all my WP cookies) you end up on wp-admin as well. Without giving too much away, the request sequence is:
- POST to wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/saml2-acs.php/1 with SAMLResponse and RelayState form fields. Responds with 303, with the value of RelayState as the value of the Location header, and with the PHPSESSID and SimpleSAMLAuthToken cookies set.
- GET of the RelayState URL. Responds with 302, Location /wp-admin/, with the wordpress_(admin?) auth cookie set twice (once for path /wp-content/plugins and once for /wp-admin) and the wordpress_logged_in auth cookie set.
- /wp-admin responds normally setting
The only time I seem to get the right final page is if the auth cookies are already set.
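As an added illustration (not code from the original post or from the plugin), a small Python helper that takes the redirect hops described above, as you would record them from the browser's network tab, and reports where the chain lands and which cookies each page on the way can actually read given their Path scope. The hostname, cookie hashes and values are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def cookie_scopes(set_cookie_headers):
    """Turn each Set-Cookie header into (name, path); a missing Path attribute
    is treated as '/' here (browsers use the request directory instead)."""
    scopes = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            scopes.append((name, morsel["path"] or "/"))
    return scopes

def trace(hops):
    """hops: list of {'url', 'status', 'location', 'set_cookie'} in request order.
    Returns the resolved redirect chain and {cookie name: sorted path scopes}."""
    chain = [hops[0]["url"]]
    cookies = {}
    for hop in hops:
        for name, path in cookie_scopes(hop["set_cookie"]):
            cookies.setdefault(name, set()).add(path)
        if hop["status"] in REDIRECTS and hop["location"]:
            chain.append(urljoin(hop["url"], hop["location"]))  # resolve relative Location
    return chain, {name: sorted(paths) for name, paths in cookies.items()}

def visible_at(cookies, url):
    """Cookie names whose Path scope covers the request path of url
    (directory-prefix match, a simplification of RFC 6265 path matching)."""
    req_path = urlsplit(url).path or "/"
    return sorted(name for name, paths in cookies.items()
                  if any(req_path == p or req_path.startswith(p.rstrip("/") + "/") for p in paths))

# Constructed hops mirroring the sequence in the post (host, hashes and values are made up).
HOPS = [
    {"url": "https://intranet.example/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/saml2-acs.php/1",
     "status": 303, "location": "https://intranet.example/news/",  # the RelayState value
     "set_cookie": ["PHPSESSID=s3ss10n; path=/; HttpOnly",
                    "SimpleSAMLAuthToken=t0k3n; path=/; HttpOnly"]},
    {"url": "https://intranet.example/news/", "status": 302, "location": "/wp-admin/",
     "set_cookie": ["wordpress_1a2b=user%7C123%7Cabc; path=/wp-content/plugins; HttpOnly",
                    "wordpress_1a2b=user%7C123%7Cabc; path=/wp-admin; HttpOnly",
                    "wordpress_logged_in_1a2b=user%7C123%7Cdef; path=/; HttpOnly"]},
    {"url": "https://intranet.example/wp-admin/", "status": 200, "location": None, "set_cookie": []},
]

if __name__ == "__main__":
    chain, cookies = trace(HOPS)
    print(" -> ".join(chain))
    for name, paths in cookies.items():
        print(f"{name}: paths {paths}")
    print("readable on RelayState page:", visible_at(cookies, chain[1]))
    print("readable on final page:", visible_at(cookies, chain[-1]))
```

Replace HOPS with the hops from your own capture to see which auth cookies the RelayState page can read versus the /wp-admin/ page it redirects to.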