Support » Plugin: SAML 2.0 Single Sign-On » Inconsistent handling or RelayState?

  • I have a client that is using Okta for SSO to login to their internal wordpress site (its on the internet but you cannot get any content without logging in).

    I have two apparently related problems (at least they look the same).

    In the first place, I can’t logout from wordpress. Every time you try, no matter where you are on the site, you end up on /wp-admin (my user happens to be an admin, so I’m not sure what others see).

    In a similar vein, under certain circumstances (notably, if I delete all my WP cookies) you end up on wp-admin as well. Without giving too much away, the request sequence is:

    1. post to wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/saml2-acs.php/1 with SAMLResponse and RelayState form fields. Responds with 303 with the value of RelayState being the value of the Location header and PHPSESSID and SimpleSAMLAuthToken cookies set
    2. Get of the RelayState URL. Responds with 302, location /wp-admin/, wordpress_ (admin?) auth cookie set twice (once of path /wp-content/plugins and once for /wp-admin) and wordpress_logged_in auth cookie set
    3. /wp-admin responds normally setting wp-settings and wp-settings-time cookies

    The only time I seem to get the right final page is if the auth cookies are already set.

Viewing 1 replies (of 1 total)
  • Incidentally, to “fix” the issue with relay state (and you’re going to want to fix it if you’re using Okta, you need to edit lib/classes/saml_client.php at line 150 or so, you’ll see


    you want to change it to:

    $current_url = (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"]=="on") ? "https://" : "http://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    // wp_redirect(get_admin_url());

    This will have the saml login reload the current page (if i read the rest of the code correctly, that should be “/”… which may be a bad assumption if its using a string and not asking for the home_url()) rather than wp_login. The reason we’re doing a redirect to the current page is that the simulated signon does not seem to set the current user, it only creates the necessary cookies. By redirecting to some page, it is not necessary to set the current user. So we redirect to the current page. I hate the extra redirect but its the smallest possible change that has the effect we need.

Viewing 1 replies (of 1 total)
  • The topic ‘Inconsistent handling or RelayState?’ is closed to new replies.