• I found that this plugin works well, but it only adds the connecting user to a single blog. I have updated the plugin so that, when connecting to a WordPress Network, it will add the user and then provision a new blog using the username as the identifier.

    I’ve quickly removed some of the paths from my own install, but the code I use is as follows. Thought it might help with version 0.6 🙂

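    // Activation hook. set_simplesamlphp_settings() is a method of the
    // SimpleSAMLAuthentication class declared below, not a global function, so it
    // has to be registered as a class callback; the hook fires after this file has
    // been loaded, by which point the class exists.
    register_activation_hook( __FILE__, array('SimpleSAMLAuthentication', 'set_simplesamlphp_settings') );
    add_action('admin_menu', 'simplesaml_authentication_add_options_page');

    // Network-wide plugin settings. get_site_option() returns false when nothing
    // has been saved yet, so normalise to an array before indexing into it.
    $simplesaml_authentication_opt = get_site_option('simplesaml_authentication_options');
    if (!is_array($simplesaml_authentication_opt)) {
      $simplesaml_authentication_opt = array();
    }

    $simplesaml_configured = true;
    $as = null;

    // try to configure the simpleSAMLphp client
    if (empty($simplesaml_authentication_opt['include_path'])) {
      $simplesaml_configured = false;
    } else {
      // The autoloader lives at <include_path>/lib/_autoload.php; include_once
      // returns false when the file cannot be read, which counts as "not configured".
      $include_file = $simplesaml_authentication_opt['include_path'] . "/lib/_autoload.php";
      if (!include_once($include_file)) {
        $simplesaml_configured = false;
      }
    }

    if ($simplesaml_configured) {
      // Authentication source ID from simpleSAMLphp's authsources; 'default-sp' is its stock name.
      $sp_auth = empty($simplesaml_authentication_opt['sp_auth'])
        ? 'default-sp'
        : $simplesaml_authentication_opt['sp_auth'];
      $as = new SimpleSAML_Auth_Simple($sp_auth);
    }

    // Provides the user-creation functions (wp_insert_user) used by
    // SimpleSAMLAuthentication::authenticate().
    require_once (ABSPATH . WPINC . '/registration.php');

    // plugin hooks into authentication system
    add_action('wp_authenticate', array('SimpleSAMLAuthentication', 'authenticate'), 10, 2);
    add_action('wp_logout', array('SimpleSAMLAuthentication', 'logout'));
    add_action('lost_password', array('SimpleSAMLAuthentication', 'disable_function'));
    add_action('retrieve_password', array('SimpleSAMLAuthentication', 'disable_function'));
    add_action('password_reset', array('SimpleSAMLAuthentication', 'disable_function'));
    add_filter('show_password_fields', array('SimpleSAMLAuthentication', 'show_password_fields'));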
    
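    if (!class_exists('SimpleSAMLAuthentication')) {
      class SimpleSAMLAuthentication {

        /**
         * String from which the WordPress password of every SSO-managed account is
         * derived (see authenticate()).
         *
         * NOTE(review): the value is fixed and public, so every account this plugin
         * creates ends up with the same, predictable WordPress password. The
         * wp_authenticate hook forces SAML on the login form, but any other
         * password-based login path WordPress offers would accept that password.
         * Assigning a per-user random value (e.g. wp_generate_password()) on each
         * login would close that gap.
         *
         * @return string
         */
        public static function passwordRoot() {
          return 'Authenticated through SimpleSAML';
        }

        /**
         * Default option set written on activation and when a blog is provisioned.
         *
         * @param string $include_path Filesystem path of the simpleSAMLphp installation.
         * @return array
         */
        private static function defaultOptions($include_path) {
          return array(
            'new_user' => TRUE,
            'redirect_url' => '',
            'email_suffix' => 'example.com',
            'sp_auth' => 'default-sp',
            'include_path' => $include_path,
            'admin_entitlement' => '',
          );
        }

        /**
         * wp_authenticate hook: authenticate through simpleSAMLphp and, on a user's
         * first login, create the WordPress account and (on a network) their own blog.
         *
         * @param string &$username Overwritten with the IdP's 'cn' attribute.
         * @param string &$password Overwritten with the plugin-managed password, which is
         *                          also (re)stored on the account so that WordPress' own
         *                          credential check succeeds afterwards.
         * @return bool true once the account exists; when auto-registration is disabled
         *              the request ends with an error page instead.
         */
        public static function authenticate(&$username, &$password) {
          global $simplesaml_authentication_opt, $simplesaml_configured, $as;

          if (!$simplesaml_configured) {
            die("simplesaml-authentication plugin not configured");
          }

          // Reset values from input ($_POST and $_COOKIE)
          $username = $password = '';

          // Redirects to the IdP and only returns once the user is authenticated.
          $as->requireAuth();
          $attributes = $as->getAttributes();

          // The login name comes from 'cn'; without it there is nothing to look up.
          if (empty($attributes['cn'][0])) {
            die("simplesaml-authentication: the identity provider did not supply a 'cn' attribute");
          }
          $username = $attributes['cn'][0];
          $password = md5(self::passwordRoot());

          if (!function_exists('get_userdatabylogin')) {
            die("Could not load user data");
          }
          $user = get_userdatabylogin($username);

          if ($user) {
            // Existing account: re-set the password in case it was changed elsewhere,
            // so the value handed back to WordPress still matches the stored one.
            wp_update_user(array('ID' => $user->ID, 'user_pass' => $password));
            return true;
          }

          // First login: the user passed SAML, so they are authorised, but an
          // account is only created when auto-registration is enabled.
          if (empty($simplesaml_authentication_opt['new_user'])) {
            self::registrationDisabledExit($username);
          }

          $wp_uid = wp_insert_user(self::newUserInfo($username, $password, $attributes, $simplesaml_authentication_opt));
          if (is_wp_error($wp_uid) || !$wp_uid) {
            die("simplesaml-authentication: could not create the WordPress account");
          }

          self::provisionBlog($wp_uid, $username, $simplesaml_authentication_opt);
          return true;
        }

        /**
         * Build the wp_insert_user() argument array for a first-time SSO user.
         *
         * @param string $username   Login name (SAML 'cn').
         * @param string $password   Plugin-managed password.
         * @param array  $attributes SAML attributes as returned by getAttributes().
         * @param array  $opt        Plugin options.
         * @return array
         */
        private static function newUserInfo($username, $password, $attributes, $opt) {
          // An email address is required to register: prefer the 'mail' attribute,
          // otherwise build one from the configured default suffix.
          $user_email = '';
          if (!empty($attributes['mail'][0])) {
            $user_email = $attributes['mail'][0];
          } elseif (!empty($opt['email_suffix'])) {
            $user_email = $username . '@' . $opt['email_suffix'];
          }

          $user_info = array(
            'user_login' => $username,
            'user_pass' => $password,
            'user_email' => $user_email,
          );
          if (!empty($attributes['givenName'][0])) {
            $user_info['first_name'] = $attributes['givenName'][0];
          }
          if (!empty($attributes['sn'][0])) {
            $user_info['last_name'] = $attributes['sn'][0];
          }

          // Map the configured eduPersonEntitlement URI to the administrator role.
          // wp_insert_user() reads the role from the 'role' key. On a network this
          // role applies to the main blog, which the user is detached from right
          // after their own blog has been created (see provisionBlog()).
          $is_admin = !empty($opt['admin_entitlement'])
            && !empty($attributes['eduPersonEntitlement'])
            && is_array($attributes['eduPersonEntitlement'])
            && in_array($opt['admin_entitlement'], $attributes['eduPersonEntitlement'], true);
          $user_info['role'] = $is_admin ? 'administrator' : 'author';

          return $user_info;
        }

        /**
         * Create the user's own blog on the network, seed its plugin options and
         * detach the user from the main blog. If the blog cannot be created the
         * user keeps their membership of the main blog.
         *
         * @param int    $wp_uid   WordPress user ID.
         * @param string $username Login name; blog path and title are derived from it.
         * @param array  $opt      Plugin options (include_path is copied to the new blog).
         */
        private static function provisionBlog($wp_uid, $username, $opt) {
          global $current_site;

          // Blog slug: the login name reduced to ASCII letters, digits and spaces, lower-cased.
          // NOTE(review): spaces survive this filter and end up in the blog path — confirm
          // that is intended.
          $blog_title = strtolower(preg_replace('/[^a-zA-Z0-9 ]/', '', $username));

          // Use the network's own domain rather than a fixed host name.
          $result = wpmu_create_blog($current_site->domain, '/' . $blog_title, $blog_title, $wp_uid, array(), '1');
          if (is_wp_error($result) || !$result) {
            return;
          }

          // The new blog is the user's home, so remove them from the main blog (id 1).
          remove_user_from_blog($wp_uid, '1', '');

          // Seed the new blog with this plugin's options, in the same shape as on
          // activation. The plugin itself reads the network-wide copy (get_site_option).
          $include_path = isset($opt['include_path']) ? $opt['include_path'] : '';
          add_blog_option($result, 'simplesaml_authentication_options', self::defaultOptions($include_path));
        }

        /**
         * Print the "not registered" error for a user who passed SAML but has no
         * account while auto-registration is off, then end the request.
         *
         * @param string $username Login name; escaped before being placed in HTML.
         */
        private static function registrationDisabledExit($username) {
          $error = sprintf(
            __('<p><strong>ERROR</strong>: %s is not registered with this blog. Please contact the <a href="mailto:%s">blog administrator</a> to create a new account!</p>'),
            htmlspecialchars($username, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars(get_option('admin_email'), ENT_QUOTES, 'UTF-8')
          );
          print($error);
          print('<p><a href="/wp-login.php?action=logout">Log out</a> of SimpleSAML.</p>');
          exit();
        }

        /**
         * Activation hook: seed the current blog with the default option set.
         * The include_path placeholder has to be replaced on the options page
         * before the plugin is usable.
         */
        public static function set_simplesamlphp_settings() {
          global $blog_id;
          add_blog_option($blog_id, 'simplesaml_authentication_options',
            self::defaultOptions('<path to your simplesamlphp installation for service provider>'));
        }

        /**
         * wp_logout hook: end the simpleSAMLphp session as well and return to the site URL.
         */
        public static function logout() {
          global $simplesaml_configured, $as;
          if (!$simplesaml_configured) {
            die("simplesaml-authentication not configured");
          }
          // get_settings() is the deprecated alias of get_option().
          $as->logout(get_option('siteurl'));
        }

        /**
         * show_password_fields filter: never show password fields on the profile
         * page, since the password is managed by this plugin.
         *
         * @param bool $show_password_fields Ignored.
         * @return bool
         */
        public static function show_password_fields($show_password_fields) {
          return false;
        }

        /**
         * Hooked into the password-recovery actions, which make no sense under SSO.
         */
        public static function disable_function() {
          die('Disabled');
        }

      }
    }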
    
    //----------------------------------------------------------------------------
    //		ADMIN OPTION PAGE FUNCTIONS
    //----------------------------------------------------------------------------
    
    /**
     * admin_menu hook: register the plugin's page under Settings.
     * add_options_page() only exists inside wp-admin, hence the guard.
     */
    function simplesaml_authentication_add_options_page() {
      if (!function_exists('add_options_page')) {
        return;
      }
      $title = 'simpleSAMLphp Authentication';
      // Numeric user levels are the pre-capability way of saying "administrator".
      add_options_page($title, $title, 8, basename(__FILE__), 'simplesaml_authentication_options_page');
    }
    
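    /**
     * Settings > simpleSAMLphp Authentication page.
     *
     * Saves a submitted form to the network-wide option and renders the form.
     * Only super admins may change the values: they apply to the whole network
     * (update_site_option) and a wrong include_path locks everyone out, so the
     * POST handler is gated by the same check as the form, and the form carries
     * a nonce that check_admin_referer() validates.
     */
    function simplesaml_authentication_options_page() {
      global $current_blog;

      // Defaults; saved values (if any) are merged over them so that a partially
      // saved option set still renders every field.
      $optionarray_def = array(
        'new_user' => TRUE,
        'redirect_url' => '',
        'email_suffix' => 'example.com',
        'sp_auth' => 'default-sp',
        'include_path' => '<path to your simplesamlphp installation for service provider>',
        'admin_entitlement' => '',
      );

      $can_edit = is_super_admin();

      if ($can_edit && isset($_POST['submit'])) {
        // Ends the request itself when the nonce is missing or stale.
        check_admin_referer('simplesaml_authentication_options');

        // The checkbox is absent from $_POST when unchecked; the text fields are
        // trimmed and un-slashed (WordPress adds magic quotes to $_POST).
        $optionarray_update = array('new_user' => isset($_POST['new_user']) ? 1 : 0);
        foreach (array('redirect_url', 'email_suffix', 'include_path', 'sp_auth', 'admin_entitlement') as $key) {
          $optionarray_update[$key] = isset($_POST[$key]) ? trim(stripslashes($_POST[$key])) : '';
        }
        update_site_option('simplesaml_authentication_options', $optionarray_update);
      }

      // Get Options
      $saved = get_site_option('simplesaml_authentication_options');
      if (is_array($saved)) {
        $optionarray_def = array_merge($optionarray_def, $saved);
      }

      // Nothing below is echoed raw: option values and the request path are
      // attribute-escaped first.
      $esc = array();
      foreach ($optionarray_def as $key => $value) {
        $esc[$key] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
      }
      $blog_path = isset($current_blog->path) ? substr($current_blog->path, 0, -1) : '';
      $form_action = htmlspecialchars(
        $blog_path . $_SERVER['PHP_SELF'] . '?page=' . basename(__FILE__) . '&updated=true',
        ENT_QUOTES, 'UTF-8');
      ?>
      <div class="wrap">
      <h2>simpleSAMLphp Authentication Options</h2>
      <?php if ($can_edit) { ?>
      <form method="post" action="<?php echo $form_action; ?>">
      <?php wp_nonce_field('simplesaml_authentication_options'); ?>
      <fieldset class="options">

      <h3>User registration options</h3>

      <table class="form-table">
        <tr valign="top">
          <th scope="row">User registration</th>
          <td><label for="new_user">
          <input name="new_user" type="checkbox" id="new_user_inp" value="1" <?php checked('1', $optionarray_def['new_user']); ?> />
          Automatically register new users</label>
          <span class="setting-description">(Users will be registered with the role of Subscriber.)</span></td>
        </tr>
        <tr>
          <th><label for="email_suffix"> Default email domain</label></th>
          <td>
          <input type="text" name="email_suffix" id="email_suffix_inp" value="<?php echo $esc['email_suffix']; ?>" size="35" />
          <span class="setting-description">If an email address is not availble from the <acronym title="Identity Provider">IdP</acronym> <strong>username@domain</strong> will be used.</span></td>
        </tr>
        <tr>
          <th> <label for="admin_entitlement">Administrator Entitlement URI</label></th>
          <td>
          <input type="text" name="admin_entitlement" id="admin_entitlement_inp" value="<?php echo $esc['admin_entitlement']; ?>" size="40" />
          <span class="setting-description">An <a href="http://rnd.feide.no/node/1022">eduPersonEntitlement</a> URI to be mapped to the Administrator role.</span>
          </td>
        </tr>
      </table>

      <h3>simpleSAMLphp options</h3>
      <p><em>Note:</em> Once you fill in these options, WordPress authentication will happen through <a href="http://rnd.feide.no/simplesamlphp">simpleSAMLphp</a>, even if you misconfigure it. To avoid being locked out of WordPress, use a second browser to check your settings before you end this session as Administrator. If you get an error in the other browser, correct your settings here. If you can not resolve the issue, disable this plug-in.</p>
      <table class="form-table">
        <tr valign="top">
          <th scope="row"><label for="include_path">Path to simpleSAMLphp</label></th>
          <td><input type="text" name="include_path" id="include_path_inp" value="<?php echo $esc['include_path']; ?>" size="35" />
          <span class="setting-description">simpleSAMLphp suggested location is <tt>/var/simplesamlphp</tt>.</span>
          </td>
        </tr>

        <tr valign="top">
          <th scope="row"><label for="sp_auth">Authentication source ID</label></th>
          <td><input type="text" name="sp_auth" id="sp_auth_inp" value="<?php echo $esc['sp_auth']; ?>" size="35" />
          <span class="setting-description">simpleSAMLphp default is "default-sp".</span>
          </td>
        </tr>
      </table>
      </fieldset>
      <p />
      <div class="submit">
        <input type="submit" name="submit" value="<?php _e('Update Options') ?> &raquo;" />
      </div>
      </form>
      <?php } else { ?>
      <div>Sorry, but you cannot edit these settings</div>
      <?php } ?>
      </div>
    <?php
    }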
    ?>

    http://wordpress.org/extend/plugins/simplesamlphp-authentication/
