SAML Bypass for certain plugins | WordPress.org

crmunro
(@crmunro)

6 years, 9 months ago

Hi there,

I’m wanting to use a third-party tool to manage our wordpress installations (think MainWP, ManageWP, UpdraftCentral, etc). They all seem to use /admin-ajax.php to interact with the site being managed. The OneLogin SAML SSO plugin redirects that URL off to SAML authentication (as expected) whenever one of these plugins makes a request. Ultimately, this means that the management tools fail to connect to my child sites.

To get around this, I’d like to add the following to line 55 of onelogin_saml.php:
$want_to_local_login = isset($_GET['normal']) || (isset($_POST['log']) && isset($_POST['pwd'])) || (strpos($_SERVER['SCRIPT_NAME'], 'admin-ajax.php') !== FALSE && $_SERVER['REMOTE_ADDR'] == 'IP_Address_of_management_host');

Is this an acceptable compromise between security and functionality, do you think? It seems to function well enough.

Thanks!

Viewing 1 replies (of 1 total)

Plugin Contributor onelogin
(@onelogin)

6 years, 8 months ago

Send a PR to https://github.com/onelogin/wordpress-saml/pulls and we will review.

Viewing 1 replies (of 1 total)

The topic ‘SAML Bypass for certain plugins’ is closed to new replies.

In: Plugins
1 reply
2 participants
Last reply from: onelogin
Last activity: 6 years, 8 months ago
Status: not resolved