I'm trying to override the authentication process to verify a user against SSO credentials that may or may not already exist in the browser session. We are using Sun Policy Agent and SSO interface to handle the enterprise authentication. There are several variables returned and available via the $_SERVER scope. One of these is a username that matches the user_login value stored in the WP database (these are unique within the enterprise). I do not need (or know) the password, since we are assuming that if they made it past the SSO authentication, they are who they say they are.
I've created a plugin to override the pluggable.php auth_redirect() function which checks if the appropriate $_SERVER variable exists and if the user is logged in. If the user is not logged in, I verify the user exists in the database using get_userdatabylogin(). If there is a matching user, I want to log them in.
The problem I'm having is that I do not have a password to send to the sign_on() function. Since I do not require it, are there any tricks on how to bypass that whole process and just sign the user in?
I tried the following and can initiate a session, but I get wp-admin/?c=1, indicating that I have a bad hook.
wp_set_auth_cookie($userdata->ID, FALSE);
do_action('wp_login', $_SERVER['HTTP_EA_AGENCYUID']);
Anyone have any good ideas/suggestions?
Thanks in advance.
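One way to sign in a user from the SSO header without a password, as an added example that is not part of the original post or of WordPress itself. It hooks `init` instead of replacing auth_redirect(), and the function name `sso_header_login` is hypothetical. It assumes the policy agent sits in front of every request that reaches PHP and removes any client-supplied copy of the header before setting its own; if that does not hold, the header value is only a claim and must not be used to log anyone in.

```php
<?php
/*
Plugin Name: SSO Header Login (added example)
*/

// Assumption: HTTP_EA_AGENCYUID (the variable used in the post) is set only by
// the SSO policy agent, which strips any copy of that header sent by the client.
function sso_header_login() {
    // Leave an existing WordPress session alone.
    if ( is_user_logged_in() ) {
        return;
    }

    // No SSO header: fall through to the normal WordPress login flow.
    if ( empty( $_SERVER['HTTP_EA_AGENCYUID'] ) ) {
        return;
    }

    // WordPress adds slashes to $_SERVER values, so undo that first.
    $raw   = wp_unslash( $_SERVER['HTTP_EA_AGENCYUID'] );
    $login = sanitize_user( $raw, true );

    // Reject values that sanitizing had to alter instead of guessing a match.
    if ( '' === $login || $login !== $raw ) {
        return;
    }

    // Only accounts that already exist in the WP database are signed in.
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return;
    }

    // Make the user current for this request, then issue the auth cookies
    // (session-length, no "remember me") for the requests that follow.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false );

    // Since WordPress 3.3 the wp_login action passes the login name and the
    // WP_User object; callbacks registered for two arguments expect both.
    do_action( 'wp_login', $user->user_login, $user );
}
add_action( 'init', 'sso_header_login' );
```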