SAML-Toolkits / wordpress-saml

OneLogin SAML plugin for Wordpress
MIT License

ACS URLs for Multisite Subsites #102

Closed timmmmyboy closed 3 years ago

timmmmyboy commented 4 years ago

We have this working on a multisite that is subfolder sites. Logging into the main site is fine but if you attempt to login directly to a subsite because the SAML request changes the ACS URL to maindomain.xyz/subsite/wp-login.php?saml_acs the IdP no longer accepts it. For now I hard-coded the plugin to not change the ACS URL but is there a way for the ACS and SLS URLs to remain constant in a multisite environment?

pitbulk commented 3 years ago

The extension supports multisites.

You can go to the network and there you will see a place to set a SAML Setting template that could be injected in all your sites; later you could customize them one by one.

timmmmyboy commented 3 years ago

I understand the plugin supports multisite, however the ACS URLs on subsites don't work since there is no option to use a common ACS URL. Customize one by one? This is on a multisite with 9,000 subsites. Many we manage have 12k plus sites and creation is automated with end user signup. I don't think you understand the bug report?

pitbulk commented 3 years ago

Are you connecting the 9,000 sites with 1 unique IdP?

timmmmyboy commented 3 years ago

Yes, this is usually in an academic setting where a school will have a single IdP and want all subsites to automatically work with SSO using the same metadata. That's where injecting settings to each subsite becomes difficult in addition to the ACS URLs changing with each site. An option for the entire network to use the same settings directly from the network admin would work really well in this case.

pitbulk commented 3 years ago

You may understand your scenario is a rare scenario. Normally sites are isolated; that's why each subsite has its own set of users.

The fact of not acting as a unique SP is not a bug.

Each site at the end is an SP and you could connect it with the IdP you want. I added the ability at the network level to be able to inject the same IdP in all the possible sites, but at the end, each site has its own SP metadata.

In your use case, we can do the trick of assigning to all the SPs the same SP Entity ID, so the IdP will see all the sites like a unique IdP. But yes, the ACS and SLS endpoints are going to be different, for example:

If you unify the ACS URLs to be only 1, how is the extension going to know the site that was requested?

pitbulk commented 3 years ago

Instead of unifying the ACS URL, if the IdP does not support regex for ACS URLs (OneLogin IdP supports it), then what I suggest you try is to register at the IdP a unique SP, and all the different ACS

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2020-11-30T00:41:33Z"
                     cacheDuration="PT604800S"
                     entityID="http://wpmultisite.local/">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="http://wpmultisite.local/site2/wp-login.php?saml_sls" />
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="http://wpmultisite.local/site1/wp-login.php?saml_acs"
                                     index="1" />
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="http://wpmultisite.local/site2/wp-login.php?saml_acs"
                                     index="2" />
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="http://wpmultisite.local/site3/wp-login.php?saml_acs"
                                     index="3" /> 
               .....
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="http://wpmultisite.local/site9000/wp-login.php?saml_acs"
                                     index="9000" /> 
    </md:SPSSODescriptor>
</md:EntityDescriptor>
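The metadata above is hand-written for three sites plus an elision. The following is an added example (not code from the plugin or from anyone in this thread) that generates the same shape of SP metadata for a list of subsites with one shared entityID, and then does the check an IdP performs when it refuses the `maindomain.xyz/subsite/wp-login.php?saml_acs` endpoint from the first comment: the requested ACS URL must match a registered `AssertionConsumerService` `Location` exactly. The base URL, the site slugs and the `WantAssertionsSigned="true"` setting are assumptions chosen for the example; the `index` attribute is what lets a single SP record still identify which subsite an assertion belongs to.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NS = {"md": MD_NS}


def build_sp_metadata(entity_id, base_url, sites):
    """Build SP metadata with one entityID and one ACS/SLS pair per subsite.

    Element order follows the SPSSODescriptor schema: SingleLogoutService,
    then NameIDFormat, then AssertionConsumerService (as in the thread's XML).
    """
    ET.register_namespace("md", MD_NS)
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "false",
        # Assumption for this example: require signed assertions (the page's sample has "false").
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": PROTOCOL_NS,
    })
    base = base_url.rstrip("/")
    for slug in sites:
        ET.SubElement(sp, f"{{{MD_NS}}}SingleLogoutService", {
            "Binding": HTTP_REDIRECT,
            "Location": f"{base}/{slug}/wp-login.php?saml_sls",
        })
    ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = NAMEID_UNSPECIFIED
    # One ACS per subsite; the index is the 1-based position of the site in the list.
    for index, slug in enumerate(sites, start=1):
        ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", {
            "Binding": HTTP_POST,
            "Location": f"{base}/{slug}/wp-login.php?saml_acs",
            "index": str(index),
        })
    return ET.tostring(root, encoding="unicode")


def registered_acs(metadata_xml):
    """Return {Location: index} for every HTTP-POST AssertionConsumerService."""
    root = ET.fromstring(metadata_xml)
    acs = {}
    for el in root.iterfind(".//md:AssertionConsumerService", NS):
        if el.get("Binding") == HTTP_POST:
            acs[el.get("Location")] = int(el.get("index"))
    return acs


def acs_index(metadata_xml, requested_acs):
    """IdP-side check: the ACS URL carried in a request must equal a registered
    Location byte for byte. Exact matching (no prefix or regex match) is what
    stops an assertion being posted to an unregistered endpoint. Returns the
    ACS index, or None if the URL is not registered."""
    return registered_acs(metadata_xml).get(requested_acs)


if __name__ == "__main__":
    # Constructed sample input: three subsites on one network.
    md = build_sp_metadata("http://wpmultisite.local/", "http://wpmultisite.local",
                           ["site1", "site2", "site3"])
    print(md)
    for url in ("http://wpmultisite.local/site2/wp-login.php?saml_acs",
                "http://wpmultisite.local/site4/wp-login.php?saml_acs"):
        print(url, "->", acs_index(md, url))
```

Feeding the generated document to the IdP instead of nine thousand separate SP records is the "unique SP, all the different ACS" approach from the comment above; the `index` lookup is the answer to "how is the extension going to know the site that was requested" when all sites share one entityID.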