SAML-Toolkits / wordpress-saml

OneLogin SAML plugin for Wordpress
MIT License

How to "disable the cache for this SAML plugin" #122

Open andrew-alloy opened 2 years ago

andrew-alloy commented 2 years ago

The instructions say:

> Using the SAML Plugin in WPengine or similar
>
> This kind of WP hosting used to cache plugins and protect the wp-login.php view. You will need to contact them in order to disable the cache for this SAML plugin and also allow external HTTP POST to wp-login.php

I contacted WP Engine and they understood the part about allowing external HTTP POST to wp-login.php; however, they do not understand what is meant by disabling the cache for the SAML plugin.

Here is the relevant excerpt from my online chat with them:

AGENT (Jon K.): I believe the wp-login.php protection refers to our default login protection that we have enabled on sites and I can disable that, but I’m not seeing specifics listed anywhere for the cache exclusions. We can add cache exclusions for pages, cookies, or URL arguments, but we need to know which ones to exclude – we wouldn’t know off the top what should be excluded to make that particular plugin work with our caching, so it would be best if they could provide you with a list of pages or URLs that should be uncached.

USER: It seems they think you cache plugins themselves?

AGENT (Jon K.): That’s the phrasing they use but that’s not really how our caching works – we cache pages in our varnish cache but not things like plugin files, unless they’re static assets like CSS or JS.

USER: that makes sense.

USER: The plugin is “OneLogin SAML SSO”

USER: I wonder if it operates within its own folder

AGENT (Jon K.): yep, it looks like wp-content/onelogin-saml-sso for that one, but excluding files or ‘pages’ within that directory wouldn’t be likely to have the desired effect. For instance, /wp-content/plugins/onelogin-saml-sso/onelogin_saml.php is the URL for what looks to be the main PHP file for the plugin, but nobody would be accessing that page directly – it’s more likely there are pages with a certain cookie present or URL structure that the plugin uses that should be excluded from caching, we’d just need to know exactly what those are.

AGENT (Jon K.): As far as the login protection goes, I’ve disabled that setting on the site from here so that shouldn’t be causing any conflicts.

Can you please explain further what they need to change?

pitbulk commented 2 years ago

It is not the cache associated with this specific plugin; it is the WP cache in general.

https://wpengine.com/support/cache/#WP_Engine_Cache

andrew-alloy commented 2 years ago

Thank you. So we must disable WP Engine's entire caching system to use this plugin?

> It is not the cache associated with this specific plugin; it is the WP cache in general.
>
> https://wpengine.com/support/cache/#WP_Engine_Cache

pitbulk commented 2 years ago

Only if you experience issues with it enabled and you are not able to configure it so that the SAML endpoints are not cached.
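
One way to check whether the cache is actually leaving the SAML endpoints alone, as the last comment suggests (an added example, not code from the plugin or from WP Engine). It assumes the plugin's endpoints are the `wp-login.php` query flags `saml_acs`, `saml_sls` and `saml_metadata`, which this thread does not list, and that the cache reports hits through `Age` and `X-Cache` headers; the URLs and headers are constructed samples.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the plugin's endpoints are these query flags on wp-login.php.
SAML_FLAGS = {"saml_acs", "saml_sls", "saml_metadata"}


def is_saml_endpoint(url):
    """True when the URL is wp-login.php carrying one of the SAML flags."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-login.php"):
        return False
    # keep_blank_values keeps bare flags such as "?saml_acs" (no "=value").
    query = parse_qs(parts.query, keep_blank_values=True)
    return bool(SAML_FLAGS.intersection(query))


def cache_findings(url, headers):
    """List the signs that a SAML endpoint response was cached or is cacheable."""
    if not is_saml_endpoint(url):
        return []
    h = {k.lower(): v.lower() for k, v in headers.items()}
    directives = {d.strip().split("=")[0] for d in h.get("cache-control", "").split(",")}
    findings = []
    if not directives & {"no-store", "no-cache", "private"}:
        findings.append("Cache-Control does not forbid shared caching")
    if h.get("age", "0").strip() not in ("", "0"):
        findings.append("Age header shows the response came from a cache")
    # Assumption: the cache reports hits in X-Cache (a convention, not a standard).
    if "hit" in h.get("x-cache", ""):
        findings.append("X-Cache reports a cache hit")
    return findings


# Constructed sample responses: (URL, response headers).
SAMPLES = [
    ("https://example.test/wp-login.php?saml_acs",
     {"Cache-Control": "no-store, no-cache, must-revalidate", "X-Cache": "MISS"}),
    ("https://example.test/wp-login.php?saml_sls",
     {"Cache-Control": "max-age=600", "Age": "42", "X-Cache": "HIT: 3"}),
    ("https://example.test/about/",
     {"Cache-Control": "max-age=600", "X-Cache": "HIT"}),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, cache_findings(url, headers) or "ok")
```

Feed it the headers your own site returns for each endpoint; an empty list means the response shows no sign of having passed through the page cache.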