SAML-Toolkits / wordpress-saml

OneLogin SAML plugin for Wordpress
MIT License

Wordpress 4.9.7 and Group assign of 'Registered' #69

Closed donovandb closed 4 years ago

donovandb commented 6 years ago

Another EDIT: It may be that this updated plug-in is messing with the Groups plugin feature of automatically adding a group upon creating a new user. Any idea if there are code updates here between this version and version 2.5.0 that may have changed the behavior when creating a user?

EDIT: Sorry, I think this has to do with the WordPress Plugin 'Groups'. I've used that in the past along with SSO and this plug-in and it has always added 'Registered' as the default group upon signing in. With WordPress 4.9.7 and this latest version of onelogin wordpress SAML, it does not do that anymore.

Hello, on a new integration, successfully created WordPress users are no longer being assigned 'Registered' in the group with WordPress 4.9.7.

Any ideas?

pitbulk commented 6 years ago

If no role is read from the SAMLResponse, then the extension uses

$userdata['role'] = get_option('default_role');

Can you check if that setting is defined in your environment? Maybe modified by WordPress 4.9.7 or by any of your plugins?

donovandb commented 6 years ago

@pitbulk, thanks for the reply.

I believe 'role' and 'group' are different (When the wordpress Groups plug-in is installed). Role is getting propagated correctly. Not groups.

I'll post this anyway, as I still can't find where the issue is coming from:

[root@vps2 wp-content]# pwd
/home/cessnaowner/public_html/wp-content
[root@vps2 wp-content]# grep -Hinre 'default_role' *
plugins/better-wp-security/core/lib/class-itsec-lib-password-requirements.php:154:                      $canonical = ITSEC_Lib_Canonical_Roles::get_canonical_roleubscriber' ) );
plugins/onelogin-saml-sso/php/functions.php:248:                        $userdata['role'] = get_option('default_role');
plugins/wp-security-audit-log/classes/Sensors/System.php:522:           if ( $is_option_page && wp_verify_nonce( $post_array['_wpnonce'], 'general-options' ) && !
plugins/wp-security-audit-log/classes/Sensors/System.php:523:                   $old = get_option( 'default_role' );
plugins/wp-security-audit-log/classes/Sensors/System.php:524:                   $new = trim( $post_array['default_role'] );
plugins/wp-security-audit-log/classes/Sensors/System.php:605:           if ( isset( $post_array['action'] ) && 'update' === $post_array['action'] && isset( $post_
plugins/wp-security-audit-log/classes/Sensors/System.php:606:                   $old_role = get_option( '_bbp_default_role' );
plugins/wp-security-audit-log/classes/Sensors/System.php:607:                   $new_role = $post_array['_bbp_default_role'];

donovandb commented 6 years ago

I did some further testing. I found another WordPress 4.9.7 site that we have and installed the 'Groups' plugin there too. I then simply turned on the local WordPress membership registration, registered (/wp-login.php?action=register) a user, and then went to the users panel. 'Registered' was indeed applied to this manually created user, which is a feature of 'Groups' (it automatically assigns 'Registered' to all registered users).

Next, I installed the OneLogin SAML SSO plug-in, configured it, then signed in using Single Sign On. This verified the same error of 'Registered' not automatically being applied as noted here.

Finally, I updated WordPress to 4.9.8, just to check if there was something in that update that might fix the issue. It did not.

I can only conclude that there is likely some incompatibility between the Groups and OneLogin SAML SSO plugins that is preventing Groups from assigning 'Registered' to newly created users using the OneLogin SAML SSO plugin. Again, this works on older versions of the two plugins.

donovandb commented 6 years ago

I think I fixed this issue. I made a few changes... but I think this is what fixed it:

In php/functions.php, line 54, I changed this:

function saml_user_register() {
    $target = get_option('onelogin_saml_customize_links_user_registration');
    if (!empty($target)) {
        wp_redirect($target);
        exit;
    }
}

to this:

function saml_user_register() {
    $target = get_option('onelogin_saml_customize_links_user_registration');
    if (!empty($target)) {
        wp_redirect($target);
        return false;
    }
}

The latter is what was in the old file.

Other things I did that I don't think mattered, but don't have time to verify: added this to WordPress's wp-config.php just before 'That's all, stop editing! Happy blogging.':

define('WP_MEMORY_LIMIT', '512M');

In the OneLogin plugin's onelogin_saml.php, I rearranged the order of calls to match the older version, starting at line 37:

// Check if exists SAML Messages
add_action('init', 'saml_checker', 1);

// add menu option for configuration
add_action('admin_menu', 'onelogin_saml_configuration');

Hope this helps someone using the Groups plugin... my guess is that this fix may also affect other plugins that attach hooks to the new user creation.
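To make the mechanism behind that one-word change concrete, here is an added illustration that is not the plugin's or WordPress's own code: a stripped-down stand-in for WordPress's priority-ordered action dispatch, with a SAML-style callback and a Groups-style callback both hooked on user_register. The hook name is the real WordPress one; the redirect target, user id and the USE_EXIT switch are constructed for this demo.

```php
<?php
// Added illustration (not the plugin's code): a minimal stand-in for WordPress's
// add_action()/do_action() loop, showing why an `exit` inside an early
// 'user_register' callback stops every later callback on the same hook.
$hooks = [];

function add_action(string $hook, callable $cb, int $priority = 10): void {
    global $hooks;
    $hooks[$hook][$priority][] = $cb;      // callbacks grouped by priority, in add order
}

function do_action(string $hook, ...$args): void {
    global $hooks;
    if (empty($hooks[$hook])) { return; }
    ksort($hooks[$hook]);                  // lower priority number runs first
    foreach ($hooks[$hook] as $cbs) {
        foreach ($cbs as $cb) { $cb(...$args); }
    }
}

$assigned_groups = [];                      // what the Groups-style callback records

// Stand-in for the SAML plugin's user_register hook. USE_EXIT=1 mimics the
// `exit` reported in this issue; anything else mimics the old `return false`.
function saml_user_register(int $user_id): void {
    $target = '/after-register';            // constructed value standing in for get_option()
    if (!empty($target)) {
        echo "redirect: $target\n";         // stands in for wp_redirect($target)
        if (getenv('USE_EXIT') === '1') { exit; }
        return;
    }
}

// Stand-in for the Groups plugin adding every new user to 'Registered'.
function groups_assign_registered(int $user_id): void {
    global $assigned_groups;
    $assigned_groups[$user_id][] = 'Registered';
}

add_action('user_register', 'saml_user_register', 10);
add_action('user_register', 'groups_assign_registered', 10);  // added later, so runs later

register_shutdown_function(function () use (&$assigned_groups) {
    echo empty($assigned_groups) ? "Groups callback never ran\n" : "Groups callback ran\n";
});

do_action('user_register', 42);             // 42 is a constructed user id
```

Run it once as `USE_EXIT=1 php demo.php` and once as `php demo.php` to see the two outcomes. Dropping the exit does let later callbacks run, but it also means the rest of the request keeps executing after the redirect header has been sent, which is worth keeping in mind when reviewing whatever the final patch does.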

pitbulk commented 6 years ago

Thanks for the research, I will test it in a couple of weeks and provide some patch that fixes the current issue.

pitbulk commented 4 years ago

https://github.com/onelogin/wordpress-saml/commit/025d042c7e4bf17786136f758a7f365dfc0a89d5