ktbartholomew / saml-20-single-sign-on

Wordpress plugin that makes a Wordpress site act as a SAML service provider
GNU General Public License v2.0
37 stars 22 forks

Subfolder Multisite confuses SimpleSAMLPHP #2

Open ktbartholomew opened 8 years ago

ktbartholomew commented 8 years ago

Subfolder multisite installs use URL rewriting to ensure that all the sites use the same plugin files, but this creates some issues with SimpleSAMLPHP.

  1. Metadata URLs have a site number, but can also only be accessed under the appropriate site's subfolder.
  2. SAML responses include a Destination attribute that includes the site's subfolder. When SimpleSAMLPHP tries to process the response, it believes its current URL is that of the site's main blog instead and throws an exception.

The plugin should normalize all URLs to fall under that of the main blog, to be consistent with the way Wordpress routes these requests. Other parts of the SAML request (most likely the ReturnTo property) should ensure that the user is redirected to the correct blog after the SAML process is complete.
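The Destination mismatch and the proposed normalization described above, as an added example that is not part of the original issue or the plugin's code. The host names, the ACS path, the site list and every function name are constructed, and constraining ReturnTo to the network's own origin is an assumption about how the final redirect would be limited.

```php
<?php
// Added illustration. Host names, ACS_PATH and all function names are constructed.
const MAIN_BLOG     = 'https://wp.example.test/';
const NETWORK_SITES = ['/', '/site2/', '/site3/']; // subfolder sites in the network
const ACS_PATH      = 'saml/acs.php';              // hypothetical ACS endpoint path

// The Destination check: the value in the response must equal the URL the SP
// believes it is being reached on.
function destination_matches(string $destination, string $selfUrl): bool
{
    return rtrim($destination, '/') === rtrim($selfUrl, '/');
}

// Normalization proposed in the issue: every site uses the main blog's URL.
function normalized_acs_url(): string
{
    return MAIN_BLOG . ACS_PATH;
}

// Map ReturnTo to the network site it belongs to, or null when it is not on
// the network's origin, so the post-login redirect cannot leave the network.
function blog_for_return_to(string $returnTo): ?string
{
    $main = parse_url(MAIN_BLOG);
    $u    = parse_url($returnTo);
    if (!is_array($u) || ($u['scheme'] ?? '') !== $main['scheme']
        || strcasecmp($u['host'] ?? '', $main['host']) !== 0
        || isset($u['port']) || isset($u['user'])) {
        return null;
    }
    $path = $u['path'] ?? '/';
    $best = '/';
    foreach (NETWORK_SITES as $site) { // longest matching subfolder prefix wins
        if (strlen($site) > strlen($best) && strncmp($path, $site, strlen($site)) === 0) {
            $best = $site;
        }
    }
    return $best;
}

// Constructed case: the SP computes its own URL under the main blog.
$selfUrl = MAIN_BLOG . ACS_PATH;
$checks = [
    'subfolder Destination accepted'  => destination_matches('https://wp.example.test/site2/' . ACS_PATH, $selfUrl),
    'normalized Destination accepted' => destination_matches(normalized_acs_url(), $selfUrl),
    'ReturnTo on site2 maps to'       => blog_for_return_to('https://wp.example.test/site2/wp-admin/'),
    'off-network ReturnTo maps to'    => blog_for_return_to('https://idp.example.test/site2/'),
];
var_export($checks);
```

The Destination comparison itself stays strict in this sketch; only the URL each site advertises changes, and the target blog travels in ReturnTo.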

stocker commented 7 years ago

Hi @ktbartholomew, I ran into this issue on a subdirectory multisite. Do you know of any workarounds or a fix?

ktbartholomew commented 7 years ago

@stocker There's no easy workaround that doesn't involve a significant re-work of how SimpleSAMLPHP fits into the auth flow. It would end up being a huge change, and one that I simply don't have the time to work through. I wish I had a better answer for you, but this is at the very edge of how SimpleSAMLPHP was designed to be used.

stocker commented 7 years ago

Hi Keith. Thanks for the prompt reply. It was very helpful that you had documented this issue, so I didn’t bang my head against it for hours.

ktbartholomew commented 7 years ago

@stocker If you manage some workaround for this in your environment, I'm sure others would benefit from you including your solution here. PRs are welcome too, if you're so inclined 😄