michaelryanmcneill / shibboleth

Shibboleth plugin for WordPress
https://wordpress.org/plugins/shibboleth/

Change or hide the password reset URL if Shibboleth is the only auth method allowed #28

Closed michaelryanmcneill closed 6 years ago

michaelryanmcneill commented 6 years ago

As pointed out by @earnjam, if a user ends up on wp-login.php they'll still be able to reset their local password, even if Shibboleth is the only auth method allowed. Instead, we should hook into the lostpassword_url filter: https://codex.wordpress.org/Plugin_API/Filter_Reference/lostpassword_url to change the URL to what the user provides, or we should hide the option entirely if a user hasn't provided a lost password URL.
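The approach described in this comment (redirect the reset link via `lostpassword_url`, hide it when no URL is configured, and enforce the same rule server-side so a direct visit to `wp-login.php?action=lostpassword` is also refused), as an added example that is not the plugin's own code. It assumes two hypothetical option names, `shibboleth_only_auth` and `shibboleth_lost_pw_url`, and a WordPress release that provides the `lost_password_html_link` filter.

```php
<?php
// Added example, not code from the Shibboleth plugin.
// Hypothetical options: shibboleth_only_auth (bool), shibboleth_lost_pw_url (string).

function shib_example_only_auth() {
    return (bool) get_option( 'shibboleth_only_auth', false ); // hypothetical option
}

function shib_example_lost_pw_url() {
    return esc_url_raw( (string) get_option( 'shibboleth_lost_pw_url', '' ) ); // hypothetical
}

// 1. Point "Lost your password?" at the admin-supplied URL when Shibboleth is the only method.
add_filter( 'lostpassword_url', function ( $url, $redirect ) {
    $custom = shib_example_lost_pw_url();
    return ( shib_example_only_auth() && '' !== $custom ) ? $custom : $url;
}, 10, 2 );

// 2. Hide the link entirely when Shibboleth-only and no URL has been configured.
add_filter( 'lost_password_html_link', function ( $html ) {
    return ( shib_example_only_auth() && '' === shib_example_lost_pw_url() ) ? '' : $html;
} );

// 3. Hiding the link is cosmetic: the reset handler is still reachable by URL.
//    Refuse local resets server-side; retrieve_password() honours a WP_Error here.
add_filter( 'allow_password_reset', function ( $allow, $user_id ) {
    if ( shib_example_only_auth() ) {
        return new WP_Error(
            'shib_reset_disabled',
            __( 'Password resets are handled by your institution\'s identity provider.' )
        );
    }
    return $allow;
}, 10, 2 );

// 4. Send anyone who opens the reset form directly to the configured page (or home).
function shib_example_redirect_reset() {
    if ( ! shib_example_only_auth() ) {
        return;
    }
    $target = shib_example_lost_pw_url();
    // The target is admin-configured, so an external IdP host is acceptable here.
    wp_redirect( '' !== $target ? $target : home_url( '/' ) );
    exit;
}
foreach ( array( 'login_form_lostpassword', 'login_form_retrievepassword' ) as $hook ) {
    add_action( $hook, 'shib_example_redirect_reset' );
}
```

Step 3 is what actually closes the gap the issue describes; steps 1 and 2 only change what the login page shows.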

jrchamp commented 6 years ago

I like the idea of showing the correct change password URL.

Going further, are they able to set a local password? If so, can they use that local password for non-Shibboleth authentication (e.g. REST API)? Should we prevent/block that for Shibboleth users?

michaelryanmcneill commented 6 years ago

This is a great point @jrchamp. I'm not 100% sure but I will definitely do some testing to determine if that is the case. If you have some free time to do a PR on this, that'd be awesome too.