jrchamp
commented
5 years ago The config page does need to be updated. Currently, the code does:
"If there is no default role, the user will not be assigned a role when creating an account with Shibboleth."
It sounds like you want:
"If there is no default role, the user will not be able to create an account with Shibboleth."
Such a change would mean:
- If you want users to be able to create accounts on their own, you must have an attribute with a known, static value to check.
- It is no longer possible to create a no-role account with Shibboleth.
- If you do not have an attribute to check (e.g. if you only receive the targeted-id) then the user managing the WordPress site/network must must both create the user accounts and assign roles to users.
Philosophically, Shibboleth is primarily about authentication, not authorization. In that sense, using the WordPress authorization functions is the appropriate security mechanism. The security guarantee that Shibboleth gives you is that the user being created has logged in with Shibboleth.
I like part of this change, but I would want it to be optional to avoid forcing a large maintenance burden on our users who have less control over the attributes they receive.
michaelryanmcneill
Alhrath
dandalpiaz
indrek-k
As I understand when I read the config page in "If there is no default role, the user will not be able to log in with Shibboleth.", unmapped roles should deny access when default role is set to "None". But it's not the case : an account is still created with no role and the user is logged in, which can be a security issue in some structures, like ours.
To solve this, I temporarily edited the code in the function shibboleth_create_new_user, moving "$user_role = shibboleth_get_user_role();" from line 636 to line 617 and adding " || empty( $user_role )" to the condition at line 619.
Is it possible to implement a fix in the next release ? I actually use the latest version (2.1.1).