michaelryanmcneill / shibboleth

Shibboleth plugin for WordPress
https://wordpress.org/plugins/shibboleth/

User login loops in WP 5.x multisite #61

Closed jacqdesign closed 4 years ago

jacqdesign commented 4 years ago

I am still trying to figure out a fix for the issues we are having with Shibboleth 2 doing an infinite loop when ANY user logs in to the sites on the network. It does not appear to loop on the "main" site. But anything that is the "multisite" network, the loop happens, even with super-admin login.

Put in the correct username and password, and it just loops through https://webauth.service.ohio-state.edu/idp/profile/SAML2/Redirect/SSO?execution=e3s1 until it eventually times out.

Any help is greatly appreciated!

Here are the files I thought might be helpful for you to review for me.

.htaccess file

```apache
RewriteEngine On

# Force SSL
# I think this is doing the same thing as the next block
#RewriteEngine On
#RewriteCond %{HTTPS} ^off$ [NC]
#RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [L,R=301,NE,QSA]

# Force HTTPS
RewriteCond %{SERVER_NAME} ^www\. [NC,OR]
RewriteCond %{HTTPS} ^off$ [NC]
RewriteCond %{SERVER_NAME} ^(www\.)?(.*) [NC]
RewriteRule ^/?(.*) https://%2/$1 [L,R=301,NE,QSA]

# Allow Shib urls
RewriteCond %{REQUEST_URI} ^/Shibboleth.sso($|/)
RewriteRule . - [L]

#Shib
AuthType shibboleth
ShibRequestSetting redirectToSSL 443
ShibRequestSetting requireSession 1
Require shib-session

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]

# END WordPress
```

This might be completely messed up, but I tried to adjust code to work on PHP 7 and the new WordPress version.

shibboleth-mu.php

```php
<?php

// include regular Shibboleth plugin file
require_once dirname(__FILE__) . '/shibboleth/shibboleth.php';

function shibboleth_muplugins_loaded() {
    add_filter('shibboleth_plugin_path', function($p) {
        echo($p);
        return WPMU_PLUGIN_URL . "/shibboleth";
    });
}
add_action('muplugins_loaded', 'shibboleth_muplugins_loaded');
?>
```

jrchamp commented 4 years ago

Sorry for the delayed response - I never saw an email for this issue.

I'm very confused about the setup here.

Side note: If you plan to keep the shibboleth-mu, I would definitely remove the echo($p); line that was likely for debugging.

jacqdesign commented 4 years ago

Dear Jonathan,

Thank you so much for writing back.

I think when I network enabled the Shibboleth v1 plugin years ago, it created the shibboleth-mu.php, I believe, following the "Must-Use" plugin process.

I can try to uninstall and then install Shibboleth v2 and network enable again and see if that works. But I was under the impression that to force Shibboleth on all websites on the network, plugin-mu.php is required.

Yes, the WHOLE site, the main site and all the multi-sites under it all are Shibboleth protected.

Here’s a doc page for my client, Ohio State University, for using Shibboleth in OSU Web Hosting https://webauth.service.ohio-state.edu/~shibboleth/

Their instructions on configuring Shibboleth for WordPress: https://web.osu.edu/technical-support/wordpress/wordpress-shib/

I think I will have to talk to the university web hosting team for making the VirtualHost's Directory that you mentioned. I don’t think I have access to make the config change needed. These are all a little over my head, please forgive me if I need a little more hand holding.

Thank you!

jrchamp commented 4 years ago

As I understand it:

In this case, it is much easier to manage a network enabled plugin rather than one that depending-on-how-it-is-written might have inconsistent configuration.

michaelryanmcneill commented 4 years ago

I'm going to go ahead and close this out. If there is additional assistance needed, please reopen the issue.

jacqdesign commented 4 years ago

I was still not able to find a solution for this issue. But I will reach out again later.

Thank you.

Sincerely, Jacq Davis Founder | Designer

jacq@jacqdesign.com www.jacqdesign.com
