michaelryanmcneill / shibboleth

Shibboleth plugin for WordPress
https://wordpress.org/plugins/shibboleth/

User login loops in WP 5.5 multisite #69

Closed jacqdesign closed 4 years ago

jacqdesign commented 4 years ago

Hello, I am reopening the issue I had posted before.

This time, I wiped everything and started from scratch. Installed WP 5.5, set up multisite. Created a single multisite to test. No custom theme nor other plugins running besides Shib 2.2.2. Shib was installed using the WP Add New Plugin interface, so everything was set up automatically.

https://comdev.org.ohio-state.edu/test1/ is the site in question.

I can provide login info privately through email for you to troubleshoot if you wish to see the behavior of the looping.

Below is what is in the .htaccess file currently:

# Force SSL
RewriteEngine On
RewriteCond %{HTTPS} ^off$ [NC]
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [L,R=301,NE,QSA]

# Shibboleth quick-exit
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/Shibboleth.sso($|/)
RewriteRule . - [L]

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]
</IfModule>

# END WordPress
# BEGIN Shibboleth
# The directives (lines) between "BEGIN Shibboleth" and "END Shibboleth" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_shib>
AuthType shibboleth
Require shibboleth
</IfModule>
# END Shibboleth
michaelryanmcneill commented 4 years ago

It looks like you're getting the wrong .htaccess directives. Can you make sure you have the latest plugin installed?

It should look something like this:

# BEGIN Shibboleth
# The directives (lines) between "BEGIN Shibboleth" and "END Shibboleth" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_shib>
AuthType shibboleth
Require shibboleth
</IfModule>
<IfModule mod_shib.c>
AuthType shibboleth
Require shibboleth
</IfModule>
<IfModule mod_shib.cpp>
AuthType shibboleth
Require shibboleth
</IfModule>
# END Shibboleth
jacqdesign commented 4 years ago

Thank you. I just updated the .htaccess file with the code you have provided. I have the latest plugin installed.

After the update, it is still looping.

jrchamp commented 4 years ago

My first guess would be that the Shibboleth attributes might not be using the right mapping. You can sometimes get a list of the attributes from https://comdev.org.ohio-state.edu/Shibboleth.sso/Session (you may need to log in first via https://comdev.org.ohio-state.edu/Shibboleth.sso/Login )

jrchamp commented 4 years ago

You may also want to create a small test file to make sure PHP has access to the attribute like:

<?php
echo "<pre>
eppn: {$_SERVER['eppn']}
REMOTE_USER: {$_SERVER['REMOTE_USER']}
</pre>";

If that doesn't give you anything, then you might need to be DANGERous for a couple seconds just to figure out what the name is supposed to be:

<?php
echo "<pre>";
var_dump($_SERVER);
echo "</pre>";

Definitely delete that after you run it.

michaelryanmcneill commented 4 years ago

Yep, I agree with @jrchamp. You need to check to make sure the attributes are being passed along properly. If they are being passed along, you'll need to make sure PHP can access them as @jrchamp explained. If you see the attributes in PHP and in Shibboleth, then let us know and we'll dig further.

jacqdesign commented 4 years ago

Thank you~ I did the https://comdev.org.ohio-state.edu/Shibboleth.sso/Session you suggested and here is the output.

Miscellaneous
Session Expiration (barring inactivity): 479 minute(s)
Client Address: 172.17.220.144
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: urn:mace:incommon:osu.edu
Authentication Time: 2020-08-12T22:31:21.961Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
EMAIL: 1 value(s)
EMPLOYEE-ID: 1 value(s)
FIRST-NAME: 1 value(s)
LAST-NAME: 1 value(s)
OSUID: 1 value(s)
WHOIS-ID: 1 value(s)
displayName: 1 value(s)
employeeNumber: 1 value(s)
eppn: 1 value(s)
givenName: 1 value(s)
mail: 1 value(s)
sn: 1 value(s)
jacqdesign commented 4 years ago

Thank you @jrchamp. I am so sorry if it was obvious but I wanted to make sure. To make the test file like you have suggested, do I just create a test.php file with the code you have suggested below and put it in the main theme folder to see if it generates output?

> You may also want to create a small test file to make sure PHP has access to the attribute like:
>
> <?php
> echo "<pre>
> eppn: {$_SERVER['eppn']}
> REMOTE_USER: {$_SERVER['REMOTE_USER']}
> </pre>";
>
> If that doesn't give you anything, then you might need to be DANGERous for a couple seconds just to figure out what the name is supposed to be:
>
> <?php
> echo "<pre>";
> var_dump($_SERVER);
> echo "</pre>";
>
> Definitely delete that after you run it.

jrchamp commented 4 years ago

Yes, that should work. If you end up using the dangerous option, use a filename that only you know, because there is sometimes private information in $_SERVER.

jrchamp commented 4 years ago

eppn looks to be the right attribute for your environment if you are using scoped usernames (recommended). If you are using unscoped usernames, I'm not sure which value you would use, because the documentation makes OSUID seem like an employee number and not a username.

jacqdesign commented 4 years ago

Thank you @jrchamp. I just did the test file and here's what it returned. The two items match the user that I am using to log in. The info is the correct username for Shib login.

eppn: kovacevic.7@osu.edu
REMOTE_USER: kovacevic.7@osu.edu

> eppn looks to be the right attribute for your environment if you are using scoped usernames (recommended). If you are using unscoped usernames, I'm not sure which value you would use, because the documentation makes OSUID seem like an employee number and not a username.

michaelryanmcneill commented 4 years ago

What is username attribute set to in the Shibboleth plugin configuration?

jacqdesign commented 4 years ago

It is set to "eppn" and Managed.

> What is username attribute set to in the Shibboleth plugin configuration?

michaelryanmcneill commented 4 years ago

Alright, please send me a note at michael (at) michaelryanmcneill (dot) com with temporary credentials and I'll take a look at it. Can you also provide local WordPress credentials and install the Query Monitor plugin so I can review the configuration?

jacqdesign commented 4 years ago

Thank you Michael, should I set you up with super admin for the network so you can see the Shib settings?

> Alright, please send me a note at michael (at) michaelryanmcneill (dot) com with temporary credentials and I'll take a look at it. Can you also provide local WordPress credentials and install the Query Monitor plugin so I can review the configuration?

michaelryanmcneill commented 4 years ago

Yes please.

jacqdesign commented 4 years ago

Thank you @michaelryanmcneill ! I have set you up as super admin, installed the plugin and emailed you directly the Shib login to test with.

Thank you a ton!

michaelryanmcneill commented 4 years ago

So, just some quick information: Logging in with Shibboleth works from https://comdev.org.ohio-state.edu/wp-admin/. Logging in with Shibboleth does not work from https://comdev.org.ohio-state.edu/test1/wp-admin/.

I'm going to have to dig into this more tomorrow, but I'll see what I can do to help.

jacqdesign commented 4 years ago

Thank you @michaelryanmcneill

Yes, you are correct about it working for the main site. It only does the looping on the multisite under it.

Really appreciate you looking into this!

jrchamp commented 4 years ago

@michaelryanmcneill One thing to check is if automatic account provisioning is enabled. It might be related to that issue we were seeing before where the subsite was not creating the account. Maybe https://github.com/michaelryanmcneill/shibboleth/issues/54

michaelryanmcneill commented 4 years ago

I thought that too @jrchamp but turns out that is not it. After some additional debugging the issue is that Shib-Session-ID doesn't exist on the sub-site, which is what the plugin uses to validate if a session is active. Strangely enough, the problem is that on the sub-sites, OSU uses "Redirected Environment Variables" but for the main site, they use just regular "Environment Variables". Updating the setting to "Redirected Environment Variables" solved the problem on the sub-site but broke the main site. @jacqdesign if you have a contact that works with Shibboleth at OSU, could you ask them why REDIRECT_ is being prepended to the shibboleth environment variables only on the sub-sites and if there is a configuration option that they can implement to fix that (either making all of them prefixed with REDIRECT_ or none of them prefixed)? If they can't fix that, I'm going to have to spend some time thinking about the best way to solve this. My first guess is either we combine "Redirected Environment Variables" and "Environment Variables" into a single option or make a combined option a selectable choice, but I'm not sure that I like the sound of either of those. I'm going to do some additional troubleshooting @jacqdesign so if you can leave my access up for a little bit longer, I'd appreciate it.

jacqdesign commented 4 years ago

Thank you @michaelryanmcneill I am reaching out to OSU to see if I can forward your request to the person in charge of Shibboleth there.

eshicks4 commented 4 years ago

That would be me - I'm the web admin. Hopefully this will reopen this issue. I'm not sure there's much we can do on our end.

REDIRECT_ is painfully undocumented but a good explanation can be found here: https://stackoverflow.com/questions/3050444/when-setting-environment-variables-in-apache-rewriterule-directives-what-causes

We don't run the URLs through any mod_rewrite rules before it gets to the custom ones in their .htaccess file. You may try looking for clues in the .htaccess file in the top-level directory, though - something there might be causing a rewrite event.

It also looks like multiple rewrite events can create multiple levels of REDIRECT in front of the variable names. Rather than just looking for one or the other you may be better off regex matching. (i.e. looking for '(REDIRECT)*VARNAME' instead of VARNAME xor REDIRECT_VARNAME)

eshicks4 commented 4 years ago

On 2nd thought, if you do search for multiple variants, make sure you prioritize so someone can't override their proper eppn with another one and hijack the account.
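
One way to implement the prioritised lookup that the two comments above describe (a fixed candidate order, so an earlier match always wins and request headers are never consulted). This is an added example, not the plugin's code or anyone's comment in this thread; the function names, the `$max_redirect_depth` limit and the sample `$_SERVER` array are assumptions:

```php
<?php
// Added example (not the Shibboleth plugin's code): resolve a Shibboleth
// attribute from $_SERVER whether mod_shib exported it as a plain environment
// variable or Apache prepended one or more REDIRECT_ prefixes after an
// internal rewrite. The candidate order is fixed (plain name first, then
// REDIRECT_, then REDIRECT_REDIRECT_), so the first match always wins.
// Function names and $max_redirect_depth are assumptions for this example.

function shib_env_candidates(string $name, int $max_redirect_depth = 2): array
{
    $candidates = [];
    for ($depth = 0; $depth <= $max_redirect_depth; $depth++) {
        $candidates[] = str_repeat('REDIRECT_', $depth) . $name;
    }
    return $candidates;
}

function shib_get_attribute(array $server, string $name, int $max_redirect_depth = 2): ?string
{
    // Only environment-style keys are consulted. Request headers arrive in
    // $_SERVER as HTTP_* keys and are deliberately never part of the candidate
    // list, so a header sent by the browser cannot stand in for an attribute.
    foreach (shib_env_candidates($name, $max_redirect_depth) as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    return null;
}

function shib_session_active(array $server): bool
{
    // Mirrors the check the thread describes: a session counts as active only
    // when Shib-Session-ID is present under one of the accepted key forms.
    return shib_get_attribute($server, 'Shib-Session-ID') !== null;
}

// Constructed sample of a sub-site request as described in this thread, where
// Apache has prefixed the Shibboleth variables with REDIRECT_.
$sample_subsite = [
    'REDIRECT_Shib-Session-ID' => '_constructed-session-id',
    'REDIRECT_eppn'            => 'user@example.edu',
    'HTTP_EPPN'                => 'header@example.edu', // request header: ignored
];

var_dump(shib_session_active($sample_subsite));
var_dump(shib_get_attribute($sample_subsite, 'eppn'));
```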

michaelryanmcneill commented 4 years ago

@eshicks4 thanks for the follow-up. We did implement a fix that does solve this problem. I've never seen a REDIRECT_REDIRECT_ environment variable, but we can only support so many edge cases.