Is your feature request related to a problem? Please describe.
Some OpenID use cases need to support IdP initiated SSO. Even if it's not a standard feature of OpenID, it should be a game changer in such cases.
Describe the solution you'd like
There are many technical ways. Here is an example of the logic I'm actually testing for PoC purposes:
```php
add_action( 'login_init', function () {
	if ( isset( $_GET['IdPinitiatedSSO'] ) && '1' === $_GET['IdPinitiatedSSO'] ) {
		// Redirect to the plugin's authentication URL. This uses the documented
		// shortcode [openid_connect_generic_auth_url]; a dedicated function to
		// call get_authentication_url directly would be nice to have.
		// wp_redirect (not wp_safe_redirect) because the target is the external IdP.
		wp_redirect( do_shortcode( '[openid_connect_generic_auth_url]' ) );
		exit();
	}
} );
```
In this case calling the endpoint https://mywebsite/wp-login.php?IdPinitiatedSSO=1 from the IdP (e.g., clicking the WordPress SP icon on Office365) starts the OpenID flow in the same way as if I had clicked on the "Login with OpenID" button. No security flaws should be involved because the endpoint only simulates a user action and authentication/authorization is intended to be checked again with the SP/IdP process.
Describe alternatives you've considered
Cookie or state/session based flows could be also considered, but not mandatory for the scope.
Additional context
What do you think? Thank you and keep up the good work!
@milesimarco yes, what you are describing is what's defined as "Initiating Login from a Third Party" in the OpenID Connect specification. We will be looking into supporting that part of the specification. Thanks!
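As an added example (neither the issue author's PoC above nor the plugin's own code), here is what the endpoint looks like when it follows the "Initiating Login from a Third Party" section the maintainer refers to: the request carries `iss`, optional `login_hint` and `target_link_uri`, and the RP must match `iss` against its configured issuer and validate `target_link_uri` so the endpoint cannot act as an open redirector. The issuer value is a placeholder; the site origin is the one used in the issue text.

```php
<?php
// Added example, not the openid-connect-generic plugin's code: the checks an RP should
// apply to a third-party initiated login request (OpenID Connect Core 1.0, section 4)
// before starting its normal flow. The issuer is a placeholder; the origin is from the issue.
const EXPECTED_ISSUER = 'https://idp.example'; // placeholder: your configured OP issuer
const SITE_ORIGIN     = 'https://mywebsite';   // origin used in the issue text
// Returns ['ok' => true, 'target' => ?string, 'login_hint' => ?string] or ['ok' => false, 'error' => string].
function validate_third_party_login( array $params, string $issuer = EXPECTED_ISSUER, string $origin = SITE_ORIGIN ): array {
    // iss is REQUIRED: only the one OP this RP is configured for may kick off a login.
    if ( ! isset( $params['iss'] ) || ! hash_equals( $issuer, (string) $params['iss'] ) ) {
        return [ 'ok' => false, 'error' => 'missing or unknown iss' ];
    }
    $target = null;
    if ( ! empty( $params['target_link_uri'] ) ) {
        // The spec requires the RP to verify target_link_uri so the endpoint cannot be
        // used as an open redirector; only same-origin https URLs are accepted here.
        $t = parse_url( (string) $params['target_link_uri'] );
        $o = parse_url( $origin );
        if ( $t === false
            || ( $t['scheme'] ?? '' ) !== 'https'
            || strtolower( $t['host'] ?? '' ) !== strtolower( $o['host'] )
            || ( $t['port'] ?? null ) !== ( $o['port'] ?? null )
            || isset( $t['user'] ) || isset( $t['pass'] ) ) {
            return [ 'ok' => false, 'error' => 'target_link_uri is not same-origin' ];
        }
        $target = (string) $params['target_link_uri'];
    }
    $hint = isset( $params['login_hint'] ) ? (string) $params['login_hint'] : null;
    return [ 'ok' => true, 'target' => $target, 'login_hint' => $hint ];
}
// WordPress wiring (only when loaded inside WordPress). The endpoint must accept GET and
// POST per the spec, so both are merged. Remembering a validated target for the post-login
// redirect (e.g. in a cookie, as the issue's alternatives mention) is left to the plugin.
if ( function_exists( 'add_action' ) ) {
    add_action( 'login_init', function () {
        $params = array_merge( $_GET, $_POST );
        if ( ! isset( $params['iss'] ) ) {
            return; // not a third-party initiated request: show the normal login page
        }
        $result = validate_third_party_login( $params );
        if ( ! $result['ok'] ) {
            status_header( 400 );
            exit( esc_html( $result['error'] ) );
        }
        // Hand off to the plugin's flow, which mints a fresh state and nonce just as the button does.
        wp_redirect( do_shortcode( '[openid_connect_generic_auth_url]' ) );
        exit;
    } );
}
```

The validation function is plain PHP and can be unit-tested outside WordPress; the hook block only runs when WordPress has defined `add_action`.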