Feature request: a way to circumvent permit_wp_login=false

[dsXLII]

I know, it sounds crazy. Feel free to point out how this is potentially a security risk, because it probably is. :)

Anyway, here's what I'm picturing in my head:

• A named define - something like define('WP_SAML_AUTH_BACKDOOR', 'mysecretpasscode'); that can be set in wp-config.php
• A check, probably in the middle of do_saml_authentication(), that looks to see if that string is in the URL, probably as a GET parameter (/wp-login.php?mysecretpasscode)
• If permit_wp_login=false is set, but the backdoor string is present, act as if permit_wp_login is true

Use cases:

• In my environment, when a new site is created, it takes a few hours for our SAML IdP to refresh its metadata, this would allow me to get into that new site right away
• If the IdP is unavailable or malfunctioning, especially if this site is "the site where we tell users about problems with the IdP", but nobody with sufficient access/training to get into the web server and deactivate the wp-saml-auth plugin is around
• Possibly automation or testing scenarios?

It seems like it should be relatively simple to implement, and I can probably get a PR ready in the near future. But before I put in that work, I'd like opinions. Is this even a good idea? Anyone else think it'd be useful to them? What gotchas should I look out for when implementing it?

[kaechele]

I was looking for something similar while debugging a WordPress instance with our SAML set up. The OneLogin plugin has the normal GET parameter to get fail-safe access to the local login screen. This plugin doesn't seem to have this. It would require changes at multiple points in the plugin to enable this functionality, as the permit_wp_login option is use at different stages throughout the request flow. So any bypass would have to be persisted throughout the entire request session. This terrible hack is a quick workaround that gives you the ability to toggle the permit_wp_login parameter from the outside by appending ?saml_failsafe to the wp-login.php URL.

add_action('login_init', function () {
    if (array_key_exists('saml_failsafe', $_GET) && getenv("APP_ENV") === "development") {
        $wp_saml_auth_settings = get_option('wp_saml_auth_settings');
        $wp_saml_auth_settings['permit_wp_login'] = !$wp_saml_auth_settings['permit_wp_login'];
        update_option('wp_saml_auth_settings', $wp_saml_auth_settings);
    }
});

Personally, I would strongly advise against attempting to use this in a production environment for any length of time. Depending, on your use case you may have to remove the getenv check I put in there to ensure this doesn't run in my production environment if the snippet ends up there by accident.

[shawnweeks]

If your like me and locked yourself out after disabling permit_wp_login and ended up here from Google, here is how you re-enable the logins with the WP CLI. If your using Docker you'll have to adapt this command to the WP CLI Docker Image.

wp option patch update 'wp_saml_auth_settings' 'permit_wp_login' 'true'