WP SAML Auth
by Pantheon Systems on WordPress.org
SAML authentication for WordPress, using the bundled OneLogin SAML library or optionally installed SimpleSAMLphp. OneLogin provides a SAML authentication bridge; SimpleSAMLphp provides SAML plus a variety of other authentication mechanisms. This plugin acts as a bridge between WordPress and the authentication library.
If your organization uses Google Apps, integrating Google Apps with WP SAML Auth takes just a few steps.
The standard user flow looks like this:
- User can log in via SAML using a button added to the standard WordPress login view.
- When the button is clicked, the user is handed off to the authentication library. With OneLogin, the user is redirected to the SAML identity provider. With SimpleSAMLphp, the user is redirected to the SimpleSAMLphp install.
- Once the user is authenticated with the identity provider, they’re redirected back to WordPress and signed in to their account. A new WordPress user will be created if none exists (although this behavior can be disabled).
- When the user logs out of WordPress, they are also logged out of the identity provider.
A set of configuration options allow you to change the plugin’s default behavior. For instance, permit_wp_login=>false will force all authentication to go through the SAML identity provider, bypassing wp-login.php. Similiarly, auto_provision=>false will disable automatic creation of new WordPress users.
See installation instructions for full configuration details.
Installing SimpleSAMLphp
The plugin supports both SimpleSAMLphp v1.x and v2.x. The autoloader is automatically detected:
SimpleSAMLphp v2.x uses vendor/autoload.php
SimpleSAMLphp v1.x uses lib/_autoload.php
Default Search Paths
The plugin automatically searches for SimpleSAMLphp in these locations:
* ABSPATH . 'simplesaml'
* ABSPATH . 'private/simplesamlphp'
* ABSPATH . 'simplesamlphp'
* ABSPATH . 'vendor/simplesamlphp/simplesamlphp' (Composer installation)
* plugin_dir_path . 'simplesamlphp'
For each path, the plugin checks for both vendor/autoload.php (v2.x) and lib/_autoload.php (v1.x).
This means Composer installations work automatically! If you run composer require simplesamlphp/simplesamlphp in your site root, the plugin will find it without any additional configuration.
Composer Installation (Advanced)
If you install SimpleSAMLphp via Composer to a custom location (not the standard vendor/simplesamlphp/simplesamlphp), you can specify the autoloader path:
add_filter( 'wp_saml_auth_option', function( $value, $option_name ) {
if ( 'simplesamlphp_autoload' === $option_name ) {
// Point to your custom Composer vendor autoloader
return '/custom/path/vendor/autoload.php';
}
return $value;
}, 10, 2 );
Custom Installation Paths
If SimpleSAMLphp is installed in a non-default location, you can set custom search paths with the wp_saml_auth_simplesamlphp_path_array filter:
add_filter( 'wp_saml_auth_simplesamlphp_path_array', function( $simplesamlphp_path_array ) {
// Override default paths with custom paths
return [ '/custom/path/to/simplesamlphp' ];
} );
Or define an explicit autoloader path with the wp_saml_auth_ssp_autoloader filter:
add_filter( 'wp_saml_auth_ssp_autoloader', function( $ssp_autoloader ) {
return ABSPATH . 'path/to/simplesamlphp/vendor/autoload.php';
} );WP-CLI Commands
This plugin implements a variety of WP-CLI commands. All commands are grouped into the wp saml-auth namespace.
$ wp help saml-auth
NAME
wp saml-auth
DESCRIPTION
Configure and manage the WP SAML Auth plugin.
SYNOPSIS
wp saml-auth
SUBCOMMANDS
scaffold-config Scaffold a configuration filter to customize WP SAML Auth usage.
Use wp help saml-auth to learn more about each command.
Note: The scaffold-config command generates a configuration function with default values. The simplesamlphp_autoload option is not included in the scaffolded output because the plugin auto-detects SimpleSAMLphp installations. Only add this option manually if SimpleSAMLphp is in a non-standard location.
Contributing
See CONTRIBUTING.md for information on contributing.
