Use OneLogin's PHP SAML library for SAML auth without SimpleSAMLphp #68
Conversation
Sessions aren't shared between WP SAML Auth and SimpleSAMLphp
This reverts commit 3c730c3.
|
Interestingly, here are the cookies that are present in the SimpleSAMLphp login screen locally:
And here's what's in the test environment:
|
|
Downgrading SimpleSAMLphp seems to have fixed the cookie issue. However, for whatever reason, the login form doesn't seem to want to submit:
Or, it's submitting and returning "invalid username / password". |
WIP - Test fix for one login branch
|
@stevector This is finally ready for a review. In addition to reading through the code, it'd be helpful to have you attempt to configure this locally... following the instructions in the readme, and suggesting clarifications where you have ideas. If you try to use Auth0 as a SAML IdP, you may get stuck. The last time I tried, Auth0 wouldn't pass responses back to URLs ending with I ended up setting up SimpleSAMLphp as a SAML IdP locally and it worked well enough. You could copy the necessary configuration out of the Behat setup steps. |
|
Thanks @danielbachhuber! I'm booked up solid early in the week. I've blocked time on Friday to review. |
|
@stevector How's the review coming along? I'd love to get this landed and out the door :) |
There was a problem hiding this comment.
Hi @danielbachhuber, I got this PR working on a Pantheon site today.
I added some minor suggestions/requests inline.
My overall impression is that it still takes a lot of wrangling to get this plugin up and running. I don't want to block the PR on this, but I'm tempted to sign up for a GSuite account just to make myself an admin of an easy identity provider that would could write tests/instructions against. Using an ID provider on the same server makes the process confusing.
inc/class-wp-saml-auth.php
Outdated
| $this->provider = new SimpleSAML_Auth_Simple( self::get_option( 'auth_source' ) ); | ||
| $connection_type = self::get_option( 'connection_type' ); | ||
| if ( 'internal' === $connection_type ) { | ||
| $autoload = dirname( __DIR__ ) . '/vendor/autoload.php'; |
There was a problem hiding this comment.
Let's allow for the possibility of an all-Composer setup where vendor directory would not be within the plugin directory.
We handled that in LCache like this: https://github.com/lcache/wp-lcache/blob/master/object-cache.php#L12
|
|
||
| function wpsax_filter_option( $value, $option_name ) { | ||
| $defaults = array( | ||
| /** | ||
| * Type of SAML connection bridge to use. | ||
| * | ||
| * 'internal' uses OneLogin bundled library; 'simplesamlphp' uses SimpleSAMLphp. |
There was a problem hiding this comment.
Decisions, not options.
😄
Should we be deprecating SimpleSAMLphp at some point?
There was a problem hiding this comment.
Should we be deprecating SimpleSAMLphp at some point?
At this point, I'm leaning towards no. The cost of us maintaining the SimpleSAMLphp implementation is trivial compared to the cost of forcing existing users to migrate to OneLogin. Plus, I'm not positive there's feature parity between SimpleSAMLphp and OneLogin for everything users may be using (e.g. being able to select between 2 IdPs).
| @@ -1,43 +1,94 @@ | |||
| # WP SAML Auth # | |||
There was a problem hiding this comment.
Can you draft the Changelog entry?
There was a problem hiding this comment.
I typically do this just before release.
circle.yml
Outdated
| @@ -51,4 +51,5 @@ test: | |||
| override: | |||
| - ./bin/behat-test.sh --strict | |||
| post: | |||
| - ./bin/behat-cleanup.sh | |||
| # - ./bin/behat-cleanup.sh | |||
| - echo 'disabled' | |||
There was a problem hiding this comment.
This line will need to change back before merge.
tests/behat/login.feature
Outdated
| @@ -9,6 +9,8 @@ Feature: SAML Login | |||
| And I fill in "username" with "employee" | |||
| And I fill in "password" with "employeepass" | |||
| And I press "submit" | |||
| And print last response | |||
There was a problem hiding this comment.
This line can be taken out.
| add_action( 'admin_notices', function() { | ||
| if ( current_user_can( 'manage_options' ) ) { | ||
| // Translators: Links to the WP SAML Auth plugin. | ||
| echo '<div class="message error"><p>' . wp_kses_post( sprintf( __( "WP SAML Auth wasn't able to find the <code>SimpleSAML_Auth_Simple</code> class. Please check the <code>simplesamlphp_autoload</code> configuration option, or <a href='%s'>visit the plugin page</a> for more information.", 'wp-saml-auth' ), 'https://wordpress.org/plugins/wp-saml-auth/' ) ) . '</p></div>'; |
There was a problem hiding this comment.
This is the message I see after just enabling the module (without doing an config). It suggests that SimpleSAML, rather than OneLogin is the preferred option. I think we should consider flipping some ifs/else statements.
There was a problem hiding this comment.
Because I've introduced a new connection_type=>(internal|simplesamlphp) configuration argument, the default connection type still needs to be simplesamlphp to avoid a backwards compatibility break on existing installs.
The code path is such that you'll see one error message with one connection type, and the other with the other connection type. You must've had connection_type=simplesamlphp at the time.
|
|
||
| See installation instructions for full configuration details. | ||
|
|
||
| ## Installation ## | ||
|
|
||
| This plugin requires access to a SimpleSAMLphp installation running in the same environment. If you are already running SimpleSAMLphp, then you are good to go. Otherwise, you'll need to install and configure SimpleSAMLphp before you can begin using this plugin. For local testing purposes, the [Identity Provider QuickStart](https://simplesamlphp.org/docs/stable/simplesamlphp-idp) is a good place to start. | ||
| This plugin requires access to a functioning SAML identity provider. If all you need is SAML authentication, then you should use the bundled OneLogin SAML library. If you have more complex authentication needs, then you can also use a SimpleSAMLphp installation running in the same environment. |
There was a problem hiding this comment.
Can you split up the code snippets that follow such that there is one for OneLogin and one for SimpleSAMLphp?
There was a problem hiding this comment.
Why? There's more overlap between them than there are differences.
bin/fixtures/functions.php
Outdated
| return $value; | ||
| } | ||
| if ( 'user_login_attribute' === $option_name ) { | ||
| return 'urn:oid:0.9.2342.19200300.100.1.1'; |
There was a problem hiding this comment.
Where did these values come from?
There was a problem hiding this comment.
I sniffed it out of the SAML response. It looks like this is SAML 2 spec though: https://commons.lbl.gov/display/IDMgmt/Attribute+Definitions#AttributeDefinitions-uiduid
Could you clarify on this? Were you confused specifically about the testing implementation, or the testing implementation and plugin configuration generally? |
|
@danielbachhuber and I were just chatting about this on Slack. I think we're good to go. |
See #60