-
Notifications
You must be signed in to change notification settings - Fork 22
/
readme.txt
195 lines (148 loc) · 8.87 KB
/
readme.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
=== Shibboleth ===
Contributors: willnorris, mitchoyoshitaka
Tags: shibboleth, authentication, login, saml
Requires at least: 3.3
Tested up to: 4.5
Stable tag: 1.7
Allows WordPress to externalize user authentication and account creation to a
Shibboleth Service Provider.
== Description ==
This plugin is designed to support integrating your WordPress or WordPress MU
blog into your existing identity management infrastructure using a
[Shibboleth][] Service Provider.
WordPress can be configured so that all standard login requests will be sent to
your configured Shibboleth Identity Provider or Discovery Service. Upon
successful authentication, a new WordPress account will be automatically
provisioned for the user if one does not already exist. User attributes
(username, first name, last name, display name, nickname, and email address)
can be synchronized with your enterprise's system of record each time the user
logs into WordPress.
Finally, the user's role within WordPress can be automatically set (and
continually updated) based on any attribute Shibboleth provides. For example,
you may decide to give users with an eduPersonAffiliation value of *faculty*
the WordPress role of *editor*, while the eduPersonAffiliation value of
*student* maps to the WordPress role *contributor*. Or you may choose to limit
access to WordPress altogether using a special eduPersonEntitlement value.
[Shibboleth]: http://shibboleth.internet2.edu/
= Contribute on GitHub =
This plugin is actively maintained by the community, [using
GitHub](https://github.com/mitcho/shibboleth). Contributions are welcome, via
pull request, [on GitHub](https://github.com/mitcho/shibboleth). Issues can be
submitted [on the issue tracker](https://github.com/mitcho/shibboleth/issues).
== Installation ==
First and foremost, you must have the Shibboleth Service Provider [properly
installed][] and working. If you don't have Shibboleth working yet, I assure
you that you won't get this plugin to work. This plugin expects Shibboleth to
be configured to use "lazy sessions", so ensure that you have Shibboleth
configured with requireSession set to "false". Upon activation, the plugin
will attempt to set the appropriate directives in WordPress's .htaccess file.
If it is unable to do so, you can add this manually:
AuthType shibboleth
Require shibboleth
The option to automatically login the users into WordPress also works when not
using the lazy session options as it will force login into WordPress. In other
words, if the user has an active session and you are requiring authentication
to access this WordPress site and they need to be logged into WordPress, then
they will be logged in without having to use the WordPress login page.
This works very well for sites that use WordPress for internal ticketing and
helpdesk functions where any access to content requires authentication.
Consider the following .htaccess options when used in conjunction with the
automatic login feature
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
OR
Authtype shibboleth
ShibRequestSetting requireSession 1
Require isMemberOf group1 group2
Require sAMAccountName user1 user 2
NOTE: If the plugin is successful in updating your .htaccess file, it will
place the option between a marked block:
BEGIN Shibboleth
END Shibboleth
If you add more options, you may want to consider moving all configuration
options out of this block as they will be cleared out upon deactivation
of the plugin.
= For single-user WordPress =
Upload the `shibboleth` folder to your WordPress plugins folder (probably
`/wp-content/plugins`), and activate it through the WordPress admin panel.
Configure it from the Shibboleth settings page.
= For WordPress MU =
Shibboleth works equally well with WordPress MU using either vhosts or folders
for blogs. Upload the `shibboleth` folder to your `mu-plugins` folder
(probably `/wp-content/mu-plugins`). Move the file `shibboleth-mu.php` from
the `shibboleth` folder up one directory so that it is in `mu-plugins`
alongside the `shibboleth` folder. No need to activate it, just configure it
from the Shibboleth settings page, found under "Site Admin".
[properly installed]: https://spaces.internet2.edu/display/SHIB2/Installation
== Frequently Asked Questions ==
= What is Shibboleth? =
From [the Shibboleth homepage][]:
> The Shibboleth System is a standards based, open source software package for
> web single sign-on across or within organizational boundaries. It allows
> sites to make informed authorization decisions for individual access of
> protected online resources in a privacy-preserving manner.
[the Shibboleth homepage]: http://shibboleth.internet2.edu/
= Can I extend the Shibboleth plugin to provide custom logic? =
Yes, the plugin provides a number of new [actions][] and [filters][] that can
be used to extend the functionality of the plugin. Search `shibboleth.php` for
occurances of the function calls `apply_filters` and `do_action` to find them
all. Then [write a new plugin][] that makes use of the hooks. If your require
additional hooks to allow for extending other parts of the plugin, please
notify the plugin authors via the [support forum][].
Before extending the plugin in this manner, please ensure that it is not
actually more appropriate to add this logic to Shibboleth. It may make more
sense to add a new attribute to your Shibboleth Identity Provider's attribute
store (e.g. LDAP directory), or a new attribute definition to the Identity
Provider's internal attribute resolver or the Shibboleth Service Provider's
internal attribute extractor. In the end, the Shibboleth administrator will
have to make that call as to what is most appropriate.
[actions]: http://codex.wordpress.org/Plugin_API#Actions
[filters]: http://codex.wordpress.org/Plugin_API#Filters
[write a new plugin]: http://codex.wordpress.org/Writing_a_Plugin
[support forum]: http://wordpress.org/tags/shibboleth?forum_id=10#postform
== Screenshots ==
1. Configure login, logout, and password management URLs
2. Specify which Shibboleth headers map to user profile fields
3. Assign users into WordPress roles based on arbitrary data provided by Shibboleth
== Changelog ==
= version 1.7 (2016-03-20) =
- fixed a security vulnerability reported by WordPress security team
- load multisite options correctly; [thanks to jdelsemme for reporting](https://github.com/mitcho/shibboleth/issues/8)
- updated htaccess setting strings; [props dericcrago](https://github.com/mitcho/shibboleth/pull/6)
- fix reauth loop; [props jrchamp](https://github.com/mitcho/shibboleth/pull/5)
- set l10n text domain; [props jrchamp](https://github.com/mitcho/shibboleth/pull/5)
= version 1.6 (2014-04-07) =
- tested for compatibility with recent WordPress versions; now requires WordPress 3.3
- options screen now limited to admins; [props billjojo](https://github.com/mitcho/shibboleth/pull/1)
- new option to auto-login using Shibboleth; [props billjojo](https://github.com/mitcho/shibboleth/pull/1)
- remove workaround for MU `add_site_option`; [props billjojo](https://github.com/mitcho/shibboleth/pull/2)
= version 1.5 (2012-10-01) =
- [Bugfix](http://wordpress.org/support/topic/plugin-shibboleth-loop-wrong-key-checked): check for `Shib_Session_ID` as well as `Shib-Session-ID` out of the box. Props David Smith
= version 1.4 (2010-08-30) =
- tested for compatibility with WordPress 3.0
- new hooks for developers to override the default user role mapping controls
- now applies `sanitize_name()` to the Shibboleth user's `nicename` column
= version 1.3 (2009-10-02) =
- required WordPress version bumped to 2.8
- much cleaner integration with WordPress authentication system
- individual user profile fields can be designated as managed by Shibboleth
- start of support for i18n. If anyone is willing to provide translations, please contact the plugin author
= version 1.2 (2009-04-21) =
- fix bug where shibboleth users couldn't update their profile. (props pchapman on bug report)
- fix bug where local logins were being sent to shibboleth
= version 1.1 (2009-03-16) =
- cleaner integration with WordPress login form (now uses a custom action instead of hijacking the standard login action)
- add option for enterprise password change URL -- shown on user profile page.
- add option for enterprise password reset URL -- Shibboleth users are auto-redirected here if attempt WP password reset.
- add plugin deactivation hook to remove .htaccess rules
- add option to specify Shibboleth header for user nickname
- add filters for all user attributes and user role (allow other plugins to override these values)
- much cleaner interface on user edit admin page
- fix bug with options being overwritten in WordPress MU
= version 1.0 (2009-03-14) =
- now works properly with WordPress MU
- move Shibboleth menu to Site Admin for WordPress MU (props: Chris Bland)
- lots of code cleanup and documentation
= version 0.1 =
- initial public release