Integrating with WordPress
The integration checks whether the visitor already has a WAYF session. If so, we authenticate the visitor as a single shared WordPress user; if not, we redirect to the WAYF login, but only when the visitor has asked to log in.
In functions.php we require a file called login.php. WordPress loads functions.php automatically to execute third-party and theme functions; we split the code into a separate file to keep it legible and easier to maintain. In login.php we hook into the WordPress `wp` action, which runs every time a page is loaded.
```php
// login.php, required from the theme's functions.php.
add_action('wp', function () {
    if (!is_user_logged_in()) {
        // Tell wayf-login.php not to force a WAYF login on a plain page view;
        // it should only check whether a WAYF session already exists.
        global $do_not_redirect;
        $do_not_redirect = true;
        require_once(dirname(__FILE__) . '/wayf-login.php');
    }
});
```
So if the visitor is not logged in to WordPress, we load the wayf-login.php file, which does the actual WAYF check.
Because wayf-login.php must also work when called directly, without WordPress autoloading its classes and libraries, it starts by including two autoload files: one for WordPress and one for simpleSAMLphp.
```php
// wayf-login.php lives in wp-content/themes/<theme>/, so four dirname() calls
// reach the WordPress root, where simplesamlphp/ and wp-load.php are expected.
require_once(dirname(dirname(dirname(dirname(__FILE__)))) . "/simplesamlphp/lib/_autoload.php");
require_once(dirname(dirname(dirname(dirname(__FILE__)))) . "/wp-load.php");
```
After that we can use both WordPress and simpleSAMLphp functions to check for logins.
```php
// Authentication object bound to the 'default-sp' authsource.
$as = new SimpleSAML_Auth_Simple('default-sp');
// Empty array unless the visitor already has a WAYF session.
$attributes = $as->getAttributes();
global $do_not_redirect;
if (!$do_not_redirect) {
    // Redirect to WAYF login; requireAuth() does not return until the user is authenticated.
    $as->requireAuth();
    $attributes = $as->getAttributes();
}
```
Here we create a simpleSAMLphp authentication object that uses the default-sp authsource defined earlier. The global variable do_not_redirect decides whether we send the visitor straight to WAYF. You can remove this check if you always want to send visitors directly to WAYF, but that is quite intrusive.
```php
if (isset($attributes['eduPersonPrincipalName'])) {
    // WP login: every WAYF-authenticated person is mapped onto the shared 'wayfuser' account.
    $user = get_users(array('search' => 'wayfuser'));
    if (is_array($user)) {
        if (count($user) > 1) {
            // FATAL error. more than one user with username wayfuser?
        }
        $user = array_shift($user);
    }
    if (empty($user)) {
        // Without the account there is nothing to log in as; stop instead of failing on $user->ID below.
        wp_die('No WordPress user named wayfuser exists.');
    }
```
Here we are back from WAYF, either after the user just logged in or because they were already logged in elsewhere. We look up the user called wayfuser in the WordPress users table. You can do some fancy error reporting if you find more than one user with the username wayfuser; this should not be possible, though. Take a look at the get_users function documentation in the WordPress Codex.
```php
    wp_set_current_user($user->ID, $user->user_login);
    wp_set_auth_cookie($user->ID);
    do_action('wp_login', $user->user_login, $user);
    // Redirect back. wp_safe_redirect() only follows locations on this site (or allowed hosts),
    // so a forged redirect_to cannot send the visitor to another domain.
    wp_safe_redirect(isset($_POST['redirect_to']) ? $_POST['redirect_to'] : home_url('/'));
    exit;
}
```
Now the user is authenticated and has been given access to this blog with the correct WordPress session cookie. Remember, this is most useful for a closed blog, for example.
As described above, wayf-login.php runs on every page. If we also want to let users log in through a login form on a page, the following code does that.
```php
<form method="post" action="<?php echo esc_url( site_url( 'wp-content/themes/twentytwelve/wayf-login.php', 'login_post' ) ); ?>">
    <?php // esc_attr() keeps a crafted REQUEST_URI from breaking out of the value attribute. ?>
    <input name="redirect_to" type="hidden" value="<?php echo esc_attr( ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ); ?>"/>
    <button class="btn btn-large" type="submit">WAYF Login</button>
</form>
```
This small HTML/PHP snippet renders a button that posts the current page's URL to wayf-login.php as the redirect_to parameter, so the script knows where to send the user back. That's all there is to it.
Logging out means destroying the WAYF session. This is also somewhat intrusive, because it logs the user out of every other service WAYF has logged them in to. Here we modify the wp-login.php file in the blog directory. In line 408, under case 'logout' in the switch on the $http_post variable, we add the following.
```php
require_once(dirname(__FILE__) . "/simplesamlphp/lib/_autoload.php");
$as = new SimpleSAML_Auth_Simple('default-sp');
// Only honour redirect_to when it points back to this site; otherwise fall back to the login page.
$redirect_to = wp_validate_redirect(
    !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '',
    'wp-login.php?loggedout=true'
);
// logout() sends the browser to the WAYF single-logout endpoint and does not return.
$as->logout($redirect_to);
// Kept as a fallback; only reached if logout() ever returns.
wp_safe_redirect( $redirect_to );
exit;
```
This code fetches the WAYF session and uses the simpleSAMLphp library to log the user out.
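Both the login return (the redirect_to posted by the form) and the logout hook send the browser to a URL taken from the request. An added example, not code from the original wiki page, showing the check such a value needs before it is used as a redirect target. The function name wayf_validate_redirect and the home URL blog.example are assumptions; the inputs at the bottom are constructed so the file runs stand-alone with `php wayf-redirect.php`, without WordPress.

```php
<?php
// Added example (not from the original page): pure-PHP validation of a
// user-supplied redirect_to value. $home_url is assumed to be the blog's
// configured home URL.

/**
 * Return $redirect_to if it stays on the site rooted at $home_url,
 * otherwise return $fallback.
 * Accepted: site-relative paths ("/about/") and absolute URLs whose scheme,
 * host and port equal those of $home_url.
 * Rejected: scheme-relative URLs ("//other.example"), other hosts, other
 * schemes (http downgrade, javascript:) and values with control characters.
 */
function wayf_validate_redirect($redirect_to, $home_url, $fallback)
{
    if (!is_string($redirect_to) || $redirect_to === '') {
        return $fallback;
    }
    // CR/LF or other control characters could split the Location header.
    if (preg_match('/[\x00-\x1f\x7f]/', $redirect_to)) {
        return $fallback;
    }
    $home = parse_url($home_url);
    if ($home === false || empty($home['scheme']) || empty($home['host'])) {
        return $fallback; // misconfigured home URL: never trust the input
    }
    // Site-relative path: exactly one leading slash. "//" and "/\" are
    // treated as scheme-relative by browsers and would leave the site.
    if ($redirect_to[0] === '/') {
        if (isset($redirect_to[1]) && ($redirect_to[1] === '/' || $redirect_to[1] === '\\')) {
            return $fallback;
        }
        return rtrim($home_url, '/') . $redirect_to;
    }
    $target = parse_url($redirect_to);
    if ($target === false || empty($target['scheme']) || empty($target['host'])) {
        return $fallback;
    }
    $same_scheme = strcasecmp($target['scheme'], $home['scheme']) === 0;
    $same_host   = strcasecmp($target['host'], $home['host']) === 0;
    $same_port   = (isset($target['port']) ? $target['port'] : null)
                 === (isset($home['port']) ? $home['port'] : null);
    return ($same_scheme && $same_host && $same_port) ? $redirect_to : $fallback;
}

// Constructed inputs for a self-check: input => expected result.
$home  = 'https://blog.example';
$cases = array(
    'https://blog.example/2013/post/' => 'https://blog.example/2013/post/',
    '/wp-admin/'                      => 'https://blog.example/wp-admin/',
    '//other.example/'                => '/',
    'https://other.example/'          => '/',
    'http://blog.example/'            => '/',   // scheme downgrade
    'https://blog.example:8443/'      => '/',   // port mismatch
    "https://blog.example/\r\nX: y"   => '/',   // header injection attempt
    'javascript:alert(1)'             => '/',
    ''                                => '/',
);
foreach ($cases as $input => $expected) {
    $got = wayf_validate_redirect($input, $home, '/');
    printf("%-40s -> %s %s\n", var_export($input, true), $got,
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

Inside WordPress the built-in wp_validate_redirect() and wp_safe_redirect() perform the same host check, so wayf-login.php can rely on them. The check matters most in the logout branch, where simpleSAMLphp's logout() performs the redirect instead of WordPress: pass only a validated URL to `$as->logout()`, for example `$as->logout(wayf_validate_redirect($_REQUEST['redirect_to'], home_url(), wp_login_url() . '?loggedout=true'))`.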