When attempting to activate the plug-in, a fatal error occurs. Function return type-hinting is not supported in PHP 5.6.
Plugin could not be activated because it triggered a fatal error.
Parse error: syntax error, unexpected ‘:’, expecting ‘;’ or ‘{‘ in wp-content/plugins/miniorange-saml-20-single-sign-on/login.php on line 376

Hi there, I’m trying to understand if this plugin would work for an academic journal site, and how should that be set up.
Basically the journal needs to give login access to institutions and libraries so that their staff and students can login. Currently institutions provide us their IP address, and when we allow access to their IPs for University accounts on our wordpress site, their users are able to login on our site by logging in into their website, so I guess they have a Single Sign system installed on their end (like maybe Shibboleth, Unity, OpenAthens, etc), but I’m not sure exactly what they use (maybe they have different ones)? The downside of this is that IP addresses change and are not great to manage, also not all libraries and institutions are able to use those systems.
So if we install SSO login plugin on our site, how could we give access to institutional users that have their own SSO (and some who don’t)? Also, can it be used with institutions who do not use SSO?
What details would we need from the institutional subscriber to set up access to our WordPress site for their users? Thanks!

Hi.
I like your plugin. It does work well, but recently I’ve faced issues with Content Security Policy (CSP) implementation with your plugin.
The best practices are to not use ‘unsafe-inline’ and ‘unsafe-eval’ for scripts.
To make a long story short, I coded the functionality of dynamic CSP (it calculates hashes or adds a nonce for inline and external scripts). Details are not so important, but I use standard WP functions and filters for scripts: wp_add_inline_script(), wp_print_inline_script_tag(), wp_localize_script(), etc. It allows me to add the CSP nonce to them or calculate hashes for them. Everything works well, but…
Your plugin outputs inline script with an inline handler in an inappropriate way without using any WP functions or filters (‘wp_inline_script_attributes’, ‘wp_script_attributes’). At least in the mo_saml_add_sso_button(). It makes it impossible to implement CSP for your scripts and forces me to make dirty tricks to fix it. It’s really sad.
I urge you to support CSP and output JS scripts with WP functions/filters only (and don’t use inline handlers like onclick, etc.).
Thanks.

Hello, we wanted to share/ask if this plugin can access our actual requirements.
We have 8 websites, from the same group and they actually have different WordPress users created.
This group also uses Azure, and we would like to manage all websites access using Azure SSO.
We also wanted to give different access to the WordPress sites (admin, editor) but manage all from Azure, is this possible?
What happens to our actual users in WordPress and the content they’ve created? Are they mapped to the Azure users in some way?
One last question, is there a feature to turn off any login if the user is not authorized from the Azure portal? And if we delete a user from Azure, we need to be sure that user can never login to any of the websites.
Thank you.

it started to be like that a month ago..
tnx

Hello!!
I have a setup where my main website is powered by WordPress, and I have a XenForo forum on a subdomain. I’m interested in implementing Single Sign-On (SSO) between the two platforms.
Is it possible to share WordPress login details with the XenForo forum using this plugin? Or could I do the opposite and allow users to log in to WordPress using their XenForo credentials? Any guidance or tips on how to achieve this would be greatly appreciated!
Thank you!

Fatal error: require_once(): Failed opening required ‘/home/tantricastro/public_html/wp-config.php’ (include_path=’.:/opt/cpanel/ea-php74/root/usr/share/pear’) in /home/tantricastro/public_html/wp-load.php on line 50
Above is the error message.
I tried to deactivate the miniorange SSO plugin
got a windows asking for reason and click on skip after this my site is no longer loading to the admin panel

Hi,
1 – Does it support simultaneous login with another WordPress site (2 sites with WordPress)?
2 – The login can be directed exclusively to one product. For example, the external site sells several courses, but I am only interested in selling one on my site. I want the user to have exclusive access to the chosen course when choosing this course on my site.
thanks

This email was sent from Wordfence plugin to our account:
Critical Problems:
We are currently using version 25.2.0 on this site. Can you please confirm if this is malicious code and a security threat or if these are false positive from the Wordfence scan.

Hello, I’ve been setting up this plugin for one of my clients and we have followed the article on how to setup on Office365. But when we try to login we get the following message.
Application with identifier ‘/wp-content/plugins/miniorange-saml-20-single-sign-on/’ was not found in the directory. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
We suspect we’ve missed a step as the documentation seems to be for an older version of Azure, are you able to help point us in the right direction so we can get the plugin installed?

Hello,
I configured simplesamlphp as a SP to connect to our saml2 Idp.
I would just like to use the plugin to enable users belonging to our organization to view the wordpress website (just viewing, the majority does not have to publish) and leave the local (traditional) authentication for editors and admins, it does not need to go through sso. Is it possible with this plugin? And how?
Thank you

A number of miniOrange plugins have recently been found to be vulnerable, as outlined under CVE-2024-2172.
The SSO plugin isn’t included (yet!) but I am rather concerned.
Can we get some clarification and confirmation on whether the SSO plugin is impacted by CVE-2024-2172 or not?
I’m facing a critical issue with my multisite WordPress setup.
My site employs Miniorange for SAML SSO integration with OKTA. Recently, excessive binlog creation filled up the drive space, leading to the app going down (This binlog is used to copy the data over to a replica database)
Looking at the db logs , I can see there are repetitive requests to update mo_saml_session_index and mo_saml_request, which might be the reason why binlogs are getting full.
Miniorange helpdesk suspects wordpress blocking miniorange from setting wordpress_logged_in cookie, is causing SAML requests to loop endlessly.
But the issue started happening all of a sudden.
How and where can I whitelist the Miniorange SSO plugin to use wp_set_auth_cookie in a self-hosted environment? (Wp site is hosted on 3 linux server, we are using nginx. Database is stored across two other separate dbs)
Any insights on preventing SAML requests from going into loops?
The wordpress site is customized, I cannot directly modify (install or update plugins) Will have to do that by deployment.

When I try to login with this plugin, I get this error:
PHP Fatal error: Uncaught ArgumentCountError: 4 arguments are required, 1 given in /nas/content/live/uddd3e/wp-content/plugins/miniorange-saml-20-single-sign-on/class-mo-saml-utilities.php:423\nStack trace:\n#0
What could be this issue?
Rather simple question. I am setting up SSO with Mini Orange plugin. I am using AD integration at the moment. Do I have to disable AD integration first. Or can they both work while I test SSO?

Please check the links: https://www.ads-software.com/support/topic/woocommerce-rest-api-error-6. I have trouble using WooCommerce REST API as discussed in the other thread. Any help is much appreciated.

I configured the SSO in Freshdesk and I’m using your plugin as IDP. I built a page with 2 buttons. One for this Freshdesk page: https://deerdesignerdevops.freshdesk.com/support/tickets
and other for this page: https://deerdesignerdevops.freshdesk.com/support/tickets/new
But when the users that are already logged in my wordpress site and try to access those urls they are redirected to the freshdesk login page to authenticate again (https://deerdesignerdevops.freshdesk.com/support/login). Is there a way to skip this page and redirect the user right into those pages above, already authenticated?

Trying to login to an Azure Appservice WordPress site with SSO
I get below error although config seems ok
Error 403
We’re sorry, but we could not fulfill your request for / on this server.
You do not have permission to access this server. Data may not be posted from offsite forms.
Your technical support key is: a9fe-8207-cd36-1abb
You can use this key to fix this problem yourself.
If you are unable to fix the problem yourself, please contact webmaster at ctcautoleasing.com and be sure to provide the technical support key shown above.

Hi,
We have dead link checker set up and we are getting the below issue with images missing for the miniorange plugin:
Anchor text: .ui-widget-header
/wp-content/plugins/miniorange-saml-20-single-sign-on/includes/css/images/ui-bg_glass_75_e6e6e6_1x400.png
Anchor text: .ui-state-default, .ui-widget-content .ui-state-default, .ui-widget-header .ui-state-default
/wp-content/plugins/miniorange-saml-20-single-sign-on/includes/css/images/ui-bg_glass_75_dadada_1x400.png
Anchor text: .ui-state-hover, .ui-widget-content .ui-state-hover, .ui-widget-header .ui-state-hover, .ui-state-focus, .ui-widget-content .ui-state-focus, .ui-widget-header .ui-state-focus
/wp-content/plugins/miniorange-saml-20-single-sign-on/includes/css/images/ui-bg_glass_65_ffffff_1x400.png
Anchor text: .ui-state-active, .ui-widget-content .ui-state-active, .ui-widget-header .ui-state-active
/wp-content/plugins/miniorange-saml-20-single-sign-on/includes/css/images/ui-bg_glass_55_fbf9ee_1x400.png
Anchor text: .ui-state-highlight, .ui-widget-content .ui-state-highlight, .ui-widget-header .ui-state-highlight
/wp-content/plugins/miniorange-saml-20-single-sign-on/includes/css/images/ui-bg_glass_95_fef1ec_1x400.png
Anchor text: .ui-state-error, .ui-widget-content .ui-state-error, .ui-widget-header .ui-state-error
/wp-content/plugins/miniorange-saml-20-single-sign-on/includes/css/images/ui-bg_flat_0_aaaaaa_40x100.png
Anchor text: .ui-widget-overlay
Can you please let me know why these images are missing or how to solve this issue. I was thinking to use robots.txt file to disallow indexing for these URLs then I thought I will check with you first.
Note: The plugin is up to date.
Thank you so much for your help

We are using SSO to administer our pages and create users. If the Author of a page has left our organisation, the Author field appears to be hidden in Edit mode. So I am unable to assign a new Author to the page.

A client with a membership site has one large customer who wants to use SAML SSO to centrally manage their own employees’ memberships. That would be overkill for most of the other customers.
Is SSO optional with this plugin or would it be required for all customers on the site?
Thanks!
When editing a new post with Elementor, the Elementor page won’t load (blank page). After disabling miniorange-saml-20-single-sign-on plugin, editing the new post with Elementor works as expected.
There is a conflict between these two plugins.
In the console, the error is:
Uncaught TypeError: Cannot convert undefined or null to object
at Function.entries (<anonymous>)
at loopBuilderModule.createDocumentSaveHandles (editor.min.js?ver=3.12.3:2:63893)
Thank you!

Hi,
I’m using the free version of miniOrange SSO using SAML 2.0 on WordPress 6.1.1.
After configuring the plugin with the IDP data and after uploading the xml with SP metadata on the IDP, I’m trying to test the authentication.
IDP and SP talk to each other but the login doesn’t work because the NameID isn’t associated with a right value.
The message I have, testing the login, is:
Warning: The NameID value is longer than 60 characters. User will not be created during SSO.
Warning: The NameID value is not a valid Email ID
I’d like to assign the email address of the user to the NameID address, I know the attribute name on the IDP side (urn:oid:….), but how can I associate this urn:oid to the NameId?
Is it possible with the free version of the plugin?
Thank you very much
claudio

error on expiry, error came site down, no way to update the key, support doesn’t help, even after purchasing the enterprise plan, I can’t use the plugin

This plugin is regularly injected with malware on our website. It seems to happen about once a month. Most recently, it was version 12.1, and the following files were infected:
Assertion.php
LogoutRequest.php
MetadataReader.php
Response.php
Utilities.php
includes/lib/mo-options-enum.php
login.php
mo_login_saml_sso_widget.php
mo_saml_settings_page.php
This is happening on a very regular basis, and it is only happening with this plugin.

Hi,
I already asked the following question here
I merged those two questions here:
I like to create subdomain or sub-directory (whichever has the property I will explain) in my WordPress site. The property I like to have is that, I could connect profile of users such that register in one of them they could also have access to their profile in other. Let me explain a little bit more.
Assume you have a website “example.com” and you have WooCommerce (for instance) installed on it. A customer registers on this site and creates his/her profile.
Now I want to have a section such as “support” (support.example.com or example.com/support), with related menus and contents which are different from original site.
In this section (subdomain or sub-directory), I need to not bother the customer to register again from the beginning. I like the customer can access his profile inside the “support” section.
Now my question is that
1-Is it possible to have such property which I explained above?
2-If it is possible, which one is more correct, via subdomain or sub-directory?
3-Is there a better way than subdomain or sub-directory?
In SSO plugin you mentioned, one web site should be the main IdP and the others like a SP.
I need that if someone registered in one of them, then he also can login to other, plus if he/she is inside the same browser then he/she does not need to be asked to enter those login information again in both direction, I mean if he/she register inside subdomain (sub-directory) then he/she can go to his profile in the main site and vice versa.
Is it possible to do this with SSO plugin?
Thanks.

Here are the malware detected in the plugin: https://gyazo.com/d6341412fd4c61e64d3faa4cfed8ecea
Please can the plugin be tested with the latest update of WP with all vulnerabilities resolved.
Thanks!

Greetings…
Is there a solution that will allow us to sync our Home Assistant directory with one of the directories listed here that you support?
Once I find a way to sync user directory of home assistant with one of the platforms that you support then I can utilize SSO using your plugin.
Thanks in advance.
Rob

Hi,
A wordfence scan has come back and there are 7 files within the plugin that appear to be malicious or unsafe.
Example:
File appears to be malicious or unsafe: wp-content/uploads/backup/miniorange-oauth-oidc-single-sign-on-backup-28.4.2/includes/lib/mo-options-enum.php
Type: File
File Type: Not a core, theme, or plugin file from www.ads-software.com.
Details: This file contains an obfuscated include statement that is usually associated with a deeper infection. We suggest getting your site professionally cleaned by the experts at Wordfence.
The matched text in this file is: include “\x4d\x6f\117
There are also two files that have end with .suspected that have been flagged from the scan.
File appears to be malicious or unsafe: wp-content/uploads/backup/miniorange-oauth-oidc-single-sign-on-backup-28.4.2/classes/Premium/GrantTypes/Utils/RSAUtils/Math/BigInteger.php.suspected
Type: File
File appears to be malicious or unsafe: wp-content/uploads/backup/miniorange-oauth-oidc-single-sign-on-backup-28.4.2/classes/Premium/GrantTypes/Utils/RSAUtils/RSA.php.suspected
Type: File
The details on these two files are here:
Details: This file contains an obfuscated include statement that is usually associated with a deeper infection. We suggest getting your site professionally cleaned by the experts at Wordfence.
The matched text in this file is: include_once “\x52\x61\156
The issue type is: Backdoor:PHP/ObfuscatedInclude.6067
Description: PHP include() statement with an obfuscated filepath.
We are currently using version 28.4.5 on this site. Can you please confirm if this is malicious code and a security threat or if these are false positive from the Wordfence scan.

After installing v4.9.21, I find that the RelayState URL parameter is being truncated when using the plugin. The first letter of my URL after the protocol is missing (ex: https://example.org becomes https://xample.org). As a result, I get redirected to a URL that doesn’t exist after authenticating.
I find if I manually roll back to v4.9.20, everything works as expected with the same configuration settings.
Unfortunately I can’t provide a public link for the sites where I am experiencing this issue. I’m using the free version of the plugin. I have my “Recipient URL” and “Destination URL” set to the same value on the Service Provider Metadata tab (though I’m not certain if either of these are used for the RelayState parameter, I’m just guessing).