• My diff to make a single sign-on (SSO):
    – works on Windows with $_SERVER['REMOTE_USER'] = 'domain\username'
    – fixed $wpdb->escape() deprecated notice
    – fixed mcrypt_decrypt() password decryption
    – do not show admin bar for new users

    673c673
    <
    ---
    > 		 if (empty($_SERVER['REMOTE_USER'])) {
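    Review bot: the new `if (empty($_SERVER['REMOTE_USER'])) {` makes any non-empty REMOTE_USER skip the password path entirely, so it is only safe when the web server sets REMOTE_USER exclusively after its own Kerberos/NTLM authentication and never from a client-supplied header; checking `$_SERVER['AUTH_TYPE']` here as well, as the NTLM mod mentioned later in the thread does, would make that assumption explicit. Note also that the closing brace for this `if` only arrives with the `} else {` of the 788 hunk, so the two hunks must be applied together.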
    788c788,824
    <
    ---
    > 	} else {
    > 			// SSO
    > 			$username = strtolower ( $_SERVER ['REMOTE_USER'] );
    > 			if (strpos ( $username, '@' ) !== FALSE) {
    > 				$account_suffix = substr ( $username, strpos ( $username, '@' ) );
    > 				$username = substr ( $username, 0, strpos ( $username, '@' ) );
    > 			} elseif (strpos ( $username, '\\\\' ) !== FALSE) {
    > 				list ( $account_suffix, $username ) = explode ( '\\\\', $_SERVER ['REMOTE_USER'] );
    > 				$account_suffix = '@' . $account_suffix;
    > 			}
    > 			$password = wp_generate_password ();
    > 			$this->_auto_update_password = false;
    >
    > 			// Log informations
    > 			$this->_log ( ADI_LOG_NOTICE, 'SSO username: ' . $username );
    > 			$this->_log ( ADI_LOG_INFO, "Options for adLDAP connection:\n" . "- account_suffix: $this->_account_suffix\n" . "- base_dn: $this->_base_dn\n" . "- domain_controllers: $this->_domain_controllers\n" . "- ad_port: $this->_port\n" . "- use_tls: " . ( int ) $this->_use_tls . "\n" . "- network timeout: " . $this->_network_timeout . "\n" . "- AD user: " . $this->_syncback_global_user );
    >
    > 			// Connect to Active Directory
    > 			try {
    > 				$this->_adldap = @new adLDAP ( array (
    > 						"account_suffix" => $this->_account_suffix,
    > 						"base_dn" => $this->_base_dn,
    > 						"domain_controllers" => explode ( ';', $this->_domain_controllers ),
    > 						"ad_port" => $this->_port, // AD port
    > 						"use_tls" => $this->_use_tls, // secure?
    > 						"network_timeout" => $this->_network_timeout, // network timeout
    > 				        "ad_username" => $this->_syncback_global_user, // Use syncback user
    > 				        "ad_password" => $this->_decrypt($this->_syncback_global_pwd) // Use syncback user
    > 				 ));
    > 			} catch ( Exception $e ) {
    > 				$this->_log ( ADI_LOG_ERROR, 'adLDAP exception: ' . $e->getMessage () );
    > 				return false;
    > 			}
    >
    > 			$this->_authenticated = true;
    > 		}
    > 		// end SSO
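    Review bot: the `domain\user` branch never matches as posted: in a PHP single-quoted string `'\\\\'` is two backslash characters, so `strpos ( $username, '\\\\' )` and `explode ( '\\\\', ... )` look for `\\` while REMOTE_USER carries a single backslash (`domain\username`, as the post itself says); both should use `'\\'`. Two smaller points: `explode` splits the raw `$_SERVER ['REMOTE_USER']` rather than the lowercased `$username`, and the computed `$account_suffix` is never used, because the adLDAP connection is built from `$this->_account_suffix` with the syncback service account; so nothing in this branch confirms that the REMOTE_USER account exists in AD before `$this->_authenticated = true` is set, and a lookup of `$username` after the bind would close that gap. The `@` on `new adLDAP` also hides warnings that the catch block would otherwise not see.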
    2390c2426
    < 		$sql = "INSERT INTO $table_name (user_login, failed_login_time) VALUES ('" . $wpdb->escape($username)."'," . time() . ")";
    ---
    > 		$sql = "INSERT INTO $table_name (user_login, failed_login_time) VALUES ('" . esc_sql($username)."'," . time() . ")";
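    Review bot: `esc_sql()` is the correct replacement for the deprecated `$wpdb->escape()`, but the statement is still assembled by concatenation; `$wpdb->prepare( "INSERT INTO $table_name (user_login, failed_login_time) VALUES (%s, %d)", $username, time() )` quotes the login and casts the timestamp in one place, which is what WordPress recommends for these queries.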
    2408c2444
    < 		$sql = "SELECT count(*) AS count from $table_name WHERE user_login = '".$wpdb->escape($username)."' AND failed_login_time >= $time";
    ---
    > 		$sql = "SELECT count(*) AS count from $table_name WHERE user_login = '".esc_sql($username)."' AND failed_login_time >= $time";
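    Review bot: `$time` is interpolated into the WHERE clause without escaping or an integer cast, while only `$username` goes through `esc_sql()`; as with the INSERT above, `$wpdb->prepare( "... WHERE user_login = %s AND failed_login_time >= %d", $username, $time )` covers both values.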
    2429c2465
    < 			$sql .= " OR user_login = '".$wpdb->escape($username)."'";
    ---
    > 			$sql .= " OR user_login = '".esc_sql($username)."'";
    2447c2483
    < 		$sql = "SELECT max(failed_login_time) FROM $table_name WHERE user_login = '".$wpdb->escape($username)."'";
    ---
    > 		$sql = "SELECT max(failed_login_time) FROM $table_name WHERE user_login = '".esc_sql($username)."'";
    2573a2610,2611
    > 			update_user_meta($user_id, 'show_admin_bar_front', 'false'); // Do not show admin bar
    >
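    Review bot: storing the string `'false'` is what WordPress's admin-bar preference check compares against, so the meta itself works; but the hunk applies it unconditionally to every user the plugin creates with no way to switch it off, so consider gating it on a plugin option rather than hard-coding it.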
    3174c3212
    < 		    $text = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $encrypted_text, MCRYPT_MODE_ECB, $iv);
    ---
    > 		    $text = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $encrypted_text, MCRYPT_MODE_ECB, $iv), "");
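    Review bot: `rtrim(..., "")` with an empty character mask strips nothing, so as posted this line behaves exactly like the original; if the intent is to remove the zero-byte padding mcrypt adds, the mask must be `"\0"` (the null character was probably lost when pasting into the forum). Separately, the call uses MCRYPT_MODE_ECB, which ignores the `$iv` passed here and exposes repeated plaintext blocks, and mcrypt itself is deprecated in PHP 7.1 and removed from core in 7.2, so openssl_decrypt() with an authenticated mode is the longer-term replacement for this stored password.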

    To make an automatic single sign-on, add this to the theme file:

    function d25_after_setup_theme() {
    	// Single Sign On: only when the web server has authenticated the request
    	if ( ! is_user_logged_in() && ! empty( $_SERVER['REMOTE_USER'] ) ) {
    		$user = wp_signon(); // authorization in active-directory-integration
    		// wp_signon() returns WP_User on success or WP_Error on failure;
    		// a WP_Error object is truthy, so test it with is_wp_error()
    		if ( ! is_wp_error( $user ) ) {
    			wp_set_current_user( $user->ID, $user->user_login );
    		}
    	}
    }
    add_action( 'after_setup_theme', 'd25_after_setup_theme' );

    https://www.ads-software.com/plugins/active-directory-integration/

Viewing 4 replies - 16 through 19 (of 19 total)
  • Well, I did not have this variable, but I have removed the
    if ($this->auto_login), which should do the same.
    Now I have an interesting effect:
    I get entered [email protected],
    but I need to log in as [email protected] (username in camel case does not work as well)— at least this works with my AD password.
    The REMOTE_USER and PHP_AUTH_USER is [email protected]
    (we have for user John Doe the login name JDoe).

    This confuses me a lot.

    One random finding: when I refresh the login site, I get blocked after some time,
    so at least it tries to log in.

    I found a much easier solution

    I took the HTTP Authentication plugin and changed these lines:

    if (! empty($_SERVER[$server_key])) {
    	$username = $_SERVER[$server_key];
    }

    to

    if (! empty($_SERVER[$server_key])) {
    	// keep only the part before '@' (user@REALM as set by Kerberos)
    	$userparts = explode('@', $_SERVER[$server_key]);
    	$username  = $userparts[0];
    }

    And I added the Force User Login plugin.
    I still use the AD plugin to import the users and get information like first name.
    Since my Apache is already doing Kerberos authentication, this is a good solution for me.

    Hi themad,

    I’ve put together a mod for SSO using NTLM. But it is probably no problem to switch to Kerberos. I think you have only to change two lines in the mod (lines 711 and 1016).

    Exchange the value of strtoupper($_SERVER['AUTH_TYPE']) == 'NTLM' with the string Kerberos uses.

    If this works, I would appreciate it if you could add the Kerberos string to my post so others can use it, too.
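    The REMOTE_USER parsing from the first post, the `explode('@', ...)` change to the HTTP Authentication plugin, and the AUTH_TYPE check mentioned in the last reply, combined into one added example that is not code from the plugin or from any poster in this thread; the accepted AUTH_TYPE strings and the sample requests are assumptions, to be matched to what your web server actually sets:

```php
<?php
// Added example, not code from the plugin or from any post in this thread:
// turn the identity that the web server's auth module placed in REMOTE_USER
// into a bare user name plus account suffix, accepting both forms seen in
// the thread ("domain\user" and "user@domain"), and trust REMOTE_USER only
// when AUTH_TYPE says a Kerberos/NTLM handshake produced it.
// Assumption: the accepted AUTH_TYPE strings and all sample data below are
// constructed; match them to what your server actually sets.

const SSO_TRUSTED_AUTH_TYPES = array('NEGOTIATE', 'KERBEROS', 'NTLM');

// Returns array('username' => ..., 'suffix' => ...) or null without an identity.
function sso_identity(array $server) {
    if (empty($server['REMOTE_USER']) || empty($server['AUTH_TYPE'])) {
        return null; // nothing was authenticated by the web server
    }
    if (!in_array(strtoupper($server['AUTH_TYPE']), SSO_TRUSTED_AUTH_TYPES, true)) {
        return null; // Basic auth or an unexpected type: not SSO
    }
    $name   = strtolower($server['REMOTE_USER']);
    $suffix = '';
    if (($at = strpos($name, '@')) !== false) {
        // user@domain form: keep the '@' with the suffix, as the plugin does
        $suffix = substr($name, $at);
        $name   = substr($name, 0, $at);
    } elseif (($bs = strpos($name, '\\')) !== false) {
        // domain\user form: one backslash, written '\\' in a single-quoted
        // PHP string ('\\\\' would look for two and never match)
        $suffix = '@' . substr($name, 0, $bs);
        $name   = substr($name, $bs + 1);
    }
    // Conservative character set before the value becomes a WordPress login
    if ($name === '' || !preg_match('/^[a-z0-9._-]+$/', $name)) {
        return null;
    }
    return array('username' => $name, 'suffix' => $suffix);
}

// Constructed sample requests covering the cases discussed above
$samples = array(
    array('AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'EXAMPLE\\JDoe'),
    array('AUTH_TYPE' => 'NTLM',      'REMOTE_USER' => 'JDoe@example.test'),
    array('AUTH_TYPE' => 'Basic',     'REMOTE_USER' => 'jdoe'),
    array('REMOTE_USER' => 'jdoe'),   // header present, no AUTH_TYPE
);
foreach ($samples as $s) {
    var_export(sso_identity($s));
    echo "\n";
}
```

    The first two samples yield username `jdoe` with suffixes `@example` and `@example.test`; the last two return null, which is the point at which the theme hook above should simply not call wp_signon().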
