Viewing 9 replies - 1 through 9 (of 9 total)
  • With the code below, you can force all visitors to be redirected to the login page no matter which URL they land on. After they have logged in, they will be able to access the entire site.

    Add the following to your functions file:

    // Send anonymous visitors to the login screen; logged-in users pass through.
    function force_login() {
    	if ( ! is_user_logged_in() ) {
    		auth_redirect(); // Redirects to wp-login.php and exits.
    	}
    }

    And then add the following to the top of your header file above the DOCTYPE tag:
    <?php force_login(); ?>

    Thread Starter David

    (@dritsema)

    byronj, much appreciated!

    I was able to do something similar. The catch is that the SAML 2 plugin needs to handle the assertion from the IdP before the user is logged in. So if you require is_user_logged_in you end up in an infinite loop between your IdP and WordPress. I got around this by whitelisting the “saml-20-single-sign-on” URIs.

    // Let requests for the SAML plugin's own URIs through before the login check.
    if ( strpos( $_SERVER["REQUEST_URI"], "saml-20-single-sign-on" ) !== false ) {
    	return;
    }

    What would be really nice is if this plugin had an option on the General tab under “Enable SAML” to “Protect entire site”.
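As an added example, not code from this thread or from either plugin, the snippet below combines the force_login() idea and the SAML exemption into one template_redirect callback. The function names are mine, and it assumes the SAML plugin's endpoints all live under its own plugin directory.

```php
<?php
// Added example, not code from this thread or from either plugin.
// Assumption: every SAML endpoint sits below the plugin's own directory,
// e.g. /wp-content/plugins/saml-20-single-sign-on/.

function example_saml_exempt_prefixes() {
	// Derive the path prefix from plugins_url() so it follows any
	// WP_CONTENT_URL / WP_PLUGIN_URL customisation on the site.
	return array(
		wp_parse_url( plugins_url( '/saml-20-single-sign-on/' ), PHP_URL_PATH ),
	);
}

function example_is_exempt_request( $request_uri, $exempt_prefixes ) {
	// Compare only the path component. A strpos() over the full REQUEST_URI
	// also matches the query string, so any URL carrying the plugin slug as
	// a parameter would skip the login wall.
	$path = wp_parse_url( $request_uri, PHP_URL_PATH );
	if ( ! is_string( $path ) ) {
		return false;
	}
	foreach ( $exempt_prefixes as $prefix ) {
		if ( is_string( $prefix ) && $prefix !== '' && strpos( $path, $prefix ) === 0 ) {
			return true;
		}
	}
	return false;
}

function example_force_login() {
	if ( is_user_logged_in() ) {
		return;
	}
	// The IdP response must reach the SAML plugin before the user is logged
	// in; without this exemption the site redirects to the IdP, the IdP posts
	// back, and the cycle repeats.
	$uri = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '/';
	if ( example_is_exempt_request( $uri, example_saml_exempt_prefixes() ) ) {
		return;
	}
	auth_redirect(); // Sends the visitor into the login flow and exits.
}

// template_redirect fires before any front-end template is output, so the
// check covers every public page; wp-login.php and wp-admin never reach it.
add_action( 'template_redirect', 'example_force_login' );
```

Because this runs as a hook from the functions file, the header file needs no separate force_login() call.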

    Hey fellas,

    Nice catch and thanks for taking the time to put this up. Just to be clear, when you say “white list”, are you intimating that I drop

    // Let requests for the SAML plugin's own URIs through before the login check.
    if ( strpos( $_SERVER["REQUEST_URI"], "saml-20-single-sign-on" ) !== false ) {
    	return;
    }

    in the header file above the <?php force_login(); ?> entry?

    Just feeling my way around what is possible here.
    Thanks!

    Thread Starter David

    (@dritsema)

    Hi @pacman_d, let me clarify what we ended up doing.

    The SAML 2.0 plugin does not support restricting the entire site, only wp-admin. To restrict the site, we used another plugin, Restricted Site Access. This plugin, however, needed to be modified to allow (or whitelist) the SAML 2.0 URLs without being authenticated. The SAML plugin handles logins, so you obviously need to hit this before being authenticated, otherwise you just get bounced back and forth.

    I added those 2 plugins to github if you want to take a look at our configuration. I wish this was around when I started and hope it saves you a bunch of time!

    https://github.com/dritsema/wordpress

    Hey David,

    You know I was beginning to think that I was missing something with this one.

    Really appreciate you taking the time to share your findings! What you say now makes it all fall in line with what I was struggling with.

    I will check out what you have put together, re-work what I have and report back.

    Thanks again! REALLY Appreciate this!

    Hey David,

    I was able to successfully integrate our WP site with our STS solution.

    You are a lifesaver man.
    Works great!

    THANK YOU!!

    Thread Starter David

    (@dritsema)

    No problem @pacman_d, happy to help! If this solution worked for you, it would be great if you could star it in GitHub. I’ll try to keep up to date with other enhancements going forward.

    This solution helped me tremendously. I’ve starred your repository… many thanks!

    Thread Starter David

    (@dritsema)

    My pleasure @itruemper, glad to hear it helped!

  • The topic ‘Protect entire website (not just wp-admin)’ is closed to new replies.