| 开发者 | idgold |
|---|---|
| 更新时间 | 2026年7月14日 05:01 |
| 捐献地址: | 去捐款 |
| PHP版本: | 8.1 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
wp-config.php or a pre-set bypass key.?idp=slug link.[oasso_restrict] shortcode, and category/tag-level rules. The same protection also covers the REST API, feeds, and oEmbed, so restricted content doesn't leak through a side door.wp-config.php or a pre-set bypass key), so a misconfiguration doesn't leave you stranded./wp-content/plugins/open-access-sso/.Yes — completely. There is no premium tier, no license key, and nothing to unlock. Every feature you read about ships in the GPLv2-or-later codebase: role mapping, multi-IdP, access control, the audit log, WooCommerce integration, all of it. The full source is on Codeberg, so you can see exactly what you're installing.
Almost certainly. Open Access SSO speaks standard SAML 2.0, so it works with any standards-compliant identity provider — Microsoft Entra ID (Azure AD), Okta, OneLogin, Keycloak, ADFS, Shibboleth, and NetIQ Access Manager (now OpenText), among others. There's no built-in or default IdP; you bring your own, and you point the plugin at it. The identity-provider setup guide (see Documentation) walks through the common providers step by step.
No. Setup is point-and-click in the WordPress admin. You add your identity provider one of three easy ways — upload its metadata XML file, paste a metadata URL, or type the details in by hand — then copy the SP metadata the plugin generates and register your site with your IdP. No code required for normal use. (If you are a developer, there's a documented, stable hook API waiting for you.)
Yes, and no tracking whatsoever. The plugin has no telemetry, no analytics, no "phone home," and no external CDN. The only time it ever reaches out to the network is when you ask it to fetch your IdP's metadata from a URL — plus an optional, off-by-default certificate-rotation check that re-fetches that same address you entered. It never contacts the plugin author or any third party, and every setting stays in your own site's database. Sign-ins are validated end to end before anyone is let in, and your SP private keys are encrypted at rest. For the full details, see the security & hardening guide in Documentation.
You have a built-in emergency way back in. You can either add define( 'OASSO_BYPASS', true ); to wp-config.php to switch off forced SSO entirely, or set a Bypass Secret Key on the dashboard ahead of time and visit /wp-admin/?oasso_bypass_key=YOUR_KEY to get back in without touching any files. The key route is rate-limited per IP address to frustrate brute-force guessing. The troubleshooting guide (see Documentation) covers recovery in detail.
Yes. Configure as many IdPs as you need under Tools → Open Access SSO → Identity Providers. Your users pick the right one with a button on the login page or via a simple ?idp=slug link.
Yes — that's one of the headline features. Map WordPress roles from the groups or attributes your IdP sends, using exact, contains, or regex matching, with per-IdP rule sets, a default-role fallback, and an option to deny anyone who doesn't match a rule. For safety, SSO won't grant admin-level roles unless you explicitly turn that on, and existing administrator accounts are never auto-linked to an SSO login.
Yes, out of the box — including the modern encryption that some providers (such as NetIQ Access Manager) turn on by default and that stock PHP can't unwrap on its own. The plugin bundles a small MIT-licensed library to handle exactly that, so encrypted sign-in just works where a plain PHP setup would fall short. Encrypted user identifiers are supported too.
Yes. NetIQ Access Manager (now part of OpenText) is a standard SAML 2.0 identity provider and is fully supported, including its default encrypted assertions. One clarification: NetIQ Identity Manager (sometimes called "IDM") is a separate user-provisioning product, not a SAML IdP — it's Access Manager that acts as the identity provider here.
Yes. The plugin tracks each IdP's signing-certificate expiry and can warn you before it changes, detecting rotation on a daily or weekly check with your choice of manual, auto-trust, grace-period, or require-approval handling — and you can pin a specific certificate if you want strict change control. A searchable, database-backed audit log records who signed in and when, with CSV export and a retention period you set.
When a page with attached media is restricted, the plugin physically moves those files out of the public uploads folder into a private directory (uploads/oasso-private/) with an unguessable name, and serves them through an access-checked gateway URL. Direct links to the old file location stop working for everyone — that is the point. Unprotecting the page (or uninstalling the plugin) moves the files back. Files uploaded before version 2.4.0 are moved only when you click "Relocate existing protected media" under Access Control. After relocating, purge your page cache/CDN. If you deactivate the plugin, relocated files are unreachable (but not exposed) until you reactivate or restore them first.
No. Open Access SSO is an independent open-source project. It is not affiliated with, and is not a continuation of, Sun Microsystems' or Oracle's discontinued "OpenSSO" product — the similar name is coincidental.
If-None-Match / If-Modified-Since) so browsers and caches skip re-downloading unchanged files..htaccess-based protection of the legacy public path does not apply.oasso_media_relocated and oasso_media_restored hooks fire when a file moves into or out of the private directory; both are recorded in the audit log.disable_functions is undefined and calling it is fatal — on one such host this crashed the page save ("There has been a critical error on this website") the moment a restriction change triggered media relocation. All relocation, restore, health-check, and uninstall paths now run inside fail-safe boundaries: a server error can no longer break the page save (or the uninstall), it is recorded in the plugin debug log with the exact cause even when Debug Mode is off, and a persistent, dismissible admin notice names the affected file with retry instructions. The disk-space preflight and the regex rule matchers (role mapping, login redirects) also detect disabled disk_free_space/ini_set and degrade gracefully instead of crashing the save or the SSO login.oasso_cert_rotation_blocked and oasso_cert_pin_changed hooks).wp_validate_redirect(), so a crafted Referer header can no longer place an external redirect target into the SAML RelayState (CWE-601).OASSO_BYPASS wp-config constant or the bypass secret key), and sign-in is never enforced while no Identity Provider is enabled, so a misconfiguration cannot lock you out.?oasso_error= value can no longer suppress the Force-SSO redirect or render chosen text on the login page.wp-sitemap.xml) for visitors who are not allowed to see them (CWE-200).oasso-protected/ and oasso-file/ delivery routes (CWE-276).wp_capabilities, wp_user_level, session_tokens, and their multisite variants), even if such a mapping is configured — refused at both the settings save and the login write.oasso_max_saml_message_bytes.allow_legacy_decryption_algorithms setting (off by default), and any such acceptance is audit-logged.Conditions or bearer SubjectConfirmationData NotOnOrAfter); one with none is rejected (CWE-613). The new "Require assertion expiry" Service Provider setting (on by default) lets you relax this for a non-conforming IdP.=, +, -, @, tab or carriage return, plus their full-width Unicode variants) in IdP-controlled fields, preventing CSV / formula injection when an exported log is opened in a spreadsheet (CWE-1236).StatusCode and StatusMessage for clearer diagnostics, and the SP metadata advertises the supported assertion-encryption algorithms (RSA-OAEP key transport, AES-GCM/CBC data) for IdPs that consume them.manage_options or edit_users) unless you explicitly enable the new "Allow Administrator-Level Roles via SSO" setting in General Settings (off by default). This prevents a role-mapping rule from silently elevating an auto-provisioned SSO user to a role that can take over the site. Users who would have received such a role get the default role instead. If you deliberately map an IdP identity or group to an administrator-level role, enable this setting; the configuration importer enables it automatically when an imported config already maps to such a role.edit_term meta capability, instead of a hardcoded manage_categories. Custom taxonomies that use their own capabilities now save restriction settings correctly.Issuer is now required and must match the configured IdP, and assertions must carry an AudienceRestriction naming this Service Provider. A new "Require audience restriction" Service Provider setting (on by default) lets you relax the audience check for an IdP that legitimately omits it.?ossa=acs / ?ossa=slo URLs; it now shows the correct ?oasso_acs=1 / ?oasso_slo=1 endpoints. Removed a non-functional metadata "Download" button (copy the metadata from the field shown instead).oas_ / OAS_ to oasso_ / OASSO_ across all options, hooks, transients, cron events, user/post meta, AJAX actions, nonces, asset handles, and custom tables. The PHP namespace (OpenAccessSSO) and plugin slug (open-access-sso) are unchanged.[oas_restrict] → [oasso_restrict] and [oas_login_button] → [oasso_login_button].[oasso_restrict] shortcode now passes its returned content through wp_kses_post().wp_add_inline_script, wp_add_inline_style, wp_get_inline_script_tag) or a linked stylesheet, instead of raw <script>/<style> tags.libxml_disable_entity_loader() calls. The plugin requires PHP 8.1+, where libxml ≥ 2.9 already disables external-entity loading by default and LIBXML_NONET blocks network access; the calls were dead code and deprecated in PHP 8.0.phpcs:ignore annotations with reason comments at intentional sites (cross-origin POST at the SAML ACS endpoint, PCRE limit hardening before user-supplied regex evaluation, table DROP on uninstall, internal-only DB query composition). No behaviour change.README.md (GitHub-only readme) is no longer shipped in the distributable zip; composer.json is now included so the bundled vendor/ directory is transparent to plugin reviewers.OAS_BYPASS.