Linux 软件免费装

在这里免费安装WordPress以及其他软件

Banner图

WP SAML Auth

开发者 getpantheon
danielbachhuber
Outlandish Josh
jspellman
jazzs3quence
AnaisPantheor
更新时间 2026年1月9日 07:48
PHP版本: 7.4 及以上
WordPress版本: 6.9
版权: GPLv2 or later
版权网址: 版权信息

标签

authentication SAML

下载

1.2.4 1.2.5 2.1.2 2.1.0 0.3.2 0.3.3 0.3.4 0.3.5 0.3.7 0.3.8 0.4.0 0.5.0 0.5.1 0.5.2 0.6.0 0.7.3 0.8.0 0.8.1 0.8.2 0.8.3 1.0.0 1.0.1 1.0.2 1.1.0 1.1.1 1.2.1 0.7.2 1.2.0 1.2.2 0.3.0 0.7.1 1.2.3 1.2.6 2.0.0 2.1.1 2.1.3 2.1.4 2.2.0 0.3.1 0.7.0 0.1.0 0.2.0 0.2.2 0.3.10 0.3.11 0.3.6 0.3.9 1.2.7 2.0.1 2.3.0

详情介绍:

SAML authentication for WordPress, using the bundled OneLogin SAML library or optionally installed SimpleSAMLphp. OneLogin provides a SAML authentication bridge; SimpleSAMLphp provides SAML plus a variety of other authentication mechanisms. This plugin acts as a bridge between WordPress and the authentication library. If your organization uses Google Apps, integrating Google Apps with WP SAML Auth takes just a few steps. The standard user flow looks like this: A set of configuration options allow you to change the plugin's default behavior. For instance, permit_wp_login=>false will force all authentication to go through the SAML identity provider, bypassing wp-login.php. Similiarly, auto_provision=>false will disable automatic creation of new WordPress users. See installation instructions for full configuration details.

安装:

Once you've activated the plugin, and have access to a functioning SAML Identity Provider (IdP), there are a couple of ways WP SAML Auth can be configured:
  1. Settings page in the WordPress backend. The settings page offers the most common configuration options, but not all. It's located at "Settings" -> "WP SAML Auth".
  2. Code snippet applied with a filter. The code snippet approach, documented below, allows access to all configuration settings. The settings page is disabled entirely when a code snippet is present.
If you're connecting directly to an existing IdP, you should use the bundled OneLogin SAML library. The necessary and most common settings are available in the WordPress backend. If you have more complex authentication needs, then you can also use a SimpleSAMLphp installation running in the same environment. These settings are not configurable through the WordPress backend; they'll need to be defined with a filter. And, if you have a filter in place, the WordPress backend settings will be removed. Note: A security vulnerability was found in SimpleSAMLphp versions 2.0.0 and below. It is highly recommended if you are using SimpleSAMLphp with WP SAML Auth that you update your SimpleSAMLphp library to 2.4.0 or above. (See CVE-2025-27773 and The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect bindings for more information.) Additional explanation of each setting can be found in the code snippet below. To install SimpleSAMLphp locally for testing purposes, the Identity Provider QuickStart is a good place to start. On Pantheon, the SimpleSAMLphp web directory needs to be symlinked to ~/code/simplesaml to be properly handled by Nginx. Read the docs for more details about configuring SimpleSAMLphp on Pantheon. Because SAML authentication is handled as a part of the login flow, your SAML identity provider will need to send responses back to wp-login.php. For instance, if your domain is pantheon.io, then you'd use http://pantheon.io/wp-login.php as your AssertionConsumerService configuration value. Where to add configuration code: When using the filter-based configuration approach, add your code to a location that loads before the plugin initializes. You can create a custom must-use plugin or add the code to your theme's functions.php file (note: theme-based configuration will need to be migrated if you switch themes). To configure the plugin with a filter, or for additional detail on each setting, use this code snippet: function wpsax_filter_option( $value, $option_name ) { $defaults = array( / * Type of SAML connection bridge to use. * * 'internal' uses OneLogin bundled library; 'simplesamlphp' uses SimpleSAMLphp. * * Defaults to SimpleSAMLphp for backwards compatibility. * * @param string */ 'connection_type' => 'internal', / * Configuration options for OneLogin library use. * * See comments with "Required:" for values you absolutely need to configure. * * @param array / 'internal_config' => array( // Validation of SAML responses is required. 'strict' => true, 'debug' => defined( 'WP_DEBUG' ) && WP_DEBUG ? true : false, 'baseurl' => home_url(), 'sp' => array( 'entityId' => 'urn:' . parse_url( home_url(), PHP_URL_HOST ), 'assertionConsumerService' => array( 'url' => wp_login_url(), 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', ), ), 'idp' => array( // Required: Set based on provider's supplied value. 'entityId' => '', 'singleSignOnService' => array( // Required: Set based on provider's supplied value. 'url' => '', 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', ), 'singleLogoutService' => array( // Required: Set based on provider's supplied value. 'url' => '', 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', ), // Required: Contents of the IDP's public x509 certificate. // Use file_get_contents() to load certificate contents into scope. 'x509cert' => '', // Optional: Instead of using the x509 cert, you can specify the fingerprint and algorithm. 'certFingerprint' => '', 'certFingerprintAlgorithm' => '', ), ), / * Path to SimpleSAMLphp autoloader. * * SimpleSAMLphp v2.x uses 'vendor/autoload.php' * SimpleSAMLphp v1.x uses 'lib/_autoload.php' * * The plugin will automatically search for SimpleSAMLphp in common * installation paths and detect the correct autoloader for both versions. * * You typically don't need to set this - leave it commented out to use auto-detection. * Only set this value if SimpleSAMLphp is in a non-standard location. * * Examples: * - SimpleSAMLphp v2.x: dirname( FILE ) . '/simplesamlphp/vendor/autoload.php' * - SimpleSAMLphp v1.x: dirname( FILE ) . '/simplesamlphp/lib/_autoload.php' * - Composer (site root): ABSPATH . 'vendor/autoload.php' * * @param string / // 'simplesamlphp_autoload' => dirname( FILE ) . '/simplesamlphp/vendor/autoload.php', / * Authentication source to pass to SimpleSAMLphp * * This must be one of your configured identity providers in * SimpleSAMLphp. If the identity provider isn't configured * properly, the plugin will not work properly. * * @param string */ 'auth_source' => 'default-sp', / * Whether or not to automatically provision new WordPress users. * * When WordPress is presented with a SAML user without a * corresponding WordPress account, it can either create a new user * or display an error that the user needs to contact the site * administrator. * * @param bool / 'auto_provision' => true, / * Whether or not to permit logging in with username and password. * * If this feature is disabled, all authentication requests will be * channeled through SimpleSAMLphp. * * @param bool / 'permit_wp_login' => true, / * Attribute by which to get a WordPress user for a SAML user. * * @param string Supported options are 'email' and 'login'. */ 'get_user_by' => 'email', / * SAML attribute which includes the user_login value for a user. * * @param string / 'user_login_attribute' => 'uid', / * SAML attribute which includes the user_email value for a user. * * @param string / 'user_email_attribute' => 'mail', / * SAML attribute which includes the display_name value for a user. * * @param string */ 'display_name_attribute' => 'display_name', / * SAML attribute which includes the first_name value for a user. * * @param string / 'first_name_attribute' => 'first_name', / * SAML attribute which includes the last_name value for a user. * * @param string / 'last_name_attribute' => 'last_name', /* * Default WordPress role to grant when provisioning new users. * * @param string / 'default_role' => get_option( 'default_role' ), ); $value = isset( $defaults[ $option_name ] ) ? $defaults[ $option_name ] : $value; return $value; } add_filter( 'wp_saml_auth_option', 'wpsax_filter_option', 10, 2 ); If you need to adapt authentication behavior based on the SAML response, you can do so with the wp_saml_auth_pre_authentication filter: /* * Reject authentication if $attributes doesn't include the authorized group. / add_filter( 'wp_saml_auth_pre_authentication', function( $ret, $attributes ) { if ( empty( $attributes['group'] ) || ! in_array( 'administrators', $attributes['group'] ) ) { return new WP_Error( 'unauthorized-group', "Sorry, you're not a member of an authorized group." ); } return $ret; }, 10, 2 ); If you're using the OneLogin connection type and need to modify the internal_config (e.g. to set requestedAuthnContext to false), you can use the wp_saml_auth_internal_config filter: /* * Modify the OneLogin SAML configuration. / add_filter( 'wp_saml_auth_internal_config', function( $config ) { $config['security'] = array( 'requestedAuthnContext' => false, ); return $config; } );

升级注意事项:

2.2.0 Security Notice: The recommended version of SimpleSAMLphp library is 2.3.7 or later when using the simplesamlphp SAML authentication type. SimpleSAMLphp 2.0.0 or later is required to fix CVE-2023-26881 (XML signature validation bypass vulnerability). New: With "Enforce Security Requirements" enabled, SimpleSAMLphp versions below 2.0.0 will be blocked. WP SAML Auth 2.2.0 requires WordPress version 6.4 or later. 2.0.0 Minimum supported PHP version is 7.3.

常见问题:

Can I update an existing WordPress user's data when they log back in?

If you'd like to make sure the user's display name, first name, and last name are updated in WordPress when they log back in, you can use the following code snippet: /* * Update user attributes after a user has logged in via SAML. / add_action( 'wp_saml_auth_existing_user_authenticated', function( $existing_user, $attributes ) { $user_args = array( 'ID' => $existing_user->ID, ); foreach ( array( 'display_name', 'first_name', 'last_name' ) as $type ) { $attribute = \WP_SAML_Auth::get_option( "{$type}_attribute" ); $user_args[ $type ] = ! empty( $attributes[ $attribute ][0] ) ? $attributes[ $attribute ][0] : ''; } wp_update_user( $user_args ); }, 10, 2 ); The wp_saml_auth_existing_user_authenticated action fires after the user has successfully authenticated with the SAML IdP. The code snippet then uses a pattern similar to WP SAML Auth to fetch display name, first name, and last name from the SAML response. Lastly, the code snippet updates the existing WordPress user object.

How do I use SimpleSAMLphp and WP SAML Auth on a multi web node environment?

Because SimpleSAMLphp uses PHP sessions to manage user authentication, it will work unreliably or not at all on a server configuration with multiple web nodes. This is because PHP's default session handler uses the filesystem, and each web node has a different filesystem. Fortunately, there's a way around this. First, install and activate the WP Native PHP Sessions plugin, which registers a database-based PHP session handler for WordPress to use. Next, modify SimpleSAMLphp's www/_include.php file to require wp-load.php. If you installed SimpleSAMLphp within the wp-saml-auth directory, you'd edit wp-saml-auth/simplesamlphp/www/_include.php to include: <?php require_once dirname( dirname( dirname( dirname( dirname( dirname( FILE ) ) ) ) ) ) . '/wp-load.php'; Note: the declaration does need to be at the top of _include.php, to ensure WordPress (and thus the session handling) is loaded before SimpleSAMLphp. There is no third step. Because SimpleSAMLphp loads WordPress, which has WP Native PHP Sessions active, SimpleSAMLphp and WP SAML Auth will be able to communicate to one another on a multi web node environment.

Where do I report security bugs found in this plugin?

Please report security bugs found in the source code of the WP SAML Auth plugin through the Patchstack Vulnerability Disclosure Program. The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin.

What are the security requirements for SimpleSAMLphp?

If you're using the SimpleSAMLphp connection type:

  • Critical Security Requirement: Version 2.0.0 or later is required to fix CVE-2023-26881 (XML signature validation bypass vulnerability).
  • Recommended Security Requirement: Version 2.3.7 or later is recommended for additional security fixes.
  • Authentication will be blocked for versions below 2.0.0 when "Enforce Security Requirements" is enabled.
  • It's always recommended to use the latest stable version of SimpleSAMLphp for security and compatibility.

更新日志:

2.3.0 (January 8, 2026) 2.2.0 (9 June 2024) 2.1.4 (November 27, 2023) 2.1.3 (April 8, 2023) 2.1.2 (April 7, 2023) 2.1.1 (March 15, 2023) 2.1.0 (November 29, 2022) 2.0.1 (January 24, 2022) 2.0.0 (January 6, 2022) 1.2.7 (December 9, 2021) 1.2.6 (October 12, 2021) 1.2.5 (August 18, 2021) 1.2.4 (August 18, 2021) 1.2.3 (May 25, 2021) 1.2.2 (Apr 26, 2021) 1.2.1 (Mar 2, 2021) 1.2.0 (Feb 22, 2021) 1.1.1 (Feb 3, 2021) 1.1.0 (Dec 1, 2020) 1.0.2 (May 27, 2020) 1.0.1 (May 26, 2020) 1.0.0 (March 2, 2020) 0.8.3 (February 3, 2020) 0.8.2 (January 22, 2020) 0.8.1 (November 25, 2019) 0.8.0 (November 20, 2019) 0.7.3 (November 7, 2019) 0.7.2 (October 30, 2019) 0.7.1 (September 26, 2019) 0.7.0 (September 16, 2019) 0.6.0 (May 14, 2019) 0.5.2 (April 8, 2019) 0.5.1 (November 15, 2018) 0.5.0 (November 7, 2018) 0.4.0 (September 5, 2018) 0.3.11 (July 18, 2018) 0.3.10 (June 28, 2018) 0.3.9 (March 29, 2018) 0.3.8 (February 26, 2018) 0.3.7 (February 13, 2018) 0.3.6 (February 7, 2018) 0.3.5 (January 19, 2018) 0.3.4 (December 22, 2017) 0.3.3 (November 28, 2017) 0.3.2 (November 9, 2017) 0.3.1 (July 12, 2017) 0.3.0 (June 29, 2017) 0.2.2 (May 24, 2017) 0.2.1 (March 22, 2017) 0.2.0 (March 7, 2017) 0.1.0 (April 18, 2016)