diff --git a/Settings.php b/Settings.php
index 5f39cf3..0fef931 100644
--- a/Settings.php
+++ b/Settings.php
@@ -79,6 +79,14 @@ class AADSSO_Settings {
 */
 public $enable_auto_forward_to_aad = false;
+ /**
+ * Indicates if all visitors are forced to AAD for login, preventing anyone who is not signed in
+ * from accessing the site. Can be overridden with 'aad_force_login' filter.
+ *
+ * @var boolean Whether or not to force AAD sign-in for all visitors
+ */
+ public $enable_force_aad_login = false;
+
 /**
 * @var boolean Whether or not to use AAD group memberships to set WordPress roles.
 */
@@ -157,6 +165,7 @@ public static function get_defaults( $key = null ) {
 'enable_auto_provisioning' => false,
 'match_on_upn_alias' => false,
 'enable_auto_forward_to_aad' => false,
+ 'enable_force_aad_login' => false,
 'enable_aad_group_to_wp_role' => false,
 'redirect_uri' => wp_login_url(),
 'logout_redirect_uri' => wp_login_url(),
diff --git a/SettingsPage.php b/SettingsPage.php
index 328b67a..1d16159 100644
--- a/SettingsPage.php
+++ b/SettingsPage.php
@@ -281,6 +281,14 @@ public function register_settings() {
 'aadsso_settings_general' // section
 );
+ add_settings_field(
+ 'enable_force_aad_login', // id
+ __( 'Force all visitors to login via Azure AD', 'aad-sso-wordpress' ), // title
+ array( $this, 'enable_force_aad_login_callback' ), // callback
+ 'aadsso_settings_page', // page
+ 'aadsso_settings_general' // section
+ );
+
 add_settings_field(
 'enable_aad_group_to_wp_role', // id
 __( 'Enable Azure AD group to WP role association', 'aad-sso-wordpress' ), // title
@@ -372,6 +380,7 @@ public function sanitize_settings( $input ) {
 $boolean_settings = array(
 'enable_auto_provisioning',
 'enable_auto_forward_to_aad',
+ 'enable_force_aad_login',
 'enable_aad_group_to_wp_role',
 'match_on_upn_alias',
 );
@@ -617,6 +626,17 @@ public function enable_auto_forward_to_aad_callback() {
 );
 }
+ /**
+ * Renders the `enable_force_aad_login` checkbox control.
+ */
+ public function enable_force_aad_login_callback() {
+ $this->render_checkbox_field(
+ 'enable_force_aad_login',
+ __( 'Force all site visitors to sign in via Azure AD.',
+ 'aad-sso-wordpress')
+ );
+ }
+
 /**
 * Renders the `enable_aad_group_to_wp_role` checkbox control.
 */
diff --git a/aad-sso-wordpress.php b/aad-sso-wordpress.php
index 0cda951..beecac0 100644
--- a/aad-sso-wordpress.php
+++ b/aad-sso-wordpress.php
@@ -83,6 +83,9 @@ public function __construct( $settings ) {
 // If configured, bypass the login form and redirect straight to AAD
 add_action( 'login_init', array( $this, 'save_redirect_and_maybe_bypass_login' ), 20 );
+ // If configured, force all visitors to login via AAD
+ add_action( 'init', array( $this, 'save_redirect_and_force_login' ), 20 );
+
 // Redirect user back to original location
 add_filter( 'login_redirect', array( $this, 'redirect_after_login' ), 20, 3 );
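Review bot: Registering `save_redirect_and_force_login` on `init` runs it for every request WordPress serves, including admin-ajax, WP-Cron and REST calls (the REST dispatcher only attaches later, during `parse_request`), so with the option enabled any unauthenticated AJAX/REST/cron request would get a redirect to AAD instead of its normal response unless the handler filters those contexts. Either this registration or the handler should skip non-interactive requests, for example `if ( wp_doing_ajax() || wp_doing_cron() ) { return; }` plus a request-path check against `rest_get_url_prefix()` for REST, since `REST_REQUEST` is not yet defined at `init`. I would also spell out in the comment that the hook fires on every request so a future reader understands why the guard exists. The constructor this hunk belongs to starts and ends outside the hunk.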
@@ -142,6 +145,39 @@ public static function get_instance( $settings ) {
 return self::$instance;
 }
+ /**
+ * Based on settings and current page, force visitor to login via AAD.
+ */
+ public function save_redirect_and_force_login() {
+
+ $this->register_session();
+
+ $current_url = home_url( add_query_arg( null, null ) );
+
+ $bypass = apply_filters(
+ 'aad_force_login',
+ $this->settings->enable_force_aad_login
+ );
+
+ /*
+ * If the user is attempting to log out AND the auto-forward to AAD
+ * login is set then we need to ensure we do not auto-forward the user and get
+ * them stuck in an infinite logout loop.
+ */
+ if( ! is_user_logged_in() ) {
+
+ // Save the requested URL to session
+ if( ! isset( $_SESSION['aadsso_redirect_to'] ) ) {
+ $_SESSION['aadsso_redirect_to'] = $current_url;
+ }
+
+ if ( $bypass && ! isset( $_GET['code'] ) ) {
+ wp_redirect( $this->get_login_url() );
+ die();
+ }
+ }
+ }
+
 /**
 * Based on settings and current page, bypasses the login form and forwards straight to AAD.
 */
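Review bot: The block comment above `if( ! is_user_logged_in() )` was carried over from the auto-forward handler and describes a logout check this function never performs; the only conditions here are `is_user_logged_in()` and `isset( $_GET['code'] )`, so a just-logged-out visitor on the `loggedout=true` landing page, or an AAD authorization response that returns `error=` instead of `code=`, would, if I read the flow correctly, be sent straight back to AAD and the loop the comment warns about becomes reachable. Consider returning early for those cases, e.g. `if ( isset( $_GET['loggedout'] ) || isset( $_GET['error'] ) ) { return; }`, and replace the stale comment with `// Unauthenticated visitor: remember the requested URL, then force AAD sign-in unless this request is the OAuth callback carrying ?code=.`. The filtered value is stored as `$bypass` although a truthy value enables the forced redirect, so `$force_login` would read correctly and avoids confusion with the sibling bypass handler. `add_query_arg( null, null )` returns the raw request URI, which the client controls, so wherever `$_SESSION['aadsso_redirect_to']` is consumed (outside this hunk) it should go through `wp_validate_redirect()` or `wp_safe_redirect()` rather than `wp_redirect()`.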