Add setting to force all site visitors to login via AAD #132

wants to merge 2 commits into
base: master
9 changes: 9 additions & 0 deletions Settings.php
Expand Up @@ -79,6 +79,14 @@ class AADSSO_Settings {
*/
public $enable_auto_forward_to_aad = false;

/**
* Indicates if all visitors are forced to AAD for login, preventing anyone who is not signed in
* from accessing the site. Can be overridden with 'aad_force_login' filter.
*
* @var boolean Whether or not to force AAD sign-in for all visitors
*/
public $enable_force_aad_login = false;

/**
* @var boolean Whether or not to use AAD group memberships to set WordPress roles.
*/
Expand Down Expand Up @@ -157,6 +165,7 @@ public static function get_defaults( $key = null ) {
'enable_auto_provisioning' => false,
'match_on_upn_alias' => false,
'enable_auto_forward_to_aad' => false,
'enable_force_aad_login' => false,
'enable_aad_group_to_wp_role' => false,
'redirect_uri' => wp_login_url(),
'logout_redirect_uri' => wp_login_url(),
20 changes: 20 additions & 0 deletions SettingsPage.php
Expand Up @@ -281,6 +281,14 @@ public function register_settings() {
'aadsso_settings_general' // section
);

add_settings_field(
'enable_force_aad_login', // id
__( 'Force all visitors to login via Azure AD', 'aad-sso-wordpress' ), // title
array( $this, 'enable_force_aad_login_callback' ), // callback
'aadsso_settings_page', // page
'aadsso_settings_general' // section
);

add_settings_field(
'enable_aad_group_to_wp_role', // id
__( 'Enable Azure AD group to WP role association', 'aad-sso-wordpress' ), // title
Expand Down Expand Up @@ -372,6 +380,7 @@ public function sanitize_settings( $input ) {
$boolean_settings = array(
'enable_auto_provisioning',
'enable_auto_forward_to_aad',
'enable_force_aad_login',
'enable_aad_group_to_wp_role',
'match_on_upn_alias',
);
Expand Down Expand Up @@ -617,6 +626,17 @@ public function enable_auto_forward_to_aad_callback() {
);
}

/**
* Renders the `enable_force_aad_login` checkbox control.
*/
public function enable_force_aad_login_callback() {
$this->render_checkbox_field(
'enable_force_aad_login',
__( 'Force all site visitors to sign in via Azure AD.',
'aad-sso-wordpress')
);
}

/**
* Renders the `enable_aad_group_to_wp_role` checkbox control.
*/
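Review bot: The field text rendered by `enable_force_aad_login_callback` says what the option does but not what it costs: once it is on, every signed-out request is sent to Azure AD, so a wrong client ID, secret or redirect URI locks every new session out of the site, including the administrator's own next session. I would extend the description so the admin is told to verify AAD sign-in first and is pointed at the escape hatch the Settings.php docblock names, e.g. `'Force all site visitors to sign in via Azure AD. Verify that Azure AD sign-in works before enabling this: a misconfiguration locks out every visitor who is not already signed in (override with the aad_force_login filter).'`. The `register_settings` and `sanitize_settings` methods these hunks touch begin and end outside the hunks.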
36 changes: 36 additions & 0 deletions aad-sso-wordpress.php
Expand Up @@ -83,6 +83,9 @@ public function __construct( $settings ) {
// If configured, bypass the login form and redirect straight to AAD
add_action( 'login_init', array( $this, 'save_redirect_and_maybe_bypass_login' ), 20 );

// If configured, force all visitors to login via AAD
add_action( 'init', array( $this, 'save_redirect_and_force_login' ), 20 );

// Redirect user back to original location
add_filter( 'login_redirect', array( $this, 'redirect_after_login' ), 20, 3 );

Expand Down Expand Up @@ -142,6 +145,39 @@ public static function get_instance( $settings ) {
return self::$instance;
}

/**
* Based on settings and current page, force visitor to login via AAD.
*/
public function save_redirect_and_force_login() {

$this->register_session();

$current_url = (isset($_SERVER['HTTPS']) ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
Contributor


This might fail if the server is running on a non-standard port... Check this approach https://gist.github.com/leereamsnyder/fac3b9ccb6b99ab14f36

Author


Good point, thanks for the feedback.


$bypass = apply_filters(
'aad_force_login',
$this->settings->enable_force_aad_login
);

/*
* If the user is attempting to log out AND the auto-forward to AAD
* login is set then we need to ensure we do not auto-forward the user and get
* them stuck in an infinite logout loop.
*/
if( ! is_user_logged_in() ) {

// Save the requested URL to session
if( ! isset( $_SESSION['aadsso_redirect_to'] ) ) {
$_SESSION['aadsso_redirect_to'] = $current_url;
}

if ( $bypass && ! isset( $_GET['code'] ) ) {
wp_redirect( $this->get_login_url() );
die();
}
}
}

/**
* Based on settings and current page, bypasses the login form and forwards straight to AAD.
*/
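Review bot: The `! isset( $_GET['code'] )` exemption at the bottom of `save_redirect_and_force_login` is keyed on a query parameter any visitor can supply, so an unauthenticated request for `/some-page/?code=x` skips the redirect and the page is served normally, which defeats the setting's stated purpose of keeping signed-out visitors off the site. Scope the exemption to the login page itself (`'wp-login.php' === $GLOBALS['pagenow']`), where the AAD callback lands; that also lets AAD error responses, which come back without `code`, reach wp-login.php instead of being bounced back to AAD, and it is what the copied logout-loop comment describes but the code never actually checks. Because the hook runs on `init` for every request, signed-out admin-ajax, cron, REST and XML-RPC requests are redirected as well, so those should return early (`wp_doing_ajax()`/`wp_doing_cron()` if the supported WordPress version provides them, otherwise the `DOING_AJAX`/`DOING_CRON` constants). `$current_url` is built from `HTTP_HOST`, a client-supplied header, and stored as the post-login redirect target; deriving scheme, host and port from `home_url()` keeps the stored target on the site's own origin. Whether that stored target is later passed through `wp_safe_redirect()` depends on `redirect_after_login()`, which is outside this hunk.

```php
public function save_redirect_and_force_login() {

    $this->register_session();

    // Only the login page is exempt: the AAD callback (?code=...) and AAD
    // error responses both land on wp-login.php, and redirecting it loops.
    $on_login_page = isset( $GLOBALS['pagenow'] ) && 'wp-login.php' === $GLOBALS['pagenow'];

    // Machine endpoints cannot follow a browser sign-in flow; leave them alone.
    if ( $on_login_page
        || wp_doing_ajax()
        || wp_doing_cron()
        || ( defined( 'REST_REQUEST' ) && REST_REQUEST )
        || ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) ) {
        return;
    }

    // Build the return URL from the configured home URL, not the Host header.
    $home        = wp_parse_url( home_url() );
    $current_url = $home['scheme'] . '://' . $home['host']
        . ( isset( $home['port'] ) ? ':' . $home['port'] : '' )
        . $_SERVER['REQUEST_URI'];

    // … unchanged: apply_filters( 'aad_force_login', ... ) into $bypass …

    if ( ! is_user_logged_in() ) {
        if ( ! isset( $_SESSION['aadsso_redirect_to'] ) ) {
            $_SESSION['aadsso_redirect_to'] = $current_url;
        }

        // No ?code= exemption here: the callback is covered by the early return above.
        if ( $bypass ) {
            wp_redirect( $this->get_login_url() );
            die();
        }
    }
}
```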