• Resolved Paul Gilzow

    (@gilzow)


    Just started using your plugin, so maybe I’m overlooking something. From our experiments, an SSO-authed account user can reset their WordPress account password and log in as a local account bypassing SSO authentication. Is there a way for the plugin to block password resets for those accounts that are connected to SSO authentication?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    Have you set the permit_wp_login parameter to false? If it’s set to false, it shouldn’t be possible for a WordPress user to log in through wp-login.php.

    Thread Starter Paul Gilzow

    (@gilzow)

    > If this feature is disabled, all authentication requests will be channeled through SimpleSAMLphp.

    Based on the description, we have that set to true since we want at least one local admin account to be able to authenticate. We also have other sites that will have a mix of local and shib-authed accounts. I’m assuming given your answer it’s an all or nothing situation?

    Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    > Based on the description, we have that set to true since we want at least one local admin account to be able to authenticate. We also have other sites that will have a mix of local and shib-authed accounts.

    Makes sense.

    > I’m assuming given your answer it’s an all or nothing situation?

    Currently, yes. However, this is an enhancement I’d be open to. See https://github.com/pantheon-systems/wp-saml-auth/issues/15 for related conversation.

    Thread Starter Paul Gilzow

    (@gilzow)

    I might have to fork and do a custom mod for our use then. Once completed I’ll submit a pull request in case you want to incorporate our changes.

    Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    Sounds good, thanks!

    In my mind, the simplest implementation would be to set some user meta if a user signs in through SSO. Then, based on this user meta flag, filter map_meta_cap to: 1) disallow editing the user entirely, or 2) force a randomly generated password anytime the user object is updated. The latter would be a less ideal user experience, as the WordPress user would think they could change their password, but it would prevent them from signing in with the new password.

    Thread Starter Paul Gilzow

    (@gilzow)

    Yeah, that’s how I do it in my ldap-auth plugin: wpDirAuth

    Random generated password is stored locally, but the user is never able to get to the point where they can touch it unless the plugin is deactivated/deleted.

    In addition, I’d like for the plugin to auto-detect if a user should be shib-authed instead of requiring them to click a button. I already know that having both on one screen is going to cause confusion for our users. Should be easy enough once there’s a user_meta flag. Hook the authenticate filter and then if the user has the flag set, fail the login, and present them with the button to login via SSO.
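Putting the approach sketched in the two posts above into one mu-plugin (a user-meta flag set on SSO sign-in, map_meta_cap to stop the flagged user editing their own profile, and an authenticate hook that fails local logins for flagged accounts), as an added example that is not part of this thread or of wp-saml-auth. The hook names wp_saml_auth_existing_user_authenticated and wp_saml_auth_new_user_authenticated are assumed from the plugin, and the meta key and function names are invented for the example; allow_password_reset, authenticate and map_meta_cap are core WordPress filters.

```php
<?php
// Example mu-plugin: flag wp-saml-auth accounts as SSO-only and block local password paths.
const SSO_ONLY_META = 'sso_only_account'; // hypothetical meta key
// 1. Flag the account whenever it authenticates through SAML.
//    Hook names assumed from wp-saml-auth; verify against your plugin version.
function sso_only_flag_user( $user ) {
	if ( $user instanceof WP_User ) {
		update_user_meta( $user->ID, SSO_ONLY_META, 1 );
	}
}
add_action( 'wp_saml_auth_existing_user_authenticated', 'sso_only_flag_user' );
add_action( 'wp_saml_auth_new_user_authenticated', 'sso_only_flag_user' );

function sso_only_is_flagged( $user_id ) {
	return (bool) get_user_meta( $user_id, SSO_ONLY_META, true );
}

// 2. Refuse the "lost password" flow for flagged accounts (core filter, runs before the reset mail).
function sso_only_block_reset( $allow, $user_id ) {
	return sso_only_is_flagged( $user_id )
		? new WP_Error( 'sso_only', 'Password resets are disabled for single sign-on accounts.' )
		: $allow;
}
add_filter( 'allow_password_reset', 'sso_only_block_reset', 10, 2 );

// 3. Fail a local username/password login for flagged accounts and point at the SSO button.
//    Priority 30 runs after core's password checks (20), so this overrides their result.
function sso_only_block_local_login( $user, $username, $password ) {
	if ( '' === $password ) {
		return $user; // form is only being rendered (or SAML flow), nothing submitted
	}
	$account = get_user_by( 'login', $username ) ?: get_user_by( 'email', $username );
	if ( $account && sso_only_is_flagged( $account->ID ) ) {
		$msg = sprintf( 'This account must <a href="%s">log in via single sign-on</a>.', esc_url( wp_login_url() ) );
		return new WP_Error( 'sso_only', $msg );
	}
	return $user;
}
add_filter( 'authenticate', 'sso_only_block_local_login', 30, 3 );

// 4. Stop a flagged user editing their own profile (where the password field lives);
//    an administrator editing someone else's account is unaffected.
function sso_only_map_meta_cap( $caps, $cap, $user_id, $args ) {
	if ( 'edit_user' === $cap && isset( $args[0] ) && (int) $args[0] === (int) $user_id
		&& sso_only_is_flagged( $user_id ) ) {
		return array( 'do_not_allow' );
	}
	return $caps;
}
add_filter( 'map_meta_cap', 'sso_only_map_meta_cap', 10, 4 );
```

Drop it into wp-content/mu-plugins/; an administrator can still revert an account to local login by deleting the meta key, and accounts that never sign in through SAML (the local admin in the thread) are left untouched.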

  • The topic ‘Prevent SSO-authed account from resetting password?’ is closed to new replies.