Add CUNY SSO integration to Commons In A Box
When this plugin is activated, authorization via CUNY SSO is required for a user to register.
The visitor's browser session is redirected to CUNY SSO for authentication. When authentication with CUNY SSO is successful, information about that session is sent back to the Commons In A Box site, and the SSO attributes are checked to determine if the user is authorized to register. If they are, the user can continue with registration.
The plugin manages the following paths:
/sso/login
will initiate alogin request through CUNY SSO./sso/verify
handles the SAML response from CUNY SSO./sso/logout
will initiate a logout request through CUNY SSO./sso/metadata.xml
provides the SP metadata for the site.
The plugin has a default configuration for CUNY SSO identiy provider (IdP) and service provider (SP) metadata.
The CUNY SSO IdP configuration was based on the metadata file provided by CUNY IT.
Both IdP and SP configurations can be overridden or modified with the sps_cbox_sso_saml_settings
filter.
The plugin manages authorization via the SAML attributes expected by CUNY SPS OpenLab.
The sps_cbox_sso_can_register
filter can be used to override this behavior based on the available SAML attributes.
Once active, SSO is required for new user regitration. If needed, site admins can add users manually and allow them to login with standard WordPress authentication.
Site admins can also add a user's CUNY SSO EMPLID to a user's profile to connect an existing user account with CUNY SSO.
Site admins can also remove a user's CUNY SSO EMPLID to disconnect a user account from CUNY SSO.
If the cuny_sso_allow_wp_login
option is set to yes
on the site, any user without an EMPLID can login with their WordPress credentials.
A private key and certificate are required for the plugin to sign and verify SAML requests and responses. These can be stored as options in WordPress or filtered in code. No keys are provided by default with the plugin.
openssl req -new -x509 -key private.key -out certificate.crt -days 3650
wp option set sps_cbox_sso_x509_certificate $(cat certificate.crt)
wp option set sps_cbox_sso_private_key $(cat private.key)
Or, filter the keys with sps_cbox_sso_private_key
and sps_cbox_sso_x509_certificate
.
The plugin relies on a composer configuration for autoloading and the underlying onelogin/php-saml
library. WP-CLI's dist-archive command can be used to build a versioned zip file for distribution.
composer install --no-progress --no-dev
composer dump-autoload
wp dist-archive ./