[wp-hackers] Single sign-on SSL domain

Stephane Daury wordpress at tekartist.org
Thu Jul 23 15:54:15 UTC 2009 

Oh boy, you're in a world of pain on this one, especially if you have  
a lot of domains (not subdomains), which the wildcard cert won't help  
you with. Uou'd also still have the IP-per-host requirement,  
regardless of if it's a wildcard or not.

Anyway, one (hopefully) constructive solution I could offer would be  
for you to look into having your users managed in an LDAP server  
instead, then run an WP-to-LDAP auth plugin like http://wordpress.org/extend/plugins/wpdirauth 
  (which btw also has an option to force WP to serve the login screen  
under SSL).

This is how I was dealing with this when working for a large  
university, faced with the same issues as you currently are. What  
happens is that the login form is still WP's, but it hits the LDAP  
server in the back with the provided credentials when it doesn;t find  
a matching user in the WP tables. So all you have to do (beyond  
maintaining an LDAP server...) is *simply* not create and/or port your  
existing WP users to LDAP, and you're done.

The big question here is: are your users supposed to be able to  
register on their own, or are they provided with single sign-on  
credentials that work everywhere (like enterprise users would be)? The  
above LDAP plugin of course only handles login, not registration.

BTW: in regards to forcing OpenID: one reason they haven't replied  
might be that (up until recently?) WP will only let us extend the  
login form, not replace its core behavior. You could hack it to remove  
the WP login fields, but that'd mean hacking core files, which I would  
never advise to do. Note that this might change in the future, since  
changes to the auth system in WP 2.8 make it possible to overcome this  
issue, thanks to Will Norris' work: http://willnorris.com/2009/03/authentication-in-wordpress-28

Anyway, here were my two cents. Hoping it might be of help. :)

Cheers,

Stephane Daury

On Jul 23, 2009, at 9:53, Glenn Ansley wrote:

> If this problem was tasked to me, I would probably explore using the
> CUSTOM_USER_TABLE and CUSTOM_USER_META_TABLE constants [1] along with
> the SET_COOKIE_DOMAIN constant [2].
>
> If all your installs have access to the same MySQL server, the user
> tables won't be a problem. The COOKIES shouldn't be a problem either.
> A user is deemed logged in or not logged in based on COOKIES. You
> would just have to make sure that a) Your authentications blog set the
> COOKIE correct, b) that your other blogs looked for the correct COOKIE
> to determine whether or not the user was logged in and c) all your
> salts were set the same across all blogs [3].
>
> FullThrottle recently did something very similar for a client and
> documented it on our blog [4]. We weren't using SSL to login... but
> that shouldn't matter since you will only be handling logins from one
> blog.
>
> Bonus points: On all your actual blogs, redirect any requests for the
> login page to your SSL login along with a referral query. Then send
> them back after they're logged in via the SSL blog.
>
> I'm sure there's some hurdles to jump there as I've never done this
> exact thing, but that's how I would proceed.
>
> [1] http://codex.wordpress.org/Editing_wp-config.php#Custom_User_and_Usermeta_Tables
> [2] http://codex.wordpress.org/Editing_wp-config.php#Set_Cookie_Domain
> [3] http://codex.wordpress.org/Editing_wp-config.php#Security_Keys
> [4] http://fullthrottledevelopment.com/setting-a-single-login-across-wp-wpmu
>
> Glenn Ansley
> Owner / Developer | FullThrottle Development, LLC
> http://fullthrottledevelopment.com
> http://twitter.com/full_throttle
> (919) 522-1532
>
>
>
> On Thu, Jul 23, 2009 at 5:19 AM, Eric Marden<wp at xentek.net> wrote:
>> Check out startssl.com for cheaper certs (including standard ones  
>> for free).
>> You'll need to jump through a few hoops, and know how to use Client
>> certficate to authenticate to the site. Its easy once you do it once.
>>
>> In addition if you have the ability to configure your server(s) more
>> directly, you may also be able to set up a reverse proxy to handle  
>> your SSL
>> across your sites:
>> http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
>>
>> -e
>>
>> - Eric Marden
>> __________________________________
>> http://xentek.net/code/wordpress/
>>
>>
>>
>>
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list