Vanilla WordPress External Identity Provider (IDP) and SSO - RFC
Now that I've done about 1 1/2 Vanilla integrations into 1-off custom sites, I am thinking about rolling this forum platform out to all of our WordPress sites as well (we operate around 20, some with forums). Because of the complexity of an External IDP, I wanted to throw out my thoughts to this forum for feedback.
The main idea is a single sign on between wordpress and vanilla. Here is my first guess on how to achieve this.
Here are my thoughts, which use simpleSaml:
IDP <-----> simpleSaml <-----> WordPress <--------- Vanilla with WordPress Plugin
                |
                |
                WordPress <--- Vanilla with WordPress Plugin, ( etc. and more )
So basically, all WordPress sites talk to the simpleSaml system for authentication. SimpleSaml gets its auth from the IDP. Vanilla logs into WordPress using the plug-in.
Or have a simple SAML plugin for Vanilla.
grep is your friend.
Indeed.. I don't yet know what would be better / easier.
jsConnect is OK, but I would say connecting directly to simpleSaml would be more robust and less fragile.
You can extend vanilla to add connection and authorisation methods. jsConnect would be an example of that.
grep is your friend.
@x00 I just realized you are talking about me creating a plugin. I'm not sure I'm up for that, technically-wise. I thought at first Vanilla had a solution for SAML, but it appears it's only for the paid services??
I guess I'll see if the WordPress plugin will work; if not, I will probably look for another open-source forum solution with SAML compatibility.
Though I made a request to make Vanilla's SAML Addon open source, I've got this working quite well using jsConnect and Vanilla's WordPress plugin. There are some tricks when using Vanilla with a simpleSaml IDP that has its own authentication app, such as in single sign-out redirects and sign-in URLs, but I am proof it's possible.
I'm updating this thread in the case that anyone needs help with this sort of setup... I'm happy to offer what I know.
Maybe this will all change when / if Vanilla starts releasing its newer versions as stable open-source releases... but for now, I have a roadmap for what I have described above using v 2.3.1