Single Sign On (SSO) with Vanilla 2.6x

Hello, I am starting this new discussion in 2.6 Help as a main place to talk about SSO for Vanilla 2.6x open source. There were quite a few idiosyncrasies in our implementation, so I will first make a reply that is sort of a tutorial for those using WordPress and the WordPress (jsConnect) plug-in. I also operate other SSO implementations that don't use the WordPress plug-in, such as straight SAML.

So, if people post their questions to this discussion, I should get a notification... and after all my time spent on this topic, I may be able to help... or I may not. ;-) But it'll be good to keep all of this in one place, I think.

Note: It appears SSO will be (at least somewhat) backwards compatible through 2.7 as well.


  • Notes on: SSO with Vanilla and WordPress (and External Auth Provider [SAML])

    Vanilla 2.6.3:
    WordPress 4.9.7+
    OneLogin Plugin:
    Vanilla WP Plugin 1.1.18: 
        WP: <find in plug-in search in WP>
    Main Documentation (which appears to be fairly valid through to 2.7):
        Instead of doing a step by step, I'll maybe expand on the idiosyncrasies of these versions, perhaps beyond what is explained in the docs. 
        So, instead of looking at this as an SSO how-to, please start by reading the SSO documentation and use this document as a supplement. In brief, 
        to get SSO working in our systems, there were a few needed customizations and explanations beyond those of the documentation. 
        Using the docs (link above), you should be able to get SSO configured. Vanilla can be viewed as a child of WordPress in regards to users, passwords, and roles.
        In our system we have an external Auth provider. I'll only include info about that briefly, focusing on SSO with WordPress.  
    Main Topics:
        1.) Slight Change in the Vanilla WordPress plug-in. 
        2.) Needed extra Garden Config for Single Sign Off
        3.) New URL (reminder) for *Automatic* Single Sign On to default provider. 
        4.) Approving your 'Target' redirect (for Single Sign Off) in Vanilla Admin.
        5.) Change in bootstrap.php to escape Target. 
        6.) If using Porter, make sure to match Role Names.
            a.) Comments on Roles. 
    Slight Change in the Vanilla WordPress plug-in:
        There is the use of a deprecated function in the Vanilla WordPress Plug-in (version 1.1.18). For me, this caused a "Whoops error" when using the /sso entry point.  You can see my suggested changes here, which fixed the problem:
    Needed extra Garden Config for Single Sign Off
        I believe it was from Vanilla 2.5 that there was a change in rewrite rules (pretty URLs vs. query string). This change causes an infinite loop for single sign off. Specifically, the change is rewrite URLs now being set to false by default in: '/library/core/class.request.php:1543:'.
        The solution is to add this in your garden config:
        $Configuration['Garden']['RewriteUrls'] = true;
        ** note, there are signs of this being deprecated at some point... but for now it seems to work. 
    New URL (reminder) for *Automatic* Single Sign On to default provider.
        This is in the docs, but just another mention. The old use of jsConnectAutoSignIn no longer works (or is needed). Though maybe not ideal, you can get
        the same effect by using the /sso entry point in your links to the forum.  I say this is not ideal because if you are signed in to WordPress and
        you hit the forum without hitting that entry point, you won't be signed in automatically. So:
    Approving your 'Target' redirect (for Single Sign Off) in Vanilla Admin
        At this point, you need to approve your 'Target' if using it to redirect for a single sign off. A little about this: we first sign out of Vanilla, then
        we redirect to WordPress, where the user is asked if they want to sign out there as well. This is technically not Single Sign Off, but it is close enough
        for our sake. To use the redirect, do this:
        In the Vanilla dashboard (admin), go to: Settings > Security 
        In Trusted Domains, enter your 'full' URL (minus http/s://), i.e.: 'www.<yourdomaindotcom>/wp-login.php?action=logout'
        ** note, the full URL is needed **
    Change in bootstrap.php to escape Target
        To get the above to work, we needed to use a custom function. The old jsConnectAutoSignIn app suggested the use of a bootstrap.before.php file
        in /config/.  However, the new bootstrap.php has deleted the reference to that file, so it is no longer included. There is a workaround, so do this:
        1.) Create a file in /config/ called 'bootstrap.early.php'.
        2.) Its contents should be:
    <?php if (!defined('APPLICATION')) exit();
         // Defined early so Vanilla's own (function_exists-guarded) SignOutUrl() is skipped
         // and the Target parameter survives into the sign-out URL.
         if (!function_exists('SignOutUrl')) {
             function SignOutUrl($Target = '') {
                 // %s receives the optional "?Target=..." suffix (template can be overridden in config).
                 $SignOutUrl = C('Garden.Authenticator.SignOutUrl', '/signout/{Session_TransientKey}%s');
                 $SignOutUrl = FormatString($SignOutUrl, array('Session_TransientKey' => Gdn::Session()->TransientKey()));
                 $SignOutUrl = sprintf($SignOutUrl, ($Target ? '?Target='.urlencode($Target) : ''));
                 return $SignOutUrl;
             }
         }
    If using Porter, make sure to match Role Names
        This is in the docs, but just to help others. Some other forums may have, for example, a role called 'Administrators'.  The important thing to realize
        is that the WordPress role is without the 's', i.e. 'Administrator'. Roles will not match up if they are not exact.
    External Auth:
        We have an external Auth provider for our WordPress sites. In short, SSO works pretty well having our forums rely on WordPress, and our WordPress rely on our external Auth. It is a hierarchy, where users and roles all trickle down from our main Auth provider. We use SAML as our standard. To get this working in regards to WordPress, we use a SAML plugin, which I am a contributor to. 
    OneLogin Plugin:
        This plugin facilitates the communication between our authentication system and WordPress. 
        I had to rewrite some of this plug-in to get some features to work; however, the features were adopted by the plug-in itself, so the plug-in may simply work out of the box.
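As an added illustration (not code from the post above, nor from Vanilla or the WordPress plug-in), here is the shape of the allow-list check that the 'Target' approval in Trusted Domains exists for: a sign-out URL builder that only appends a Target when the target's host is on an explicit trusted list, and otherwise drops it. The function names, the `$trustedHosts` list and the sample URLs are constructed for this example; Vanilla's real Trusted Domains matching may differ in detail.

```php
<?php
// Added example, not Vanilla's or the plug-in's code. The names below
// (isAllowedTarget, buildSignOutUrl, $trustedHosts) are assumptions.

// Accept only absolute http(s) URLs whose host exactly matches an allow-listed host.
function isAllowedTarget(string $target, array $trustedHosts): bool
{
    $parts = parse_url($target);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        // Relative, protocol-relative ("//host/...") and malformed values are refused.
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Exact, case-insensitive host comparison; no prefix or substring matching.
    return in_array(strtolower($parts['host']), array_map('strtolower', $trustedHosts), true);
}

// Build the sign-out URL; an untrusted Target is dropped rather than forwarded.
function buildSignOutUrl(string $transientKey, string $target, array $trustedHosts): string
{
    $url = '/signout/' . rawurlencode($transientKey);
    if ($target !== '' && isAllowedTarget($target, $trustedHosts)) {
        $url .= '?Target=' . urlencode($target);
    }
    return $url;
}

// Constructed sample data for the demonstration.
$trustedHosts = ['www.example.com'];
$transientKey = 'sample-transient-key';

foreach ([
    'https://www.example.com/wp-login.php?action=logout', // trusted host: Target forwarded
    'https://forum.example.net/',                          // host not trusted: Target dropped
    '//www.example.com/wp-login.php',                      // protocol-relative: dropped
    '/discussions',                                        // relative path: dropped by this strict check
] as $target) {
    echo buildSignOutUrl($transientKey, $target, $trustedHosts), PHP_EOL;
}
```

The check is deliberately strict: only absolute http(s) URLs with an exactly matching host pass, which is also why the post insists on entering the full URL in Trusted Domains. Same-site relative paths are refused here on purpose; accepting them safely takes more care than this illustration tries to show, and a real deployment would handle that case separately.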