WP Shibboleth

For our implementation of WordPress Shibboleth we’ve made a couple of modifications to the stock plugin. This comes in two flavors: a patch to the plugin, and a separate plugin that adds functionality on top of it:

WP Shibboleth

The patch adds these features; after applying it, search for “XXX: UIUC” to find the spots you will want to customize for your setup:

  • Login form message that allows people to choose Shibboleth or local authentication in WordPress
  • Add a “redirect_to” parameter to the Shibboleth login process, so that WordPress can return properly after authentication.

UIUC Shibboleth

The UIUC Shibboleth plugin extends the stock Shibboleth plugin by auto-creating users from LDAP. When we configured our Shibboleth setup we chose to use the eduPersonPrincipalName (eppn) as the WordPress username. This does not mix well with how WordPress expects new users to be added from the “site-new.php” and “user-new.php” pages. We replace the “get_user_by” function so that, when a new user or site is added and the matching Shibboleth user does not already exist, the user is looked up in LDAP and created in WordPress with the eduPersonPrincipalName as the username.

To use the UIUC Shibboleth plugin you will need an LDAP directory that contains all the users Shibboleth will authenticate. Users in the directory will need these attributes:

  • LDAP Username: the unscoped username; we use “uid”. This could be “samaccountname” for Active Directory.
  • LDAP Email: most likely “mail”.
  • Shibboleth Username: what the WP Shibboleth plugin will consider the username, as retrieved from LDAP. Our directory has “edupersonprincipalname” (or eppn) as this attribute. What you place here will depend on how you’ve configured your WP Shibboleth plugin.
  • Shibboleth Email: what the WP Shibboleth plugin will consider the email address, as retrieved from LDAP. Our directory uses the same attribute in both cases: “mail”.

Note that all the attribute names are lowercased, which is the form in which PHP’s ldap_get_entries() returns them.
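The lookup-and-create flow described above, written out as an added example (this is not the UIUC plugin’s own code). It assumes the PHP LDAP extension, a directory that allows an anonymous bind (swap in a service-account bind if yours does not), and the hypothetical attribute configuration shown in $uiuc_shib_ldap; the WordPress functions used (get_user_by, wpmu_create_user, wp_generate_password) are stock multisite APIs. The username is escaped before it goes into the LDAP filter, and the lookup refuses to create anything unless exactly one directory entry matches.

```php
<?php
// Added example, not code from the UIUC Shibboleth plugin.
// Attribute names are lowercased to match what ldap_get_entries() returns.
$uiuc_shib_ldap = array(
    'uri'           => 'ldaps://ldap.example.edu',     // assumption: your directory
    'base_dn'       => 'ou=people,dc=example,dc=edu',  // assumption: your search base
    'ldap_username' => 'uid',                          // unscoped username ("samaccountname" for AD)
    'ldap_email'    => 'mail',
    'shib_username' => 'edupersonprincipalname',       // what the WP Shibboleth plugin uses as the login
    'shib_email'    => 'mail',
);

/**
 * Look up an unscoped username in LDAP and return the login and email the
 * WP Shibboleth plugin will use, or false when there is no unique match.
 */
function uiuc_shib_ldap_lookup( $unscoped, $cfg ) {
    $ds = ldap_connect( $cfg['uri'] );
    if ( ! $ds ) {
        return false;
    }
    ldap_set_option( $ds, LDAP_OPT_PROTOCOL_VERSION, 3 );
    ldap_set_option( $ds, LDAP_OPT_REFERRALS, 0 );
    if ( ! @ldap_bind( $ds ) ) {        // anonymous bind (assumption); bind a service account if required
        return false;
    }

    // Escape the value so a crafted username cannot change the filter (PHP >= 5.6).
    $filter = sprintf( '(%s=%s)', $cfg['ldap_username'],
                       ldap_escape( $unscoped, '', LDAP_ESCAPE_FILTER ) );
    $attrs  = array_unique( array( $cfg['shib_username'], $cfg['shib_email'], $cfg['ldap_email'] ) );

    $sr      = ldap_search( $ds, $cfg['base_dn'], $filter, $attrs );
    $entries = $sr ? ldap_get_entries( $ds, $sr ) : false;
    ldap_unbind( $ds );

    // Exactly one entry, or we refuse: an ambiguous match must not create an account.
    if ( ! $entries || $entries['count'] !== 1 ) {
        return false;
    }
    $e = $entries[0];
    if ( empty( $e[ $cfg['shib_username'] ][0] ) ) {
        return false;
    }
    return array(
        'user_login' => $e[ $cfg['shib_username'] ][0],
        'user_email' => isset( $e[ $cfg['shib_email'] ][0] ) ? $e[ $cfg['shib_email'] ][0] : '',
    );
}

/**
 * Return the WP_User for the Shibboleth identity behind an unscoped username,
 * creating it when user-new.php / site-new.php refers to a user WordPress has
 * not seen yet. The password is random: the account is only used via Shibboleth.
 */
function uiuc_shib_get_or_create_user( $unscoped, $cfg ) {
    $info = uiuc_shib_ldap_lookup( $unscoped, $cfg );
    if ( ! $info ) {
        return false;
    }
    $existing = get_user_by( 'login', $info['user_login'] );
    if ( $existing ) {
        return $existing;
    }
    $user_id = wpmu_create_user( $info['user_login'], wp_generate_password( 24 ), $info['user_email'] );
    return $user_id ? get_user_by( 'id', $user_id ) : false;
}
```

Because the account is keyed on the eppn returned by the directory rather than on whatever the administrator typed, a later Shibboleth login with that eppn lands on the same WordPress user.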

WP Domain Mapping

Disclaimer: not all of the features we’ve added are in active use. Use with caution and test heavily! If you have a question or comment, feel free to email me.

For our implementation we’ve added some extensions to the stock WordPress Domain Mapping plugin. Our patch is hosted here: dm-v0.5.4.3-uiuc.patch. After applying, search for “XXX: UIUC” to see specific changes we’ve added that you might want to adapt to your install. Here is a summary of the things we’ve modified:

Per-Blog Enable

We wanted the ability to enable domain mapping on a per-blog basis. When this network-level setting is turned on (by a super admin), the domain mapping section is hidden from a blog’s Settings page unless a super admin has enabled it for that particular blog.

Per-Blog CNAME and IP Address

Because our Subject Alternative Name (SAN) SSL certificates can only accommodate 30 subjects, we needed a way to provision a blog onto a specific IP/CNAME/SSL certificate setup. This feature lets super admins visit a blog’s domain mapping settings and specify a CNAME or IP address different from the Network configuration. By default the blog’s domain mapping instructions display the Network configuration.

Admin Only Primary Domain

Allow only super admins to change a blog’s primary domain. This is for when you want users to be able to set up aliases but still have visitors redirected to the network blog address. Super admins will still be able to change the primary domain of a blog.

Don’t Force SSL for Admin URL Mapping

When remapping an admin URL, handle “/wp-admin/admin-ajax.php” a little differently. Usually the “force_ssl_admin” rule takes effect, but it shouldn’t for “admin-ajax.php”, because that endpoint is called from non-admin (front-end) pages as well. If a page served over http:// is given an https:// admin-ajax.php URL, the scheme differs, so the browser treats it as a different origin and the same-origin policy blocks the AJAX request.

Preserve “redirect_to” After Login

After the Shibboleth login process, preserve the “redirect_to” URL parameter to handle redirection instead of just finishing at “wp-login.php”.

Additional URL Mappings

Also map “wp-login.php” for the login and logout hooks. This lets SSL work properly in cases where you are not using a SAN certificate for your mapped domains.

Hook “allowed_redirect_hosts”

Let WordPress consider a redirect to a mapped domain as safe. wp_safe_redirect() and wp_validate_redirect() only accept targets whose host appears in the list produced by the “allowed_redirect_hosts” filter, so a “redirect_to” pointing at a mapped domain is otherwise discarded. We hook that filter to add the blog’s mapped domains. Add only the domains actually mapped to the blog, not arbitrary hosts, or the open-redirect protection this list provides is lost.
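The two redirect-related pieces above (keeping admin-ajax.php on the caller’s scheme, and honoring “redirect_to” after login only when the target is a mapped domain) as one added example. This is not the UIUC patch itself. It assumes the stock WordPress filters “admin_url” and “allowed_redirect_hosts”, and that the Domain Mapping plugin’s table is reachable as $wpdb->dmtable with columns blog_id, domain and active (that table name and layout are an assumption about the plugin, so check them against your install).

```php
<?php
// Added example, not the UIUC Domain Mapping patch.

/**
 * Keep admin-ajax.php on the scheme of the page that calls it. An http://
 * page calling an https:// URL is a cross-origin request (scheme is part of
 * the origin), so the browser would block the XHR. Every other admin URL is
 * left alone and still follows force_ssl_admin().
 */
function uiuc_dm_admin_ajax_scheme( $url, $path ) {
    if ( strpos( $path, 'admin-ajax.php' ) === false ) {
        return $url;
    }
    return set_url_scheme( $url, is_ssl() ? 'https' : 'http' );
}
add_filter( 'admin_url', 'uiuc_dm_admin_ajax_scheme', 20, 2 );

/**
 * Add only the current blog's active mapped domains to the hosts that
 * wp_safe_redirect() / wp_validate_redirect() will accept. Nothing else is
 * added, so the open-redirect check still rejects arbitrary hosts.
 */
function uiuc_dm_allowed_redirect_hosts( $hosts, $requested_host ) {
    global $wpdb;
    // Assumption: the Domain Mapping plugin's table and columns.
    $table  = isset( $wpdb->dmtable ) ? $wpdb->dmtable : $wpdb->base_prefix . 'domain_mapping';
    $mapped = $wpdb->get_col( $wpdb->prepare(
        "SELECT domain FROM {$table} WHERE blog_id = %d AND active = 1",
        get_current_blog_id()
    ) );
    foreach ( (array) $mapped as $domain ) {
        $domain = strtolower( trim( $domain ) );
        if ( $domain !== '' && ! in_array( $domain, $hosts, true ) ) {
            $hosts[] = $domain;
        }
    }
    return $hosts;
}
add_filter( 'allowed_redirect_hosts', 'uiuc_dm_allowed_redirect_hosts', 10, 2 );

/**
 * Where to send the user after the Shibboleth login completes: the preserved
 * redirect_to if it passes validation (site host or a mapped domain), else the
 * dashboard. wp_validate_redirect() is what consults the filter above.
 */
function uiuc_dm_login_redirect_target() {
    $redirect_to = isset( $_REQUEST['redirect_to'] ) ? stripslashes( $_REQUEST['redirect_to'] ) : '';
    return wp_validate_redirect( $redirect_to, admin_url() );
}
```

Because the mapped domains are read per blog, a redirect_to for a domain mapped to some other blog on the network is still rejected; widen the query only if you really want cross-blog redirects.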