OpenSSO Single Sign-on Plugin for WordPress

less than 1 minute read

Encouraged by a comment on my post about the OpenSSO module for Drupal, and the amount of OpenSSO/Drupal buzz on Twitter, I decided to attack WordPress next. Although WordPress has a very different plugin model from Drupal, I was able to reuse much of the code from the Drupal module and get a basic single sign-on plugin working quite quickly. As with the Drupal module, there are certainly bugs in the WordPress plugin - in particular, I just noticed that, if you log in to OpenSSO as a user without a corresponding WordPress account, you can get into a redirect loop if you try to go to a protected page at WordPress. :-/ As usual, there is a README and source code - also available via CVS, and I’ve added the new provider plugin to the list on the OpenSSO Extensions page. So… That’s two thirds of the Drupal/Joomla/Wordpress CMS trifecta covered… A competent Joomla hacker should be able to take the Drupal/WordPress work and adapt it pretty easily… Anyone want to try while I’m at Catalyst this week?




Hi Pat. Regarding the redirection loop for OpenSSO/wordpress - the same condition exists for the Jira/Confluence plugin (seraph). I suppose the correct behaviour would be to display an error page (customisable)?


Hey, is the PHP Client still under active development? Since more than 2 years nothing happened there. You should think about providing real support for that piece of code.

Pat Patterson

Damien - yes - I think that is the correct behavior. If we have a username from OpenSSO, but there is no corresponding user in the other system we should show an error page and stop the redirect madness :-)

I'm also thinking about how to detect and stop redirect loops in general - for instance, if you misconfigure the OpenSSO cookie name or the DNS domains don't match. I'm thinking about a cookie holding the time we did the redirect. If we try to do another redirect to the OpenSSO login page within (say) 2 seconds of the last one, we're likely in a redirect loop. I'll try this out in the Drupal/WordPress providers and see how it works.

Dennis - the PHP client SDK was a contribution from the community. IIRC, we did the identity services soon after, and no one has really used (or even asked about) the PHP SDK since - not even its author. No users + no mail traffic + no bug reports => no development...

Pat, a redirect within two seconds will not indicate a loop - at least not for us. We have the 'problem' where our backend application is behind sjsws acting as a URL policy enforcement point. In CDSSO mode the first access to that application is the POST of LARES, this post is proxied back to the app, but without the session cookie in the request as that cookie is set on response to the LARES.
Because the backend app requires the session cookie (it uses j2ee agent - though it could be because it uses SDK) it redirects back to login which imediately redirects back as the user is authenticated, this time the session cookie comes through.
I thought there was already an option to stop redirects after a number of redirects - will try find that setting...


The best way to get this plugin to the masses is to upload it to Wordpress` plugin directory
then it also supports easier updating for the users

Leave a Comment

Your email address will not be published. Required fields are marked *