Hi @cgscomputers
Thank you for reaching out!
It’s very well possible that WPO365 redirects a request that was initiated by MainWP Dashboard to install a plugin remotely to a child site to Microsoft. To work-around this, you must know the endpoint that MainWP Dashboard uses in the child site to upload the ZIP file e.g. /wp-json/mainwp/v1 or similar. Once you know the endpoint, you can add the path portion of that endpoint to the “List of pages freed from Authentication” on the plugin’s “Single Sign-on” configuration page.
I had a quick look on their website and noticed that they advise to configure (security related solutions such as firewalls) to allow-list the IP address, but this option is not currently not available for WPO365.
Hope this helps!
-Marco
Hi @wpo365 thanks for responding so quickly. I spoke to the guys at MainWP and with their assistance I was able to come up with an entry on the “pages freed from authentication” section that works. That being said, I wanted to make sure I’m doing this as secure as possible so I wanted to ask an additional question. As it turns out, when installing via ZIP file, the child site reaches back to the MainWP Dashboard site to download the ZIP. When it does so, it reaches back via /wp-admin/admin.php?sig=xxxxx&mwpdl=yyyyy where sig= and mwpdl= will vary with every installation.
As a result, I was able to use an entry for freed pages of “?sig=” which allows the plugins to be installed however, I wanted to know if there is a more strict entry that would work. I couldn’t find anything in your documentation about wildcards or regex being allowed here – I originally tried “?sig=*” and that resulted in failure (regex such as “?sig=.+&mwpdl=.+” also failed).
Hi @cgscomputers
Sorry for my late response. I missed the question at the end!
You can definitely add it as “/wp-admin/admin.php?sig=”. Maybe it is also possible to define a prefix for the sig value that is always the same and then you can at least add that as well. Or you can add all different signatures for all child sites, but obviously that is depending on the number of child sites.
Hope this helps!
-Marco
@wpo365 thanks for the reply – right now, the only option that is working is just using “?sig=”. Your suggesting won’t work because the plugin doesn’t allow anything that includes /wp-admin/ in the path (for obvious reasons). I am content with the solution I have for now.
It is possible to use the unique chain – but I have over 40 child sites and that would be a lot of rules to manage & maintain (plus those chains do change occasionally).
The good news is everything is working and I am good to go. Again, thanks for engaging here, I’m making good use of your SSO plugin and am very happy with it.
Thread closed according to user.
