Marco van Wieren
Forum Replies Created
-
Resolved and closing the ticket.
Resolved and closing the ticket.
Hi @janosf
Again, thank you for bringing this to my attention.
Release 42.10 contains the fix (now using phplibsec 3.0.52).
Hope that helps!
Best wishes
-Marco
Hi @janosf
Thank you for this information. I’ll see what can be done as soon as possible and will update this thread.
I am sorry for my late response, but your issue was fixed with release 42.6. Below is the change log item for it.
FIX Resolved an issue that prevented the plugin from redirecting the user back to the URL they intended to navigate to, before WPO365 initialized SSO and sent the user to Microsoft to authenticate. [LOGIN]
Hope that the original service has been restored – but now in a more reliable and secure way with nonce-verification enabled!
Hi
I just released version 42.5. This version fixes the issue created by the combined options of define( ‘WPO_AUTH_SCENARIO’, ‘internet’ ); and Use client-side redirect enabled.
Hope this helps!
-Marco
Hi @gabbsmo and @simonmista
For the sake of clarity, I would like the add the following. When you add the following line to your wp-config.php define( ‘WPO_AUTH_SCENARIO’, ‘internet’ ); then the plugin will try and bail out as soon as a request is not for your WP admin. Version 42.4 fixes this, but the combination with “Use client-side redirect” on the plugin’s “Login / logout” configuration page (causing the user to be redirected to Microsoft using a small JavaScript instead of being redirected by the server) has been overlooked. And as a result – if “Use client-side redirect” is enabled, a user is not redirected to Microsoft but instead ends up at https://<your website>/wpo/sso/start?cb=xyz. To fix this, there are actually 2 options:
- Leave “Use client-side redirect” checked, but instead check the option “Use admin URL to initiate authentication” on the plugin’s “Miscellaneous” configuration page. This is the recommended solution when you need client-side redirection, for example because your website is embedded in Teams or an iframe.
- Uncheck the “Use client-side redirect” option on the plugin’s “Login / logout” configuration page.
Hope this helps you and others alike!
-Marco
Hi @simonmista
I checked the URL that you posted and noticed that I indeed land at the wpo/sso/start?cb=… and that indicates that you didn’t yet disable the option “Use client-side redirect” on the plugin’s “Login / logout” configuration page or that you need to clear all server caches. Please ensure that this specific option is disabled (when you’re not embedding the WordPress site in Teams or an iframe), clear all server caches and test again.
Hope that helps!
Thank you @gabbsmo for confirming that it works when you disable the use of the client-side redirect. When you don’t need Teams or iframe support, then you’re anyway better of with it. The plugin’s Self-test would have also highlighted this. I will – however – look into re-enabling support for the combination of defining WPO_AUTH_SCENARIO in a wp-config.php and client-side redirection.
Again, thanks and let me know if anything comes up!
Yes, that is correct – I see that as well – but didn’t pay any attention to it. It must be a side effect of the inclusion of the latest version of the Teams SDK in pintra-redirect.js. If you’re not using the Teams integration and you don’t load the WordPress site inside an iframe, then try and uncheck the option “Use client-side redirect” on the plugin’s “Login / logout” configuration page.
Hope that helps!
Hi @gabbsmo
Are you using the Teams integration? If you do not use the site in a Microsoft Teams App or Tab (or in an iframe), then please try and uncheck the option “Use client-side redirect” on the plugin’s “Login / logout” configuration page, clear all server caches and test again.
Hope this helps!
- This reply was modified 2 weeks, 1 day ago by Marco van Wieren.
Thank you for bringing this to my attention. I have reviewed the code and it has been fixed with release 42.4, where this specific portion of the plugin has been refactored to resolved an issue that could prevent Single Sign-On from starting when the request URL was altered by plugins, reverse proxies, or subdirectory setups.
Hope this helps!
-Marco
Hi @gabbsmo
I have just now released version 42.4. I reviewed the current detection and realized that are also other scenarios where the detection will fail. I have updated the detection to “must end with”, which should also be able to work-around the URL changed by WPML – for example when it adds /en/.
Thank you again for bringing this to my attention!
-Marco
Hi @gabbsmo
I am also looking at a different but similar issue. I guess the problem may be that the plugin is comparing the home URL + the custom sso-start endpoint (being wpo/sso/start). If WPML is also adding a rewrite rule, then things are getting a bit messy of course.
I will look into this issue now and let you know my findings and next step.
Thank you for your patience!
Hi @simonmista and @gabbsmo
You’re absolutely right. The last update ignored the custom authentication scenario WPO_AUTH_SCENARIO. I have just released version 43.3. This release should resolve this issue.
Thank you for making me aware of this and I am sorry for any inconvenience!
-Marco