Single sign on (SSO) for a custom domain site, where the admin panel is on an SSL-secured subdomain. For WordPress Multisite.
| Author: | Peter Upfold (profile at wordpress.org) |
| WordPress version required: | 3.3.1 |
| WordPress version tested: | 3.3.2 |
| Plugin version: | 1.0 |
| Added to WordPress repository: | 07-03-2012 |
| Last updated: | 07-03-2012
Warning! This plugin has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
|
| Rating, %: | 0 |
| Rated by: | 0 |
| Plugin URI: | http://www.vanpattenmedia.com/ |
| Total downloads: | 1 514 |
| Active installs: | 10+ |
 Click to start download |
|
Designed to be run in concert with SSL Subdomain for Multisite.
This plugin depends upon WPMU Domain Mapping, which must be installed and network activated for this to work.
What this Plugin does
If you have the SSL Subdomain for Multisite plugin installed and network activated, you now have logins and admin happening on https://demo-site.mynetwork.com, while normal site access is on http://demo-site.com.
This works great. Except, once you log in to demo-site.mynetwork.com to do some admin work, then visit the main site, perhaps to post a comment as a logged in WordPress user, you are not logged in on the main site. This means that you can’t, for example, post that comment while logged in — you aren’t logged in there! Other logged-in niceties like the display of the admin bar, or the avoidance of caching, are not available. If you log in again, it logs you in to https://demo-site.mynetwork.com but still you remain not logged in on http://demo-site.com.
This plugin solves this problem by enabling a single sign on (SSO) for both the admin panel and the main site on the custom domain. Upon login, this plugin bounces the user across to the main site to set a cookie there, then bounces them back to the admin panel.
Now, you can work in the admin panel normally, and if you click ‘Visit Site’ from the Admin panel, you go over to the custom domain, where you are also logged in and can perform all actions as normal. Single Sign On!
(Foolish) Assumptions
-
You are using WPMU Domain Mapping for custom domains on your Multisite network.
-
You have SSL configured for your master domain (e.g.
www.mynetwork.com), and for the wildcard*.mynetwork.com. You would like normal site access to happen over the custom domains with HTTP, and all admin and login access over the subdomains of*.mynetwork.comwith HTTPS. -
You have the
FORCE_SSL_LOGINsetting inwp-config.phpON. -
You have the
FORCE_SSL_ADMINsetting inwp-config.phpOFF. We’ll handle that — WordPress’ forcing of SSL admins may confuse this plugin.
This plugin was tested with and is intended to be used in concert with SSL Subdomain for Multisite.
Known Issues
- The
redirect_toparameter is not fully working at present. Sometimes, you will be sent to the root admin page, instead of the specific page you were trying to access. This needs to be improved, as it does compromise the user experience. -
This provides better security than only enabling
FORCE_SSL_LOGINbut notFORCE_SSL_ADMIN, since with this plugin and SSL Subdomain for Multisite, login and admin are served over HTTPS.However, the nature of this setup means that a man-in-the-middle attacker could theoretically impersonate you for the duration of the login session. It is not possible at the moment to avoid this theoretical attack scenario without serving everything over HTTPS (making arbitrary custom domain support impossible), or preventing login to the actual custom domain site.
ChangeLog