
Shibboleth Protected Site Problem

Symptoms

You want your entire WordPress site to require a Shibboleth login, regardless of whether or not the user logs in to WordPress itself. You have put rules like these in the top-level .htaccess file on your server:

AuthType shibboleth
ShibRequestSetting requireSession true
require shib-session

This will appear to work, but you will probably notice that during repeated page loads the site sometimes sends you back to the IdP for a new login. Since you still have an IdP session, it just bounces back to WordPress and usually works. Eventually, though, you may find your cookie list full of stale login cookies. This is especially likely if you are using the MARs plugin and logging in to /wp-admin/ on the site. Caching or link-checking plugins may also have trouble loading the site's pages.

What seems to be happening is this: while processing some page loads, WordPress makes HTTP calls back to itself. In the web server logs these show up as page requests coming from the web server's own IP address, and you will see those internal hits being redirected to the IdP to log in. That is, WordPress's built-in HTTP client has no Shibboleth session, and because the entire site requires one, the SP sends that client to the IdP. This somehow confuses Apache and causes it to replace the session cookie in your browser, effectively logging you out of your SP session.

Fix

To solve this problem, make an exception in your .htaccess file so that these internal WordPress hits bypass the Shibboleth login requirement. You need to know the IP address or range of your web server(s) to put into the file. In this example the site was running on 152.1.227.72, one of our cPanel web servers.

Replace the simple .htaccess rules above with a block like this:

<RequireAny>
  # allow wp to call itself on web12cp without shib
  Require ip 152.1.227.72

  # Everyone else needs shib
  AuthType shibboleth
  ShibRequestSetting requireSession true
  require shib-session
</RequireAny>

With that in place, you should be able to use the site without repeated logins. You should also see that hits coming from the web server IP addresses complete with 200 replies instead of 302 redirects.
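To spot the loopback problem in the logs (the redirected self-requests described under Symptoms) and to confirm the fix (server-IP hits answering 200 rather than 302), the following script is an added example; it is not code from this page, from WordPress or from the Shibboleth SP. It assumes the Apache "combined" log format, uses the web server IP from the page, and embeds a constructed sample log rather than real traffic; the /Shibboleth.sso/Login handler path in the sample is the SP default and is an assumption about your installation.

```shell
#!/bin/sh
# Added example, not code from the NC State page: scan an Apache access log
# for WordPress loopback requests (hits from the web server's own IP) and
# report whether they completed (200) or were bounced toward the IdP (302).
# Assumes the Apache "combined" log format: client IP in field 1, request
# path in field 7, HTTP status in field 9.

# Constructed sample log, not real traffic. 152.1.227.72 is the web server
# IP from the page; 10.0.0.5 is a made-up browser client. The first two
# lines show the symptom (wp-cron loopback sent to the SP login handler),
# the fourth shows the same loopback completing once the exception is in.
SAMPLE_LOG=$(cat <<'EOF'
152.1.227.72 - - [01/Jan/2024:10:00:01 -0500] "POST /wp-cron.php?doing_wp_cron HTTP/1.1" 302 521 "-" "WordPress/6.4; https://example.ncsu.edu"
152.1.227.72 - - [01/Jan/2024:10:00:01 -0500] "GET /Shibboleth.sso/Login?target=https%3A%2F%2Fexample.ncsu.edu%2Fwp-cron.php HTTP/1.1" 302 0 "-" "WordPress/6.4; https://example.ncsu.edu"
10.0.0.5 - - [01/Jan/2024:10:00:02 -0500] "GET /wp-admin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
152.1.227.72 - - [01/Jan/2024:10:05:00 -0500] "POST /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/6.4; https://example.ncsu.edu"
10.0.0.5 - - [01/Jan/2024:10:05:03 -0500] "GET /some-page/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
)

# Number of log lines from IP $1 with HTTP status $2. Reads the log on stdin.
count_status_from_ip() {
    awk -v ip="$1" -v st="$2" '$1 == ip && $9 == st { n++ } END { print n + 0 }'
}

# Request paths from IP $1 that were answered with a 302. With the whole site
# behind Shibboleth these are the loopback calls being sent off to log in;
# the list tells you which WordPress endpoints are affected. Reads stdin.
list_loopback_redirects() {
    awk -v ip="$1" '$1 == ip && $9 == 302 { print $7 }'
}

# "ok" when no hit from IP $1 was redirected, "broken" when at least one
# was. Run this after applying the Require ip exception. Reads stdin.
loopback_verdict() {
    if [ "$(count_status_from_ip "$1" 302)" -eq 0 ]; then
        echo ok
    else
        echo broken
    fi
}

# Stand-alone run against the constructed sample. On a real server feed the
# site's access log on stdin instead, for example:
#   loopback_verdict 152.1.227.72 < /path/to/access_log
printf '%s\n' "$SAMPLE_LOG" | list_loopback_redirects 152.1.227.72
printf '%s\n' "$SAMPLE_LOG" | loopback_verdict 152.1.227.72
```

Browser clients (10.0.0.5 in the sample) are expected to get 302s when they first arrive without a session, so the verdict deliberately looks only at the web server's own IP; a 302 from that address is the loopback being bounced, which is exactly what the Require ip exception is meant to stop.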