Add setting to force all site visitors to login via AAD

Settings.php

@@ -79,6 +79,14 @@ class AADSSO_Settings {
 	*/
 	public $enable_auto_forward_to_aad = false;
 
+	/**
+	* Indicates if all visitors are forced to AAD for login, preventing anyone who is not signed in
+	* from accessing the site. Can be overridden with 'aad_force_login' filter.
+	*
+	* @var boolean Whether or not to force AAD sign-in for all visitors
+	*/
+	public $enable_force_aad_login = false;
+
 	/**
 	 * @var boolean Whether or not to use AAD group memberships to set WordPress roles.
 	 */
@@ -157,6 +165,7 @@ public static function get_defaults( $key = null ) {
 			'enable_auto_provisioning' => false,
 			'match_on_upn_alias' => false,
 			'enable_auto_forward_to_aad' => false,
+			'enable_force_aad_login' => false,
 			'enable_aad_group_to_wp_role' => false,
 			'redirect_uri' => wp_login_url(),
 			'logout_redirect_uri' => wp_login_url(),

SettingsPage.php

@@ -281,6 +281,14 @@ public function register_settings() {
 			'aadsso_settings_general' // section
 		);
 
+		add_settings_field(
+			'enable_force_aad_login', // id
+			__( 'Force all visitors to login via Azure AD', 'aad-sso-wordpress' ), // title
+			array( $this, 'enable_force_aad_login_callback' ), // callback
+			'aadsso_settings_page', // page
+			'aadsso_settings_general' // section
+		);
+
 		add_settings_field(
 			'enable_aad_group_to_wp_role', // id
 			__( 'Enable Azure AD group to WP role association', 'aad-sso-wordpress' ), // title
@@ -372,6 +380,7 @@ public function sanitize_settings( $input ) {
 		$boolean_settings = array(
 			'enable_auto_provisioning',
 			'enable_auto_forward_to_aad',
+			'enable_force_aad_login',
 			'enable_aad_group_to_wp_role',
 			'match_on_upn_alias',
 		);
@@ -617,6 +626,17 @@ public function enable_auto_forward_to_aad_callback() {
 		);
 	}
 
+	/**
+	 * Renders the `enable_force_aad_login` checkbox control.
+	 */
+	public function enable_force_aad_login_callback() {
+		$this->render_checkbox_field(
+			'enable_force_aad_login',
+			__( 'Force all site visitors to sign in via Azure AD.',
+				'aad-sso-wordpress')
+		);
+	}
+
 	/**
 	 * Renders the `enable_aad_group_to_wp_role` checkbox control.
 	 */

aad-sso-wordpress.php

@@ -83,6 +83,9 @@ public function __construct( $settings ) {
 		// If configured, bypass the login form and redirect straight to AAD
 		add_action( 'login_init', array( $this, 'save_redirect_and_maybe_bypass_login' ), 20 );
 
+		// If configured, force all visitors to login via AAD
+		add_action( 'init', array( $this, 'save_redirect_and_force_login' ), 20 );
+
 		// Redirect user back to original location
 		add_filter( 'login_redirect', array( $this, 'redirect_after_login' ), 20, 3 );
 
@@ -142,6 +145,39 @@ public static function get_instance( $settings ) {
 		return self::$instance;
 	}
 
+	/**
+	 * Based on settings and current page, force visitor to login via AAD.
+	 */
+	public function save_redirect_and_force_login() {
+
+		$this->register_session();
+
+		$current_url = home_url( add_query_arg( null, null ) );
+
+		$bypass = apply_filters(
+			'aad_force_login',
+			$this->settings->enable_force_aad_login
+		);
+
+		/*
+		 * If the user is attempting to log out AND the auto-forward to AAD
+		 * login is set then we need to ensure we do not auto-forward the user and get
+		 * them stuck in an infinite logout loop.
+		 */
+		if( ! is_user_logged_in() ) {
+
+			// Save the requested URL to session
+			if( ! isset( $_SESSION['aadsso_redirect_to'] ) ) {
+				$_SESSION['aadsso_redirect_to'] = $current_url;
+			}
+
+			if ( $bypass && ! isset( $_GET['code'] ) ) {
+				wp_redirect( $this->get_login_url() );
+				die();
+			}
+		}
+	}
+
 	/**
 	 * Based on settings and current page, bypasses the login form and forwards straight to AAD.
 	 */