On multisite, wp-simple-saml doesn't apply the validation/sanitisation rules in `wpmu_validate_user_signup()`, which can lead to it creating usernames which WordPress doesn't treat as valid. These rules are different to (and on top of) the regular `sanitize_user()` rules.

Notably, on multisite, there are a variety of additional rules that apply (for boring historical reasons related to WPMU and DNS restrictions):
- Usernames must be lowercase alphanumeric (although `strtolower()` is applied automatically); this means the following characters are not valid in multisite although they are in single site:
  - Hyphens (`-`)
  - Dots (`.`)
  - Spaces (` `)
  - At-characters (`@`)
- Usernames must be at least 4 characters
- Usernames cannot be on the illegal names list (e.g. `web`, `www`, `administrator`, etc) - these are set in a network option (`illegal_names`)
- Usernames can't be all-numeric
- Emails may be restricted to a single domain
A few of these rules would probably break SSO in some contexts, so we might need to consider whether these rules should be relaxed across the board? Consistency would be good though.
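As an added illustration (not code from wp-simple-saml or WordPress), the following Python models the multisite rules listed above so the failure modes can be checked offline before a SAML-derived username ever reaches user creation. The illegal-names set and the allowed email domain are constructed sample values standing in for the `illegal_names` and `limited_email_domains` network options; the exact WordPress error messages are not reproduced, and `saml_username_candidate()` is a hypothetical helper showing one way to derive a multisite-compatible candidate from a NameID that would otherwise fail (for example an email address, which contains `.` and `@`).

```python
import re

# Constructed sample stand-in for the illegal_names network option.
SAMPLE_ILLEGAL_NAMES = {"www", "web", "root", "admin", "administrator", "main", "invite", "files"}

# Constructed sample stand-in for the limited_email_domains network option.
SAMPLE_ALLOWED_EMAIL_DOMAINS = {"example.org"}

MIN_USERNAME_LENGTH = 4


def multisite_username_errors(username, illegal_names=SAMPLE_ILLEGAL_NAMES):
    """Return the list of multisite rules a username violates (empty list = acceptable).

    Models the rules from the issue: lowercase alphanumeric only (after strtolower),
    not on the illegal names list, at least 4 characters, and not all-numeric.
    """
    errors = []
    # strtolower() is applied automatically, so case alone is never the problem.
    name = username.strip().lower()

    # Only a-z and 0-9 survive on multisite; hyphens, dots, spaces and '@' all fail here.
    if not re.fullmatch(r"[a-z0-9]+", name):
        errors.append("only lowercase letters and digits are allowed")

    if name in illegal_names:
        errors.append("name is on the illegal_names list")

    if len(name) < MIN_USERNAME_LENGTH:
        errors.append("must be at least 4 characters")

    # isdigit() is False for the empty string, so an empty name is only caught by the regex.
    if name.isdigit():
        errors.append("must not be all-numeric")

    return errors


def email_domain_errors(email, allowed_domains=SAMPLE_ALLOWED_EMAIL_DOMAINS):
    """Return errors for an email whose domain is outside the network's allowed set."""
    if "@" not in email:
        return ["not an email address"]
    domain = email.rsplit("@", 1)[1].lower()
    if allowed_domains and domain not in allowed_domains:
        return ["email domain is not permitted on this network"]
    return []


def saml_username_candidate(name_id):
    """Hypothetical helper: derive a multisite-shaped candidate from a SAML NameID.

    Keeps the local part of an email-style NameID, lowercases it and drops every
    character outside a-z0-9. The caller must still run multisite_username_errors()
    on the result, since stripping can produce a short, numeric or illegal name.
    """
    local_part = name_id.split("@", 1)[0]
    return re.sub(r"[^a-z0-9]", "", local_part.lower())


if __name__ == "__main__":
    for sample in ["janedoe", "Jane.Doe", "www", "12345", "ab"]:
        print(sample, "->", multisite_username_errors(sample))
    print(saml_username_candidate("Jane.Doe@example.org"))
```

Running the sample loop shows which of the issue's rules each name trips: `Jane.Doe` fails only on the dot, `www` fails twice (illegal and too short), and `12345` is the length-valid but all-numeric case that `sanitize_user()` alone would have accepted.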