Allow redirection after SSO login

[SteelWagstaff]

Currently when users login using the generic Pressbooks/WordPress login routine, the user can specify a post-login redirection location in the login URL by appending redirect_to=URL to the login address, e.g. https://mynetwork.url/wp-login.php?redirect_to=https%3A%2F%2Fmynetwork.url%2Fwp-signup.php (takes the user to the book registration page) or https://mynetwork.url/wp-login.php?redirect_to=https%3A%2F%2Fmynetwork.url%2Fwp-admin (takes the user to the Pressbooks dashboard). When a user attempts to use this URL pattern in combination with login via our SSO method, however, no redirection occurs after login (the login URL is sanitized as part of the SSO login routine).

See

pressbooks-saml-sso/inc/class-saml.php

Line 432 in e2c0f30

$redirect_to = filter_input( INPUT_POST, 'RelayState', FILTER_SANITIZE_URL );

+

pressbooks-saml-sso/inc/namespace.php

Line 20 in e2c0f30

function login_url() {

+

pressbooks-saml-sso/inc/class-saml.php

Lines 800 to 811 in e2c0f30

	/**
	* Default behaviour: User is always redirected to the page they signed in from (network homepage or book homepage).
	* To accomplish this we track home_url() in $_SESSION
	* Dev should unset() on success.
	*
	* @param bool $overwrite
	*/
	public function trackHomeUrl( $overwrite = false ) {
	if ( empty( $_SESSION[ self::SIGN_IN_PAGE ] ) || $overwrite ) {
	$_SESSION[ self::SIGN_IN_PAGE ] = home_url();
	}
	}

[SteelWagstaff]

It appears that there's a SAML parameter called RelayState (see https://stackoverflow.com/questions/34350160/what-is-exactly-relaystate-parameter-used-in-sso-ex-saml or http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.1.2.SP-Initiated%20SSO:%20%20Redirect/POST%20Bindings|outline) that we may be able to use to redirect users upon login to desired pages.

[SteelWagstaff]

@connerbw The client who requested this is willing/able to create temporary accounts on their IdP for us to use in testing whenever that would be helpful.

[dac514]

Will work:

• https://integrations.pressbooks.network/portuguese/chapter/dialogo-1/
• https://integrations.pressbooks.network/portuguese/wp-admin/tools.php?page=pb_import

Will not work (will fallback to home url, like it did before)

• https://google.com/

Rules for redirect_to=URL come from:
https://developer.wordpress.org/reference/functions/wp_validate_redirect/

[SteelWagstaff]

Worked as intended. New users were able to redirect to signup.php page and received expected privileges error when attempting to redirect to wp-admin page they don't have access to.