SITE-4575: Update SimpleSAMLphp security requirements to 2.3.7. (#402)

updates the SimpleSAMLphp security requirements to recommend version 2.3.7 as 
the minimum secure version, while maintaining 2.0.0 as the critical security 
threshold for CVE-2023-26881

Author: jazzsequence

.circleci/config.yml

@@ -3,7 +3,15 @@ workflows:
   version: 2
   main:
     jobs:
-      - test-behat
+      - test-behat:
+          name: "Test with SimpleSAMLphp 1.18.0"
+          simplesamlphp_version: "1.18.0"
+      - test-behat:
+          name: "Test with SimpleSAMLphp 2.0.0"
+          simplesamlphp_version: "2.0.0"
+      - test-behat:
+          name: "Test with SimpleSAMLphp 2.4.0"
+          simplesamlphp_version: "2.4.0"
       - test-phpunit:
           name: "Test with PHP 7.4"
           php_version: "7.4"
@@ -16,6 +24,11 @@ workflows:
       - test-phpunit:
           name: "Test with PHP 8.2"
           php_version: "8.2"
+      - behat-cleanup:
+          requires:
+            - "Test with SimpleSAMLphp 1.18.0"
+            - "Test with SimpleSAMLphp 2.0.0"
+            - "Test with SimpleSAMLphp 2.4.0"
   nightly:
     triggers:
       - schedule:
@@ -25,32 +38,57 @@ workflows:
               only:
                 - master
     jobs:
-      - test-behat
+      - test-behat:
+          name: "Test with SimpleSAMLphp 1.18.0"
+          simplesamlphp_version: "1.18.0"
+      - test-behat:
+          name: "Test with SimpleSAMLphp 2.0.0"
+          simplesamlphp_version: "2.0.0"
+      - test-behat:
+          name: "Test with SimpleSAMLphp 2.4.0"
+          simplesamlphp_version: "2.4.0"
+      - behat-cleanup:
+          requires:
+            - "Test with SimpleSAMLphp 1.18.0"
+            - "Test with SimpleSAMLphp 2.0.0"
+            - "Test with SimpleSAMLphp 2.4.0"
 jobs:
   test-behat:
+    parameters:
+      simplesamlphp_version:
+        type: enum
+        enum:
+          - "1.18.0"
+          - "2.0.0"
+          - "2.4.0"
     working_directory: ~/pantheon-systems/wp-saml-auth
-    parallelism: 1
     docker:
     - image: quay.io/pantheon-public/build-tools-ci:8.x-php8.2
     steps:
     - checkout
     - restore_cache:
         keys:
-          - test-behat-dependencies-{{ checksum "composer.json" }}
-    - run: composer install -n --prefer-dist
-    - save_cache:
-        key: test-behat-dependencies-{{ checksum "composer.json" }}
+          - composer-cache-v1-{{ checksum "composer.lock" }}
+          - composer-cache-v1-
+    - run:
+        name: Install Composer dependencies
+        command: composer install -n --prefer-dist
+    - save_cache: # Save composer's internal cache
+        key: composer-cache-v1-{{ checksum "composer.lock" }}
         paths:
           - vendor
     - run: echo $(openssl rand -hex 8) > /tmp/WORDPRESS_ADMIN_PASSWORD
-    - run: |
-        echo 'export TERMINUS_ENV=ci-$CIRCLE_BUILD_NUM' >> $BASH_ENV
-        echo 'export TERMINUS_SITE=wp-saml-auth' >> $BASH_ENV
-        echo 'export SITE_ENV=wp-saml-auth.ci-$CIRCLE_BUILD_NUM' >> $BASH_ENV
-        echo 'export WORDPRESS_ADMIN_USERNAME=pantheon' >> $BASH_ENV
-        echo 'export WORDPRESS_ADMIN_EMAIL=no-reply@getpantheon.com' >> $BASH_ENV
-        echo 'export WORDPRESS_ADMIN_PASSWORD=$(cat /tmp/WORDPRESS_ADMIN_PASSWORD)' >> $BASH_ENV
-        source $BASH_ENV
+    - run:
+        name: Set environment variables
+        command: |
+          echo 'export TERMINUS_ENV=ci-$CIRCLE_BUILD_NUM' >> $BASH_ENV
+          echo 'export TERMINUS_SITE=wp-saml-auth' >> $BASH_ENV
+          echo 'export SITE_ENV=wp-saml-auth.ci-$CIRCLE_BUILD_NUM' >> $BASH_ENV
+          echo 'export WORDPRESS_ADMIN_USERNAME=pantheon' >> $BASH_ENV
+          echo 'export WORDPRESS_ADMIN_EMAIL=no-reply@getpantheon.com' >> $BASH_ENV
+          echo 'export WORDPRESS_ADMIN_PASSWORD=$(cat /tmp/WORDPRESS_ADMIN_PASSWORD)' >> $BASH_ENV
+          echo 'export SIMPLESAMLPHP_VERSION="<< parameters.simplesamlphp_version >>"' >> $BASH_ENV
+          source $BASH_ENV
     - run: echo "StrictHostKeyChecking no" >> "$HOME/.ssh/config"
     - run: |
         if [ -z "$GITHUB_TOKEN" ]; then
@@ -67,12 +105,62 @@ jobs:
           exit 0
         fi
         terminus auth:login --machine-token=$TERMINUS_TOKEN
-    - run: ./bin/validate-fixture-version.sh
-    - run: ./bin/behat-prepare.sh
-    - run: ./bin/behat-test.sh --strict
     - run:
-        command: ./bin/behat-cleanup.sh
-        when: always
+        name: Save environment name for cleanup
+        command: |
+          echo "wp-saml-auth.ci-$CIRCLE_BUILD_NUM" > "/tmp/site_env_<< parameters.simplesamlphp_version >>.txt"
+    - persist_to_workspace:
+        root: /tmp
+        paths:
+          - "site_env_<< parameters.simplesamlphp_version >>.txt"
+    - run:
+        name: Validate fixture version
+        command: ./bin/validate-fixture-version.sh
+    - run:
+        name: Prepare and run Behat tests
+        command: |
+          set -e
+          source $BASH_ENV
+
+          # Prepare fixture environment for tests.
+          if [ << parameters.simplesamlphp_version >> != '1.18.0' ]; then
+            ./bin/behat-prepare.sh
+          else
+            ./bin/1.18/behat-prepare-simplesaml1.18.0.sh
+          fi
+
+          echo ""
+          echo "=========================================================================="
+          echo "Running Behat on https://${TERMINUS_ENV}-${TERMINUS_SITE}.pantheonsite.io/wp-login.php"
+          echo "with SimpleSAMLphp version $SIMPLESAMLPHP_VERSION"
+          echo "=========================================================================="
+          echo ""
+          ./bin/behat-test.sh --strict
+  behat-cleanup:
+    docker:
+      - image: quay.io/pantheon-public/build-tools-ci:8.x-php8.2
+    working_directory: ~/pantheon-systems/wp-saml-auth
+    steps:
+      - attach_workspace:
+          workspace: ~/workspace
+          at: /tmp/behat-envs
+      - checkout
+      - run:
+          name: Set environment variables
+          command: |
+            echo 'export TERMINUS_SITE=wp-saml-auth' >> $BASH_ENV
+            echo 'export TERMINUS_ENV=ci-$CIRCLE_BUILD_NUM' >> $BASH_ENV
+            echo 'export SITE_ENV=wp-saml-auth.ci-$CIRCLE_BUILD_NUM' >> $BASH_ENV
+            source $BASH_ENV
+      - run: |
+          if [ -z "$TERMINUS_TOKEN" ]; then
+            echo "TERMINUS_TOKEN environment variables missing; assuming unauthenticated build"
+            exit 0
+          fi
+          terminus auth:login --machine-token=$TERMINUS_TOKEN
+      - run:
+          name: Run Cleanup Script
+          command: ./bin/behat-cleanup.sh
   test-phpunit:
     parameters:
       php_version:
@@ -94,7 +182,10 @@ jobs:
       - restore_cache:
           keys:
             - test-phpunit-dependencies-{{ checksum "composer.json" }}
-      - run: composer update && composer install -n --prefer-dist
+      - run: |
+          composer update
+          composer install -n --prefer-dist
+          chmod +x bin/*.sh
       - save_cache:
           key: test-phpunit-dependencies-{{ checksum "composer.json" }}
           paths:
@@ -110,12 +201,11 @@ jobs:
             sudo docker-php-ext-enable imagick
             sudo docker-php-ext-install mysqli
             sudo apt-get install mariadb-client
+            curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
+            chmod +x wp-cli.phar
+            sudo mv wp-cli.phar /usr/local/bin/wp
       - run:
           name: "Run Tests"
           command: |
-            bash bin/install-wp-tests.sh wordpress_test root '' 127.0.0.1 latest
-            composer phpunit
-            WP_MULTISITE=1 composer phpunit
-            rm -rf $WP_TESTS_DIR $WP_CORE_DIR
-            bash bin/install-wp-tests.sh wordpress_test root '' 127.0.0.1 nightly true
+            composer test:install:withdb
             composer phpunit

.github/workflows/lint-test.yml

@@ -29,3 +29,13 @@ jobs:
         run: |
           composer install
           composer lint
+  shellcheck:
+    name: ShellCheck
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Run ShellCheck
+        run: |
+          shellcheck --version
+          shellcheck bin/*.sh

.gitignore

@@ -3,3 +3,10 @@ wp-cli.local.yml
 /node_modules/
 /simplesamlphp/
 /vendor/
+
+# PHPUnit Helpers
+bin/helpers.sh
+bin/install-wp-tests.sh
+bin/install-local-tests.sh
+bin/phpunit-test.sh
+.phpunit*

README.md

@@ -1,10 +1,10 @@
 # WP SAML Auth #
-**Contributors:** [getpantheon](https://profiles.wordpress.org/getpantheon/), [danielbachhuber](https://profiles.wordpress.org/danielbachhuber/), [outlandish-josh](https://profiles.wordpress.org/outlandish-josh/), [jazzs3quence](https://profiles.wordpress.org/jazzs3quence/)  
+**Contributors:** [getpantheon](https://profiles.wordpress.org/getpantheon/), [danielbachhuber](https://profiles.wordpress.org/danielbachhuber/), [outlandish-josh](https://profiles.wordpress.org/outlandish-josh/), [jazzs3quence](https://profiles.wordpress.org/jazzs3quence/), [lcatlett](https://profiles.wordpress.org/lcatlett/)  
 **Tags:** authentication, SAML  
-**Requires at least:** 4.4  
-**Tested up to:** 6.3  
+**Requires at least:** 6.4  
+**Tested up to:** 6.8.1  
 **Requires PHP:** 7.3  
-**Stable tag:** 2.1.5-dev  
+**Stable tag:** 2.2.0-dev  
 **License:** GPLv2 or later  
 **License URI:** http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -40,6 +40,8 @@ If you're connecting directly to an existing IdP, you should use the bundled One
 
 If you have more complex authentication needs, then you can also use a SimpleSAMLphp installation running in the same environment. These settings are not configurable through the WordPress backend; they'll need to be defined with a filter. And, if you have a filter in place, the WordPress backend settings will be removed.
 
+**Note:** A security vulnerability was found in SimpleSAMLphp versions 2.0.0 and below. It is highly recommended if you are using SimpleSAMLphp with WP SAML Auth that you update your SimpleSAMLphp library to 2.4.0 or above. (See [CVE-2025-27773](https://nvd.nist.gov/vuln/detail/CVE-2025-27773) and [The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect bindings](https://github.com/advisories/GHSA-46r4-f8gj-xg56) for more information.)
+
 Additional explanation of each setting can be found in the code snippet below.
 
 To install SimpleSAMLphp locally for testing purposes, the [Identity Provider QuickStart](https://simplesamlphp.org/docs/stable/simplesamlphp-idp) is a good place to start. On Pantheon, the SimpleSAMLphp web directory needs to be symlinked to `~/code/simplesaml` to be properly handled by Nginx. [Read the docs](https://pantheon.io/docs/shibboleth-sso/) for more details about configuring SimpleSAMLphp on Pantheon.
@@ -201,6 +203,28 @@ If you need to adapt authentication behavior based on the SAML response, you can
         return $ret;
     }, 10, 2 );
 
+If you have installed SimpleSAMLphp to a non-default path, you can set that path via the `wp_saml_auth_simplesamlphp_path_array` filter. By default, it is assumed that SimpleSAMLphp is installed into one of the following paths:
+* `ABSPATH . 'simplesaml'`
+* `ABSPATH . 'private/simplesamlphp'`
+* `ABSPATH . 'simplesamlphp'`
+
+```php
+add_filter( 'wp_saml_auth_simplesamlphp_path_array', function( $simplesamlphp_path_array ) {
+    // Override default paths with a defined path.
+    return [ ABSPATH . 'path/to/simplesamlphp' ];
+}
+```
+
+You can also define an explicit path to the SimpleSAMLphp autoloader file (defaults to the `lib/_autoload.php` file under the SimpleSAMLphp path) with the `wp_saml_auth_ssp_autoloader` filter.
+
+```php
+add_filter( 'wp_saml_auth_ssp_autoloader', function( $ssp_autoloader ) {
+    if ( ! file_exists( $ssp_autoloader ) ) {
+        return ABSPATH . 'path/to/simplesamlphp/autoload.php';
+    }
+}
+```
+
 ## WP-CLI Commands ##
 
 This plugin implements a variety of [WP-CLI](https://wp-cli.org) commands. All commands are grouped into the `wp saml-auth` namespace.
@@ -233,6 +257,16 @@ See [CONTRIBUTING.md](https://github.com/pantheon-systems/wp-saml-auth/blob/mast
 ### Reporting Security Bugs
 Please report security bugs found in the WP SAML Auth plugin's source code through the [Patchstack Vulnerability Disclosure Program](https://patchstack.com/database/vdp/wp-saml-auth). The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin.
 
+## Security Requirements
+
+### SimpleSAMLphp Version
+
+If you're using the SimpleSAMLphp connection type:
+- **Critical Security Requirement:** Version 2.0.0 or later is required to fix CVE-2023-26881 (XML signature validation bypass vulnerability).
+- **Recommended Security Requirement:** Version 2.3.7 or later is recommended for additional security fixes.
+- Authentication will be blocked for versions below 2.0.0 when "Enforce Security Requirements" is enabled.
+- It's always recommended to use the latest stable version of SimpleSAMLphp for security and compatibility.
+
 ## Frequently Asked Questions ##
 
 ### Can I update an existing WordPress user's data when they log back in? ###
@@ -272,13 +306,20 @@ There is no third step. Because SimpleSAMLphp loads WordPress, which has WP Nati
 
 ## Upgrade Notice ##
 
+### 2.2.0 ###
+WP SAML Auth 2.2.0 requires WordPress version 6.4 or later.
+
+SimpleSAMLphp recommended version is 2.3.7 or later for `simplesamlphp` SAML authentication type. With "Enforce Security Requirements" enabled, SimpleSAMLphp versions below 2.0.0 will be blocked. 2.0.0 or later is required to fix CVE-2023-26881 (XML signature validation bypass vulnerability).
+
 ### 2.0.0 ###
 Minimum supported PHP version is 7.3.
 
 ## Changelog ##
 
-### 2.1.5-dev ###
+### 2.2.0-dev ###
 * Add a hook to modify returned attributes. [[#379](https://github.com/pantheon-systems/wp-saml-auth/pull/379/)] (props @anthonybaxter-uwu)
+* Updates [`onelogin/php-saml`](https://github.com/SAML-Toolkits/php-saml) to 4.2.0. [[#402](https://github.com/pantheon-systems/wp-saml-auth/pull/402/)]
+* Adds warnings and the option to disable SAML when using a vulnerable version of simplesamlphp [[#402](https://github.com/pantheon-systems/wp-saml-auth/pull/402/)]
 
 ### 2.1.4 (November 27, 2023) ###
 * Fix typo in the label for the certificate path [[#352](https://github.com/pantheon-systems/wp-saml-auth/pull/352)]

bin/1.18/1-adminnotice.feature

@@ -0,0 +1,13 @@
+Feature: Admin Notice for SimpleSAMLphp 1.18 Vulnerability
+  In order to ensure administrators are aware of critical security issues
+  As a site administrator
+  I need to see an admin notice regarding the SimpleSAMLphp vulnerability
+
+  Scenario: Admin user sees the SimpleSAMLphp vulnerability notice
+    Given I log in as an admin
+    Then I should be on "/wp-admin/"
+    And I should see "Security Alert:" in the "div.notice.notice-error[data-slug='wp-saml-auth'][data-type='simplesamlphp-critical-vulnerability']" element
+    And I should see "The SimpleSAMLphp version used by the WP SAML Auth plugin (1.18.4) has a critical security vulnerability (CVE-2023-26881). Please update to version 2.0.0 or later. Learn more." in the "div.notice.notice-error[data-slug='wp-saml-auth'][data-type='simplesamlphp-critical-vulnerability'] p" element
+    And I go to "/wp-admin/options-general.php"
+    Then I should see "Security Alert:" in the "div.notice.notice-error[data-slug='wp-saml-auth'][data-type='simplesamlphp-critical-vulnerability']" element
+    And I should see "The SimpleSAMLphp version used by the WP SAML Auth plugin (1.18.4) has a critical security vulnerability (CVE-2023-26881)" in the "div.notice.notice-error[data-slug='wp-saml-auth'] p" element