Single Sign On with domain mapping +/- multi-domains

Hi,

So I've been going round in circles for a couple of days trying to work this out. I have a multisite network and I'm trying to allow users of all sites in the network to have single sign on to all other sites (i.e. if you are logged in to one site, you are logged into all of them).

I am using both mapped domains and multidomain subdomains for my sites. Mapped domains and multi-domain plugins seem to handle SSO differently. In multidomains there is simply an 'on/off' SSO button, for mapped there is an option for 'cross domain auto-login', which may be loaded asynchronously if option is selected.

Unfortunately, only some of the sites on the network seem to allow SSO. It doesn't seem to be related to the theme used or other plugins - I've tested extensively. I have also tried all combos of SSO options in multidomains and domain mapping but no joy.

If you log in at finalstutor.com, you can also access medrocket.cloud and webapp.finalstutor.com, but not medrocket.net

If you login at webapp.finalstutor.com you can also access medrocket.cloud but no others

If you login at medrocket.net you can also access medrocket.cloud but no others

If you log in at medrocket.cloud you can't access any others.

There must be some kind of pattern here to explain how the cookies are working but I can't figure it out!

Any help to get this working would be hugely appreciated! I've opened my dashboard if it helps.

  • Dimitris

    Hey there Matt,

    hope you're doing good and thanks for reaching us!

    I just accessed your website and I created a new user (dimitriswpmudev) that is assigned to the main domain and all of the remaining subsites as administrator.

    This new user, logging in via main domain, was able to see all of his sites in his admin dashboard, and navigate to these. For accessing dashboard pages, the original domain was being used. I don't know if you were trying with mapped domain instead, you can try to set the "Administration mapping" in the Domain Mapping network settings to "mapped domain" instead and check how that goes.

    As with your own admin user, which is my experience via WPMUDEV support access, I can see that you can navigate everywhere apart from the last subsite where you are not a user. You should first add yourself to that subsite to have access.

    As you may understand, I feel a bit lost here, so please advise what I might be doing wrong here or which web flow to test. :slight_smile:
    Warm regards,
    Dimitris

  • Matt

    Hi Dimitris,

    Thanks for looking at this for me. I fully agree the problem is a little complex. The problem is different in front end and back end.

    In the front end: If you log in to medrocket.cloud as dimitriswpmudev, and then go to medrocket.net, you will not be logged in to medrocket.net in front end. Go to medrocket.net/wp-admin and you will see you have to log in again to get to the admin dashboard.

    Strangely, you are correct that in the back end this doesn't happen. You can navigate freely between MOST sites, regardless of which site you log in through. I say 'most' because you still will not be able to get into webapp.finalstutor.com from the backend (don't confuse with webapp2.finalstutor.com). I've no idea why this happens. In fact, the only way to get onto that site from either the front or back end is to go to finalstutor.com/wp-admin, login and then navigate to webapp.finalstutor.com from there. You can't access it via any other route (even webapp.finalstutor.com/wp-admin will not allow you to log in directly!).

    So very confusing!!

    Thanks again Dimitris

    PS - I changed the password of dimitriswpmudev so that I could test using that account to replicate what you were seeing. If you want to use it again feel free to change the password back.

  • Adam Czajczyk

    Hello Matt,

    I hope you're having a nice day and don't mind me jumping in.

    I checked your site and I think the issue here is a bit different. You've got both Multi-Domains plugin and Domain Mapping plugin enabled on your site and there are the same domains used with both of them.

    This is what should not be happening. For example:

    - the main domain is medrocket.cloud; that's fine
    - there are sub-domains of medrocket.cloud and that's fine also
    - then, there are sub-domains of finalstutor.com which is not an expected scenario.

    Let me explain then.

    The "finalstutor.com" domain is added to Multi-Domains so it can be used to create sub-sites under it as long as it has wild-card DNS configured (make sure that it does please). However, that same "finalstutor.com" domain is mapped to one of the sub-sites and furthermore, a sub-domain of finalstutor.com is mapped to another domain.

    I admit that I'm not 100% sure that this is the issue but I think it is related as domains used with Multi-Domains plugin should not be used as mapped domains and vice versa. That can be causing unexpected behavior of both these plugins.

    Could you try to "unmap" finalstutor.com from finalstutor.medrocket.cloud and webapp2.finalstutor.com from webapp-finalstutor.medrocket.cloud and then see if you are able to access:

    - medrocket.cloud
    - medrocket.net
    - finalstutor.medrocket.cloud
    - webapp.finalstutor.com
    - webapp-finalstutor.medrocket.com

    and if SSO works then?

    You may always map domains back and this test would show if the issue is related here. Let us know about results, please.

    Best regards,
    Adam

  • Matt

    Hi Adam

    Welcome to the party and thanks for your help. I've unmapped finalstutor.com and webapp2.finalstutor.com. Unfortunately it's still not working for SSO though. If you log in to medrocket.cloud you still are not logged into the front end of medrocket.net or webapp.finalstutor.com.

    As an aside, the reason I mapped finalstutor.com was because using multi domains there doesn't seem to be a way to use the top level domain, you can only make sub-domains. So I used domain mapping to allow me to use the top level domain. Is there a better way?

    Thanks again for the help

    PS I have set up wild cards for all the domains as requested and these are now showing as 'available' in the multi domains plugin.

  • Adam Czajczyk

    Hello Matt!

    Thank you for your reply.

    I have checked the site and it seems to be working now nearly as it should:

    1. I have created myself a subscriber-role account on a main site (that's the same as if I registered for the site) and I was able to login to that site but for all other sites I got a "You're not allowed..." message; that is as it should be

    2. Then, using support access - that means being logged in as super-admin, I added my existing account (see above) to other sites and I was logged in to all of them without needing to log in separately; I could access their dashboards without having to log in again;

    The only exception is the webapp.finalstutor.com site which is because it has "natively" assigned a different domain. Domain Mapping SSO will only work with domains that were mapped using Domain Mapping and not those that were mapped using core WP feature (so a "mapped" domain set as Site/WordPress URL in site settings).

    The issue then would be how to make that work. Solution would be to map the domain using Domain Mapping but then that domain shouldn't be used with Multiple-Domains. Multiple-Domains indeed let you only create sub-domains but not use any of added domains as "alternative main domain" so I'm afraid that may require either some custom coded solution (as it's related to "cross-domain cookies" and security "forced" by browsers) or "re-thinking" site's structure.

    If you have any additional/further questions on this, let me know please.

    Best regards,
    Adam
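
The "cross-domain cookies" restriction mentioned in the reply above, as an added example that is not part of the original thread and is not code from either plugin: it applies RFC 6265 domain-matching to hostnames named in this thread to show which of them a single login cookie could ever cover. `PUBLIC_SUFFIXES` is a constructed stand-in for the real Public Suffix List, and all function names are hypothetical.

```javascript
// Constructed stand-in for the Public Suffix List (assumption: only the
// three suffixes that occur in this thread are needed).
const PUBLIC_SUFFIXES = new Set(["com", "net", "cloud"]);

// RFC 6265 section 5.1.3: a host matches a cookie Domain when it is
// identical to it or ends with "." + Domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Widest Domain attribute a browser accepts from this host: the
// registrable domain (one label plus the public suffix), never the suffix.
function widestCookieDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: treat as not shareable
}

// Could a cookie set at loginHost, with the widest allowed Domain,
// be sent by the browser to targetHost?
function cookieCanReach(loginHost, targetHost) {
  const scope = widestCookieDomain(loginHost);
  return scope !== null && domainMatch(targetHost, scope);
}

// For each host, list the other hosts one login cookie could cover.
function reachabilityMatrix(hosts) {
  const out = {};
  for (const from of hosts) {
    out[from] = hosts.filter((to) => to !== from && cookieCanReach(from, to));
  }
  return out;
}

// Hostnames taken from the thread.
const THREAD_HOSTS = [
  "medrocket.cloud", "medrocket.net", "finalstutor.com",
  "webapp.finalstutor.com", "finalstutor.medrocket.cloud",
];
console.log(reachabilityMatrix(THREAD_HOSTS));
```

No cookie set on one registrable domain reaches another, so a login at medrocket.cloud can only carry over to medrocket.net or finalstutor.com if the SSO feature sets a separate cookie on each of those domains.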

  • Matt

    Hi Adam,

    Thanks for the reply. So do I understand correctly that subscriber role cannot use SSO with domain mapping, only admins? I'm sure I have previously managed to do it with subscriber role - which is what I am trying to achieve here.

    Regarding multi domains: What I am trying to achieve is to be able to use finalstutor.com, webapp.finalstutor.com and medrocket.cloud mapped to separate sites, and have SSO for subscriber role. It doesn't really matter how I achieve that in terms of which plugins I use. Would it be better to uninstall multi domains and just use domain mapping plugin? Would that work? Or any other suggestions?

    Thanks again :slight_smile:

  • Dimitris

    Hey there Matt,

    hope you're doing good today! :slight_smile:

    Regarding SSO from Domain Mapping plugin:
    This should work for administrators as well as for subscribers. Adam mentioned above that in order to work properly, the mapped domains you use in your installation should be mapped via Domain Mapping plugin and not using the native WP functionality to map a domain or any other "layer" of mapping like Multi Domains.
    Finally, the user should have an actual subscriber role into a subsite in order to have access to it, that's why Adam should use the admin access to insert his test subscriber user into the rest of the subsites.

    Regarding multi domains:
    It's true that using Domain Mapping plugin you can map mapped-domain.com or/and sub.mapped-domain.com to your subsites.
    I tried that in a test environment of mine with a subfolder installation though, but should work without any issues. Just keep in mind to set the DNS records of those subdomains to point to the IP that main WP installation points, or use the same DocumentRoot folder.

    Hope that was some help, feel free to post back here if more assistance is required here!

    Take care,
    Dimitris

  • Matt

    Hi Both,

    I have completely removed multi-domains but I am still having exactly the same issues as described above. I am now only using Domain Mapping plugin for all domain mapping. I am not using any other plugins and I don't *think* I am using WordPress native mapping functions (I didn't know WordPress could do it to be honest, but I've only used domain mapping plugin anyway). Obviously I have ensured all accounts I am testing with have the same role in all sites.

    Any other ideas?

    Thanks.

  • Dimitris

    Hey there Matt,

    hope you're doing good and I'm sorry for the delayed reply here, it's been quite busy lately in our forums and we try to keep up with every member here! :slight_smile:

    I tried to access your website once more but seems that the support access period has expired (it does automagically after 5 days as a measure of security).
    Could you please re-grant it for us and let us know here in your next reply?
    https://premium.wpmudev.org/docs/getting-started/getting-support/#chapter-4

    Warm regards,
    Dimitris

  • Adam Czajczyk

    Hello Matt!

    Thank you for re-granting access.

    I checked the site again and here's what I have found:

    1. Setup seems fine and should be working fine now, but...
    2. Having a subscriber user account on the main site and all three other sites

    - if I login via main site I can access other sites being already logged in via original URL's
    - I cannot access them (I mean, as logged in user) via mapped domains

    The fact is that I should be logged in but still what bothers me a bit is that even though the login and administration mapping is set to "domain entered by the user" two of these sites (finalstutor.com and webapp.finalstutor.com) still redirect me to the mapped domain.

    The current setup of Domain Mapping is proper in my opinion and while previous configuration (with Multi-Domains) shouldn't work, this one should. I wasn't able to replicate that same behavior on my sandbox though therefore I expect one of two cases here: either it's something specific to this particular install of yours or it's a bug in DM that I just couldn't catch up on my setup because of different configuration/specification.

    I'll need a helping hand from 2nd-line support with this. I have already filed a report for them so it would be great if you could:
    - keep DM configuration for now as it is so they could check it
    - try to keep support access open so they could access the site?

    Best regards,
    Adam

  • Matt

    Hi Adam,

    Thanks again for all your help with this. No problem I will leave everything as it is, and re-open support access when it expires.

    As part of my initial bug testing of this issue I did in fact start again with a fresh install of WP, but I got the same problem.

    We shall wait to see what 2nd-line says. If you need any further details from me please do let me know.

    Thanks again,

    Matt

  • Dimitris

    Hi Adam - it's been a couple of weeks. Any progress on this?

    Hey there Matt,

    hope you're doing good and don't mind chiming in here!

    Please keep in mind that specifically site-specific issues, which aren't reproducible, require some more time from SLS team. I've already pinged them though, to provide some feedback on this.
    Me or another colleague of mine will keep you posted here as soon as possible!
    Your patience here is more than appreciated!

    Take care,
    Dimitris :slight_smile:

  • Dimitris

    Hello Matt,

    hope you're doing good today! :slight_smile:

    Could you please share some server credentials to forward to our devs to have a better look inside?
    As this is public forum, you should send us your details through our safe contact form https://premium.wpmudev.org/contact/#i-have-a-different-question using this template:

    Subject: "Attn: Dimitris"
    - WordPress admin (login url/username/password)
    - FTP credentials (host/username/password)
    - cPanel/Plesk credentials for DB access (host/username/password)
    - link back to this thread for reference
    - any other relevant urls

    Keep in mind the subject line as it ensures that it gets assigned to me.
    If you keep support access granted (it auto-expires after 5 days), there's no need for WP admin account.

    Warm regards,
    Dimitris
