disable login with user/password

[simevo]

dopo il 1 login SPID viene creato l'utente WP; dopodichè l'utente potrà bypassare il login SPID creandosi una password e accedendo col login WP normale ? ma in tal caso ai login successivi non avremmo più la garanzia SPID e gli eventuali attributi non verebbero aggiornati ! sarebbe una cosa da disabilitare ?

[giuliogatto]

Bisogna anche considerare la procedura di Logout oltre al Login: da quello che leggo e capisco della documentazione tecnica, quando si esegue un Logout dalla sessione globale anche la sessione individuale deve essere cancellata.

[Valamiro]

se tento di loggarmi come utente wp (da /wp-admin) e sono un utente spid sarebbe bello se mi venissero chieste nuovamente le credenziali spid...

[michaeltieso]

Would it be better if we gave the WordPress admin the option to disable regular WordPress user/pass? Disabling it by default without being able to change it may not be what all configurations of people using WordPress with this plugin may want.

[giuliogatto]

I think the issue here is the relationship between the 2 user sessions: the Global user session with the IDP and the Individual user session with the Service Provider (framework/cms/standalone).
My understanding from the (technical docs ) is that when the Global user session is closed with a Logout, the Individual user session can still persist.

Therefore, from a Service Provider point of view I suppose we can have 3 possible situations:

1. User is logged out from both the Global Session and the Individual session
2. User is logged with the CMS Individual session but not with the Global session
3. User is logged with both the Individual and Global session

If we implement a logic where a Global login with the IDP always causes a Login with the framework (and register a new user associated with the user email if not already present in the user table) then a fourth possible situation cannot be happening: a situation where the Global session exists but the Individual session doesn't. In other words the SPID login button must always login with the framework/cms too.

There is one corner-case to consider: the situation where a user already logged in with the CMS, executes a Global login with a different email address (from the one he's using in the CMS). In this case the CMS should perform a check and maybe associate the secondary email with the user in a specific user field. (or find another possible solution)

The Service Provider is providing some kind of service at a specific url, so what should be shown at that specific url in those 3 previous situations?

1. The SPID login button
2. The SPID login button
3. The provided service

I think disabling regular WordPress user/pass by default is not what most Service Providers would want, but that could definitively be an option in the Admin settings.

[simevo]

Many installs will have both SPID users (citizens) and non-SPID users (admin, staff...).
There is always at least one non-SPID user, i.e. the admin himself, who will tipically have the non-SPID account that was created during the WP install.
So +1 to have it as an option in the Admin settings.

The conversation in this issue has focused on the title, and not on my 1st comment. I have created a new issue for that: #58.
BTW, this issue is in milestone 0.2, but #58 is in milestone 0.1.

For the time being, if we have no time to address this one, I propose to reenable regular WordPress user/pass.