(The below is copy/pasted from my original post at https://wordpress.org/support/topic/issues-with-multisite-not-provisioning-users-on-all-network-sites/ .)
I’ve used the Shibboleth plugin successfully on hundreds of single WordPress installs, and first off, I’d like to thank everyone who works on it. Y’all are awesome.
We’re exploring implementing multisite, and have created a test network of three sites. The plugin is active at the network level, instead of at the site level (this prevents the owners of individual sites from inadvertently breaking the Shib settings, and should make it easier to add new sites to the network if we wish). I used more-or-less the same settings we use for all our single-site installs, with only a few changes (in particular, making the login URL relative instead of absolute). I’ve enabled the ‘Automatically create accounts’ setting, allowing automatic merging and disallowing manual merging. Our sites’ default role is ‘Subscriber’.
When a new user (one that doesn’t already have an account on the network) visits any site in the network, the account is provisioned as I would expect — the network-level account is created, and the account is granted Subscriber privileges on whatever specific site the user first hit. But when that user visits another site in the network, they are not automatically granted the default role for that site. I’m still trying to narrow down exactly what happens when, but either that user is redirected to /wp-admin/ for their “first” site (the one where their Subscriber account was first provisioned), or the user gets the WordPress screen saying that they don’t have any role on that site (listing the one site where they do have a role).
This feels like a bug. I'd expect a user, visiting other subsites in the network, to be treated like a "new" user for those sites, and to have their user account auto-provisioned for that site and granted the default role. Instead, the new-user code probably doesn't trigger (since strictly speaking the user already does exist), and the user does not get default access to the second/third/etc. subsites.