From 58e3467af2df1522df5d63b3aafac34ff5847a99 Mon Sep 17 00:00:00 2001 From: David Stone Date: Mon, 4 May 2026 14:22:42 -0600 Subject: [PATCH] fix: handle sso param and extract return_url in login page redirect When user is already logged in on main site and visits login page with SSO params, redirect them directly to the subsite with a verification token instead of showing 'already logged in' message. - Check for 'sso' param in addition to 'return_url' - Extract return_url from redirect_to query params if present - Handle WP_Error user object in handle_login_redirect --- inc/sso/class-sso.php | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/inc/sso/class-sso.php b/inc/sso/class-sso.php index 47c2059ed..945ea803e 100644 --- a/inc/sso/class-sso.php +++ b/inc/sso/class-sso.php @@ -645,10 +645,26 @@ public function handle_already_logged_in_on_login_page(): void { return; } - // Check if this is an SSO flow (return_url param present) + // Check if this is an SSO flow (sso param or return_url param present) + $sso_action = $this->input('sso', ''); $return_url = $this->input('return_url', ''); + // Also extract return_url from redirect_to if present if ( empty($return_url) ) { + $redirect_to = $this->input('redirect_to', ''); + if ( $redirect_to ) { + $parsed = wp_parse_url($redirect_to, PHP_URL_QUERY); + if ( $parsed ) { + parse_str($parsed, $query_params); + if ( ! empty($query_params['return_url']) ) { + $return_url = $query_params['return_url']; + } + } + } + } + + // Check for SSO flow - either sso param or return_url pointing to different domain + if ( empty($sso_action) && empty($return_url) ) { return; }