Recently I was confronted with the problem to have multiple user types on a WordPress Blog who needed to be logged in using an external service/authentication mechanism partly. But they all had to use the same login form for the system. A common problem? The WordPress Function Reference and  Codex do not document this topic very well and it took me a lot of time to figure out how to do this best, so I want to keep it for the future and provide it to my blog visitors.

Override the WordPress default login action

Write the following to your functions.php-file:

// this action is executed just before the invocation of the WordPress authentication process
add_action('wp_authenticate','checkTheUserAuthentication');

function checkTheUserAuthentication() {

     $username=$_POST['log'];
     $password=$_POST['pwd'];

    // try to log into the external service or database with username and password
    $ext_auth = try2AuthenticateExternalService($username,$password);

    // if external authentication was successful
    if($ext_auth) {

         // find a way to get the user id
         $user_id = username_exists($username);
         // userdata will contain all information about the user
         $userdata = get_userdata($user_id);
         $user = set_current_user($user_id,$username);

         // this will actually make the user authenticated as soon as the cookie is in the browser
         wp_set_auth_cookie($user_id);
         // the wp_login action is used by a lot of plugins, just decide if you need it
        do_action('wp_login',$userdata->ID);

        // you can redirect the authenticated user to the "logged-in-page", define('MY_PROFILE_PAGE',1); f.e. first
        header("Location:".get_page_link(MY_PROFILE_PAGE));
    }

}

Note that this script will login your useres totally without using their passwords, so use it carefully.

If you experience any problems with this way of authentication, make sure that the Cookies in the Browser are set and sent properly – make sure that setcookie() in wp-includes/pluggable.php uses all parameters of the setcookie()-function correctly. Especially check the values for COOKIE_DOMAIN, COOKIEPATH and SITECOOKIEPATH as we had and issue with that.