SAML Single Sign-On (SSO) for WordPress using PingFederate as IDP | PingFederate WordPress SSO Login

Overview

PingFederate Single Sign-On (SSO) login for WordPress can be achieved by using our WordPress SAML Single Sign-On (SSO) plugin. Our plugin is compatible with all the SAML compliant Identity Providers. Here we will go through a step-by-step guide to configure SSO login between WordPress site and PingFederate by considering PingFederate as IDP (Identity Provider) and WordPress as SP (Service Provider).
You can visit our WordPress SSO plugin to know more about the other features we provide.

Download Plugin Pricing Plans Free Trial

Pre-requisites : Download And Installation

To configure PingFederate as SAML IdP with WordPress, you will need to install the miniOrange WP SAML SP SSO plugin.

Configuration Steps

Step 1: Setup PingFederate as IdP (Identity Provider)

Follow the following steps to Configure PingFederate as IdP:

• In the miniOrange SAML SP SSO plugin, navigate to Service Provider Metadata tab. Here, you can find the SP metadata such as SP Entity ID and ACS (AssertionConsumerService) URL which are required to configure the Identity Provider.

• Login to your PingFederate User Admin dashboard.
• Click on the Identity Provider in the left navigation menu.
• Under SP CONNECTION, click on Create New button.

• Select the Browser SSO Profiles connection template on the Connection Type tab and click Next.

• Select Browser SSO on the Connection Options tab and click Next.

• Select File as the method for importing metadata and click Choose file to choose the miniOrange SSO plugin’s metadata on the Import Metadata tab. Click Next.

• Review the information on the Metadata Summary tab and click Next.
• In the General Info tab ensure that the Service Provider’s Entity ID, Connection Name, and Base URL fields pre-populate based on the metadata. Click Next.
• Navigate to the Browser SSO tab and click on the Configure Browser SSO. You will be redirected to Browser SSO Setup wizard.
• Select the IDP-Initiated SSO and SP-Initiated SSO options on the SAML Profiles tab and click Next.

• Enter your desired assertion validity time from on the Assertion Lifetime tab and click Next. By default, it is configured 5 minutes for both.
• Navigate to the Assertion Creation and click on the Configure Assertion Creation. You will be redirected to the assertion creation setup wizard.
• In the Identity Mapping tab select STANDARD and click Next.
• Select a Subject Name Format for the SAML_SUBJECT on the Attribute Contract tab and click Next.
• Click Map New Adapter Instance on the Authentication Source Mapping.

• Select an Adapter Instance and click Next. The adapter must include the user’s email address.

• Select the Use only the adapter contract values in the SAML assertion option on the Mapping Method tab and click Next.
• Select your adapter instance as the Source and the email as the Value on the Attribute Contract Fulfilment tab and click Next.

• (Optional): Select any authorization conditions you would like on the Issuance Criteria tab and click Next.
• Click Done on the Summary.
• Click Next on the Authentication Source Mapping tab.
• Click Done on the Summary tab.
• Click Next on the Assertion Creation.
• Navigate to the Protocol Settings tab of the Browser SSO wizard and click on the Configure Protocol settings.
• Select POST for Binding and specify the single sign-on Endpoint URL in the Endpoint URL field on the Assertion Consumer Service URL Click Next.
• Select POST on the Allowable SAML Bindings tab and click Next.
• Select your desired signature policies for assertions on the Signature Policy tab and click Next.

• Select your desired encryption policy for assertions on the Encryption Policy tab and click Next.
• Click Done on the Protocol Settings Summary tab.
• Click Done on the Browser SSO Summary.
• Navigate to the Credentials and click on the Configure Credentials. You will be redirected to the Credentials setup wizard.
• Select the Signing Certificate to use with the Single Sign-On service and select Include the certificate in the signature element in the Digital Signature Settings tab. Click Done.

• Click Done on the Summary.
• Click Next on the Credentials.
• Select Active for the Connection Status on the Activation & Summary tab and click Save.
• Now, navigate to the Ping Federate User Admin dashboardè Identity Provide.
• Click Manage All under SP Connections.
• Click Export Metadata for the desired service provider connection.
• Click Export on the Export & Summary tab and click Done.



You have successfully configured PingFederate as SAML IdP (Identity Provider) for achieving PingFederate SSO login into your WordPress Site.




Step 2: Configure WordPress as SP (Service Provider)

• Free
• Standard
• Premium
In the WordPress SAML SSO plugin, go to the Service Provider Setup tab of the plugin. There are two ways to configure the WordPress SSO plugin:
A. By uploading IDP metadata:
• Click on Upload IDP metadata button.
• Enter the Identity Provider Name
• You can either upload a metadata file and click on Upload button or use a metadata URL and click on Fetch Metadata.



B.Manual Configuration:
• Provide the required settings (i.e. Identity Provider Name, IDP Entity ID or Issuer, SAML Login URL, X.509 Certificate) as provided by your Identity Provider and click on the Save button.
• Click on Test configuration to check the attributes and values sent by IDP.



Step 3: Attribute Mapping
• In the free plugin, only NameID is supported for Email and Username attributes of the WordPress user.
• When a user performs SSO, the NameID value sent by the IDP will get mapped to the email and username of the WordPress user.



In the WordPress SAML SSO plugin, go to the Service Provider Setup tab of the plugin. There are two ways to configure the WordPress SSO plugin:
A. By uploading IDP metadata:
• Click on Upload IDP metadata button.
• Enter the Identity Provider Name
• You can either upload a metadata file and click on Upload button or use a metadata URL and click on Fetch Metadata.
B.Manual Configuration:
• Provide the required settings (i.e. Identity Provider Name, IDP Entity ID or Issuer, SAML Login URL, X.509 Certificate) as provided by your Identity Provider and click on the Save button.
• Click on Test configuration to check the attributes and values sent by IDP.



Step 3: Attribute Mapping
• Attribute Mapping feature allows you to map the user attributes sent by the IDP during SSO to the user attributes at WordPress.
• In WordPress SAML plugin, go to Attribute/Role Mapping tab and fill up the following fields in Attribute Mapping section.
NOTE: If you click on Test Configuration button in Service Provider Setup tab and authenticate with your IDP, you can see a list of attributes sent by the IDP in the Attribute/Role mapping tab. This information can be used to provide the above mapping.


In the WordPress SAML SSO plugin, go to the Service Provider Setup tab of the plugin. There are two ways to configure the WordPress SSO plugin:
A. By uploading IDP metadata:
• Click on Upload IDP metadata button.
• Enter the Identity Provider Name
• You can either upload a metadata file and click on Upload button or use a metadata URL and click on Fetch Metadata.
• In the Premium plugin, you can enable auto-sync for the metadata URL which will auto-update the plugin configuration as per the IDP metadata after a set interval of time



B.Manual Configuration:
• Provide the required settings (i.e. Identity Provider Name, IDP Entity ID or Issuer, SAML Login URL, X.509 Certificate) as provided by your Identity Provider and click on the Save button.
• Click on Test configuration to check the attributes and values sent by IDP.



• In the Premium Plugin, you can provide the SAML Logout URL to achieve Single Logout on your WordPress site.


Step 3: Attribute Mapping
• Attribute Mapping feature allows you to map the user attributes sent by the IDP during SSO to the user attributes at WordPress.
• In WordPress SAML plugin, go to Attribute/Role Mapping tab and fill up the following fields in Attribute Mapping section.



• Custom Attribute Mapping: This feature allows you to map any attribute sent by the IDP to the usermeta table of WordPress.



Step 4: Role Mapping
• In the free plugin, you can choose a Default Role which will be assigned to all the non-admin users when they perform SSO.
• Go to Attribute/Role mapping tab and navigate to Role Mapping section.
• Select the Default Role and click on the Update button.



Step 4: Role Mapping
In the standard plugin, you can choose a default role which will be assigned to all the non-admin users when they perform SSO.

• Go to Attribute/Role mapping tab and navigate to Role Mapping section.
• Select the Default Role and click on the Save button.



Step 4: Role Mapping
This feature allows you to assign and manage roles of the users when they perform SSO. Along with the default WordPress roles, this is compatible with any custom roles as well.
• From the Attribute Mapping section of the plugin, provide a mapping for the field named Group/Role. This attribute will contain the role related information sent by the IDP and will be used for Role Mapping.
• Navigate to role mapping section and provide the mappings for the highlighted roles.



• For example, If you want a user whose Group/Role attribute value is wp-editor to be assigned as an Editor in WordPress, just provide the mapping as wp-editor in the Editor field of Role Mapping section.


Step 5: SSO settings
• In the free plugin you can add a Single Sign-On button by enabling Add a Single Sign-On button on the WordPress Login Page toggle in Option 1.



• If your WordPress theme supports login widget, you can add a login widget to enable SP-Initiated SSO on your site.
• Navigate to Redirection and SSO links tab and follow the given steps given under Option 2: Use a Widget to add a login widget on your site.



Step 5: SSO settings
In the Standard plugin you can enable SP-initiated SSO using the following options.
• Auto-Redirection from site: If this option is enabled, any unauthenticated user trying to access your site will get redirected to the IDP login page and after successful authentication, they will be redirected back to the same page on your site which they were trying to access.

Steps:

• Go to Redirection and SSO Links tab of the plugin and navigate to Option 1: Auto - Redirection from site.
• Enable Redirect to IDP if user not logged in [PROTECT COMPLETE SITE]option.




• Auto-Redirection from WordPress Login: If this option is enabled, any unauthenticated user trying to access the default WordPress login page will get redirected to the IDP login page for authentication. After successful authentication, they will be redirected back to the WordPress site.

Steps:

• Go to Redirection and SSO Links tab of the plugin and navigate to Option 2: Auto- Redirection from WordPress Login.
• Enable Redirect to IDP from WordPress Login Page option.




NOTE: Please enable the Backdoor login and note down the backdoor URL. This will allow you to access the WordPress login page in case you get locked out of the IDP.



• SSO Links: You can add SSO links anywhere on your site using the Shortcode and Widget provided in Redirection and SSO Links tab > Option 3: SSO Links section of the plugin



Step 5: SSO Settings
In the Premium plugin you can enable SP-initiated SSO using the following options.
• Auto-Redirection from site: If this option is enabled, any unauthenticated user trying to access your site will get redirected to the IDP login page and after successful authentication they will be redirected back to the same page on your site which they were trying to access.

Steps:

• Go to Redirection and SSO Links tab of the plugin and navigate to Option 1 : Auto-Redirection from site.
• Enable Redirect to IDP if user not logged in [PROTECT COMPLETE SITE] option.



• Auto-Redirection from WordPress Login: If this option is enabled, any unauthenticated user trying to access the default WordPress login page will get redirected to the IDP login page for authentication. After successful authentication, they will be redirected back to the WordPress site.

Steps:

• Go to Redirection and SSO Links tab of the plugin and navigate to Option 2: Auto-Redirection from WordPress Login.
• Enable Redirect to IDP from WordPress Login Page option.




NOTE: Please enable the Backdoor login and note down the backdoor URL. This will allow you to access the WordPress login page in case you get locked out of the IDP login.



• Login Button: You can add a customized login button anywhere on your site or WordPress login page by navigating to Option 3: Login Button section of Redirection and SSO Links tab.



• SSO Links: You can add SSO links anywhere on your site using the Shortcode and Widget provided in Option 4: SSO Links section of Redirection and SSO Links tab.




In this Guide, you have successfully configured PingFederate SAML Single Sign-On (PingFederate SSO Login) choosing PingFederate as IdP and WordPress as SP using miniOrange plugin-SAML Single Sign On – SSO Login.This solution ensures that you are ready to roll out secure access to your WordPress (WP) site using PingFederate login credentials within minutes.




Related Articles



• What is SSO?
• What is SAML?
• WordPress SAML SSO
• WordPress SAML IDP
• WordPress Multisite SSO