Additional Configuration for WordPress Azure B2C Single Sign-On

Overview

Once the WordPress Azure B2C SSO has been configured, you can proceed with some additional configuration steps to make the most out of WP Single Sign-On. This includes steps for Custom Attribute Mapping, Group & Role Mapping, Single Logout, and more.

Step 1: Attribute Mapping

Attribute Mapping allows you to map the user attributes sent by Azure B2C (like name, email, etc.) to the corresponding user fields in WordPress. This ensures user profiles are created or updated with correct information during Single Sign-On (SSO).

• Navigate the Attribute/Role Mapping tab in the miniOrange SAML SSO plugin..
• The following fields are available by default:

Username	Usually mapped to NameID or email
Email	Typically mapped to email
First Name	Can be mapped to givenName
Last Name	Can be mapped to surname
Group/Role	Can be mapped to group/role name
Display Name	Can be mapped to Username or a different attribute

Step 2: Custom Attribute Mapping

Add Custom Claims in Azure B2C

• Log in to the Azure Portal and navigate to your Azure B2C tenant.
• Under Policies, select User Flows (or Custom Policies, if applicable).
• Select the user flow (e.g., B2C_1_signupsignin) you're using for SSO.
• Under Application Claims, enable any custom or standard attributes you want to send (e.g., jobTitle, extension_).

• Click Save.

Verify the Claims in the Plugin

• In WordPress, go to the miniOrange SAML Plugin → Service Provider Setup tab.
• Click Test Configuration to initiate SSO and inspect the SAML Response.
• Copy the exact claim name you want to map (e.g., jobTitle, extension_department).

Map Custom Attributes

• Go to the Attribute Mapping tab in the miniOrange SAML SSO plugin.
• In the Custom Attribute Mapping section:
• Click on the Add Attribute button and enter the SAML Attribute Name (e.g., jobTitle).
• Map it to the WordPress usermeta field (e.g., job_title).

• Save the changes.
• If you want to display the attributes in the WordPress users table, then enable the Display Attribute option.

Step 3: Role/Group Mapping

With Role/Group Mapping, WordPress roles can be assigned to users based on attributes sent by Azure B2C during SSO login. While configuring role/group mapping you can choose any attribute sent by Azure B2C to assign roles.

The Role/Group Mapping feature allows you to assign specific WordPress roles to users based on the groups or roles they belong to in Azure B2C. This helps streamline user management by dynamically assigning roles such as Administrator, Editor, or Subscriber depending on a user's group membership in Azure B2C.

This feature supports both default WordPress roles (Administrator, Editor, Subscriber, etc.) as well as custom roles created in your WordPress setup.

To Set Up Role Mapping:

• Navigate to the Role Mapping tab in miniOrange SSO using SAML 2.0 plugin.
• Select the IDP Group/Role attribute sent from Azure B2C. Make sure that the attribute you select will have the user's group values in it.
• To map roles to the users, enter the group name against the WordPress role. For eg. If you want to assign an Administrator role to the user that has the group “Azure_admins”, then add the groupname “Azure_admins” inside the field in front of the Administrator role.
• To map roles to the group, select the group attribute and enter the group name against the WordPress role. For eg. If you want to assign an Administrator role to the user that has the group “Azure_admins”, then add the groupname “Azure_admins” inside the field in front of the Administrator role.

Example: To assign the Administrator role to users with the Azure group Azure_admins, enter Azure_admins next to the Administrator role field.

Map WordPress Roles based on Custom Azure B2C Roles

• In Azure B2C, navigate to your User Flow and Application Claims.
• Enable the role claim (e.g., extension_userRole) to be included in the token.
• Save your changes.

In WordPress:

• Perform a Test Configuration and review the SAML response.
• Copy the attribute name and value (e.g., extension_userRole: editor).
• In the plugin: Enter the Attribute Name (e.g., extension_userRole) and Enter the Attribute Value (e.g. editor) to map it to the desired WordPress role (e.g., Editor).

Step 4: Configure SAML Single Logout (SLO) in Azure AD B2C

SAML Single Logout (SLO) enables users to be automatically logged out from all connected applications when they sign out from WordPress.

• Navigate to the Service Provider Metadata tab in the WordPress SAML SSO plugin.
• Copy the Single Logout URL provided in the metadata section.
• Log in to your Azure AD B2C portal.
• Go to the App Registration associated with your WordPress site.
• In the left-hand menu, select the Manifest tab.
• Locate the "logoutUrl" field within the manifest JSON.
• Replace the null value with the Single Logout URL you copied from the plugin.
• Click Save to apply the changes

Conclusion

Configuring advanced features like Custom Attribute Mapping, Role/Group Mapping, and Single Logout (SLO) along with SSO allows you to enhance user identity management and streamline access control between your Azure B2C IDP and WordPress site.