Overview

miniOrange SAML 2.0 Single Sign-On (SSO) Plugin enables seamless SSO login into your WordPress sites via authentication through any SAML 2.0 compliant Identity Provider.
What this means is that, once you authenticate or login via your Identity Provider, you also log into your WordPress sites without manually having to re-enter your credentials. The plugin allows your membership site to act as a SAML SP (Service Provider) which can beconfigured to establish trust between your site and IdP to securely authenticate and enable SSO / Login for the user into the membership site. The added advantage of SSO is that your credentials are stored in your Identity Provider and nowhere else, which adds another layer of security to your credentials.

miniOrange WordPress SAML SSO Plugin supports SSO setup with all major SAML compliant IDPs like ADFS, AzureAD, AzureB2C, Okta, Keycloak, GoogleApps and many more.

Key Features (WordPress SSO and MemberPress Integration)

miniOrange SAML 2.0 SSO Plugin provides multitudinous features which can be summed up as follows:

1. MemberPress Membership Mappings: Based on the user’s IdP attributes, user memberships will be updated each time the user performs SSO, providing secure access to the content of your site.
2. Attribute and Role Mapping (User Sync): It allows syncing/mapping of user profiles from the IdP to MemberPress profile fields and also assigns roles/memberships based on the user's group.
3. Multiple IDP Support: It supports Single Sign-On from multiple IdPs into your membership website. You can also enable Federation SSO for allowing users to login via their university credentials.
4. Complete Site Protection: It allows restriction of your site only to the members by automatic redirection of users to the IdP login page.
5. Single Logout: This feature allows you to terminate a user's SSO session on your site as well as their Identity Provider when the user logs out of your MemberPress membership site.
6. Page Restriction: You can configure your site in such a way that specific pages/posts can be restricted only to logged-in users. Users would be redirected to their IdP login page whenever they try to access a restricted page/post.
7. Multisite Network Support: You can configure the same SSO login with the same IdP for all subsites in a multisite network and manage SSO settings for each subsite at the network level.
8. Shortcode/Widget/Link for SSO Login: You can add a link, shortcode or a button anywhere on your MemberPress site to authenticate users via your Identity Provider.

Benefits of WordPress MemberPress Integrator

miniOrange provides seamless integration for memberpress using MemberPress Integrator to achieve the following benefits:

1. Content Restriction: You can configure your MemberPress site in such a way that specific users' membership levels can access specific content. Users would be assigned different membership levels based on the IdP groups using miniOrange memberpress integrator.
2. Drip feed content: You can configure your membership site in such a way that only members belonging to specific membership levels will receive content i.e., new blogs, posts, etc.
3. Support discount coupons: You can configure the integrator in a way that discount coupons could be made available to specific group of users depending on their membership level.
4. Email notifications: You can use membership levels to identify customers who have subscribed to updates regarding your membership site and send email notifications accordingly.
5. Dynamic Pricing Pages: It can help you control which members have access to the dynamic pricing page based on the membership levels.

How to setup Single Sign-On in a MemberPress site using miniOrange?

Prerequisite: Download and Installation

Download the WordPress SAML SSO Plugin on your MemberPress membership website to setup Single Sign-On:

SAML Single Sign On – SAML SSO Login

By miniOrange

(135)

WordPress Single Sign On SSO login with Azure, Azure B2C, Okta, ADFS, Keycloak, Salesforce, Ping, Onelogin, Gsuite, Shibboleth & many SAML IdPs [24/7 SUPPORT]

 Tested with 5.8.2

Get this plugin

Configure WP SAML SSO 2.0 Plugin: To setup SSO into your MemberPress website, you will need to configure the WP SAML SSO Plugin with your Identity Provider. To do so, you would need the IdP metadata in the form of URL or file. The IdP details needed to be configure the plugin are - IDP Entity ID, SAML Login URL, and X.509 Certificate

You can find your Identity Provider step-by-step guide from here.

If you cannot find your Identity Provider in the list, you can follow the instructions in the guide below to setup the plugin:

• Once the miniOrange SAML 2.0 SSO Plugin is installed, navigate to the Service Provider Setup tab in the plugin.
  Search for your Identity Provider name or click on your Identity Provider from the given Identity Providers.



• If your Identity Provider Name is not there in the default list, you can click on Custom IDP to add custom Identity Provider.



• Navigate to the Service Provider Setup tab of the plugin and provide your Identity Provider details like IdP Entity ID, SAML Login URL, and X.509 Certificate.
• If you have the IdP metadata file or URL, you can directly upload the IdP metadata by clicking on the Upload IDP Metadata File/XML button.



• Click on Save button once you have entered all the required information.
• Now, to test your configuration, click on the Test Configuration button.



• On successful configuration, you will get a TEST SUCCESSFUL message and the Attribute Name and Attribute Values in the Test Configuration window.

Types of User Profile Mapping

A. MemberPress Membership Mapping

• These user memberships would be updated based on the user’s IDP group every time the user performs SSO, allowing you to maintain consistency in user information and secure access to your site.
• User Membership Assignment: User memberships would be updated based on the user’s IDP group every time the user performs SSO.
• Default Membership Assignment: If a user from unmapped groups in your IDP SSOs into MemberPress, that user will be automatically assigned a default membership level.
• Multiple Role Assignment: You can assign one membership level to users from multiple roles in their IDP.

B. Default Membership Mapping

• In addition, miniOrange memberpress Integrator also has default membership mapping for all IDPs.
• For example, you want users from Azure AD with user group group1 to be assigned Membership2 and all other users, no matter what their IDP is, should be assigned Membership1. This can be achieved by the Default Mapping for IDPs.

C. Membership Mappings for Multiple IDPs

• miniOrange MemberPress Integrator supports multiple IDPs, which means you can configure memberships based on the user's IDP group, for each IDP individually.




For example, you have two MemberPress Memberships - Membership1 and Membership2, and two user groups in your IDP - group1 and group2. Using WordPress MemberPress Integrator, you would be able to assign users of group1 to Membership1 when they perform SSO into your MemberPress site. Similarly, users of group2 can be assigned Membership2.

Note: For Multiple IDPs different groups will be stored in different IDPs like Okta, Azure AD, etc. and assignment of Memberships will take place in a similar way as shown in MemberPress Mapping.

MemberPress Integrator Setup

MemberPress Users Attribute Mapping

MemberPress User profiles can be mapped based on the member details received from the Identity Provider (IdP) with the help of attribute mapping.Basic MemberPress membership site attributes include Username, Email, First Name, Last Name, Role and Display Name, which can be mapped based on IdP attributes.

• To map the attributes mentioned above, navigate to the Attribute/Role Mapping tab of the WP SAML SSO Plugin.
• Under the Attribute Mapping section, select the attribute values you want to assign to the respective fields from the dropdown list.
• For example, you can map the Username as the First Name of the user by selecting the attribute value from the dropdown list.



• Check the list of Attributes sent by the IDP by clicking on the Test Configuration button in the Service Provider Setup tab of the miniOrange SAML SP Single Sign On plugin. Note the Attribute Name whose values contain the user group. For example in the image given below Attribute Name is MemberOf.

MemberPress users Membership Level Mapping

• The attribute MemberOf contains the group information for the user.

You can follow the steps below to map this to MemberPress Membership levels:

• Go to the Attribute/Role Mapping tab of the miniOrange SAML SP SSO plugin.
• Under the Attribute Mapping section, provide the Group/Role value as MemberOf and click on the Save button.



• Now, navigate to the MemberPress Integrator add-on.
• Select your Identity Provider. click on the Select button.
• For mapping memberpress Membership levels, select Membership level from dropdown and enter the attribute value of the attribute mapped to Group/Role in IDP group name input boxes.



• Let's say you have two MemberPress Membership levels, Membership3 and Membership2 and now you want to map the SSO users to these levels based on the value of MemberOf attribute as sent by the IDP.
• As per the above mapping, while performing SSO, any user having MemberOf attribute’s value as group3 will be added to Membership3 MemberPress Membership level and any user having MemberOf attribute’s value as group2 or group1 will be added to that specific MemberPress Membership level selected.
• Default Role is used to assign default Membership level to the users that SSO into MemberPress from Unmapped Groups.
• For Multiple IDPs, select your IDP each time and assign roles accordingly. Multiple Mapping is only available for Enterprise and All Inclusive versions of the SSO plugin.

MemberPress User Role Mapping

Users can be assigned roles on the basis of the IdP groups they belong to.

• Go to the Attribute/Role Mapping section of the SAML SSO Plugin and scroll down to the Role Mapping section.
• You can choose the Default Role for the users which would be assigned to every SSO user.

For assigning specific roles to users in specific IdP groups, you will need to mention the IdP Attribute Name in which the group values are being received from the Identity Provider.

• Go to the Attribute/Role Mapping tab of the WP SAML SSO plugin.
• Under Attribute Mapping section, provide the Group/Role value as groups and click on the Save button.



• You can assign roles to groups by entering the group name in the input box for each WordPress role.
• Click on Save.



• Do not auto-create users if roles are not mapped: By enabling this feature only mapped users would be able to access the MemberPress site.
• Do not assign roles to unlisted users: Enabling this feature allows you to update the roles of existing users and does not assign any MemberPress roles to new users.
• Do not update existing users’ roles: Enabling this feature would not change the existing user’s given role in the MemberPress site “after SSO”.
• Do not allow the users to log in with particular roles: By enabling this feature you can restrict login into your membership site to specific users based on their IdP groups.
• Other than this users can also create Custom Roles for different groups to limit access.

Custom Attribute Mapping:

Allows you to Map Custom Attributes i.e. you can map additional IdP attributes to MemberPress members' profile. You can enable the Display Attribute option for an attribute if you want to display it in the Wordpress Users menu.

• To add a custom attribute navigate to Attribute/Role Mapping section of the WP SAML SSO Plugin.
• Under Map Custom Attributes, enter your desired name under the Custom Attribute Name and assign the Attribute Name from IdP by selecting the attribute value from the dropdown list.
• Click on Add Attribute to add more custom attributes. Once done, click on Save.
• For example, you can create an attribute Phone and assign your desired attribute value by assigning it the Attribute Name from IDP containing that value.

How to initiate SSO from MemberPress site?

1. Auto-Redirection from MemberPress site: If a login session is not found on the MemberPress site while accessing it, the user is automatically redirected to the IdP login page for authentication. A Forced Authentication option is available in this which forces the user to authenticate themselves each time they try to login into the MemberPress site.



2. Auto-Redirection from WordPress: This feature redirects users to the IdP login page when they try to access any MemberPress site admin page. This feature comes with a functionality of backdoor access to your MemberPress site through your WordPress login in case you are locked out of your IdP site.


3. Login Button: It is used to create a login button on the WordPress login page to redirect users to IdP Login Page for authentication. This also provides an option to redirect all the users to the WordPress login page, from where the users can initiate SSO.



4. SSO Links: Widget, shortcode or SSO link can be placed on any page/post and header/footer on the MemberPress site for users to login with their IdP credentials (SSO).


5. IDP initiated SSO: The plugin also supports IDP initiated SSO which would allow the users to automatically login to your Membership site by clicking on the application from your Identity Provider dashboard.

Restricting access to MemberPress Membership site

1. Domain Mapping: This feature enables you to restrict/allow MemberPress site access to users from a particular domain.
• To enable this option navigate to the Attribute/Role Mapping section of the WP SAML SSO Plugin.
• Under Domain Restriction enable the Enable domain restriction login. Enter the domain you want to restrict or allow access to and click on Save.



• When a user from a restricted domain tries to login he/she will receive the following error message.



• This message can be customised under the Restricted Domain error message under Custom Messages section.

Restrict Specific Pages/Posts on your MemberPress Membership Site

With the help of Page Restriction plugin you can restrict specific pages/posts on your MemberPress site i.e. users will be required to login through their IdP to access restricted pages.

• Go to the Page Restriction plugin and navigate to Restrict to logged in Users tab.
• Under Select pages you want to give access to Logged in Users only, select the pages which you want to restrict to logged in users only and click on Save Configuration.
• On the right side under Page Restrict Options select Single Sign-On option.

Note: Enabling this option will let your users SSO into the MemberPress site using their IdP credentials when they try to access the restricted page.




• Using Page Restriction you can also restrict specific pages or posts based on the WordPress user roles.

Our MemberPress solution provides seamless integration for membership mapping for WordPress members. Our WordPress SAML SSO Plugin supports integrations with a number of addons to extend the functionality of your site.
If you have any custom requirement, please contact us at samlsupport@xecurify.com and we will help you achieve your use case.

Additional Resources

• What is Single Sign-On?
• What is MemberPress?
• MemberPress Integration
• miniOrange MemberPress Integration
• What is SAML?
• Frequently Asked Questions (FAQs)