Once the WordPress Salesforce SSO has been configured, you can proceed with some additional configuration steps to make the most out of WP Single Sign-On. This includes steps for Advanced & Custom Attribute Mapping, Group & Role Mapping, Single Logout, and more.

Attribute Mapping

• In the Service Provider Setup tab, after metadata exchange click on Test Connection.
• After performing SSO, the default attributes will be sent from Salesforce and will be available for Attribute Mapping.
• There are certain default attributes that are sent from the Salesforce side for every connection that are listed in the table.

Adding extra Attributes on the Salesforce Side:

1. Switch to Salesforce Lightning mode from profile menu and then go to the Setup page by clicking on setup button.
2. In the left column, click on Apps => Connected Apps => Manage Connected Apps.



3. Then click on your created app and scroll down to Custom Attributes.
4. Click on New.



5. Fill attribute Key with custom attribute name.
6. Click on the Insert Field button and add the attributes.
7. Click on the Save button.



8. Navigate to the Service Provider Setup Tab, there click on Test Connection.
9. A popup window will appear. If your connection is successful then the list of attributes mapped and the custom attribute will be displayed.

Configure Advanced & Custom Attribute Mapping

• Write your custom attribute name in Custom Attribute Name input box, select the attribute from IDP using the dropdown in the Attribute Name from IDP field
• The Custom Attribute Name would be the key name in the user-meta table of WordPress.
• The Display Attribute Toggle shows the value of the user-meta key in the Users table of the WordPress site.



• You can add new attributes using ADD Attribute button.
• And then, click on Save button to save the configurations.

Setting up Role Mapping

• The Attribute Mapping section also provides mapping for fields named Group/Role.
• This attribute will contain the role-related information sent by the Identity Provider (i.e, Salesforce).
• The roles are allocated to specific users on the bases of their roles/groups at the time of login.
• The value of this attribute which is mapped to Group/Role will be considered in the Role Mapping section.



• Values of selected Group/Roles of respective users can be placed in the input box of different default Roles which have to be assigned to the respective user.



• For Example:
1. Select Group/Role.



2. Now the User with this particular User Id will get a subscriber role during SSO in WordPress website.

Signed SSO Requests

• For Signed SSO Requests, enable the Sign SSO & SLO Requests toggle in the Service Provider Setup tab in the plugin.



• Download the SP Certificate from the Service Provider Metadata tab.



• Now navigate to the Salesforce platform.
• In the left column, click on Apps => Connected Apps => Manage Connected Apps.
• Then, click on your app and on Edit Policies.
• Scroll down to SAML Service Provider Settings and there you will find the Verify Requests Signatures check box.



• After enabling this option, upload the SP certificate by Choose File button.
• And then, click on Save button to save the configurations.

Configuring Single Logout (SLO)

• For enabling the SAML Logout URL option you can navigate to the left column, and click on Apps => Connected Apps => Manage Connected Apps.
• Then, go to your app and click on Edit Policies.
• Scroll down to SAML Service Provider Settings and there you will find the Enable Single Logout check box.
• After enabling this option, fill the Single logout URL input field with the Single Logout URL from the Service Provider Metadata tab in the plugin.
• Enable the option Verify Request Signatures and upload the certificate downloaded from Service Provider Metadata tab.
• And then, click on Save button to save the configurations.

How to Encrypt your SAML Assertion

• For Salesforce As Identity Provider you need to enable the encryption while creating the application itself (App Manager => New Connected App).
• Scroll down to the Web App Settings and check the Enable Saml option.
• Then, enable the Encrypt SAML Response option.



• Now upload the certificate downloaded from Service Provider Metadata tab using the Choose File button.

Conclusion

Setting up additional configuration for Advanced & Custom Attribute Mapping, Group & Role Mapping, Single Logout along with SSO allows you to maximize efficiency and user identity management from your IDP to your WordPress site.

Common Salesforce Troubleshooting Resources

• How to setup SSO for Salesforce Communities?
• Connecting single WordPress to multiple Salesforce Communities
• How to synchronize objects from WordPress to Salesforce?
• How to Single Sign-On into Salesforce Communities using WordPress credentials?
• How to renew/upgrade SP certificate in the SAML SSO plugin with Salesforce as IDP?