Step by Step Guide for WordPress Single Sign On (SSO) using Jboss Keycloak as IdP

miniOrange's Jboss Keycloak Single Sign On (SSO) plugin for Wordpress provides a ready-to-use solution. It lets you roll out secure access to your Wordpress site quickly, using Jboss Keycloak as the Identity Provider.

Step 1: Configuring Jboss Keycloak as IdP

  • In your Keycloak admin console, select the realm that you want to use.
  • From left menu, select Clients.
  • Create a new client/application and configure the following:
    Client ID: The SP-EntityID / Issuer from step 1 of the plugin, under the Identity Provider tab.
    Name: A name for this client (e.g. Wordpress)
    Description: A description (e.g. Wordpress site)
    Enabled: ON
    Client Protocol: SAML
    Include AuthnStatement: ON
    Sign Documents: ON
    Sign Assertions: ON
    Signature Algorithm: RSA_SHA256
    Canonicalization Method: EXCLUSIVE
    Force Name ID Format: ON
    Name ID Format: Email
    Root URL: The ACS (Assertion Consumer Service) URL from step 1 of the plugin, under the Identity Provider tab.
    Valid Redirect URIs: The ACS (Assertion Consumer Service) URL from step 1 of the plugin, under the Identity Provider tab.
  • Under Fine Grain SAML Endpoint Configuration, configure the following:
    Assertion Consumer Service POST Binding URL: The ACS (Assertion Consumer Service) URL from step 1 of the plugin, under the Identity Provider tab.
    Logout Service Redirect Binding URL: The Single Logout URL from step 1 of the plugin, under the Identity Provider tab.
  • Click on Save.

Step 2: Configuring Wordpress as SP

  • Go to http://<YOUR_DOMAIN>/auth/realms/{YOUR_REALM}/protocol/saml/descriptor. This opens the realm's SAML IdP metadata as XML in the browser.
  • In the miniOrange SAML plugin, go to the Service Provider tab and enter the following values:
    Identity Provider Name: Keycloak
    SAML Login URL: Search for SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" and enter its Location value in the textbox.
    IdP Entity ID or Issuer: Search for entityID and enter its value in this textbox.
    X.509 Certificate: Enter the X509Certificate tag value in this textbox.
    Response Signed: Checked
    Assertion Signed: Unchecked
  • In the miniOrange SAML plugin, go to the Attribute/Role Mapping tab and enter the following values:
    Username: Name of the username attribute from the IdP (keep NameID by default)
    Email: Name of the email attribute from the IdP (keep NameID by default)
    FirstName: Name of the first name attribute from the IdP
    LastName: Name of the last name attribute from the IdP
    Group/Role: Name of the Role attribute from the IdP
  • Check the Test Configuration results to get a better idea of which values to map here.
  • Under the Role Mapping section, configure which GROUP value in the SAML response maps to which WordPress role. A user whose SAML response carries that Group value is assigned the corresponding role in WordPress.
  • Go to the SSO Login Settings tab and enable auto-redirect to the IdP with the "Redirect to IdP if user not logged in" option.
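
Reading the three Service Provider values out of the Keycloak descriptor by hand is error-prone, so the following added example (not part of the guide or the miniOrange plugin) parses the descriptor XML and picks exactly what the steps above ask for: the HTTP-Redirect SingleSignOnService Location, the entityID and the signing X509Certificate. The hostname, realm name and certificate in the embedded sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of Keycloak's realm descriptor; host, realm
# and certificate are placeholders, not values from a real deployment.
SAMPLE_DESCRIPTOR = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://keycloak.example.test/auth/realms/demo">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MIIBplaceholderCertBase64==
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://keycloak.example.test/auth/realms/demo/protocol/saml"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://keycloak.example.test/auth/realms/demo/protocol/saml"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def extract_sp_settings(descriptor_xml):
    """Return the SAML Login URL, IdP Entity ID and X.509 certificate for the
    plugin's Service Provider tab; raise ValueError if any of them is missing."""
    root = ET.fromstring(descriptor_xml)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if not entity_id or idp is None:
        raise ValueError("not an IdP descriptor: entityID or IDPSSODescriptor missing")
    # The guide asks for the HTTP-Redirect endpoint; the POST one is ignored.
    login_url = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                      if s.get("Binding") == REDIRECT_BINDING), None)
    if not login_url:
        raise ValueError("no SingleSignOnService with HTTP-Redirect binding")
    # Only a key usable for signing (use="signing", or no use attribute, which
    # means both) may verify responses; a key marked use="encryption" is skipped.
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert = "".join(node.text.split())  # drop PEM-style line breaks
    if not cert:
        raise ValueError("no signing X509Certificate in descriptor")
    return {"saml_login_url": login_url, "idp_entity_id": entity_id, "x509_certificate": cert}
```

Paste the three returned values into the SAML Login URL, IdP Entity ID and X.509 Certificate fields; a ValueError means the realm's descriptor is not what the plugin expects and should be fixed on the Keycloak side first.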

  • For further details, refer to:
    http://lists.jboss.org/pipermail/keycloak-user/2015-May/002260.html
    http://www.keycloak.org/



If you don't find what you are looking for, please contact us at info@miniorange.com or call us at +1 978 658 9387.