Step by Step Guide for WordPress Single Sign On (SSO) using Azure AD as IdP

miniOrange Azure AD Single Sign On (SSO) for WordPress is a ready-to-use solution for WordPress. It lets you roll out secure access to your WordPress site using Azure AD within minutes.

You can configure the application in Azure AD by following either of the two ways listed below (App Registrations or Enterprise Applications).

Step 1: Configuring Azure AD as IdP (using App Registrations)

  • Navigate to the Azure AD portal http://portal.azure.com. Proceed to Azure Active Directory and click on App Registrations.
  • Click on New Application Registration and then select Application you're developing.
  • [Screenshot: app-registration]
  • Assign a Name and Sign-on URL to the application. The Sign-on URL is the ACS URL provided in the Identity Provider tab of the plugin. Select Web app/API as the Application type and click on the Create button.
  • [Screenshot: create-app1]
  • You'll see the app in the App Registrations window. Click on the Settings option, which opens the Settings window, and go to the Properties section.
  • [Screenshot: properties_window]
  • Here change the APP ID URI value to the SP Entity ID / Issuer value provided in the Identity Provider tab of the plugin and save.
  • [Screenshot: app-properties]

Step 2: Configure Application

  • Click on the Azure Active Directory tab displayed on the left side of the Dashboard.
  • Click on Endpoints in the App Registrations window and copy the Federation Metadata Document endpoint (it will be used in Step 3).
  • [Screenshot: endpoints1]
  • You can also save the metadata document by opening this endpoint.
  • [Screenshot: endpoints]

Step 3: Configuring WordPress as SP

  • In the miniOrange SAML plugin, go to the Service Provider tab. There are three ways to configure the plugin:
  • By Uploading ADFS Metadata:
      • Click on Upload IDP Metadata.
      • Enter the Identity Provider Name.
      • Upload the metadata file and click on Upload.
  • By ADFS Metadata URL:
      • Click on Upload IDP Metadata.
      • Enter the Identity Provider Name.
      • Enter the Metadata URL and click on Fetch Metadata.
  • Manual Configuration:
      • Copy the SAML Entity ID, the SAML Single-Sign-On Endpoint URL and the X.509 certificate from the Federation Metadata document and paste them into the IdP Entity ID or Issuer, SAML Login URL and X.509 Certificate fields respectively in the plugin.
        Identity Provider Name: for example, Azure AD
        IdP Entity ID or Issuer: the SAML Entity ID in the Federation Metadata document
        SAML Login URL: the SAML Single-Sign-On Endpoint URL in the Federation Metadata document
        X.509 Certificate: the X.509 certificate enclosed in the X509Certificate tag of the Federation Metadata document XML file (parent tag: KeyDescriptor use="signing")
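As an added example (not part of this guide or the miniOrange plugin), the following Python script pulls the three Manual Configuration values out of a Federation Metadata document such as the one saved from the endpoint in Step 2, or fetched from the App Federation Metadata Url of the Enterprise Applications flow. The metadata below is constructed, with placeholder tenant id and certificate bodies; it deliberately selects the KeyDescriptor with use="signing" and skips the encryption certificate, which is the mistake that most often breaks signature validation.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespaces (Azure AD's Federation Metadata uses these URIs).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed, minimal stand-in for Azure AD's FederationMetadata.xml. The tenant id
# and the certificate bodies are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>MIIC-SIGNING-CERT-PLACEHOLDER</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>MIIC-ENCRYPTION-CERT-PLACEHOLDER</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def extract_idp_settings(metadata_xml):
    """Return the three values the plugin's Manual Configuration asks for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # The SP validates response signatures with the *signing* certificate only;
    # pasting the encryption certificate into the X.509 field breaks validation.
    cert = idp.find('md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/'
                    'ds:X509Certificate', NS)
    if cert is None or not cert.text:
        raise ValueError("metadata has no signing certificate")
    # Prefer the HTTP-Redirect endpoint; fall back to whatever binding is listed.
    sso = idp.find('md:SingleSignOnService[@Binding="%s"]' % REDIRECT, NS)
    if sso is None:
        sso = idp.find("md:SingleSignOnService", NS)
    return {"IdP Entity ID or Issuer": root.get("entityID"),
            "SAML Login URL": sso.get("Location"),
            "X.509 Certificate": "".join(cert.text.split())}  # drop line wrapping
```

Compare the values it returns against the Test Configuration results in the plugin; a mismatch in the Entity ID or certificate is the usual cause of "invalid signature" or "invalid issuer" errors.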

Step 4: Attribute Mapping.

  • Attributes are user details that are stored in your Identity Provider.
  • Attribute Mapping helps you to get user attributes from your IdP and map them to WordPress user attributes like firstname, lastname etc.
  • While auto registering the users in your WordPress site these attributes will automatically get mapped to your WordPress user details.
  • In miniOrange SAML plugin, go to Attribute/RoleMapping tab and fill in all the fields.
  • Username: Name of the username attribute from IdP (Keep NameID by default)
    Email: Name of the email attribute from IdP (Keep NameID by default)
    FirstName: Name of the firstname attribute from IdP
    LastName: Name of the lastname attribute from IdP
    Group/Role: Name of the Role attribute from IdP

    See the screenshot below for Attribute Mapping. The right-hand side attributes are the attributes sent by the IdP, and these attributes are mapped to WordPress attributes. The NameID attribute is mapped to the user's Email and Username, fname is mapped to First Name, lname is mapped to Last Name and group is mapped to Group/Role.

    For example, if the attributes fetched from the IdP contain the following data:

    NameId: chris@miniorange.com

    fname: Chris

    lname: Luke

    group: wp-admin;wp-subscriber;wp-editor;default

    During SSO, when the user is created in the WordPress site, its Username and Email Address will be chris@miniorange.com (NameId is mapped to Username and Email), its First Name will be Chris (fname is mapped to First Name), its Last Name will be Luke (lname is mapped to Last Name) and groups will be assigned as per the role mapping given in the Role Mapping section.

    Note: If you want roles to be assigned to users during SSO, you must map the group attribute to the WordPress Group/Role field as shown here in Attribute Mapping.

    [Screenshot: Attribute Mapping]
  • You can check the Test Configuration Results to get a better idea of which values to map here.

Step 5: Role Mapping (optional)

  • WordPress uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site.
  • WordPress has six pre-defined roles: Super Admin, Administrator, Editor, Author, Contributor and Subscriber.
  • Role mapping helps you to assign specific roles to users of a certain group in your IdP.
  • While auto registering, the users are assigned roles based on the group they are mapped to.
  • If you are using custom roles (Custom Role created as per existing WordPress role) then all these custom roles will also be visible in the Role Mapping section.
  • See the screenshot below, which explains how the role mapping works. Once the Attribute Mapping is done, you have to map all the IdP groups to WordPress roles.

    In the screenshot below, we have mapped the 'wp-admin' group to the 'Administrator' role, the 'wp-editor' group to the 'Editor' role and the 'wp-subscriber' and 'default' groups to the 'Subscriber' role. This means that if the user belongs to the 'wp-admin' group in the IdP, the user is assigned the 'Administrator' role in the WordPress site; if the user belongs to the 'wp-editor' group, the 'Editor' role; and if the user belongs to the 'wp-subscriber' or 'default' group, the 'Subscriber' role. If the user does not belong to any of these groups in the IdP, the user is assigned the default role in the WordPress site, which is 'Subscriber' as shown in the screenshot. You can also change the default role to another role from the dropdown.

    There are 4 checkboxes in the Role Mapping section, used for the following scenarios:

    1. Do not auto create users if roles are not mapped here: If this option is enabled, the user will not be created in the WordPress site if the user does not belong to any mapped group. For example, if the user does not belong to the 'wp-admin', 'wp-editor', 'wp-subscriber' or 'default' groups in the IdP and this checkbox is enabled, this user will not be created in the site during SSO.

    2. Do not update existing user's roles: If this option is enabled, the roles of existing WordPress users cannot be modified, i.e., a role is assigned as per the role mapping only during registration/user creation during SSO. Once the user exists in the WordPress site, the role mapping will not change their role.

    3. Do not assign the role to unlisted users: If you want user creation to take place during SSO but the user's IdP groups do not map to any WordPress role as per the Role Mapping, the user will be created in WordPress but no role will be assigned to that user.

    4. Do not allow the users to login with following roles: You can add semicolon-separated IdP groups. Users belonging to these groups will not be allowed to log in.

    [Screenshot: Role Mapping]
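As an added example (constructed here, not the plugin's own code), the following Python models the Step 4 attribute mapping and the Step 5 role mapping, including the four checkboxes, on the sample data above. The option key names and the rule that the first mapped group in the attribute value wins are assumptions, so confirm the plugin's actual precedence for users in several mapped groups with the Test Configuration results before relying on it for the 'Administrator' role.

```python
# Constructed sample data, not from the plugin: the Step 4 attribute set and the
# group-to-role mapping shown in the Step 5 screenshot.
SAMPLE_ATTRIBUTES = {"NameID": "chris@miniorange.com", "fname": "Chris",
                     "lname": "Luke", "group": "wp-admin;wp-subscriber;wp-editor;default"}
# Attribute Mapping tab: plugin field -> name of the attribute sent by the IdP.
ATTRIBUTE_MAPPING = {"username": "NameID", "email": "NameID",
                     "first_name": "fname", "last_name": "lname", "role": "group"}
# Role Mapping tab: IdP group -> WordPress role.
ROLE_MAPPING = {"wp-admin": "administrator", "wp-editor": "editor",
                "wp-subscriber": "subscriber", "default": "subscriber"}

class LoginDenied(Exception):
    """Raised when a Role Mapping checkbox stops the SSO login."""

def map_attributes(attrs, attribute_mapping=ATTRIBUTE_MAPPING):
    """Build the WordPress user record; the group attribute is split on ';'."""
    user = {field: attrs.get(idp_name) for field, idp_name in attribute_mapping.items()}
    user["groups"] = [g for g in (user.pop("role") or "").split(";") if g]
    return user

def resolve_role(groups, existing_role=None, role_mapping=ROLE_MAPPING,
                 default_role="subscriber", options=None):
    """Apply the four Role Mapping checkboxes (keys in `options`, all off by default;
    the key names are assumptions). Returns the role to set, None for 'create the
    user with no role', or raises LoginDenied when the login must not proceed."""
    opts = options or {}
    # 4. Do not allow the users to login with following roles (semicolon-separated groups)
    blocked = [g for g in opts.get("blocked_groups", "").split(";") if g]
    if any(g in blocked for g in groups):
        raise LoginDenied("user belongs to a blocked IdP group")
    # 2. Do not update existing user's roles
    if existing_role is not None and opts.get("do_not_update_existing"):
        return existing_role
    mapped = [role_mapping[g] for g in groups if g in role_mapping]
    if mapped:
        # Assumption (the guide does not say): with several mapped groups, the
        # first mapped group in the attribute value decides the role.
        return mapped[0]
    # 1. Do not auto create users if roles are not mapped here
    if existing_role is None and opts.get("do_not_create_unmapped"):
        raise LoginDenied("no mapped group and auto-create is disabled")
    # 3. Do not assign the role to unlisted users
    if opts.get("do_not_assign_unlisted"):
        return None
    return default_role
```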

Step 6: Sign In Settings

  • Go to the Sign In Settings tab. Enable auto-redirect to the IdP using the Redirect to IdP if user not logged in option.
  • [Screenshot: Sign In Settings]

Free Trial

If you don't find what you are looking for, please contact us at info@miniorange.com or call us at 1 978 658 9387.

Step 1: Configuring Azure AD as IdP (using Enterprise Applications)

  • Navigate to the Azure AD portal http://portal.azure.com. Proceed to the Azure Active Directory tab and open the Enterprise Applications tab.
  • [Screenshot: enterprise_applications-1]
  • Click on New Application.
  • [Screenshot: new_application-1]
  • Click on the Non-gallery application section, enter the name for your app and click on the Add button.
  • [Screenshot: non_gallery_application-1]

Step 2: Configure Application

Single Sign On Configuration

  • Click on Single sign-on in the application's left-hand navigation menu. The next screen presents the options for configuring single sign-on. Click on SAML.
  • [Screenshot: configure_single_sign_on-4]
  • Enter the SP Entity ID as the Identifier and the ACS URL as the Reply URL, both taken from the Identity Provider tab of the plugin.
  • [Screenshot: configure_urls-1]
  • By default the following attributes will be sent in the SAML token. You can view or edit the claims sent in the SAML token to the application under the Attributes tab.
  • [Screenshot: user_attributes_in_saml_token-1]
  • Copy the App Federation Metadata Url (it will be used in Step 3).
  • [Screenshot: metadata_url]

Assign users and groups to your SAML application

  • As a security control, Azure AD will not issue a token allowing a user to sign in to the application unless Azure AD has granted access to that user. Users may be granted access directly or through a group membership.
  • Click on Users and groups in the application's left-hand navigation menu. The next screen presents the options for assigning users/groups to the application.
  • [Screenshot: configure_user_groups]

Step 3: Configuring WordPress as SP

  • In the miniOrange SAML plugin, go to the Service Provider tab. There are three ways to configure the plugin:
  • By Uploading ADFS Metadata:
      • Click on Upload IDP Metadata.
      • Enter the Identity Provider Name.
      • Upload the metadata file and click on Upload.
  • By ADFS Metadata URL:
      • Click on Upload IDP Metadata.
      • Enter the Identity Provider Name.
      • Enter the Metadata URL and click on Fetch Metadata.
  • Manual Configuration:
      • Click on Configure Test to see the application's SAML documentation.
      • [Screenshot: configure_sp]
      • Copy the SAML Entity ID, the SAML Single Sign On Service URL and the SAML Signing Certificate from the application's SAML documentation and paste them into the IdP Entity ID or Issuer, SAML Login URL and X.509 Certificate fields respectively in the plugin.
      • [Screenshot: sp_configuration_values]
        Identity Provider Name: for example, Azure AD
        IdP Entity ID or Issuer: the SAML Entity ID
        SAML Login URL: the SAML Single Sign On Service URL
        X.509 Certificate: the SAML Signing Certificate

Steps 4 (Attribute Mapping), 5 (Role Mapping) and 6 (Sign In Settings) are the same for this flow; follow them as described above.