Companies that manage sensitive or regulated data frequently need to restrict who can access specific content on their digital platforms. This is especially important in government and the public sector, where data control, compliance, and security rules are extremely strict.
WordPress is frequently used by these organizations as a centralized content portal, while Azure Active Directory (Azure AD, now known as Microsoft Entra ID) serves as the main identity provider (IDP) for group management and user authentication. However, simply authenticating users is not enough. There must also be a process in place to ensure that users can access only content related to their department or function. The miniOrange Page & Post Restriction Plugin for WordPress meets this need by enabling role-based access control for WordPress pages, posts, and custom post types (CPTs). This allows organizations to safely display department-specific content while keeping all other sensitive data private.

Consider a government organization that manages and distributes geological data across multiple internal divisions. Each department is responsible for a specific geographic region or type of geological analysis, and users should only be able to access maps that are relevant to their department.

This government agency uses:

  • Azure AD to manage user identities and department-based groups.
  • WordPress as the central portal for publishing geological maps.
  • CPTs in WordPress to organise geological maps and datasets.

Single Sign-On (SSO) is used to authenticate users, and department membership is determined by the user’s Azure AD group. Once logged in, users automatically gain access only to the geological map CPTs associated with their department, while all other maps remain hidden.

If there isn’t a well-planned access control system in place, users might accidentally access data that doesn’t belong to them. This could expose the organization to compliance violations and to the disclosure of sensitive information.
Note: For simplicity, Azure AD is used throughout this content to refer to Microsoft Entra ID.

To support this use case, the solution must deliver the following required capabilities:

  • Azure AD–based Single Sign-On (SSO) for user authentication
  • Automatic role provisioning in WordPress based on Azure AD group membership
  • Granular access control for CPTs
  • Role-based authorization for WordPress pages, posts, and CPTs
  • Secure storage and controlled access to sensitive geological data
  • Centralized access policy enforcement without requiring custom code

The solution is built from the following components:

  • Azure AD: Acts as the primary IDP, managing users and grouping them by department. Each department is mapped to a corresponding Azure AD group.
  • WordPress: Serves as the content platform and hosts geological maps as CPTs.
  • miniOrange SAML SSO Plugin for WordPress: Enables login in WordPress using Azure AD and ensures automatic authentication. It also maps Azure AD group attributes to WordPress roles, allowing control over content visibility after login.
  • miniOrange Page & Post Restriction Plugin: Enforces access rules across all WordPress content, including CPTs. Administrators can define which WordPress roles are allowed to view specific geological map CPTs.

The solution can be implemented in WordPress by combining Page and Post Restriction with SAML SSO-based role assignment.

When a user logs in via Azure AD:

  • Their department membership is identified through Azure AD groups
  • A corresponding WordPress role is assigned automatically
  • Access rules configured in the Page & Post Restriction plugin determine which CPTs the user can view

Each geological map CPT is protected using role-based rules, ensuring that only authorized departments can access the data. All unrelated CPTs remain invisible to the user, preventing accidental or unauthorized access.

Login in WordPress

User Logs In via Azure AD

  • The user accesses the WordPress portal
  • Authentication occurs through Azure AD using SSO
  • The miniOrange SSO plugin maps the user’s Azure AD group to a WordPress role

Access to Geological Map CPTs

  • The user navigates to the geological maps section
  • WordPress evaluates access rules for each CPT
  • Only maps associated with the user’s role are displayed

Unauthorized Access Attempt

  • If a user attempts to access a CPT outside their assigned role
  • The Page & Post Restriction plugin blocks access
  • The user is redirected to a restricted access page or login screen
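The three flows above (login, filtered listing, blocked direct access) expressed as WordPress hooks. This is an added illustrative example, not the miniOrange plugin's own code; the CPT slug, the `_geo_department` post meta key, the role names and the `/restricted-access/` page are constructed assumptions.

```php
// Illustrative example, not the miniOrange plugin's code. Constructed assumptions: CPT slug
// 'geological_map', post meta '_geo_department' naming the owning department, and roles such
// as 'geo_north' already assigned by the SSO plugin from the user's Azure AD group.

// Constructed rule table: WordPress role => departments whose maps it may view.
const GEO_ROLE_DEPARTMENTS = array(
    'geo_north'   => array( 'north-region' ),
    'geo_south'   => array( 'south-region' ),
    'geo_seismic' => array( 'north-region', 'south-region' ), // cross-regional analysts
);

// Departments the user may see; empty for anonymous or unmapped users, so the default is deny.
function geo_allowed_departments( WP_User $user ): array {
    $departments = array();
    foreach ( $user->roles as $role ) {
        $departments = array_merge( $departments, GEO_ROLE_DEPARTMENTS[ $role ] ?? array() );
    }
    return array_values( array_unique( $departments ) );
}

// Direct URL access: anonymous users go to login (SSO), other departments to a restricted page.
add_action( 'template_redirect', function () {
    if ( ! is_singular( 'geological_map' ) || current_user_can( 'manage_options' ) ) {
        return; // not a map, or an administrator
    }
    if ( ! is_user_logged_in() ) {
        wp_safe_redirect( wp_login_url( get_permalink() ) );
        exit;
    }
    $department = (string) get_post_meta( get_the_ID(), '_geo_department', true );
    if ( ! in_array( $department, geo_allowed_departments( wp_get_current_user() ), true ) ) {
        wp_safe_redirect( home_url( '/restricted-access/' ) ); // assumed restricted-access page
        exit;
    }
} );

// Listings: filter the main archive query so other departments' maps are not listed at all.
add_action( 'pre_get_posts', function ( WP_Query $query ) {
    if ( is_admin() || ! $query->is_main_query() || 'geological_map' !== $query->get( 'post_type' )
        || current_user_can( 'manage_options' ) ) {
        return;
    }
    $allowed = geo_allowed_departments( wp_get_current_user() );
    $query->set( 'meta_query', array( array(
        'key'     => '_geo_department',
        'value'   => $allowed ?: array( '__no_department__' ), // an empty list must match nothing
        'compare' => 'IN',
    ) ) );
} );
```

Because an unmapped or anonymous user gets an empty department list, a map that lacks a rule is hidden rather than exposed, which is the property to verify when checking a configuration like the one described on this page.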

Solution Architecture

  • Identity Provider (IDP): Azure Active Directory
  • Authentication Method: SSO (SAML or OAuth/OIDC)
  • User Store: Azure AD
  • Content Platform: WordPress
  • Access Control: WordPress Roles + Page & Post Restriction
  • Protected Resources: CPTs (Geological Maps)

Configure Azure AD SSO with WordPress

  • Enable Azure AD SSO using the miniOrange SSO plugin for WordPress
  • Configure attribute and group mapping
  • Assign WordPress roles based on Azure AD groups

Configure Page & Post Restriction for CPTs

  • Enable restriction rules for CPTs
  • Define role-based access for each geological map CPT
  • Configure redirection for unauthorized users

By combining Azure AD SSO with the miniOrange Page & Post Restriction Plugin for WordPress, government agencies can enforce department-based access control for sensitive Custom Post Types (in this case, their geological maps) in WordPress. This approach ensures that geological data is accessible only to authorized departments, reduces the risk of data exposure, and simplifies access management through centralized identity and role control.
For assistance with setup or advanced access policies, please contact samlsupport@xecurify.com

  1. Page and Post Restriction Plugin
  2. How to setup Page and Post Restriction Plugin
