Additional configuration for WordPress Keycloak Single Sign-On

Once the WordPress Keycloak SSO has been configured, you can proceed with some additional configuration steps to make the most out of WP Single Sign-On. This includes steps for Advanced & Custom Attribute Mapping, Group & Role Mapping, Single Logout, and more.

1. Attribute Mapping

• In the Service Provider Setup tab, after metadata exchange click on Test Connection.
• After performing SSO, the default attributes will be sent from Keycloak and will be available for Attribute Mapping.

Adding extra Attributes on the Keycloak Side:

• Go to the Clients section.
• From the Clients List, click on the Client ID of your configured client application.
• Navigate to the Mapper tab.
• Click on Add Mapper and select By configuration.


• Now, click on the User Attribute option.


• Fill the details as per the table below:

Name	The name you want to give to this mapper.
User Attribute	The custom attribute which you wish to send to your Service Provider.
Friendly Name(optional)	Any readable name.
SAML Attribute Name	The name with which you want to send that custom attribute to your service provider.



• Then, click on the Save button.

2. Custom Attribute Mapping

• This feature allows you to create custom attributes that can be mapped with any of the attributes sent by the keycloak. This is stored in user meta table in WordPress database.
• To display this custom attribute in the users menu table in WordPress, enable the Display Attribute toggle.

3. Role Mapping

• The Attribute Mapping section also provides mapping for fields named Group/Role.
• This attribute will contain the role-related information sent by the Identity Provider (i.e, Keycloak).
• The roles are allocated to specific users on the bases of their roles/groups at the time of login.
• The value of this attribute which is mapped to Group/Role will be considered in the Role Mapping section.



• Values of selected Group/Roles of respective users can be placed in the input box of different default Roles which have to be assigned to the respective user.



• For Example:
1. For example, If you want a user whose Group/Role attribute value is SAML to be assigned as an Editor in WordPress, just provide the mapping as SAML in the Editor field of Role Mapping section.

4. Single Logout

• Copy the Single Logout URL from the Service Provider Metadata tab.
• Now, navigate to your Keycloak admin dashboard.
• Go to the Clients section and click on the Client ID of your configured client application.
• Under Advanced tab, go to the Fine Grain SAML Endpoint Configuration and configure the following details:

Logout Service POST Binding URL	Single Logout URL that you copied from Service Provider metadata.
Logout Service Redirect Binding URL	Single Logout URL that you copied from Service Provider metadata.
Logout Service ARTIFACT Binding URL	Single Logout URL that you copied from Service Provider metadata.



• And, click on Save.

5. Signed SSO Requests

• In the Service Provider Setup tab, enable the Sign SSO & SLO Requests toggle for performing Signed SSO and Single Logout Requests.



• Then, click on the Save button to save the configuration.
• Go to the Manage Certificates tab and under the miniorange default certificate configuration click on Download Certificate.


• Then, open your Keycloak admin dashboard and go to the Clients section.
• Click on the Client ID of your configured client application.
• Now, navigate to the Keys tab and enable the Client signature required toggle.


• Configure the further information as per below table:

Select method	import
Archive Format	JKS
Import File	Upload the certificate you downloaded from the plugin side.
Key alias	Your username
Store password	Your password



• Then, click on Confirm.

Conclusion

Setting up additional configuration for Advanced & Custom Attribute Mapping, Group & Role Mapping, Single Logout along with SSO allows you to maximize efficiency and user identity management from your IDP to your WordPress site.