Once the WordPress Okta SSO has been configured, you can proceed with some additional configuration steps to make the most out of WP Single Sign-On. This includes steps for Advanced & Custom Attribute Mapping, Group & Role Mapping, Single Logout, and more.
1. Attribute Mapping
- In the Service Provider Setup tab, after the metadata exchange, click Test Connection.
- After performing SSO, the default attributes sent by Okta will be available for Attribute Mapping.
- Certain default attributes are sent by Okta for every connection; they are listed in the table.
Adding extra Attributes on the Okta Side:
- Navigate to the Directory tab in the left-hand menu of Okta, then click the People option.
- Click Add Person.
- Fill in the attributes in the form and click the Save button.
- Now click on the user you just created and navigate to the Profile tab to add the user attributes.
- If you have not yet configured which attributes are sent to your SP, go back to the Applications tab and select your application.
- Under the General tab, go to the SAML Settings section and click Edit.
- Now head to the Attribute Statements option and enter the Attribute Name (Okta sends the attribute values under this name) in the left-hand text field and the actual user attribute name in the right-hand text field.
- In the WordPress SAML plugin, go to the Attribute/Role Mapping tab and fill in the fields in the Attribute Mapping section.
- Select the attributes sent by Okta from the dropdown to map them to the WordPress attributes.
Creating custom attributes for Okta user:
- Go to Profile Editor under Directory in the left-hand menu.
- In the Users section, click the User (default) profile (Type: Okta).
- Click Add Attribute, then click Save. Your custom attribute will be added to the user profile.
- To edit the attribute value, open the user under People.
- Under the Profile section, you will see the custom attribute you added.
2. Custom Attribute Mapping
- This feature allows you to create custom attributes that can be mapped to any of the attributes sent by Okta. The value is stored in the user meta table of the WordPress database.
- To display this custom attribute in the users menu table in WordPress, enable the Display Attribute toggle.
3. Role Mapping
- The Attribute Mapping section also provides a field named Group / Role.
- This attribute will contain the role-related information sent by the Identity Provider (i.e., Okta).
- Roles are allocated to specific users on the basis of their Roles / Groups at the time of login.
- The value of the attribute mapped to Group / Role is what the Role Mapping section evaluates.
- Enter the Group / Role values of your users in the input box of the default WordPress role that should be assigned to those users.
- For example, if you want a user whose Group / Role attribute value is SAML to be assigned as an Editor in WordPress, just enter SAML in the Editor field of the Role Mapping section.
Group Mapping in Okta:
- In the admin console, go to Directory => Groups.
- Click on Add group option and add your groups.
- Assign people to your group.
- In your application, add the Group Attribute Statements under the SAML Settings section and save your settings. For example, the settings shown below will send all the groups that the user belongs to.
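The following is an added Python illustration of what sections 1 to 3 configure, not code from the plugin or from Okta: it parses a constructed SAML assertion carrying the attribute statements and a multi-valued group attribute, applies an attribute mapping, a custom attribute mapping (destined for user meta), and a Group / Role mapping in which the first matching WordPress role wins, and refuses the login when the attribute mapped to username is absent. The attribute names, group values and the mapping tables are assumed settings chosen for the example.

```python
"""Attribute, custom-attribute and Group/Role mapping applied to a SAML assertion.

Added illustration in Python, not the plugin's own code. The assertion and the
mapping tables below are constructed; they mirror the settings described above.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment of the kind Okta sends once Attribute Statements
# and a Group Attribute Statement (here named "groups") are configured.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Marketing</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>SAML</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Settings as they would be entered in the plugin's Attribute/Role Mapping tab
# (constructed values; "groups" is the attribute mapped to Group / Role).
CONFIG = {
    "attribute_mapping": {
        "username": "NameID", "email": "NameID",
        "first_name": "firstName", "last_name": "lastName",
    },
    "custom_attribute_mapping": {"department": "department"},  # stored in user meta
    "group_role_attribute": "groups",
    # Role Mapping section: WordPress role -> Group / Role values that grant it.
    # Listed from most to least privileged; the first match wins.
    "role_mapping": {
        "administrator": ["WP-Admins"],
        "editor": ["SAML"],
        "subscriber": ["Everyone"],
    },
    "default_role": "subscriber",
}


def parse_assertion(xml_text):
    """Return {attribute name: [values]} plus the NameID, keeping multi-valued attributes intact."""
    root = ET.fromstring(xml_text)
    attrs = {}
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id:
        attrs["NameID"] = [name_id.strip()]
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", namespaces=NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", namespaces=NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_role(groups, role_mapping, default_role):
    """First WordPress role whose configured values intersect the user's groups."""
    group_set = set(groups)
    for role, values in role_mapping.items():
        if group_set.intersection(values):
            return role
    return default_role


def map_user(attrs, config):
    """Apply the three mapping tables to the parsed attributes."""
    def first(name):
        values = attrs.get(name)
        return values[0] if values else None

    user = {field: first(src) for field, src in config["attribute_mapping"].items()}
    if not user.get("username"):
        # Failure mode: the attribute mapped to username was not sent, so no
        # account can be matched or created and the login must be refused.
        raise ValueError("attribute mapped to username is missing from the assertion")
    meta = {key: first(src) for key, src in config["custom_attribute_mapping"].items()}
    groups = attrs.get(config["group_role_attribute"], [])
    user["role"] = resolve_role(groups, config["role_mapping"], config["default_role"])
    return {"user": user, "meta": meta, "groups": groups}


if __name__ == "__main__":
    print(map_user(parse_assertion(SAMPLE_ASSERTION), CONFIG))
```

Because the sample user is in both Everyone and SAML, the ordering of the role table decides the outcome: editor is listed before subscriber, so the user becomes an Editor, and the absence of WP-Admins keeps them out of the administrator role.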
4. Single Logout
- Copy the Single Logout URL from the Service Provider Metadata tab.
- Download the certificate from Service Provider Metadata tab.
- Now navigate to your Okta application, go to SAML Settings and click Edit.
- Then click Show Advanced Settings.
- Upload the downloaded SP certificate in the Signature Certificate field.
- Check the Enable Single Logout checkbox (Allow application to initiate Single Logout).
- Paste the Single Logout URL copied from the Service Provider Metadata tab into the Single Logout URL field of the Okta application.
- Similarly, copy the SP Entity ID / Issuer from the plugin and paste it into the SP Issuer field of the Okta app.
5. Signed SSO Requests
- In the Service Provider Setup tab, enable the Sign SSO & SLO Requests toggle to send signed SSO and Single Logout requests.
- Now navigate to your Okta app; under SAML Settings click Edit and open Show Advanced Settings.
- Enable the Signed Requests checkbox.
- Save your configured application.
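As an added Python illustration of what sections 4 and 5 set up (this is not the plugin's code, and the entity IDs and URLs are placeholders), the block below builds the LogoutRequest the SP sends to Okta's Single Logout URL, encodes it with the SAML HTTP-Redirect binding, and produces the exact query string that the plugin signs with the private key matching the certificate uploaded to Okta when Sign SSO & SLO Requests is enabled. It then shows the checks an SP makes on an IdP-initiated LogoutRequest arriving at its own Single Logout URL: expected Issuer, Destination equal to the configured SLO URL, and a fresh IssueInstant. The RSA-SHA256 signature itself is not computed here; only its input string is shown.

```python
"""Single Logout over the SAML HTTP-Redirect binding: what the SP sends, what it
signs, and what it checks on an incoming LogoutRequest.

Added illustration in Python, not the plugin's own code. Entity IDs and URLs are
placeholders; the incoming request is constructed.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

SP_ENTITY_ID = "https://wp.example.com/saml/metadata"   # placeholder SP Entity ID / Issuer from the plugin
SP_SLO_URL = "https://wp.example.com/saml/slo"          # placeholder Single Logout URL from the SP metadata tab
IDP_ISSUER = "http://www.okta.com/exkPLACEHOLDER"       # placeholder Okta issuer
IDP_SLO_URL = "https://example.okta.com/app/placeholder/slo"  # placeholder Okta Single Logout URL


def _attr(value):
    return escape(value, {'"': "&quot;"})


def build_logout_request(issuer, destination, name_id, session_index, request_id, issue_instant):
    """Minimal LogoutRequest; values are XML-escaped so a crafted NameID cannot break the markup."""
    return (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{_attr(request_id)}" Version="2.0" IssueInstant="{_attr(issue_instant)}" '
        f'Destination="{_attr(destination)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f"<saml:NameID>{escape(name_id)}</saml:NameID>"
        f"<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def redirect_encode(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def redirect_decode(encoded):
    return zlib.decompress(base64.b64decode(encoded), -15).decode()


def signing_input(encoded, relay_state=None, sig_alg=RSA_SHA256):
    """The exact query string the SP signs when Sign SSO & SLO Requests is enabled.

    Parameter order is fixed by the binding: SAMLRequest, RelayState (if any), SigAlg.
    The signature over this string, made with the private key matching the certificate
    uploaded to Okta's Signature Certificate field, is appended as &Signature=...
    """
    params = [("SAMLRequest", encoded)]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", sig_alg))
    return urlencode(params)


def validate_logout_request(xml_text, expected_issuer, sp_slo_url, now, max_age=timedelta(minutes=5)):
    """Checks an SP makes on an IdP-initiated LogoutRequest (after verifying its signature)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a LogoutRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError("unexpected Issuer %r" % issuer)
    destination = root.get("Destination")
    if destination != sp_slo_url:
        raise ValueError("Destination %r is not this SP's Single Logout URL" % destination)
    issued = datetime.fromisoformat(root.get("IssueInstant", "").replace("Z", "+00:00"))
    if abs(now - issued) > max_age:
        raise ValueError("IssueInstant outside the accepted window")
    return {"request_id": root.get("ID"),
            "name_id": root.findtext("saml:NameID", namespaces=NS),
            "session_index": root.findtext("samlp:SessionIndex", namespaces=NS)}


# Constructed IdP-initiated LogoutRequest as Okta would deliver it to the SP's SLO URL,
# plus a fixed clock so the demo is reproducible.
INCOMING_REQUEST = build_logout_request(IDP_ISSUER, SP_SLO_URL, "jane.doe@example.com",
                                        "_sess1", "_idpreq1", "2024-01-01T12:00:00Z")
CLOCK = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    req = build_logout_request(SP_ENTITY_ID, IDP_SLO_URL, "jane.doe@example.com",
                               "_sess1", "_spreq1", "2024-01-01T12:00:00Z")
    print(signing_input(redirect_encode(req), relay_state="/wp-admin/"))
    print(validate_logout_request(INCOMING_REQUEST, IDP_ISSUER, SP_SLO_URL, CLOCK))
```

The Destination check is why the Single Logout URL pasted into Okta must match the plugin's metadata exactly: a request addressed to any other URL is rejected even when its signature is valid.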
Conclusion
Setting up the additional configuration for Advanced & Custom Attribute Mapping, Group & Role Mapping and Single Logout alongside SSO lets you manage user identities from your IdP to your WordPress site efficiently.