We use the following plugin for now: OneLogin Plugin
Setting up SAML in Wordpress
An important note here is that we've not done extensive testing of this plugin with multi-site installs. It works perfectly in single-site installs, but there's a possibility that we may need to do some extra troubleshooting at some point.
- Install plugin "OneLogin SAML SSO" via "Network Admin". This step only needs to be done once per multi-site environment.
- Navigate to My Sites -> (Site to enable SAML on) -> Dashboard -> Plugins
- Enable OneLogin SAML SSO
- Navigate to Settings -> SSO/SAML Settings
- Fill out the form using the information below.
Identity Provider Settings
You can find details for this in Cloudwork Dashboard>Single Sign On>Identity Provider
Read through the options, enable the ones that suit this site's needs. Typically you will want to enable:
- Create user if not exists
- Update user data
- Force SAML Login (Optionally, come back and do this after you've tested and confirmed SAML is working)
The Cloudwork defaults for attribute mapping are:
- Username: User-Name
- Email: mail
- First Name: givenName
- Last Name: sn
- Role: groups
This is especially important if you enabled "Update user data". Cloudwork groups will be mapped to wordpress roles. If this mapping isn't correct, administrators may lose administrator access.
The default wordpress roles:
Make sure you have matching groups in Cloudwork for the Wordpress roles you intend to use.
Customise Actions and Links
- Prevent reset password (Users' wordpress passwords are irrelevant under SSO)
- Prevent change password (as above)
- Prevent change email (Email address is provided via SAML assertions)
- You CAN choose to enable `Prevent use of ?normal`, but this is also your fallback for logging in without SAML if necessary.
Service Provider Entity Id: This value needs to be unique for every wordpress site. We'd recommend setting this to the URL of each site.
Strict Mode: Enable this option
We'd recommend not touching the rest of this section. If there is anything else here you'd like to enable, it's best we discuss it beforehand and make sure the service provider configuration in Cloudwork will support it.
Save. From this point on, don't log out of wordpress until you're sure SAML is working.
This section happens in the Cloudwork Dashboard
- Click on the "Go to the metadata of this SP" and save the xml file.
- Go to the Cloudwork Dashboard>Single Sign On>Add New Service>Upload an XML File
- Fill out the form
- Name: This name is used in the Cloudwork dashboard and Cloudwork reports
- Upload: Choose the XML file you saved earlier
- Click Submit
- Test! Using a private browsing session or an incognito session, test that SAML is working as expected. If you need to log in without using SAML, navigate to /wp-login.php?normal