Wordpress
Latest revision as of 05:24, 19 October 2021
We use the following plugin for now: OneLogin Plugin (https://en-au.wordpress.org/plugins/onelogin-saml-sso/)
Setting up SAML in Wordpress
An important note here is that we've not done extensive testing of this plugin with multi-site installs. It works perfectly in single-site installs, but there's a possibility that we may need to do some extra troubleshooting at some point.
- Install plugin "OneLogin SAML SSO" via "Network Admin". This step only needs to be done once per multi-site environment.
- Navigate to My Sites -> (Site to enable SAML on) -> Dashboard -> Plugins
- Enable OneLogin SAML SSO
- Navigate to Settings -> SSO/SAML Settings
- Fill out the form using the information below.
Identity Provider Settings
You can find the details for this in Cloudwork Dashboard > Single Sign On > Identity Provider.
Options
Read through the options and enable the ones that suit this site's needs. Typically you will want to enable:
- Create user if not exists
- Update user data
- Force SAML Login (Optionally, come back and do this after you've tested and confirmed SAML is working)
Attribute Mapping
The Cloudwork defaults for attribute mapping are:
- Username: User-Name
- Email: mail
- First Name: givenName
- Last Name: sn
- Role: groups
Role Mapping
This is especially important if you enabled "Update user data": Cloudwork groups are mapped to WordPress roles, and the role is re-applied from the user's groups on each login. If this mapping isn't correct, administrators may lose administrator access.
The default WordPress roles are:
- Administrator
- Editor
- Author
- Contributor
- Subscriber
Make sure you have matching groups in Cloudwork for the WordPress roles you intend to use.
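The attribute and role mapping above is where an admin lockout is most likely to come from, so here is an added example (not part of this page or the OneLogin plugin) that models what the plugin does with those two sections: it pulls the Cloudwork default attributes (User-Name, mail, givenName, sn, groups) out of a constructed assertion fragment and resolves a WordPress role from the groups list through a role mapping. The assertion, the group names and the "most privileged matching role wins, otherwise Subscriber" fallback are assumptions of the example, not documented plugin behaviour; the second run shows an administrator being demoted because the mapped group name has a typo.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed assertion fragment (not a real Cloudwork response). The attribute
# names are the Cloudwork defaults from the page: User-Name, mail, givenName,
# sn and groups. Only the AttributeStatement is modelled; signature checking is
# the plugin's job and is out of scope here.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="User-Name"><saml:AttributeValue>jsmith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jsmith@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>wp-admins</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Attribute mapping exactly as listed on the page: WordPress field -> SAML attribute.
ATTRIBUTE_MAPPING = {
    "username": "User-Name",
    "email": "mail",
    "first_name": "givenName",
    "last_name": "sn",
    "role": "groups",
}

# WordPress default roles, most privileged first. When a user's groups match
# several mapped roles this example grants the most privileged one; that
# precedence is this example's convention, not something the page specifies.
ROLE_PRECEDENCE = ["Administrator", "Editor", "Author", "Contributor", "Subscriber"]


def extract_attributes(assertion_xml):
    """Return {SAML attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text or "" for v in attr.findall("saml:AttributeValue", NS)
        ]
    return attrs


def map_user(attrs, role_mapping, default_role="Subscriber"):
    """Resolve WordPress user fields and role from assertion attributes.

    role_mapping is {WordPress role: Cloudwork group}, i.e. what you type into
    the plugin's Role Mapping fields. Falling back to default_role when no
    group matches is an assumption of this example, not a documented setting.
    """
    user = {}
    for field, saml_name in ATTRIBUTE_MAPPING.items():
        if field == "role":
            continue
        values = attrs.get(saml_name, [])
        user[field] = values[0] if values else None
    groups = set(attrs.get(ATTRIBUTE_MAPPING["role"], []))
    user["role"] = default_role
    for role in ROLE_PRECEDENCE:
        if role_mapping.get(role) in groups:
            user["role"] = role
            break
    return user


def unmatched_roles(role_mapping, cloudwork_groups):
    """Roles whose mapped group does not exist in Cloudwork: the pre-flight
    check the page asks for before relying on 'Update user data'."""
    return [role for role, group in role_mapping.items() if group not in cloudwork_groups]


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    # Correct mapping: the admin stays an admin on every login.
    print(map_user(attrs, {"Administrator": "wp-admins", "Editor": "staff"}))
    # Typo in the mapping ("wp-admin"): with "Update user data" on, the same
    # person is written back as an Editor at their next login.
    print(map_user(attrs, {"Administrator": "wp-admin", "Editor": "staff"}))
    print(unmatched_roles({"Administrator": "wp-admin", "Editor": "staff"}, {"wp-admins", "staff"}))
```

Running `unmatched_roles` against the list of groups that actually exist in Cloudwork before you save the plugin settings is the cheapest way to catch the demotion case while you still have a logged-in administrator session.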
Customise Actions and Links
Enable:
- Prevent reset password (users' WordPress passwords are irrelevant under SSO)
- Prevent change password (as above)
- Prevent change email (the email address is provided via SAML assertions)
- You CAN choose to enable `Prevent use of ?normal`, but `?normal` is also your fallback for logging in without SAML if necessary.
Advanced Settings
Service Provider Entity Id: This value needs to be unique for every WordPress site. We'd recommend setting this to the URL of each site.
Strict Mode: Enable this option.
We'd recommend not touching the rest of this section. If there is anything else here you'd like to enable, it's best we discuss it beforehand and make sure the service provider configuration in Cloudwork will support it.
Save. From this point on, don't log out of WordPress until you're sure SAML is working.
Cloudwork
This section happens in the Cloudwork Dashboard.
- Click on the "Go to the metadata of this SP" link and save the XML file.
- Go to Cloudwork Dashboard > Single Sign On > Add New Service > Upload an XML File
- Fill out the form:
  - Name: This name is used in the Cloudwork dashboard and Cloudwork reports
  - Upload: Choose the XML file you saved earlier
- Click Submit
- Test! Using a private browsing session or an incognito session, test that SAML is working as expected. If you need to log in without using SAML, navigate to /wp-login.php?normal
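Because each site's metadata is uploaded to Cloudwork as its own service, the "unique Entity Id per site" rule from Advanced Settings is easiest to verify on the saved XML files before step 2. The following is an added example, not part of this page or the plugin: it takes the exported SP metadata for several sites of a multi-site network and flags entity IDs that are not the site URL, entity IDs shared between sites, and an AssertionConsumerService on a host other than the site's own. The metadata documents, the site URLs, the shared `wordpress-sp` value and the `wp-login.php?saml_acs` ACS path are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}


def sp_metadata(entity_id, acs_url):
    """Constructed minimal SP metadata in the general shape of what the plugin's
    'Go to the metadata of this SP' link returns. The ACS path wp-login.php?saml_acs
    is an assumption of this example, not taken from the page."""
    return f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{entity_id}">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{acs_url}" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


# Constructed: four sites in one multi-site network, keyed by site URL.
# blog is configured as the page recommends; docs and wiki kept a shared
# placeholder entity ID; shop points its ACS at a hostname it no longer uses.
SITE_METADATA = {
    "https://blog.example.org": sp_metadata(
        "https://blog.example.org", "https://blog.example.org/wp-login.php?saml_acs"),
    "https://docs.example.org": sp_metadata(
        "wordpress-sp", "https://docs.example.org/wp-login.php?saml_acs"),
    "https://wiki.example.org": sp_metadata(
        "wordpress-sp", "https://wiki.example.org/wp-login.php?saml_acs"),
    "https://shop.example.org": sp_metadata(
        "https://shop.example.org", "https://old-shop.example.org/wp-login.php?saml_acs"),
}


def check_sp_metadata(site_metadata):
    """Return (site, finding, detail) tuples for metadata that would cause
    trouble when registered as separate services in Cloudwork."""
    findings = []
    sites_by_entity_id = {}
    for site_url, xml_text in site_metadata.items():
        # These are files you exported yourself; parse untrusted XML with defusedxml instead.
        root = ET.fromstring(xml_text)
        entity_id = root.get("entityID", "")
        sites_by_entity_id.setdefault(entity_id, []).append(site_url)
        # Page rule: the entity ID must be unique per site; using the site URL guarantees that.
        if entity_id != site_url:
            findings.append((site_url, "entity-id-not-site-url", entity_id))
        # Every ACS must be on the site's own host, otherwise the IdP would post
        # assertions meant for this site somewhere else.
        site_host = urlparse(site_url).netloc
        for acs in root.findall(".//md:AssertionConsumerService", NS):
            location = acs.get("Location", "")
            if urlparse(location).netloc != site_host:
                findings.append((site_url, "acs-on-other-host", location))
    for entity_id, sites in sites_by_entity_id.items():
        if len(sites) > 1:
            findings.append((", ".join(sorted(sites)), "duplicate-entity-id", entity_id))
    return findings


if __name__ == "__main__":
    for site, finding, detail in check_sp_metadata(SITE_METADATA):
        print(f"{finding:24} {site}: {detail}")
```

Point `SITE_METADATA` at the XML files you saved in step 1 (one entry per site URL) and upload to Cloudwork only once the check returns nothing; a duplicate entity ID is exactly the case where two uploads would collide as the same service.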