Difference between revisions of "Wordpress"
Revision as of 05:14, 19 October 2021
We use the following plugin for now: OneLogin Plugin
Setting up SAML in Wordpress
An important note here is that we've not done extensive testing of this plugin with multi-site installs. It works perfectly in single-site installs, but there's a possibility that we may need to do some extra troubleshooting at some point.
- Install plugin "OneLogin SAML SSO" via "Network Admin". This step only needs to be done once per multi-site environment.
- Navigate to My Sites -> (Site to enable SAML on) -> Dashboard -> Plugins
- Enable OneLogin SAML SSO
- Navigate to Settings -> SSO/SAML Settings
- Fill out the form using the information below.
Identity Provider Settings
You can find details for this in Cloudwork Dashboard>Single Sign On>Identity Provider
Options
Read through the options, enable the ones that suit this site's needs. Typically you will want to enable:
- Create user if not exists
- Update user data
- Force SAML Login (Optionally, come back and do this after you've tested and confirmed SAML is working)
Attribute Mapping
The Cloudwork defaults for attribute mapping are:
- Username: User-Name
- Email: mail
- First Name: givenName
- Last Name: sn
- Role: groups
Role Mapping
This is especially important if you enabled "Update user data": Cloudwork groups are mapped to WordPress roles on every login, so if this mapping isn't correct, administrators may lose administrator access.
The default WordPress roles:
- Administrator
- Editor
- Author
- Contributor
- Subscriber
Make sure you have matching groups in Cloudwork for the WordPress roles you intend to use.
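As an added example (not part of this wiki page or the OneLogin plugin), the following script shows what the Attribute Mapping and Role Mapping sections above amount to: it reads a SAML AttributeStatement using the Cloudwork attribute names listed above, picks the highest WordPress role the user's groups map to, and signals the case this page warns about, a user whose groups match no role, so an existing administrator is not silently demoted. The Cloudwork group names and the sample assertion are constructed placeholders.

```python
# Added example: parse a SAML AttributeStatement with this page's Cloudwork attribute
# names and map "groups" to WordPress roles; a user whose groups match no role gets
# role None so the caller can refuse the update instead of silently demoting an admin.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names exactly as listed under "Attribute Mapping" above.
ATTRIBUTE_MAP = {"username": "User-Name", "email": "mail",
                 "first_name": "givenName", "last_name": "sn", "role": "groups"}
# Cloudwork group -> WordPress role. Group names are assumed placeholders; the
# roles are the WordPress defaults listed under "Role Mapping".
GROUP_TO_ROLE = {"wp-administrators": "Administrator", "wp-editors": "Editor",
                 "wp-authors": "Author", "wp-contributors": "Contributor",
                 "wp-subscribers": "Subscriber"}
ROLE_RANK = ["Subscriber", "Contributor", "Author", "Editor", "Administrator"]

# Constructed sample assertion body (Signature and Subject omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="User-Name"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups">
   <saml:AttributeValue>wp-editors</saml:AttributeValue>
   <saml:AttributeValue>wp-administrators</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def parse_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def map_user(attrs):
    """Build WordPress user fields; 'role' is the highest mapped role, or None if no group matched."""
    user = {field: (attrs.get(name) or [None])[0]
            for field, name in ATTRIBUTE_MAP.items() if field != "role"}
    roles = {GROUP_TO_ROLE[g] for g in attrs.get(ATTRIBUTE_MAP["role"], []) if g in GROUP_TO_ROLE}
    user["role"] = max(roles, key=ROLE_RANK.index) if roles else None
    return user

def safe_to_update(user, current_role):
    """With 'Update user data' on, only apply a role change when the assertion mapped one."""
    return user["role"] is not None or current_role is None
```

Run `map_user(parse_attributes(SAMPLE_ASSERTION))` to see the mapped user; `safe_to_update` returning False is the signal that the Cloudwork groups and WordPress roles do not line up for that user.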
Customise Actions and Links
Enable:
- Prevent reset password (users' WordPress passwords are irrelevant under SSO)
- Prevent change password (as above)
- Prevent change email (the email address is provided via SAML assertions)
- You CAN choose to enable `Prevent use of ?normal`, but bear in mind that `?normal` is also your fallback for logging in without SAML if necessary.
Advanced Settings
Service Provider Entity Id: This value needs to be unique for every WordPress site. We'd recommend setting this to the URL of each site.
Strict Mode: Enable this option
We'd recommend not touching the rest of this section. If there is anything else here you'd like to enable, it's best we discuss it beforehand and make sure the service provider configuration in Cloudwork will support it.
- Save. From this point on, don't log out of WordPress until you're sure SAML is working.
Cloudwork
The steps in this section are done in the Cloudwork Dashboard.
- Click "Go to the metadata of this SP" and save the XML file.
- Go to the Cloudwork Dashboard>Single Sign On>Add New Service>Upload an XML File
- Fill out the form
- Name: This name is used in the Cloudwork dashboard and Cloudwork reports
- Upload: Choose the XML file you saved earlier
- Submit
- Test! Using a private browsing session or an incognito session, test that SAML is working as expected. If you need to log in without using SAML, navigate to /wp-login.php?normal