Wordpress

From Studentnet Wiki

Revision as of 02:04, 23 November 2017

We use the following plugin for now: OneLogin SAML SSO (https://en-au.wordpress.org/plugins/onelogin-saml-sso/)

Setting up SAML in Wordpress

An important note: we have not tested this plugin extensively with multi-site installs. It works in single-site installs, but multi-site may need some extra troubleshooting at some point.

  1. Install plugin "OneLogin SAML SSO" via "Network Admin". This step only needs to be done once per multi-site environment.
  2. Navigate to My Sites -> (Site to enable SAML on) -> Dashboard -> Plugins
  3. Enable OneLogin SAML SSO
  4. Navigate to Settings -> SSO/SAML Settings
  5. Fill out the form using the information below.

Identity Provider Settings

You can find details for this in Cloudwork: Features -> Single Sign On -> Identity Provider

Options

Read through the options, enable the ones that suit this site's needs. Typically you will want to enable:

  • Create user if not exists
  • Update user data
  • Force SAML Login (Optionally, come back and do this after you've tested and confirmed SAML is working)

Attribute Mapping

The Cloudwork defaults for attribute mapping are:

  • Username: User-Name
  • Email: mail
  • First Name: givenName
  • Last Name: sn
  • Role: groups

Role Mapping

This is especially important if you enabled "Update user data": the user's role is then rewritten from the SAML `groups` attribute at each login, so Cloudwork groups must map correctly onto WordPress roles. If the group mapped to Administrator is wrong or missing, administrators will lose administrator access the next time they sign in.

The default WordPress roles:

  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber

Make sure you have matching groups in Cloudwork for the WordPress roles you intend to use, and that every current administrator is a member of the group mapped to Administrator before you enable "Update user data".
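The script below is an added example, not the OneLogin plugin's own code. It models the Role Mapping table as a dict and dry-runs it against each current administrator's `groups` attribute, so you can see who would lose administrator access before "Update user data" is switched on. The user directory, the group names and the typo in BROKEN_MAPPING are constructed for the example. Two points are assumptions about the plugin to confirm before relying on them: that a user matching several roles receives the most privileged one, and that a user matching no mapped group receives no role at all.

```python
"""Dry-run a Cloudwork-group -> WordPress-role mapping before enabling "Update user data".

Added example; not code from the OneLogin SAML SSO plugin.
Assumptions (not from the wiki page): a user matching several roles gets the most
privileged one, and a user matching none gets no role (None).
"""

# Most privileged first; these are WordPress's default roles.
ROLE_PRECEDENCE = ["administrator", "editor", "author", "contributor", "subscriber"]


def resolve_role(groups, role_to_groups):
    """Return the most privileged role whose mapped groups intersect `groups`, else None."""
    groups = set(groups)
    for role in ROLE_PRECEDENCE:
        if groups & set(role_to_groups.get(role, ())):
            return role
    return None


def admins_who_would_lose_access(users, role_to_groups):
    """Names of current administrators whose SAML groups would not resolve to administrator."""
    return sorted(
        name
        for name, info in users.items()
        if info["current_role"] == "administrator"
        and resolve_role(info["groups"], role_to_groups) != "administrator"
    )


# Constructed sample directory: each user's current WordPress role and the values
# their `groups` attribute would carry in the SAML assertion.
USERS = {
    "alice": {"current_role": "administrator", "groups": ["Staff", "WP Admins"]},
    "bob":   {"current_role": "administrator", "groups": ["Staff", "WP Editors"]},
    "carol": {"current_role": "editor",        "groups": ["Staff", "WP Editors"]},
    "dave":  {"current_role": "subscriber",    "groups": ["Students"]},
}

# Mapping as it would be typed into the plugin's Role Mapping section (group names are made up).
BROKEN_MAPPING = {
    "administrator": ["wp-admins"],   # typo: the Cloudwork group is actually "WP Admins"
    "editor": ["WP Editors"],
    "subscriber": ["Staff", "Students"],
}
FIXED_MAPPING = {
    "administrator": ["WP Admins"],
    "editor": ["WP Editors"],
    "subscriber": ["Staff", "Students"],
}

if __name__ == "__main__":
    for label, mapping in (("broken", BROKEN_MAPPING), ("fixed", FIXED_MAPPING)):
        print(label, "mapping -> would lose admin:", admins_who_would_lose_access(USERS, mapping))
```

With the broken mapping alice is silently downgraded to subscriber, because her "Staff" membership still matches a lower role; with the fixed mapping only bob is reported, which is the case the paragraph above warns about: he is an administrator in WordPress but not a member of the matching Cloudwork group, so the fix is on the Cloudwork side, not in the mapping.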

Customise Actions and Links

Enable:

  • Prevent reset password (users' WordPress passwords should be irrelevant under SSO)
  • Prevent change password (as above)
  • Prevent change email (the email address is supplied by the SAML assertion, so users must not be able to set their own)
  • You CAN choose to enable `Prevent use of ?normal`, which closes the local-password login at /wp-login.php?normal. That is the tighter setting, but it is also your fallback for logging in if SAML breaks. While it is off, local passwords are still a live login path, so keep the number of accounts that have one to a minimum and give them strong passwords.

Advanced Settings

Service Provider Entity Id: This value must be unique for every WordPress site, because Cloudwork uses it to tell the registered service providers apart. We'd recommend setting it to the URL of each site.

Strict Mode: Enable this option. In strict mode the plugin rejects SAML messages that are expected to be signed or encrypted but aren't, and messages that don't strictly follow the SAML standard, instead of accepting them anyway.

We'd recommend not touching the rest of this section. If there is anything else here you'd like to enable, it's best we discuss it beforehand and make sure the service provider configuration in Cloudwork will support it.

6. Save. From this point on, don't log out of wordpress until you're sure SAML is working.

Cloudwork

These steps are done in the Cloudwork dashboard.

  1. In the plugin's settings page, click "Go to the metadata of this SP" and save the XML file.
  2. Go to the Cloudwork dashboard -> Features -> Single Sign On -> Add New Service -> Upload an XML File
  3. Fill out the form
    Name: This name is used in the Cloudwork dashboard and Cloudwork reports
    Upload: Choose the XML file you saved earlier
  4. Submit
  5. Test! Use a private browsing or incognito session, so your existing admin login stays open in the other window, and check that SAML sign-in works as expected. If you need to log in without SAML, navigate to /wp-login.php?normal
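As an added example (not the plugin's or Cloudwork's code), a small Python check to run over the SP metadata XML saved in step 1 before uploading it. It confirms that the entityID matches the site URL as recommended under Advanced Settings, that the same entityID has not already been registered for another site, and that the AssertionConsumerService endpoint is an HTTPS URL on the site's own host. The sample metadata is constructed; the `wp-login.php?saml_acs` endpoint path and the `known_entity_ids` argument are assumptions, the namespace is the standard SAML 2.0 metadata namespace.

```python
"""Sanity-check an SP metadata file before uploading it to the IdP.

Added example; not code from the OneLogin plugin or Cloudwork.
Assumptions (not from the wiki page): the entityID should equal the site URL,
every ACS endpoint should be HTTPS on the same host, and the caller can supply
the entityIDs already registered in Cloudwork for other sites.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"   # standard SAML 2.0 metadata namespace
NS = {"md": MD_NS}

# Constructed sample, shaped like what "Go to the metadata of this SP" serves.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://site-a.example.edu/">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://site-a.example.edu/wp-login.php?saml_acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, site_url, known_entity_ids=()):
    """Return a list of problems found in the SP metadata (empty list means it looks OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]

    # Entity ID: unique per site, and by our convention equal to the site URL.
    entity_id = root.get("entityID", "")
    if entity_id != site_url:
        problems.append(f"entityID {entity_id!r} differs from site URL {site_url!r}")
    if entity_id in known_entity_ids:
        problems.append(f"entityID {entity_id!r} is already registered for another site")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no md:SPSSODescriptor element"]

    # The IdP will POST assertions to these endpoints, so they must be ours and HTTPS.
    acs_endpoints = sp.findall("md:AssertionConsumerService", NS)
    if not acs_endpoints:
        problems.append("no AssertionConsumerService endpoint")
    site_host = urlparse(site_url).hostname
    for endpoint in acs_endpoints:
        location = endpoint.get("Location", "")
        parsed = urlparse(location)
        if parsed.scheme != "https":
            problems.append(f"ACS {location!r} is not https")
        if parsed.hostname != site_host:
            problems.append(f"ACS {location!r} is not on {site_host}")
    return problems


if __name__ == "__main__":
    print("site-a:", check_sp_metadata(SAMPLE_METADATA, "https://site-a.example.edu/"))
    # Uploading site-a's metadata while setting up site-b: the entityID collision is caught.
    print("site-b:", check_sp_metadata(SAMPLE_METADATA, "https://site-b.example.edu/",
                                       known_entity_ids={"https://site-a.example.edu/"}))
```

Run it against the real file with `check_sp_metadata(open("metadata.xml").read(), "https://your-site/")` and the set of entityIDs already listed in Cloudwork; an empty result means the file is safe to upload, while the second case above shows what a copied-over configuration from another site looks like.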