ADFS WordPress SSO

Set up WordPress SAML SSO using ADFS with the WP Cloud SSO plugin. Sync ADFS attributes into your WordPress website and map them to your WordPress roles.

 

In this guide we will go through the steps to set up ADFS as your identity provider, establish a relying party trust between ADFS (backed by your Active Directory) and WordPress, sync users, automatically create WordPress users, and set WordPress roles based on the attributes synced from ADFS.

 

The first step is to download the WP Cloud SSO plugin if you are not already using it, then follow the steps below to configure WordPress for ADFS as your SAML identity provider.

ADFS WordPress Single Sign On with WP Cloud SSO


1.) Set up ADFS as IdP for WordPress

To configure ADFS as IdP please follow the steps below:

 

  1. Configure ADFS as IdP:
  • In the WP Cloud SSO plugin, go to the Service Provider Metadata section, where you find the SP metadata, such as the SP Entity ID and the ACS (AssertionConsumerService) URL, which you will need to configure the identity provider. Keep these two values at hand; they are entered into the relying party trust wizard below.

 

  • On your ADFS server open Server Manager and select Tools > AD FS Management.
  • In AD FS Management, select Relying Party Trusts and click Add Relying Party Trust.
  • Choose Claims aware in the Add Relying Party Trust Wizard and click Start.
  • Select Data Source
  • Choose Enter data about the relying party manually, give the trust a display name (for example WordPress) and leave Configure Certificate at its defaults.
  • Configure URL
  • Tick Enable support for the SAML 2.0 WebSSO protocol and enter the ACS URL from the plugin's Service Provider Metadata section as the Relying party SAML 2.0 SSO service URL.
  • Configure Identifiers
  • Add the SP Entity ID from the plugin as the relying party trust identifier. ADFS matches this value as an exact string against the Issuer in the plugin's AuthnRequest, so copy it verbatim, including any trailing slash.
  • Choose Access Control Policy
  • Select Permit everyone as the Access Control Policy and click Next. Permit everyone means any account that can authenticate to ADFS can sign in to the WordPress site; if only a subset of users should reach it, choose a group-based policy such as Permit specific group instead, or tighten the policy later in the trust's properties.
  • Ready to Add Trust
  • In Ready to Add Trust click Next and then Close.
  • Edit Claim Issuance Policy 

 

  • In the list of Relying Party Trusts, select the trust you just created and click Edit Claim Issuance Policy.
  • On the Issuance Transform Rules tab click Add Rule.
  • Choose Rule Type 

 

  • Select Send LDAP Attributes as Claims and click Next.
  • Configure Claim Rule
  • Enter a Claim rule name and select Active Directory as the Attribute store.
  • Under Mapping of LDAP attributes to outgoing claim types, select the LDAP Attribute E-Mail-Addresses and the Outgoing Claim Type Name ID. The plugin identifies the WordPress user by this Name ID, so every AD user who should be able to log in must have a populated, unique mail attribute; a user without one gets no Name ID and the SSO login fails.
  • Once you have configured the attributes, click Finish.

 

  • After configuring ADFS as the IdP, you will need the Federation Metadata to configure your Service Provider.
  • The ADFS Federation Metadata is published at: https://<ADFS Server FQDN>/federationmetadata/2007-06/federationmetadata.xml
  • Fetch it over HTTPS only: the metadata carries the token-signing certificate the plugin uses to verify every SAML assertion, so a tampered copy would let an attacker forge logins. If AutoCertificateRollover is enabled on the farm, the token-signing certificate changes periodically and the plugin's copy of the metadata must be refreshed after each rollover.
  • You have successfully configured ADFS as a SAML IdP (Identity Provider) for ADFS Single Sign-On (SSO) login.
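The relying party trust built in the wizard steps above, created with the AD FS PowerShell module instead, as an added example that is not part of the original guide or of the WP Cloud SSO plugin. The SP Entity ID, ACS URL and trust name are placeholders assumed for the example; substitute the values shown in the plugin's Service Provider Metadata section.

```powershell
# Added example, not from the original guide or the WP Cloud SSO plugin.
# Creates the same relying party trust the wizard produces, using the AD FS
# PowerShell module. Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

# Placeholders (assumptions): take the real values from the plugin's
# Service Provider Metadata section.
$spEntityId = "https://www.example.com/wp-content/plugins/wp-cloud-sso/"   # assumed SP Entity ID
$acsUrl     = "https://www.example.com/"                                   # assumed ACS URL
$trustName  = "WordPress"                                                  # assumed display name

# ACS endpoint: the plugin receives the SAML Response by HTTP-POST at the ACS URL.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# "Send LDAP Attributes as Claims" rule equivalent to the wizard step that maps
# E-Mail-Addresses to Name ID (AD FS claim rule language, single-quoted so nothing expands).
$emailAsNameId = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

if (Get-AdfsRelyingPartyTrust -Name $trustName) {
    throw "A relying party trust named '$trustName' already exists; remove it or choose another name."
}

Add-AdfsRelyingPartyTrust -Name $trustName `
    -Identifier $spEntityId `
    -SamlEndpoint $acs `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $emailAsNameId `
    -SignedSamlRequestsRequired $false   # set to $true only if the plugin is configured to sign AuthnRequests

# Verify what was created: identifier, endpoint and the transform rule set.
$rp = Get-AdfsRelyingPartyTrust -Name $trustName
$rp | Select-Object Name, Identifier, AccessControlPolicyName
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location, Index
$rp.IssuanceTransformRules
```

The verification lines at the end are worth reading before you test the login: the identifier must equal the plugin's SP Entity ID character for character and the endpoint must be the POST binding at the ACS URL, otherwise ADFS rejects the AuthnRequest as coming from an unknown relying party. "Permit everyone" is kept here to match the guide; swap in a group-based access control policy if the site should not be open to every AD account.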

 

Windows SSO (Optional)

Follow the steps below to configure Windows SSO (Windows Integrated Authentication) so that domain-joined users on the intranet are signed in to ADFS without a password prompt.

 

  • Steps to configure ADFS for Windows Authentication
  • Open an elevated Command Prompt on the ADFS server and register the HTTP service principal name on the ADFS service account:

  setspn -a HTTP/##ADFS Server FQDN## ##Domain Service Account##

  1. FQDN is the fully qualified domain name of the ADFS farm (example: adfs.example.com).
  2. Domain Service Account is the AD account the ADFS service runs as, written as DOMAIN\username.
  3. Example: setspn -a HTTP/adfs.example.com EXAMPLE\svc_adfs
  4. Before adding, run setspn -Q HTTP/adfs.example.com to check that no other account already holds the SPN (or use setspn -S instead of -a, which performs that check for you). A duplicate HTTP/ SPN silently breaks Kerberos for the whole farm, so resolve any conflict rather than forcing the add.

 

  • Open the AD FS Management console, expand Service and select Authentication Methods. On the right, click Edit Primary Authentication Methods and check Windows Authentication in the Intranet section.
  • Open Internet Explorer, go to Internet Options and select the Security tab.
  • Add the FQDN of the AD FS server to the list of sites in the Local intranet zone and restart the browser.
  • Select Custom level for the Local intranet zone and, under User Authentication > Logon, choose Automatic logon only in Intranet zone. Keep the ADFS FQDN out of the Trusted sites zone: automatic logon there would hand the user's credentials to any site in that zone.
  • Open PowerShell on the ADFS server and run the following two commands to enable Windows authentication for the Chrome browser. The first appends "Chrome" to the list of user agents ADFS offers Windows authentication to; the second prints the list so you can verify the change.

  Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")
  Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents

  Restart the ADFS service afterwards (Restart-Service adfssrv) so the new user agent list takes effect. ADFS matches these entries as substrings of the User-Agent header, so "Chrome" also covers Chromium-based browsers whose User-Agent contains "Chrome".
  • You have successfully configured ADFS for Windows Authentication.
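The Windows SSO procedure above as one idempotent PowerShell script, an added example rather than code from the original guide. The FQDN and service account are assumed placeholders; it checks for an SPN conflict before registering, avoids adding "Chrome" twice when re-run, and restarts the service so the change takes effect.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell
# session on the ADFS server; the two values below are assumptions.
Import-Module ADFS

$adfsFqdn       = "adfs.example.com"    # assumed ADFS farm FQDN
$serviceAccount = "EXAMPLE\svc_adfs"    # assumed ADFS service account (DOMAIN\username)
$spn            = "HTTP/$adfsFqdn"

# 1. Register the HTTP SPN on the service account.
#    setspn -Q reports any account already holding the SPN; a duplicate on another
#    account breaks Kerberos for the farm, so never force the add over a conflict.
$query = & setspn -Q $spn
if ($query -match "Existing SPN found") {
    Write-Host "SPN $spn is already registered:"
    $query
} else {
    # -S checks for duplicates before adding (the guide's -a adds unconditionally).
    & setspn -S $spn $serviceAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn; resolve the reported conflict before continuing." }
}

# 2. Make Windows Authentication the primary intranet method, keeping Forms as the
#    fallback for clients that cannot negotiate Kerberos/NTLM.
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @("WindowsAuthentication", "FormsAuthentication")

# 3. Offer WIA to Chrome (and Chromium-based browsers whose User-Agent contains "Chrome"),
#    without appending a duplicate entry when the script is re-run.
$agents = (Get-AdfsProperties).WIASupportedUserAgents
if ($agents -notcontains "Chrome") {
    Set-AdfsProperties -WIASupportedUserAgents ($agents + "Chrome")
}

# 4. The user agent list is read when the service starts.
Restart-Service adfssrv

# Verify the resulting configuration.
(Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider
(Get-AdfsProperties).WIASupportedUserAgents
```

The browser-side steps in the guide are still required: on Windows, Chrome decides whether to negotiate automatically from the same Local intranet zone list that Internet Explorer uses, so the ADFS FQDN must be in that zone (typically pushed by Group Policy) before any user sees a silent login.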

2.) Configure WordPress as SP

3.) Attribute Mapping

  • The Attribute Mapping feature lets you map the user attributes sent by the IdP during SSO to user attributes in WordPress.
  • In the WordPress SAML plugin, navigate to the Attribute/Role Mapping tab and fill in the fields in the Attribute Mapping section. Each field takes the name of the SAML attribute as it appears in the assertion; for ADFS that is the outgoing claim type URI configured in the claim rule.

 


 

  • Custom Attribute Mapping: this feature allows you to map any attribute sent by the IdP to the WordPress usermeta table.

 


4.) Role Mapping

This feature allows you to assign and manage the roles of users when they perform SSO. It works with any custom roles as well as the default WordPress roles.

 

  • In the Attribute Mapping section of the plugin, fill in the Group/Role field with the name of the attribute that carries the role information sent by the IdP. The values of that attribute are what Role Mapping matches against.

 

  • Open the Role Mapping section and enter, for each WordPress role listed there, the attribute value that should map to it.

 


 

For example, if you want a user whose Group/Role attribute value is wp-editor to be assigned the Editor role in WordPress, enter wp-editor in the Editor field of the Role Mapping section. Because the role is decided by whatever the IdP sends, make sure only trusted administrators can add users to the AD groups whose names appear in these mappings.
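For the Group/Role mapping to have anything to match, ADFS has to send the user's group names; the claim rule created in section 1 sends only the Name ID. The following added example (not code from the original guide or the plugin) appends a second Send LDAP Attributes as Claims rule to the trust that issues the user's AD group names, so a user in an AD group named wp-editor arrives with a Group claim valued wp-editor. The trust name and the claim type URI are assumptions; the claim type is the string to enter in the plugin's Group/Role field.

```powershell
# Added example, not from the original guide or the WP Cloud SSO plugin.
# Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

$trustName  = "WordPress"                               # assumed relying party trust name
$groupClaim = "http://schemas.xmlsoap.org/claims/Group" # assumed claim type; enter it in the plugin's Group/Role field

# Token-Groups - Unqualified Names (LDAP attribute tokenGroups) yields one claim per
# group the user belongs to, valued with the group's name, e.g. "wp-editor".
$groupsRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "AD groups as Group claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$groupClaim"), query = ";tokenGroups;{0}", param = c.Value);
"@

$rp = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $rp) { throw "Relying party trust '$trustName' not found." }

# IssuanceTransformRules holds the whole rule set as one string: append to it,
# otherwise the Name ID rule from section 1 is replaced and logins stop working.
if ($rp.IssuanceTransformRules -match "tokenGroups") {
    Write-Host "A tokenGroups rule already exists on '$trustName'; nothing changed."
} else {
    Set-AdfsRelyingPartyTrust -TargetName $trustName `
        -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $groupsRule)
}

# Show the final rule set so both rules can be confirmed.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

tokenGroups emits every group the user is a member of, nested groups included, so the WordPress site learns the user's complete group membership. If that is more than the site should see, replace the issue rule with an add rule (same query, "add" instead of "issue") followed by a pass-through rule such as c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^wp-"] => issue(claim = c); so only the wp-* groups leave ADFS.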

Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud
