Set up WordPress SAML SSO using ADFS with the WP Cloud SSO plugin. Sync ADFS attributes into your WordPress website and map them to your WordPress roles.
In this guide we will go through the steps to set up ADFS as your identity provider, establish a trust with your Active Directory, sync users, automatically create WordPress users, and set WordPress roles based on the attributes synced from ADFS.
The first step is to download the WP Cloud SSO plugin if you are not already using it, then follow the steps below to configure WordPress with ADFS as your SAML identity provider.
1.) Setup ADFS as IDP for WordPress
To configure ADFS as the IdP, please follow the steps below:
- Configure ADFS as IdP:
- In the WP Cloud SSO plugin, go to the Service Provider Metadata section, where you will find the SP metadata, such as the SP Entity ID and the ACS (AssertionConsumerService) URL, which are needed to configure the Identity Provider.
- On your ADFS server, open Server Manager and select Tools / AD FS Management.
- In AD FS Management, select Relying Party Trust and click on Add Relying Party Trust.
- Choose Claims aware from the Relying Party Trust Wizard and click on Start button.
- Go to Service Provider Metadata tab from the plugin and copy the Metadata URL.
- Choose Import data about relying party published online or on a local network option and add the metadata URL in Federation metadata address.
- Click on Next.
- Choose Access Control Policy
- Select Permit everyone as an Access Control Policy and click on Next.
- Ready to Add Trust
- In Ready to Add Trust click on Next and then Close.
- Edit Claim Issuance Policy
- In the list of Relying Party Trust, choose the application created and click on Edit Claim Issuance Policy.
- In the Issuance Transform Rules tab click on the Add Rule button.
- Choose Rule Type
- Select Send LDAP Attributes as Claims and click on Next.
- Configure Claim Rule
- Add a Claim Rule Name and select the Attribute Store as required from the dropdown.
- Under Mapping of LDAP Attributes to outgoing claim types, select E-Mail-Addresses as the LDAP Attribute and Name ID as the Outgoing Claim Type.
- Once you have configured the attributes, click on Finish.
- After configuring ADFS as IDP, you will need the Federation Metadata to configure your Service Provider.
- To get the ADFS Federation Metadata, please use this URL link: https://<ADFS_Server Name>/federationmetadata/2007-06/federationmetadata.xml
- You have successfully configured ADFS as the SAML IdP (Identity Provider) for ADFS Single Sign-On (SSO) login.
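The same relying party trust and claim rules can be created from PowerShell on the ADFS server, which is useful when you repeat the setup for staging and production or want to verify what the wizard produced. The script below is an added example, not code from the WP Cloud SSO plugin or this guide. It assumes the plugin's metadata URL (a placeholder you copy from the Service Provider Metadata tab), the ADFS host name adfs.example.com, and the standard ADFS Group claim type for the extra group rule; the group rule goes one step beyond the guide's E-Mail-Addresses to Name ID mapping by also sending AD group membership, which section 4 (Role Mapping) relies on.

```powershell
# Added example (not from the plugin vendor): scripts the relying party trust and
# claim rules that the wizard steps above create by hand, then reads them back.
# Assumptions: the metadata URL is a placeholder, the ADFS host is adfs.example.com,
# and this runs in an elevated PowerShell session on the ADFS server.

$rpName      = "WordPress WP Cloud SSO"
$metadataUrl = "https://wordpress.example.com/<plugin-metadata-path>"  # placeholder: copy from the plugin's Service Provider Metadata tab

# 1. Create the trust from the SP metadata (wizard: "Import data about relying party published online").
#    "Permit everyone" is the access control policy the guide selects; narrow it later if your policy requires.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl -AccessControlPolicyName "Permit everyone"

# 2. Claim rules in ADFS claim rule language (wizard: "Send LDAP Attributes as Claims").
#    Rule A: E-Mail-Addresses -> Name ID, exactly as the guide maps it.
#    Rule B: Token-Groups (unqualified names) -> the Group claim, for the plugin's Group/Role field
#            (assumed claim type URI; adjust if you map a different attribute in the plugin).
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "AD groups as Group/Role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# 3. Read the trust back and check the two things that most often break SSO:
#    the SP entity ID ADFS imported, and that a Name ID rule is actually present.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
"Identifier(s): " + ($rp.Identifier -join ", ")
"Endpoints:     " + (($rp.SamlEndpoints | ForEach-Object { $_.Location }) -join ", ")
if ($rp.IssuanceTransformRules -notmatch "claims/nameidentifier") {
    Write-Warning "No Name ID rule found; the plugin will not be able to identify the user."
}

# Federation metadata URL the plugin's Service Provider Setup tab needs (section 2 of the guide):
"https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml"
```

Because the trust is created with -MetadataUrl, ADFS keeps monitoring the plugin's metadata, so a changed ACS URL or SP certificate on the WordPress side is picked up without re-running the wizard.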
Windows SSO (Optional)
Follow the steps below to configure Windows SSO.
- Steps to configure ADFS for Windows Authentication
- Open an elevated Command Prompt on the ADFS server and run the following command:
- setspn -a HTTP/##ADFS Server FQDN## ##Domain Service Account##
- FQDN is the Fully Qualified Domain Name of the ADFS server (example: adfs4.example.com).
- Domain Service Account is the username of the ADFS service account in AD, given as DOMAIN\username.
- Example: setspn -a HTTP/adfs.example.com DOMAIN\username
- Open AD FS Management Console, click on Services and navigate to Authentication Methods section. On the right, click on Edit Primary Authentication Methods. Check Windows Authentication in Intranet zone.
- In Internet Explorer, open Internet Options and go to the Security tab.
- Add the FQDN of AD FS to the list of sites in Local Intranet and restart the browser.
- Select Custom Level for the Security Zone. In the list of options, choose Automatic Logon only in Intranet zone.
- Open PowerShell and run the following two commands to enable Windows Authentication for the Chrome browser:
Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")
Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents;
- You have successfully configured ADFS for Windows Authentication.
2.) Configure WordPress as SP
In the WordPress SAML SSO plugin, navigate to the Service Provider Setup tab. There are 2 ways to configure the WordPress SSO plugin:
1. Upload IDP metadata:
- Click on Upload IDP metadata button.
- Enter the Identity Provider Name.
- You can either upload a metadata file and click on Upload button or use a metadata URL and click on Fetch Metadata.
2. Manual Configuration:
- Fill in the requested settings (i.e. Identity Provider Name, IdP Entity ID or Issuer, SAML Login URL, X.509 Certificate) as provided by your Identity Provider and click the Save button.
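For the Manual Configuration option, the three values (IdP Entity ID, SAML Login URL, X.509 Certificate) all live in the ADFS federation metadata from section 1. The script below is an added example, not part of the plugin or this guide: it fetches that metadata, extracts the values, and prints the thumbprint of the token-signing certificate so you can compare it with what AD FS Management shows before pasting a certificate into the plugin. It assumes adfs.example.com as a placeholder for your ADFS server name.

```powershell
# Added example (not part of the plugin or this guide): pulls the values the
# "Manual Configuration" option asks for out of the ADFS federation metadata.
# Assumption: adfs.example.com is a placeholder for your ADFS server name.

function Get-AdfsIdpSettings {
    param(
        [Parameter(Mandatory)] [string] $MetadataUrl
    )
    [xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
    $ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

    $idp = $md.SelectSingleNode("/md:EntityDescriptor/md:IDPSSODescriptor", $ns)
    if (-not $idp) { throw "No IDPSSODescriptor in metadata; is this really the ADFS federation metadata?" }

    # HTTP-Redirect is the binding used for browser-initiated SAML login
    $sso = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']", $ns)

    # Token-signing certificate(s): KeyDescriptor use="signing" (ADFS lists two during certificate rollover)
    $certBase64 = $idp.SelectNodes("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) |
        ForEach-Object { $_.InnerText -replace '\s', '' }

    $certs = foreach ($b64 in $certBase64) {
        $raw = [Convert]::FromBase64String($b64)
        $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
        [pscustomobject]@{
            Subject    = $x.Subject
            Thumbprint = $x.Thumbprint
            NotAfter   = $x.NotAfter
            Pem        = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
        }
    }

    [pscustomobject]@{
        IdpEntityId  = $md.EntityDescriptor.entityID   # "IdP Entity ID or Issuer" in the plugin
        SamlLoginUrl = $sso.Location                   # "SAML Login URL" in the plugin
        SigningCerts = $certs                          # "X.509 Certificate" in the plugin (PEM)
    }
}

$settings = Get-AdfsIdpSettings -MetadataUrl "https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml"
$settings | Select-Object IdpEntityId, SamlLoginUrl | Format-List

# Compare these thumbprints with: Get-AdfsCertificate -CertificateType Token-Signing (run on the ADFS server)
$settings.SigningCerts | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# The PEM of the primary token-signing certificate goes into the plugin's X.509 Certificate field
$settings.SigningCerts[0].Pem
```

If two signing certificates are listed, ADFS is in the middle of a rollover; note the NotAfter dates, because the plugin will reject assertions once ADFS switches to a certificate the plugin does not have.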
3.) Attribute Mapping
- Attribute Mapping lets you map the user attributes sent by the IDP during SSO to user attributes in WordPress.
- In the WordPress SAML plugin, navigate to the Attribute/Role Mapping tab and fill in the fields in the Attribute Mapping section with the attribute names sent by your IdP.
- Custom Attribute Mapping: this feature allows you to map any attribute sent by the IDP to the WordPress usermeta table.
4.) Role Mapping
This feature allows you to assign and manage the roles of users when they perform SSO. It works with any custom roles as well as the default WordPress roles.
- In the Attribute Mapping section of the plugin, input a mapping for the field called Group/Role. This field holds the role-related information sent by the IDP and is used for Role Mapping.
- Open the Role Mapping section and input mappings for the listed WordPress roles.
For example, if you want a user whose Group/Role attribute value is wp-editor to be assigned the Editor role in WordPress, enter wp-editor in the Editor field of the Role Mapping section.
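Before filling in Attribute Mapping and Role Mapping it helps to see exactly which claim names and values ADFS puts in the assertion, since the names you enter in the plugin must match them character for character. The script below is an added example and not code from the plugin: it decodes a SAMLResponse (the base64 POST value the browser sends to the plugin's ACS URL, visible in the browser's developer tools), lists the NameID and every attribute, and applies a role mapping in the spirit of the wp-editor example above. The assertion is a constructed, unsigned sample, the claim names are the ADFS defaults, and the role map and default role are assumptions.

```powershell
# Added example, not code from the plugin: decode a SAMLResponse and list what ADFS
# actually sent, then resolve a WordPress role the way the guide's Role Mapping describes.
# The assertion below is a constructed, unsigned sample; claim names are ADFS defaults.

function Get-SamlResponseClaims {
    param([Parameter(Mandatory)] [string] $SamlResponseBase64)
    [xml]$doc = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion")

    $nameId = $doc.SelectSingleNode("//saml:Subject/saml:NameID", $ns)
    $attrs  = @{}
    foreach ($a in $doc.SelectNodes("//saml:AttributeStatement/saml:Attribute", $ns)) {
        # One attribute may carry several values (e.g. group membership), so always keep an array
        $attrs[$a.GetAttribute("Name")] = @($a.SelectNodes("saml:AttributeValue", $ns) | ForEach-Object { $_.InnerText })
    }
    [pscustomobject]@{ NameId = $nameId.InnerText; Attributes = $attrs }
}

# Mirrors the guide's example: a Group/Role value of wp-editor maps to the Editor role.
# The role map and the default role are assumptions for this example.
function Resolve-WordPressRole {
    param([string[]] $GroupValues, [hashtable] $RoleMap, [string] $DefaultRole = "subscriber")
    # Check higher-privilege roles first so a user in several mapped groups gets the highest match
    foreach ($role in "administrator", "editor", "author", "contributor", "subscriber") {
        $wanted = $RoleMap[$role]
        if ($wanted -and ($GroupValues -contains $wanted)) { return $role }
    }
    return $DefaultRole
}

# Constructed sample assertion (the shape the section 1 claim rules produce; no signature here)
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
        <saml:AttributeValue>wp-editor</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@
$encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))

$claims = Get-SamlResponseClaims -SamlResponseBase64 $encoded
"NameID (must be the e-mail address the plugin expects): $($claims.NameId)"
$claims.Attributes.GetEnumerator() | ForEach-Object { "{0} = {1}" -f $_.Key, ($_.Value -join "; ") }

# Role Mapping as entered in the plugin: WordPress role -> Group/Role value (assumed map)
$roleMap = @{ administrator = "wp-admin"; editor = "wp-editor"; author = "wp-author" }
$role = Resolve-WordPressRole -GroupValues $claims.Attributes["http://schemas.xmlsoap.org/claims/Group"] -RoleMap $roleMap
"WordPress role: $role"
```

The attribute name printed for the group claim is the value to enter in the plugin's Group/Role field; a user who is in none of the mapped groups falls back to the default role, so make sure that default is the least privileged role you are comfortable granting to every authenticated user.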