WordPress Single Sign-On (SSO) using Okta SAML as IDP

Use Okta as your SAML IdP for WordPress Single Sign-On using our WP Cloud SSO WordPress plugin. Automatically sync your Okta users and allow them to log in to your WordPress website.

In this guide we explain how to configure WP Cloud SSO using Okta as your SAML identity provider. Sync your Okta user attributes and groups and map them to WordPress roles.

 


Getting Started Setting up WordPress Okta SSO

1.) Setup Okta as IDP for WordPress

Below are the steps to follow to configure Okta as IdP.

  • In the WordPress SAML SP SSO plugin, go to the Service Provider (SP) Metadata tab. This section lists the metadata, such as the SP Entity ID and ACS (AssertionConsumerService) URL, that is required to configure Okta as the Identity Provider (IdP);
  • Next, in Okta, navigate to the Applications tab and click Applications;
  • Click Create App Integration to create a new app;
  • Select the SAML 2.0 button to create the new app;
  • In the General Settings tab, enter the App Name and click Next;

  • To configure WP Cloud SSO, enter the following details (SAML setting: entry):

Single Sign On URL: ACS (AssertionConsumerService) URL from the Service Provider Metadata tab of the plugin

Audience URL (SP Entity ID): SP Entity ID/Issuer from the Service Provider Metadata tab of the plugin

Name ID Format: Select E-Mail Address as the Name ID from the dropdown list

Application Username: Okta username

Group Attribute Statements for WordPress Role Mapping

  • Next, configure the Group Attribute Statements step. This step is important if you require WordPress role membership based on Okta groups; it is where you set up group mapping.

Let's say, for example, that you want to give users in a group called xOkta the WordPress Editor role when they log in. We configure this section as follows:

Name: Groups

Name Format: Basic

Filter: Equals: Group Name

The following screen is where you add this group attribute statement on our plugin:

Attribute/Role Mapping Tab on WP Cloud SSO Plugin

If you want to add multiple groups from Okta, simply add a regex filter that matches all the groups you require. You can use a wildcard statement like the following if you have a lot of Okta groups:

Once you’ve configured your group attribute statement, you can click Next to finish.

Assign Groups to Okta Application to allow access to WordPress

Then, on the Assignments tab, you can specify the groups that have permission to use your application.

  • Click on WP Cloud SSO;
  • Assign the People or Groups that will log in using this provider;

Search for your group. In my example I will assign the xOkta group.

Now you should see the assigned group on your application, as in my example:

  • You have successfully configured Okta as the SAML IdP (Identity Provider) for WP Cloud SSO.

2.) Setup WordPress as Service Provider

In the WP Cloud SSO plugin there are two ways to set up Okta SAML authentication with WordPress as your service provider.

A.) Upload Okta IDP Federation Metadata from URL

Note: This upload feature is only available to paid plans. Refer to step B.) which allows you to configure manually.

To get Okta federation metadata:

  • Open your Application;
  • Select Sign On;
  • Scroll down, select Actions and click View IdP metadata where the status is Active;
  • Copy the link of the tab that opens;
  • Open the WP Cloud SSO plugin;
  • Click on Identity Provider Setup;
  • Select the Okta provider;
  • Click on Upload IDP Metadata;
  • Enter the Identity Provider Name;
  • Enter the copied metadata link in the Enter metadata URL field;
  • Click Fetch Metadata.

B.) Manually Add Okta IDP Application URLs

  • Open your Application;
  • Select Sign On;
  • Scroll down and select View SAML setup instructions. Note these fields, as you will enter them in the plugin;
  • Open the Identity Provider Setup page in your plugin;
  • Select the Okta provider;
  • Identity Provider Name > Provider name;
  • IdP Entity ID or Issuer > Identity Provider Issuer;
  • SAML Login URL > Identity Provider Single Sign-On URL;
  • X.509 Certificate > X.509 Certificate;
  • Click Save;
  • Provider successfully configured.

3.) Attribute Mapping

  • This section allows you to setup attribute mappings sent from your Okta SAML application.  NameID is hard coded for Email and Username attributes.
  • In the WordPress SAML plugin, navigate to Attribute/Role Mapping section and enter details in Attribute Mapping section;
  • Custom Attribute Mapping: This feature allows you to map any Okta user attribute to the usermeta table of your WordPress users.

Within your Okta application, click on the General tab, then click Edit on ‘SAML Settings‘. Click Next on General Settings. On the ‘Configure SAML‘ step, scroll down to ‘Attribute Statements‘.

Here you can configure which user attributes you would like to map from Okta users to your WordPress users.

 

In my example I’ve configured firstname, lastname and displayname.

On the WP Cloud SSO plugin on the Attribute/Role mapping tab we add these attribute statements as follows, making sure to match the Okta attribute name statements.

Once you’ve saved, navigate to the Identity Provider tab of the plugin and click on Test Configuration to confirm that the plugin is receiving the correct attributes from Okta.

Test Configuration

You’ll notice that my test configuration output contains other custom attributes that I’ve added. You can add as many other Okta user attributes as you like. To add custom Okta user attributes to map to your WordPress users, go back to your Okta SAML application, follow the same steps we did previously, and add them as I’ve done in the following screenshot:

Then on our WP Cloud SSO plugin add these attribute statements to the Custom Attributes section as follows:

When a user logs in, these attributes will be updated on their WordPress profile, as long as there is data populated on their Okta profile for these attributes.

WordPress User Attributes
WordPress User Profile with New Okta Attributes

4.) Role Mapping

  • The free plugin allows you to choose a default role that will be assigned to all non-admin users when they perform SSO;
  • Navigate to Attribute/Role Mapping section and click on Role Mapping Section;
  • Choose the Default Role and click Save;

WordPress Role Mapping using Okta Groups

Users who have upgraded to the Premium/Enterprise plans can use WordPress Role Mapping using Okta Groups. This feature allows you to assign and manage the roles of users when they perform SSO. It is compatible with any of the WordPress roles.

 

Note: In order for WordPress Role Mappings to work, make sure you have configured the Group Attribute Statements for WordPress Role Mapping section at the beginning of this tutorial. This explains how to configure this within your Okta SAML application first before we configure the plugin.

 

  • In the section Attribute Mapping of the plugin, you should already have Group field populated with the Okta group attribute statement we configured earlier.  This field contains the Group attribute information sent by Okta and will be used for Role Mapping.  For example ‘Groups‘; 
  • Within the role mappings, enter the Okta Group Name into your desired role mapping;

 

For example, if you want a user whose Group attribute value is wp-editor to be assigned the Editor role in WordPress, provide the group ID mapping in the Editor field in the Role Mapping section.

 

Note: Remember to assign these Okta groups to the Okta SAML application we created earlier.
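
To make the link between the Group Attribute Statements step and the Role Mapping section concrete, here is an added example (not the plugin's code) that reads a `Groups` attribute from a constructed SAML attribute statement and resolves a WordPress role. The mapping table, the `wp-admins` group, the priority order and the `subscriber` default are assumptions chosen for illustration; the statement is assumed to come from an assertion whose signature and audience were already verified.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute statement Okta would send for a user in
# two groups when the statement is named "Groups" with Name Format "Basic".
SAMPLE_ATTRIBUTE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Groups"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>xOkta</saml:AttributeValue>
    <saml:AttributeValue>Everyone</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Hypothetical mapping mirroring the Role Mapping fields: role -> Okta groups.
ROLE_MAPPING = {"administrator": {"wp-admins"}, "editor": {"xOkta", "wp-editor"}}
# Assumed tie-break: most privileged first, so the outcome is deterministic.
ROLE_PRIORITY = ["administrator", "editor"]
# Assumed default role for users whose groups match no mapping.
DEFAULT_ROLE = "subscriber"


def groups_from_statement(xml_text, attribute_name="Groups"):
    """Return the values of the named attribute (exact, case-sensitive match)."""
    root = ET.fromstring(xml_text)
    groups = set()
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            for value in attr.iterfind("saml:AttributeValue", SAML_NS):
                if value.text and value.text.strip():
                    groups.add(value.text.strip())
    return groups


def resolve_role(groups):
    """Pick the role for a set of Okta groups, falling back to the default."""
    for role in ROLE_PRIORITY:
        if groups & ROLE_MAPPING[role]:
            return role
    return DEFAULT_ROLE
```

If the attribute name configured in the plugin does not match the Okta statement name exactly (for example `groups` instead of `Groups`), no groups are found and every user lands on the default role, which is the symptom to look for in the Test Configuration output.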

6.) Okta SSO Login Button - Redirect to IDP

Next, enable your Okta SSO login buttons, which can be found on the SSO Links tab. Follow the SSO Login Widget page for setup instructions.

Login Button

7.) Multiple Environments Feature

For more information about the Multiple Environments feature, see the Multiple Environments SSO page.