How to Setup WordPress Active Directory SSO
In the age of cloud computing, most companies employ multiple cloud apps for different purposes. Multiple password difficulty restrictions are imposed on users by these web-based apps. Therefore, customers would end up needing to remember multiple passwords for each of their cloud-based services. All of these passwords must be remembered, which is a difficult process.
With single sign-on, a user doesn’t have to sign in to each application they use individually. The user just has to log in once, and that credentials can be used for other apps as well as the original one. As a user, you probably don’t care about SSO. Use the applications that help you get things done without having to enter your password all the time.
As a database and a set of services, Active Directory connects users to the network resources they need to accomplish their jobs. Users and computers are listed in the database (or directory), along with their permissions. For example, a user’s profile may include their job title and phone number, as well as their password. It will also keep a record of their permissions to access the system.
With both of them combined, it makes it easier for you to manage your IT environment. In WordPress, you can achieve this using some plugins from the WordPress plugin repository.
The first and foremost requirement for this is to have a WordPress installation, you can check out our guides on how to setup WordPress for Windows server and how to install a WordPress server on Linux with Apache. Secondly, you’ll need Active Directory as an Identity Provider.
Plugins that can be used to integrate are:
- SAML SP SSO 2.0 Plugin by miniOrange
- Next Active Directory Integration by active-directory-wp.com
In short, the plugins listed above will allow you to authenticate and authorise users against an Active Directory, as well as automatic registration and updating of users in WordPress.
Installing and Setting up Using SAML SP SSO 2.0 Plugin
Step 1: Installation of SAML SP SSO Plugin
From Your WordPress Dashboard
- Click on Plugins > Add New tab.
- Search for SSO Login. Install the plugin.
- From your Plugins tab, activate the SAML SP Single Sign On Plugin by miniOrange.
From WordPress.org
- Download SAML SP Single Sign On – SSO Login plugin.
- Unzip the plugin directory and upload it to your /wp-content/plugins/ directory on your WordPress site.
- Activate it from your Plugins page.
You can enable Single Sign-On (SSO) for almost any Identity Provider. For this guide, we will show you how to set up using Azure Active Directory and a custom Identity Provider. Other popular Identity Providers are Salesforce, Office 365, and GSuite / Google Apps. They all support SAML SSO for WordPress login.
Step 2: Configure SAML SP SSO 2.0 Plugin (Custom Identity Provider)
- Go to miniOrange SAML 2.0 SSO after activating the SAML SP Single Sign-On plugin.
- Use the search bar to find your Identity Provider or click on your Identity Provider from the list of available Identity Providers.
- If your Identity Provider Name is not there in the default list, you can click on Custom IDP to add custom Identity Provider.
- Identity providers may be configured in two ways under the Service Provider Setup tab:
- Manual Configuration: Type in your Identity Provider information, such as IdP Entity ID, SAML Login URL, and X.509 Certificate. The information you need can be obtained from your Identity Provider.
- Upload IDP Metadata File/XML: Note: Endpoints and scopes are automatically filled up for Default Applications in the default list. You can, however, alter it if necessary.
- Manual Configuration: Type in your Identity Provider information, such as IdP Entity ID, SAML Login URL, and X.509 Certificate. The information you need can be obtained from your Identity Provider.
- Once you have filled all necessary information, click on the Save button.
- Please test your configuration by clicking on the “Test Configuration” button to make sure everything is set up correctly.
- On successful configuration, you will get Attributes Name and Attribute Values on the Test Configuration window. By clicking on the Configure Attribute/Role Mapping option, you can map the attribute names given by your identity provider with the attributes provided by the service provider.
Step 2: Configure SAML SP SSO 2.0 Plugin (Azure AD)
- Log in as an admin to Azure AD Portal
- Select Azure Active Directory.
- Select App registrations.
- Click on New registration from the menu at the left.
- Select the type of account you want to create and give it a name.
- Fill out the Redirect URL box with ACS URL given in Service Provider Meta Tab of the plugin and click on Register.
- Click on Expose an API on the left-hand menu panel to begin.
- Replace the APPLICATION ID URL with the SP Entity ID of the plugin and click the Set button.
- Click on Endpoints in the Azure Active Directory > App Registrations pane.
- You’ll be redirected to a page with numerous URLs.
- In order to configure your Service Provider, copy the URL of the Federation Metadata document.
In the miniOrange SAML plugin, go to the Service Provider Setup tab of the plugin. Configure the plugin by uploading IDP metadata:
- Click on the Upload IDP metadata button.
- Enter the Identity Provider Name
- A metadata file is to be uploaded by clicking the Upload button, or a URL can be used by clicking Fetch Metadata to fetch metadata from a website.
- WordPress SAML Single Sign-On (SSO) Login-upload metadata
Attribute Mapping
- In the free plugin, only NameID is supported for the Email and Username attributes of the WordPress user.
- When a user uses SSO, the NameID value supplied by the IDP will be mapped to the email and username of the WordPress user.
- WordPress SAML Single Sign-On (SSO) Login-attribute mapping
Role Mapping
- A default role could be granted to all non-admin users when they do SSO using the free plugin.
- Navigate to the Role Mapping area under the Attribute/Role Mapping tab.
- Save your changes by selecting the Default Role and clicking Save.
Installing and Setting up Using Next Active Directory Integration
Step1: Installation
- Next Active Directory Integration can be easily installed from the WordPress Plugin Directory and unpack the folder to your wordpress/wp-content/plugins directory.
- To get the dependencies, developers should simply clone the Git Repository and place it in their wp-content/plugins directory.
- Go to Plugins in the left the navigation bar > installed plugins menu
- Activate the Next Active Directory Integration plug-in
Step 2: Networking & Single Sign On
On the SSO configuration page, you have to enter the required information if you want to use a single sign-on.
Enable SSO
With this option, users can log in with a single click on WordPress. The user has to be previously authenticated by the webserver or frontend proxy. After the user has opened the WordPress site Next Active Directory Integration checks for the existence of the Username variable. Users are immediately authorised and their account information from Active Directory is retrieved.
Step 3: Configuration
You can allow synchronisation from WordPress back to your Active Directory to keep everything up to date with the current user’s data.
Support / Documentation
For further documentation on using the features discussed above, refer to the following:
Next Active Directory Integration Documentation:
https://active-directory-wp.com/docs/Getting_Started.html
WordPress SAML Single Sign-On Setup Guides for miniOrange plugins
Final Thoughts
Active Directory simplifies the lives of administrators and end-users while increasing security for businesses. AD provides administrators with centralised user and rights management as well as centralised control over device and user logins. Authentication just needs to be done once, and then users may access any resources in the domain that they’re permitted to access without any problems (single sign-on).
Pairing Active Directory with WordPress allows your organization to enjoy the benefits of AD security and SSO.
