WordPress Single Sign-On (SSO) using ADFS SAML as IDP
Set up WordPress SAML SSO using ADFS with the WP Cloud SSO plugin. Sync ADFS attributes into your WordPress website and map them to your WordPress roles.
In this guide we go through the steps to set up ADFS as your identity provider, establish a relying party trust with your Active Directory, sync users, create WordPress users automatically, and set WordPress roles based on the attributes synced from ADFS.
The first step is to download the WP Cloud SSO plugin if you are not already using it, then follow the steps below to configure ADFS as the SAML identity provider for WordPress.
To configure ADFS as IdP please follow the steps below:
Configure ADFS as IdP:
In the WP Cloud SSO plugin, go to the Service Provider Metadata section, where you will find the SP metadata such as the SP Entity ID and the ACS (AssertionConsumerService) URL, which are needed to configure the Identity Provider;
Log on to your ADFS server;
Open Server Manager and select Tools > AD FS Management;
In AD FS Management, select Relying Party Trusts and click on Add Relying Party Trust;
In the Add Relying Party Trust Wizard, choose Claims aware and click on the Start button;
In the next step choose one of the data source options below and follow its instructions;
Metadata URL
Metadata XML file
Manual Configuration
Metadata URL
Go to Service Provider Metadata tab from the plugin and copy the Metadata URL;
Choose Import data about relying party published online or on a local network option and add the metadata URL in Federation metadata address;
Click on Next.
Note: In the next step enter the desired Display Name and click Next.
Metadata XML file
Go to Service Provider Metadata tab from the plugin and click on the Download XML metadata button to download the plugin metadata file;
Choose Import data about relying party from file option and upload the metadata file;
Click on Next;
Note: In the next step enter the desired Display Name and click Next.
Manual Configuration
Choose Enter data about the relying party manually and click on the Next button;
Enter a Display name and click on the Next button;
On the next step click on the Next button;
On the next step click on the Next button;
Configure Identifiers
Insert the value of the SP Entity ID field from the Service Provider Metadata page of the plugin into the Relying party trust identifier field and click on the Add button;
On the next step click on the Next button;
Click on the Next button and click on the Finish button;
Select the relying party trust you just configured and click on Properties;
Choose the Endpoints tab and click on Add SAML button;
Select Endpoint type as SAML Assertion Consumer;
Select Binding as POST;
Insert ACS URL from Service Provider Metadata page of the plugin into the Trusted URL field;
Click on the Ok button;
Click on the Add SAML button;
Select Endpoint type as SAML Logout;
Select Binding as POST;
Insert the SLO (Single Logout) URL from the Service Provider Metadata page of the plugin into the Trusted URL field;
Click on the Ok button and click Apply;
Configure the Name ID format as EmailAddress;
Select the configured relying party trust and click on Edit Access Control Policy;
Choose the Permit everyone control policy;
Click on the Apply and Ok buttons;
Select the configured relying party trust and click on Edit Claim Issuance Policy;
Click on the Add Rule button;
Select the Claim rule template as Send LDAP Attributes as Claims;
Click on the Next button;
Enter Attributes into the Claim rule name field;
Select Attribute store as Active Directory;
Add a mapping for the E-Mail-Addresses LDAP attribute as shown on the screenshot below;
Click on the Finish button;
Click on the Add Rule button;
Select the Claim rule template as Transform an Incoming Claim;
Click on the Next button;
Fill in the fields as shown on the screenshot below;
Click on Finish button;
Click on the Apply button and on the Ok button;
Windows SSO (Optional)
The steps to configure Windows SSO are below.
Steps to configure ADFS for Windows Authentication
Open an elevated Command Prompt on the ADFS server and run the following command:
setspn -a HTTP/##ADFS Server FQDN## ##Domain Service Account##
FQDN is the Fully Qualified Domain Name (example: adfs4.example.com).
Domain Service Account is the username of the account in AD, given in domain\username form.
Example: setspn -a HTTP/adfs.example.com domain\username
Open the AD FS Management Console, expand Service and select Authentication Methods. On the right, click on Edit Primary Authentication Methods and check Windows Authentication in the Intranet zone.
In Internet Explorer, open Internet Options and go to the Security tab.
Add the FQDN of AD FS to the list of sites in Local Intranet and restart the browser.
Select Custom Level for the Security Zone. In the list of options, choose Automatic logon only in Intranet zone.
Open PowerShell and execute the following two commands to enable Windows authentication in the Chrome browser.
In the WP Cloud SSO plugin, go to the Identity Provider Setup tab.
There are 2 ways to configure the WordPress SSO plugin:
Free Plan
Premium/Enterprise Plans
Free Plan
Manual ADFS IDP Configuration:
Download and open the ADFS metadata XML file;
Press CTRL+F and find the entityID attribute of the EntityDescriptor tag;
Copy its value;
Go to the Identity Provider Setup page in Plugin and select ADFS identity provider;
Enter Identity Provider Name;
Insert EntityId to the IdP Entity ID or Issuer field of the plugin;
Go back to the XML metadata file;
Press CTRL+F and find the SingleSignOnService tag whose Binding attribute is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;
Copy value of the Location attribute;
Go back to the Service Provider Page of the plugin;
Insert the value of the Location attribute enclosed in the SingleSignOnService tag into the SAML Login URL field in the Plugin;
Go back to the XML metadata file;
Press CTRL+F and find the IDPSSODescriptor tag;
Find its first KeyDescriptor child tag whose use attribute is signing;
Copy value of the X509Certificate child tag;
Go back to the Service Provider Page of the plugin;
Transform the value of the X509Certificate tag into the following format:
-----BEGIN CERTIFICATE-----
X509Certificate
-----END CERTIFICATE-----
Insert the value transformed in the previous step into the X.509 Certificate field in the Plugin;
Click on the Save button;
Premium/Enterprise Plans
Upload ADFS IDP Federation Metadata XML File:
Note: The upload feature is only available to paid plans. Refer to the Free Plan tab which allows you to configure manually.
Go to the Identity Provider Setup page of plugin;
Select ADFS identity provider;
Click on Upload IDP Metadata;
Enter Identity Provider Name;
Either upload a metadata file and click on Upload button or use a metadata URL and click on Fetch Metadata.
3.) ADFS Attribute Mapping
Note: This upload feature is only available to paid plans.
Select the configured relying party trust and click on Edit Claim Issuance Policy;
Click on the Add Rule button;
Click on the Next button;
Enter Attributes into the Claim rule name field;
Select Attribute store as Active Directory;
Select the desired attributes.
Note that output claim names are transformed to lowercase with spaces removed; for example, an output claim name of Given Name becomes givenname;
Click on the Finish button;
Go to ADFS identity provider in Plugin;
Click on the Test Configuration button;
Login via ADFS account;
Review the attributes returned by the IdP;
Go to the Attribute Mapping page in Plugin;
Insert values from ADFS into Attribute mapping section;
Click on the Save button.
4.) ADFS Role Mapping
WordPress has 7 pre-defined roles:
Administrator
Editor
Author
Contributor
Subscriber
Customer
To configure default role mapping please follow the steps below:
Go to the Attribute/Role Mapping page of Plugin;
In the Role Mapping section select the WordPress pre-defined role to assign by default;
Click on the Save button;
To configure multiple role mappings based on group membership, follow the steps below:
Note: Multiple Role mapping feature is only available to paid plans.
First, configure ADFS to send a Group attribute (a claim carrying all of the user's groups);
Go to ADFS and click on the relying party trust configured before;
Click on the Edit Claim Issuance Policy button;
Click on the Add Rule button;
Choose Claim rule template as Send Group Membership as a Claim;
Click on the Next button;
Enter Claim rule name;
Click on the Browse button;
Click on the Advanced button;
Click on the Find Now button;
Select the necessary group;
Click on the OK button;
In the next step select the Outgoing claim type as Group attribute;
Enter Outgoing claim value for group configured before, for example: Admins;
Click on the Finish button;
Click on the Apply button and click on the Ok button;
Go to Identity Provider Setup page of plugin;
Choose configured ADFS identity provider;
Click on the Test Configuration button;
Check that the group attribute was fetched successfully;
In the next step go to Attribute Mapping page of Plugin;
Enter the Group attribute from ADFS as the source for the target Group attribute;
Click on the Save button in Attribute Mapping section;
Enter the value of the Group attribute from ADFS next to the required WordPress role;
Click on the Save button in Role Mapping section;
After this, all users whose group attribute carries the value Admins are assigned the Administrator role in WordPress.
5.) ADFS SSO Login Button - Redirect to IDP
Next, enable your ADFS SSO login buttons, which can be found on the SSO Links tab. Follow the SSO Login Widget page for setup instructions.