WordPress Single Sign-On (SSO) using ADFS SAML as IDP

Set up WordPress SAML SSO using ADFS with the WP Cloud SSO plugin. Sync ADFS attributes into your WordPress website and map them to your WordPress roles.

In this guide we will go through the steps to set up ADFS as your identity provider, establish a trust with your Active Directory, sync users, automatically create WordPress users, and set WordPress roles based on the synced ADFS attributes.

The first step is to download the WP Cloud SSO plugin if you're not already using our plugin, and then follow the steps below to configure WordPress with ADFS as your SAML identity provider.


1.) Setup ADFS as IDP for WordPress

To configure ADFS as the IdP, please follow the steps below:

Configure ADFS as IdP:

  • In the WP Cloud SSO plugin, go to the Service Provider Metadata section, where you will find the SP metadata, such as the SP Entity ID and the ACS (AssertionConsumerService) URL, which are necessary to configure the identity provider;
  • Go to the ADFS server;
  • Search for the AD FS Management application;
  • On your ADFS server open Server Manager and select Tools / AD FS Management;
  • In AD FS Management, select Relying Party Trusts and click on Add Relying Party Trust;
  • Choose Claims aware in the Relying Party Trust Wizard and click on the Start button;
  • In the next step choose how the relying party data will be entered and follow the instructions below;

Configure the Name ID format as EmailAddress

  • On this step select the configured relying party trust and click on Edit Access Control Policy;
  • Choose the Permit everyone access control policy;
  • Click on the Apply and OK buttons;
  • Next, select the configured relying party trust and click on Edit Claim Issuance Policy;
  • Click on the Add Rule button;
  • Select the claim rule template Send LDAP Attributes as Claims;
  • Click on the Next button;
  • Enter Attributes into the Claim rule name field;
  • Select Active Directory as the attribute store;
  • Add a mapping for the E-Mail-Addresses LDAP attribute to the E-Mail Address outgoing claim type, as on the screenshot below;
  • Click on the Finish button;
  • Click on the Add Rule button;
  • Select the claim rule template Transform an Incoming Claim;
  • Click on the Next button;
  • Fill in the fields as on the screenshot below (incoming claim type E-Mail Address, outgoing claim type Name ID, outgoing name ID format Email);
  • Click on the Finish button;
  • Click on the Apply button and then on the OK button;

Windows SSO (Optional)

The steps below configure Windows SSO (Windows Integrated Authentication) on ADFS.

  • Steps to configure ADFS for Windows Authentication:
  • Open an elevated Command Prompt on the ADFS server and execute the following command on it:

  1. setspn -a HTTP/##ADFS Server FQDN## ##Domain Service Account##
  2. FQDN is the Fully Qualified Domain Name of the ADFS server (example: adfs4.example.com)
  3. Domain Service Account is the username of the ADFS service account in AD.
  4. Example: setspn -a HTTP/adfs.example.com domain\username

  • Open the AD FS Management Console, click on Service and navigate to the Authentication Methods section. On the right, click on Edit Primary Authentication Methods. Check Windows Authentication in the Intranet zone.
  • Open Internet Explorer and go to the Security tab in Internet Options.
  • Add the FQDN of AD FS to the list of sites in Local Intranet and restart the browser.
  • Select Custom Level for the Security Zone. In the list of options, choose Automatic logon only in Intranet zone.
  • Open PowerShell and execute the following 2 commands to enable Windows Authentication in the Chrome browser. The first appends Chrome to the list of user agents for which ADFS offers Windows Integrated Authentication; the second prints the resulting list so you can verify the change.

    Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents) + "Chrome")

    Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents

  • You have successfully configured ADFS for Windows Authentication.

2.) Configure WordPress as SP

ADFS Application Federation Metadata XML

To get the ADFS Federation Metadata, you can use this URL:

https://<ADFS_Server_Name>/federationmetadata/2007-06/federationmetadata.xml
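As an added example (not the plugin's code), the following PowerShell downloads the federation metadata from that URL and summarises the IdP entity ID, the SingleSignOnService endpoints and the signing certificate thumbprints, so that what the plugin shows after import can be compared against what ADFS actually publishes. <ADFS_Server_Name> is a placeholder, and the function assumes a standard ADFS metadata document (KeyDescriptor elements carrying a use attribute).

```powershell
# Added example, not the plugin's code: summarise an ADFS federation metadata document.
function Get-AdfsIdpMetadataSummary {
    param([Parameter(Mandatory)][string]$MetadataUrl)

    # Fetch the metadata over HTTPS and parse it as XML.
    $xmlText = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
    $doc = [xml]$xmlText

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # The IdP role descriptor holds the SSO endpoints and the signing keys.
    $idp = $doc.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw "No IDPSSODescriptor found in metadata from $MetadataUrl" }

    # ADFS marks its KeyDescriptor elements with use="signing" / use="encryption".
    $certs = foreach ($kd in $idp.SelectNodes("md:KeyDescriptor[@use='signing']", $ns)) {
        $b64  = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText.Trim()
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList (,[Convert]::FromBase64String($b64))
        [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
    }

    [pscustomobject]@{
        EntityId     = $doc.DocumentElement.GetAttribute('entityID')
        SsoEndpoints = @($idp.SelectNodes('md:SingleSignOnService', $ns) |
                         ForEach-Object { "$($_.GetAttribute('Binding')) $($_.GetAttribute('Location'))" })
        SigningCerts = @($certs)
    }
}

# <ADFS_Server_Name> is a placeholder for your ADFS server's FQDN.
Get-AdfsIdpMetadataSummary -MetadataUrl 'https://<ADFS_Server_Name>/federationmetadata/2007-06/federationmetadata.xml' |
    Format-List
```

Recording the signing thumbprints and the NotAfter dates at setup time is what makes a later certificate rollover on the ADFS side easy to recognise when logins start failing.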

 

In the WordPress WP Cloud SSO plugin, go to the Identity Provider Setup tab of the plugin.

There are 2 ways to configure the WordPress SSO plugin:

3.) ADFS Attribute Mapping

Note: This upload feature is only available to paid plans.

  • On this step select the configured relying party trust and click on Edit Claim Issuance Policy;
  • Click on the Add Rule button;
  • Click on the Next button;
  • Enter Attributes into the Claim rule name field;
  • Select Active Directory as the attribute store;
  • Select the desired attributes.

Note that output claim names will be transformed to lowercase without spaces; for example, an output attribute named Given Name will be transformed to givenname;

  • Click on the Finish button;
  • Go to the ADFS identity provider in the plugin;
  • Click on the Test Configuration button;
  • Log in via your ADFS account;
  • See the results returned from the IdP;
  • Go to the Attribute Mapping page in the plugin;
  • Insert the values from ADFS into the Attribute Mapping section;
  • Click on the Save button.

4.) ADFS Role Mapping

WordPress has 7 pre-defined roles:

  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber
  • Customer

To configure default role mapping please follow the steps below:

  • Go to the Attribute/Role Mapping page of the plugin;
  • In the Role Mapping section select one of the WordPress pre-defined roles as the default role;
  • Click on the Save button;

To configure multiple role mapping based on group membership, follow the steps below:

Note: The multiple role mapping feature is only available to paid plans.

  • First of all, you need to configure ADFS to send a Group attribute (this attribute carries all of the user's groups);
  • Go to ADFS and click on the relying party trust configured before;
  • Click on the Edit Claim Issuance Policy button;
  • Click on the Add Rule button;
  • Choose the claim rule template Send Group Membership as a Claim;
  • Click on the Next button;
  • Enter a claim rule name;
  • Click on the Browse button;
  • Click on the Advanced button;
  • Click on the Find Now button;
  • Select the necessary group;
  • Click on the OK button;
  • In the next step select Group as the outgoing claim type;
  • Enter the outgoing claim value for the group configured before, for example: Admins;
  • Click on the Finish button;
  • Click on the Apply button and then on the OK button;
  • Go to the Identity Provider Setup page of the plugin;
  • Choose the configured ADFS identity provider;
  • Click on the Test Configuration button;
  • Check that the group attribute was fetched successfully;
  • In the next step go to the Attribute Mapping page of the plugin;
  • Insert the target Group attribute as the source Group attribute from ADFS;
  • Click on the Save button in the Attribute Mapping section;
  • Insert the value of the target Group attribute from ADFS against the necessary WordPress role;
  • Click on the Save button in the Role Mapping section;
  • After this, all users whose Group attribute carries the value Admins will be assigned the Administrator role in WordPress.
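As an added example (not the plugin's code) for the attribute-mapping and role-mapping sections above, the following PowerShell shows the SP-side logic those steps configure: claim names from an ADFS assertion are normalised the way the note describes (lowercase, spaces removed), and the Group attribute values are resolved to a WordPress role. The assertion is a constructed sample. Two behaviours are assumptions rather than documented plugin behaviour: when several mapped groups match, the most privileged role wins, and when none match the default role applies. The functions also assume the assertion has already passed signature, issuer and audience validation upstream; role mapping is only meaningful on a validated assertion.

```powershell
# Added example, not the plugin's code. Assumes the assertion was already validated
# (signature, issuer, audience, conditions) by the SAML layer before reaching here.

function ConvertTo-PluginAttributeName {
    param([Parameter(Mandatory)][string]$ClaimName)
    # "Given Name" -> "givenname", as the guide's note states.
    return ($ClaimName -replace '\s', '').ToLowerInvariant()
}

function Get-SamlAttributes {
    param([Parameter(Mandatory)][string]$AssertionXml)
    $doc = [xml]$AssertionXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    # Map normalised attribute name -> array of string values (multi-valued attributes kept).
    $attrs = @{}
    foreach ($attr in $doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        $name   = ConvertTo-PluginAttributeName $attr.GetAttribute('Name')
        $values = @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText.Trim() })
        $attrs[$name] = $values
    }
    return $attrs
}

function Resolve-WordPressRole {
    param(
        [Parameter(Mandatory)][hashtable]$Attributes,
        [Parameter(Mandatory)][hashtable]$GroupToRole,   # e.g. @{ Admins = 'administrator' }
        [string]$GroupAttribute = 'group',               # normalised name of the Group attribute
        [string]$DefaultRole    = 'subscriber'           # the plugin's default role mapping
    )
    # Assumption: most privileged role first; the first one matched in this order wins.
    $precedence = 'administrator', 'editor', 'author', 'contributor', 'subscriber'

    $groups = if ($Attributes.ContainsKey($GroupAttribute)) { @($Attributes[$GroupAttribute]) } else { @() }
    $matched = @()
    foreach ($g in $groups) {
        if ($g -and $GroupToRole.ContainsKey($g)) { $matched += $GroupToRole[$g] }
    }
    foreach ($role in $precedence) {
        if ($matched -contains $role) { return $role }
    }
    return $DefaultRole
}

# Constructed sample assertion: only the AttributeStatement matters for this example.
$sampleAssertion = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-sample" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Given Name">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>Editors</saml:AttributeValue>
      <saml:AttributeValue>Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

$attributes = Get-SamlAttributes -AssertionXml $sampleAssertion
$role = Resolve-WordPressRole -Attributes $attributes -GroupToRole @{ Admins = 'administrator'; Editors = 'editor' }
"{0} ({1}) -> WordPress role {2}" -f $attributes['givenname'][0], $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0], $role
```

Keeping the group-to-role table as an explicit allow-list means a group value that ADFS sends but that is not in the table falls through to the default role instead of granting anything, which is the behaviour you want when a new AD group is added on the ADFS side before the WordPress mapping is updated.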

5.) ADFS SSO Login Button - Redirect to IDP

Next is to enable your ADFS SSO login buttons, which can be found on the SSO Links tab.  Follow the SSO Login Widget page for instructions on setting up.

Login Button

6.) Multiple Environments Feature

For more information about the Multiple Environments feature, follow the Multiple Environments SSO page.