Establish a trust between Azure AD and your WordPress blog to enable SSO, so users can login using their Azure AD user account and enable the single sign on experience for your users.
In this guide we will go through the steps to configure WordPress to use Azure AD / Office365 using WP Cloud SSO plugin. We will configure Azure AD / Office 365 as your identity provider (IDP) and WordPress as your service provider (SP). WP Cloud SSO allows unlimited user authentications from Azure AD.
First step is to download our plugin and then Step 1 Setup Azure AD as WordPress IDP
List of Supported Identity Providers using WP Cloud SSO
Enter the name for your app and select Non-Gallery application and click on Create button;
Click on Setup Single sign-on;
Select the SAML tab;
Click on Edit and enter SP Entity ID for Identifier (Entity ID) and the ACS (Assertion Consumer Service) URL for Reply URL from the Service Provider Metadata tab of the plugin.
Assign AzureAD Groups to WP Cloud SSO Enterprise Application
Now we can assign users and groups to your SAML application. This allows you to use WordPress Role Mapping based on yours in your AzureAD Groups;
Go to tab Users and groups tab and click on Add user/group;
Click on Users to choose the required User or Group and click Select;
If you get the following message ‘When you assign a group to an application, only users directly in the group will have access. The assignment does not cascade to nested groups.‘ close this message by pressing the X and press Assign.
Next click on the properties on your group and copy the Object ID as we will need this later when you add this to our role mappings within our plugin.
2.) Configure WordPress as SP
Azure AD Application Federation Metadata XML
To download your Azure AD enterprise application metadata xml, you will find this under your Azure AD enterprise application ‘Single sign-on‘ properties under Federation Metadata XML.
Also The App Federation Metadata URL you can use as your fetch metadata URL within WP Cloud SSO upload settings.
Download federation metadata xml from the following:
In the WP Cloud SSO plugin there are 2 ways to setup Azure Active Directory with WordPress as your service provider.
A.) Upload Azure AD IDP Federation Metadata XML File
Note: This upload feature is only available to paid plans. Refer to step B.) which allows you to configure manually.
Click on Identity Provider Setup;
Click on Upload IDP Metadata;
Input Identity Provider Name;
Either upload a metadata file and click on Upload button or use a metadata URL and click on Fetch Metadata.
B.) Manually add Azure AD Application URL's
Within your Azure AD Application the URLs are:
IdP Entity ID or Issuer = Azure AD Identifier;
SAML Login URL = Login URL;
SAML Logout URL = Logout URL .
Here is an example of my AzureAD application URL settings, yours will be similar:
Click on Identity Provider Setup;
Provide the settings as required ( i.e. Identity Provider Name, IdP Entity ID or Issuer, SAML Login URL) as provided by your Azure AD application and click on Save Changes.
Manually Adding X.509 Certificate
To add your X.509 Certificate from your AzureAD Enterprise Application, you can get this from your Federation Metadata XML which you can download from your Azure AD Enterprise Application under Single sign-on settings properties;
Here is a screenshot of our AzureAD Enterprise application single sign on settings (SAML Signing Certificate):
Within your Federation Metadata XML file, look for the content within the xxxxxx brackets. Copy the content and paste into X.509 Certificate box on WP Cloud SSO plugin;
Note: After pasting in your certificate data, make sure to format the contents as follows by adding the following text:
As you can see from mine, i’ve added the line —–BEGIN CERTIFICATE—– at the beginning, pasted our certificate data and then place the line —–END CERTIFICATE—– at the end.
3.) Azure AD Attribute Mapping
With Attribute Mapping, you can map attributes from Azure AD users to their WordPress profile;
In WP Cloud SSO SAML plugin, click on Attribute Mapping;
Only the attribute claim of NameID is supported for Email and Username attributes of the WordPress user. Upgrade to map other attributes via custom attributes;
Users logging in will use their Azure email address as the WordPress user login ID;
Setting up Azure AD Enterprise Application Attributes & Claims
You can map any Azure AD attribute or group. In my example i will map the following:
Givenname;
Surname;
Job Title;
Azure AD Groups;
Department;
Display Name;
Office Location;
Navigate to Single Sign-on with SAML within your Azure Enterprise Application. From Attributes & Claims click on Edit;
Adding New User Attribute Claim
Click on Add new claim and give it a name, for example in my example givenname. In the namespaceenter the following URL: http://schemas.xmlsoap.org/ws/2005/05/identity/claims;
Next under Source, selecting Attribute check box and from the down down menu of Source attribute select user.givenname thensave;
As per the following screenshot;
Repeat this process of adding any other attribute claims as you need. Another example below is of the JobTitle attribute;
Go to Attribute Mapping page;
Insert values from Azure AD into Attribute mapping section and Custom Attributes;
Adding Azure AD / Office 365 Group Claims
When configuring which attributes to sync from your Azure AD / Office 365, Set the NAMEID as the claim name and the value to sync should be user.mail as the following screenshot of Azure AD;
This is found within your Azure tenant > Azure AD / Enterprise Applications / Name of your Azure application you’ve setup / Set up Single Sign-On with SAML / Attributes & Claims;
Click on Add a group claim;
Select Groups assigned to the application in which groups associated with the user should be returned in the claim dropdown;
Select Source attribute as group ID;
Click Save.
4.) WordPress Role Mapping
This feature lets you assign and manage WordPress roles of the users when they login using Azure AD. Here, you set the default WordPress role and then assign Azure AD Groups to each WordPress Role. By role mapping functionality, user, you define the permissions that the users after successful login using provider.
Setting up group roles
To be able to use these options, please make sure that you configured the Attribute Mapping in the section of the plugin, and enter a mapping for the field named Group. This attribute will contain the role-related information sent by the IDP and will be used for Role Mapping;
Go to the role mapping section and enter the Group ID for the highlighted roles;
WordPress default roles
WordPress uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site. The site owner can manage the user access to such tasks as writing and editing posts, creating Pages, creating categories, moderating comments, managing plugins, etc.
This feature is working only for Azure AD identity provider.
Go to Azure Active Directory;
Go to App Registrations;
Select you app;
In the Overview tab copy client_id field ;
Go to Certificates & Secrets tab;
Click on New client secret;
Fill secret key description and expires date
Click Add;
Copy secret key value (client_secret)
Go to API Permissions tab;
Click Add new;
Click on Microsoft Graph;
Click on Application permissions;
Search User permissions type and select User.Read.All permission;
Click Add;
Click on Grant admin consent for InfraSOS-US;
Go to WP-Cloud-SSO plugin page;
Click on Avatar Mapping;
Insert into client_id, client_secret.
6.) Azure AD SSO Login Button - Redirect to IDP
Next is to enable your Azure AD SSO login buttons, which can be found on the SSO Links tab. Follow the SSO Login Widget page for instructions on setting up.