WordPress SSO Azure AD Office 365

WordPress SSO using Azure AD Login

WordPress SSO (Single Sign-On) with Azure AD can be set up using our WP Cloud SSO WordPress plugin.

Establishing a SAML trust between Azure AD and your WordPress site lets your users log in with their Azure AD account instead of a separate WordPress password, giving them a single sign-on experience.

In this guide we will go through the steps to configure WordPress to authenticate against Azure AD / Office 365 using the WP Cloud SSO plugin. Azure AD / Office 365 acts as the identity provider (IdP) and WordPress as the service provider (SP). WP Cloud SSO allows unlimited user authentications from Azure AD.

The first step is to download and install our plugin; then continue with Step 1, Setup Azure AD as WordPress IdP.

List of Supported Identity Providers using WP Cloud SSO

Getting Started setting up WordPress Azure AD SSO

Table of Contents

1.) Setup Azure AD as WordPress IdP

Setup Azure AD as IdP

  • In the WP Cloud SSO plugin, open the Service Provider Metadata tab; you will need the SP Entity ID and the ACS URL shown there in the next steps.

Azure AD setup through Enterprise Applications

  • Select Enterprise Applications
  • Click on New Application
  • Click on Create your own application
  • Enter a name for your app, select Non-gallery application and click on the Create button
  • Click on Set up single sign-on
  • Select SAML
  • Under Basic SAML Configuration click on Edit. Enter the SP Entity ID from the plugin's Service Provider Metadata tab as Identifier (Entity ID) and the ACS (Assertion Consumer Service) URL as Reply URL. The Reply URL must match the ACS URL exactly (scheme, host, path and any trailing slash): Azure AD only returns assertions to a Reply URL registered here.

Assign AzureAD Groups to WP Cloud SSO Enterprise Application

  • Now assign users and groups to your SAML application. WordPress role mapping is based on the Azure AD groups a user belongs to, so assign the groups you intend to map.
  • Go to the Users and groups tab and click on Add user/group
  • Click on Users and groups, choose the required user or group and click Select
  • If you get the message 'When you assign a group to an application, only users directly in the group will have access. The assignment does not cascade to nested groups.', close it by pressing the X and press Assign.

Next, open the Properties of the group and copy its Object ID; you will need it later when you add the group to the role mappings in the plugin.

2.) Configure WordPress as SP

Azure AD Application Federation Metadata XML

To download your Azure AD enterprise application's metadata XML, open the application's Single sign-on page and click Federation Metadata XML under SAML Certificates.

The App Federation Metadata Url shown next to it can instead be used as the fetch metadata URL in the WP Cloud SSO upload settings, so the plugin downloads the metadata itself.

In the WP Cloud SSO plugin there are 2 ways to setup Azure Active Directory with WordPress as your service provider.

A.) Upload Azure AD IDP Federation Metadata XML File

Note: This upload feature is only available to paid plans. Refer to step B.) which allows you to configure manually.

    • Click on Identity Provider Setup
    • Click on Upload IDP Metadata
    • Input Identity Provider Name
    • Either upload a metadata file and click on Upload button or use a metadata URL and click on Fetch Metadata.

B.) Manually add Azure AD Application URLs

The values the plugin needs are shown on your Azure AD application's Single sign-on page, in the Set up <your application name> section. They map to the plugin fields as follows:

  1. IdP Entity ID or Issuer = Azure AD Identifier
  2. SAML Login URL = Login URL
  3. SAML Logout URL = Logout URL

    • Click on Identity Provider Setup

Provide the settings (Identity Provider Name, IdP Entity ID or Issuer, SAML Login URL, SAML Logout URL) exactly as shown by your Azure AD application and click on Save Changes.

Manually Adding X.509 Certificate

Your Azure AD enterprise application's signing certificate is contained in the Federation Metadata XML, which you can download from the application's Single sign-on page under SAML Certificates (the same page shows the certificate's thumbprint and expiry date).

In the Federation Metadata XML file, look for the content between the <X509Certificate> and </X509Certificate> tags. Copy that base64 text and paste it into the X.509 Certificate box of the WP Cloud SSO plugin.

Note: after pasting in your certificate data, wrap it in PEM markers so that it looks like this:

-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----

That is, the line -----BEGIN CERTIFICATE----- goes before the certificate data and the line -----END CERTIFICATE----- after it.

This certificate is what the plugin uses to verify the signature on the assertions Azure AD sends, so make sure it is the signing certificate of this application (compare the thumbprint with the one shown in the portal). Azure AD SAML signing certificates expire; when you roll the certificate over in Azure AD, update the plugin as well or logins will start failing.
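As an added example (not the plugin's code and not part of the original guide), the following Python script does the manual setup of step B.) and the certificate step in one go: it reads a federation metadata XML, extracts the IdP Entity ID, Login URL, Logout URL and the signing certificate, converts the certificate into the PEM form shown above, and prints a SHA-1 thumbprint to compare against the Thumbprint displayed under SAML Signing Certificate in the Azure portal. The metadata it runs on is a constructed sample with a placeholder tenant GUID and a fake certificate body, so it runs offline; point `parse_idp_metadata` at the real file you downloaded.

```python
"""Added example (not the WP Cloud SSO plugin's code and not from the original
guide): read an Azure AD federation metadata XML, pull out the values the
plugin's manual setup and X.509 Certificate box need, and print a thumbprint
to compare with the Azure portal.  Runs offline on a constructed sample."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: placeholder tenant GUID and a fake certificate body
# (plain bytes, NOT a real certificate) so the script runs offline.
SAMPLE_CERT_B64 = base64.b64encode(
    b"fake-certificate-bytes-for-the-demo-only-replace-with-real-metadata"
).decode()
TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="_sample" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def to_pem(cert_b64: str) -> str:
    """Turn the bare base64 from <X509Certificate> into the PEM block the plugin
    expects: armor lines plus the body re-wrapped at 64 characters.  Existing
    armor lines and stray whitespace (copy/paste artefacts) are removed first."""
    lines = [ln.strip() for ln in cert_b64.splitlines() if not ln.strip().startswith("-----")]
    body = "".join("".join(lines).split())
    base64.b64decode(body, validate=True)  # fail early if the paste is not valid base64
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"


def thumbprint(cert_b64: str, algorithm: str = "sha1") -> str:
    """Hex digest of the DER bytes; the Azure portal shows the SHA-1 form."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.new(algorithm, der).hexdigest().upper()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the values for the plugin's Identity Provider Setup tab."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def redirect_location(service: str):
        for el in idp.findall(f"md:{service}", NS):
            if el.get("Binding") == HTTP_REDIRECT:
                return el.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # an absent 'use' covers signing too
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))
    if not certs:
        raise ValueError("metadata carries no signing certificate")

    return {
        "entity_id": root.get("entityID"),                       # plugin: IdP Entity ID or Issuer
        "login_url": redirect_location("SingleSignOnService"),   # plugin: SAML Login URL
        "logout_url": redirect_location("SingleLogoutService"),  # plugin: SAML Logout URL
        "certificates": [to_pem(c) for c in certs],              # plugin: X.509 Certificate
        "thumbprints": [thumbprint(c) for c in certs],
    }


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    for key in ("entity_id", "login_url", "logout_url"):
        print(f"{key}: {info[key]}")
    for pem, tp in zip(info["certificates"], info["thumbprints"]):
        print(f"SHA-1 thumbprint (compare with the Azure portal): {tp}\n{pem}")
```

`to_pem` is idempotent, so it is safe to run over text that already carries the BEGIN/END lines. Fetch the real metadata only over HTTPS from the App Federation Metadata Url; the parser trusts whatever XML it is given, so never feed it a file from an untrusted source.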

3.) Azure AD Attribute Mapping

With Attribute Mapping, you can map attributes of Azure AD users to their WordPress profile.

  • In the WP Cloud SSO SAML plugin, click on Attribute Mapping
  • Only the NameID claim is supported for the Email and Username attributes of the WordPress user; upgrade to map other attributes via custom attributes.
  • Users logging in will use their Azure AD email address as the WordPress user login ID.

Setting up Azure AD Enterprise Application Attributes & Claims

You can map any Azure AD user attribute or the user's groups. In this example I will map the following:

  • Givenname
  • Surname
  • Job Title
  • Azure AD Groups
  • Department
  • Display Name
  • Office Location

Navigate to Single sign-on within your Azure enterprise application and click on Edit next to Attributes & Claims.

Adding New User Attribute Claim

Click on Add new claim and give it a name, for example givenname. In the Namespace field enter the following URL:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims

Next, under Source select Attribute and from the Source attribute drop-down menu select user.givenname, then Save.

Azure AD sends the resulting SAML attribute with the namespace and the name joined by a slash, so the claim above arrives as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname.

Repeat this process for any other attribute claims you need, for example a jobtitle claim mapped from user.jobtitle.

Azure AD User Attribute Claim
  • Go to the plugin's Attribute Mapping page
  • Enter the claim names exactly as Azure AD sends them, i.e. the namespace and the claim name joined by a slash, for example http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Unique User Identifier (Name ID)

The plugin takes the WordPress email and username from the NameID, so the NameID must carry the user's email address: in Attributes & Claims edit the Unique User Identifier (Name ID) claim and set its Source attribute to user.mail. If some accounts in your tenant have no mail attribute (for example users without a mailbox), their NameID will be empty and they will not be able to log in; in that case use user.userprincipalname if the UPN is the address you want WordPress to use.

This is found within your Azure tenant > Azure AD / Enterprise Applications / Name of your Azure application / Set up Single Sign-On with SAML / Attributes & Claims

Adding Azure AD / Office 365 Group Claims

  • Click on Add a group claim
  • Under Which groups associated with the user should be returned in the claim?, select Groups assigned to the application
  • Select Group ID as the Source attribute
  • Click Save

With Group ID as the source, Azure AD sends one value per group, each being the group's Object ID, under the claim name http://schemas.microsoft.com/ws/2008/06/identity/claims/groups; these Object IDs are what the role mapping in the next section matches against.

4.) WordPress Role Mapping

  • This feature lets you assign and manage the WordPress roles of users when they log in through Azure AD. You set a default WordPress role and then assign Azure AD groups to each WordPress role; the role mapping determines which permissions a user has in WordPress after a successful login through the identity provider.

Setting up group roles

  • To use these options, first configure Attribute Mapping in the plugin and enter a mapping for the field named Group. This attribute carries the group information sent by the IdP (the group claim configured in the previous section) and is used for Role Mapping.
  • In Azure AD, open the group you assigned to the application (Azure Active Directory > Groups, or via the application's Users and groups tab) and copy its Object Id.
  • Go to the Role Mapping section and enter that Object Id next to the WordPress role it should receive.
  • Keep the default role the least-privileged one (Subscriber), and map Administrator only to a group whose membership you control tightly: anyone who can be added to that group in Azure AD becomes a WordPress administrator.
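The following Python script is an added example (not the plugin's code and not part of the original guide) that ties the Attributes & Claims configuration of section 3 to the role mapping of this section: it parses the claims Azure AD places in a SAML assertion, builds the WordPress profile fields from them, and resolves a WordPress role from the group Object IDs. It runs on a constructed sample assertion with placeholder GUIDs and assumes the assertion's XML signature has already been verified against the IdP certificate. The field names, the "highest matched role wins" rule and the rejection of an empty NameID are this example's own assumptions, not the plugin's documented behaviour.

```python
"""Added example (not the plugin's code and not from the original guide): parse
the claims Azure AD places in a SAML assertion when the Attributes & Claims
above are configured, build the WordPress profile fields from them, and apply
a role mapping keyed on group Object IDs.  The role-precedence rule and field
names are this example's own assumptions.  It assumes the assertion's XML
signature has already been verified against the IdP certificate; never derive
roles from an unverified assertion.  Runs offline on a constructed sample."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"  # namespace used above
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"  # Azure AD default group claim

# Constructed sample assertion: placeholder GUIDs, Signature element omitted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_sample" Version="2.0">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}/jobtitle"><saml:AttributeValue>Security Engineer</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GROUPS}">
      <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Lowest to highest privilege; used when a user is in groups mapped to several roles.
WP_ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2, "editor": 3, "administrator": 4}


def parse_assertion(xml_text: str) -> dict:
    """Return the NameID and a {claim name: [values]} map from an assertion
    (or from a samlp:Response wrapping one)."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found")
    name_id = (assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = [v for v in values if v]
    return {"name_id": name_id, "attributes": attributes}


def wp_profile(claims: dict, attribute_map: dict) -> dict:
    """attribute_map: WordPress field -> full claim name, as entered on the
    Attribute Mapping tab.  NameID is used for both login and email, so an
    empty NameID (e.g. user.mail not populated) must refuse the login."""
    if not claims["name_id"]:
        raise ValueError("assertion has an empty NameID; set its source to a populated attribute")
    profile = {"user_login": claims["name_id"], "user_email": claims["name_id"]}
    for field, claim_name in attribute_map.items():
        values = claims["attributes"].get(claim_name, [])
        profile[field] = values[0] if values else ""
    return profile


def wp_role(claims: dict, role_map: dict, default_role: str = "subscriber") -> str:
    """role_map: WordPress role -> group Object IDs copied from Azure AD.
    Users in no mapped group get default_role (keep that the least-privileged
    role); users in groups mapped to several roles get the highest one."""
    groups = set(claims["attributes"].get(GROUPS, []))
    matched = [role for role, ids in role_map.items() if groups & set(ids)]
    if not matched:
        return default_role
    return max(matched, key=lambda r: WP_ROLE_RANK[r])


if __name__ == "__main__":
    claims = parse_assertion(SAMPLE_ASSERTION)
    print(wp_profile(claims, {"first_name": f"{CLAIMS}/givenname",
                              "last_name": f"{CLAIMS}/surname",
                              "job_title": f"{CLAIMS}/jobtitle"}))
    print(wp_role(claims, {"editor": {"aaaaaaaa-0000-0000-0000-000000000002"},
                           "administrator": {"aaaaaaaa-0000-0000-0000-000000000009"}}))
```

Because the group claim only lists groups the user is directly assigned through, a user whose membership comes via a nested group gets the default role here, which matches the nested-group warning shown when assigning groups in Azure AD.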

WordPress default roles

  • WordPress uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site. The site owner can manage the user access to such tasks as writing and editing posts, creating Pages, creating categories, moderating comments, managing plugins, etc.

WordPress core ships with these pre-defined roles, from most to least privileged:

  1. Super Admin (multisite installations only)
  2. Administrator
  3. Editor
  4. Author
  5. Contributor
  6. Subscriber

A Customer role also appears in the list when WooCommerce is installed; it is added by that plugin, not by WordPress itself.

For more information about WordPress roles follow the link: https://wordpress.org/support/article/roles-and-capabilities/.

5.) Avatar mapping

This feature works only with Azure AD as the identity provider. It reads user photos through Microsoft Graph with an application permission, so the plugin needs an app registration with a client secret.

  • Go to Azure Active Directory
  • Go to App registrations
  • Select your app (the registration created together with the enterprise application)
  • In the Overview tab copy the Application (client) ID (client_id)
  • Go to the Certificates & secrets tab
  • Click on New client secret
  • Fill in a description and an expiry date and click Add
  • Copy the secret Value (client_secret) now; it is only displayed once
  • Go to the API permissions tab and click Add a permission
  • Click on Microsoft Graph
  • Click on Application permissions
  • Search for User and select the User.Read.All permission, then click Add permissions
  • Click on Grant admin consent for InfraSOS-US (your own tenant name appears here)
  • Go to the WP Cloud SSO plugin page
  • Click on Avatar Mapping
  • Insert the client_id and client_secret

Note: User.Read.All is an application permission, so anyone holding this secret can read every user's profile in the tenant without any user signing in. Treat it like an administrator password, give it the shortest expiry you can manage, and record the expiry date: avatar lookups stop working once it expires, until you create a new secret and update the plugin.

6.) SSO Links

Next, enable your Office 365 SSO login buttons, which can be found on the SSO Links tab. Follow the SSO Login Widget page for instructions on setting them up.

7.) Multiple Environments Feature

For more information about the Multiple Environments feature, see the Multiple Environments SSO page.