WordPress Office 365 Login

Enable WordPress Office 365 Login using WP Cloud SSO Plugin

Enable WordPress Office 365 logins using the WP Cloud SSO WordPress Single Sign-On plugin. Establish a SAML trust between WordPress and Office 365 so that access to WordPress is restricted to your Office 365 users, who authenticate to WordPress through SSO instead of a local password.

In this guide we go through the steps to configure WordPress to authenticate against Azure AD and Office 365 using the WP Cloud SSO plugin: mapping WordPress roles to Office 365 security groups, mapping Azure AD SAML attributes, and more.

Supported SAML Identity Providers using WP Cloud SSO

Getting Started setting up WordPress Office 365 SSO Logins

Table of Contents

1.) Setup Office 365 SSO as WordPress IDP

How to configure Office 365 SSO as the IdP (steps provided below)

Setup Office 365 SSO as IdP

  • Within the WP Cloud SSO plugin, go to the Service Provider Metadata tab; the SP Entity ID and ACS URL shown there are needed in the next steps.

Office 365 SSO setup through Enterprise Applications

  • In the Azure portal, select Enterprise Applications;
  • Click New Application;
  • Click Create your own application;
  • Enter a name for your app, select the Non-gallery application option, and click Create;
  • Click Set up single sign-on;
  • Select SAML;
  • Click Edit on Basic SAML Configuration and enter the SP Entity ID as Identifier (Entity ID) and the ACS (Assertion Consumer Service) URL as Reply URL, both copied from the plugin's Service Provider Metadata tab. Azure will only send assertions to the Reply URL registered here, so make sure it is the HTTPS URL of your site.

Assign Office 365 SSO Groups to WP Cloud SSO Enterprise Application

  • Now assign users and groups to your SAML application. The assigned groups are the ones the group claim can return, and they are what WordPress Role Mapping keys on;
  • Go to the Users and groups tab and click Add user/group;
  • Click Users and groups, choose the required user or group, and click Select;
  • If you see the message 'When you assign a group to an application, only users directly in the group will have access. The assignment does not cascade to nested groups.', note that members of nested groups are not treated as assigned (assign such groups directly if they need access), close the message with the X, and click Assign;

Next, open the Properties of each group you assigned and copy its Object ID; you will need it later when adding role mappings in the plugin.

2.) Configure WordPress as SP

Office 365 SSO Application Federation Metadata XML

  • To download your Office 365 SSO enterprise application metadata XML, open the application's Single sign-on page and look under SAML Signing Certificate for Federation Metadata XML;
  • The App Federation Metadata URL shown on the same page can be used as the fetch-metadata URL in the WP Cloud SSO upload settings; use only the URL the portal shows, since whatever that URL serves becomes the trusted signing certificate for your logins;
  • Download the federation metadata XML from that page.

In the WP Cloud SSO plugin there are two ways to set up Azure Active Directory as the identity provider with WordPress as your service provider.

A.) Upload Office 365 SSO IDP Federation Metadata XML File

Note: The upload feature is only available on paid plans. Refer to step B.) for manual configuration.

  • Click Identity Provider Setup;
  • Click Upload IDP Metadata;
  • Enter an Identity Provider Name;
  • Either upload the metadata file and click Upload, or enter the App Federation Metadata URL and click Fetch Metadata.

B.) Manually add Office 365 SSO Application URLs

  • The values the plugin asks for correspond to the following fields on your Office 365 SSO application's Single sign-on page:
    1. IdP Entity ID or Issuer = Azure AD Identifier;
    2. SAML Login URL = Login URL;
    3. SAML Logout URL = Logout URL.
  • Click Identity Provider Setup;
  • Provide the required settings (Identity Provider Name, IdP Entity ID or Issuer, SAML Login URL, SAML Logout URL) exactly as shown in your Office 365 SSO application and click Save Changes. The Issuer is tenant-specific (it contains your tenant ID), and the plugin will reject assertions from any other issuer, so copy it verbatim.

Manually Adding X.509 Certificate

  • The X.509 certificate is the Azure AD SAML signing certificate; the plugin uses it to verify the signature on every assertion it receives, so a wrong or stale certificate means either failed logins or, worse, no real verification. You can take it from the Federation Metadata XML downloaded from your Office 365 SSO Enterprise Application under the Single sign-on settings;
  • In the Azure AD Enterprise Application single sign-on settings, the certificate is listed under SAML Signing Certificate, together with its expiry date. Azure rotates this certificate when it expires or when you create a new one, and the copy in the plugin must then be updated or logins will fail;
  • Within your Federation Metadata XML file, look for the content of the <X509Certificate> element (inside KeyDescriptor with use="signing"). Copy that base64 content and paste it into the X.509 Certificate box of the WP Cloud SSO plugin.

Note: After pasting in your certificate data, format the contents as a PEM block by adding the following header and footer lines:

-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----

  • That is, the line -----BEGIN CERTIFICATE----- comes first, then the pasted certificate data, then the line -----END CERTIFICATE----- at the end.

3.) Office 365 SSO Attribute Mapping

With Attribute Mapping, you can map attributes from Office 365 SSO users to their WordPress profile.

  • In the WP Cloud SSO SAML plugin, click Attribute Mapping;
  • Only the NameID claim is supported for the Email and Username attributes of the WordPress user. Upgrade to map other attributes via custom attributes;
  • Users logging in will use their Azure email address (the NameID value) as the WordPress user login ID, so the NameID claim in Azure must be sourced from the user's email attribute (see below);

Setting up Azure AD Enterprise Application Attributes & Claims

You can map any Azure AD attribute or group. In this example the following are mapped:

  • Givenname;
  • Surname;
  • Job Title;
  • Azure AD Groups;
  • Department;
  • Display Name;
  • Office Location.

Navigate to Single sign-on with SAML within your Azure Enterprise Application, and under Attributes & Claims click Edit.

Adding New User Attribute Claim

  • Click Add new claim and give it a name, for example givenname. In the Namespace field enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims, so the full claim name becomes http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname;
  • Under Source, select Attribute, and from the drop-down menu of Source attribute select user.givenname, then save;
  • Repeat for each attribute you want to map (surname, jobtitle, department, displayname, and so on);
  • In the plugin, go to the Attribute Mapping page;
  • Enter the full claim names from Azure AD into the Attribute Mapping section;
  • For the NameID claim (shown as Unique User Identifier (Name ID) in Azure AD), set the source attribute to user.mail so that the email address is what arrives as NameID;
  • This is found within your Azure tenant > Azure AD / Enterprise Applications / the application you set up / Set up Single Sign-On with SAML / Attributes & Claims;
  • Click Add a group claim;
  • Under "Which groups associated with the user should be returned in the claim?", select Groups assigned to the application. This limits the claim to the groups you assigned in step 1 rather than every group the user belongs to, which keeps unrelated group memberships out of the assertion;
  • Set Source attribute to Group ID. The values returned are the groups' Object IDs, which is what the role mapping in the next section matches on;
  • Click Save.

4.) WordPress Role Mapping

  • This feature lets you assign and manage the WordPress roles of users when they log in using Office 365. You set a default WordPress role and then assign Azure AD groups to each WordPress role. Role mapping therefore decides what a user is permitted to do in WordPress after a successful login at the identity provider, and it is enforced on every login, so moving a user out of an Azure AD group changes their WordPress role the next time they sign in.

Setting up group roles

  • To use these options, make sure you have configured Attribute Mapping in the plugin and entered a mapping for the field named Group. This attribute carries the group claim sent by the IdP (the group Object IDs from the previous section) and is what Role Mapping evaluates;
  • In Azure Active Directory, open Groups and select the group you assigned to the application;
  • Copy its Object ID (the same value noted in step 1);
  • Go to the Role Mapping section of the plugin and enter each group's Object ID next to the WordPress role it should receive. Keep the default role at the least privileged level you can (Subscriber), so a user who is in no mapped group gets no editing or administrative rights, and map Administrator only to a group whose membership you control tightly.
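Taken together, sections 3 and 4 describe one transformation: read the NameID and the attribute claims out of a (signature-verified) SAML assertion, copy the mapped attributes into the WordPress profile, and turn the group Object IDs in the group claim into one WordPress role. The example below is added here and is not the plugin's code; it works on a constructed assertion with placeholder group GUIDs, uses the claim namespace from section 3 for the custom attributes and the standard Azure AD group claim name, and makes the two decisions a practitioner has to make explicit: groups that are not in the mapping are ignored, and when a user is in more than one mapped group the most privileged mapped role wins (an assumption of this example, not a documented plugin behaviour). Signature, issuer and audience validation are assumed to have happened already in the plugin's SAML library; nothing here must run on an unverified assertion.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # namespace used in section 3
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"  # Azure AD group claim

# Attribute mapping: full SAML claim name -> WordPress profile field.
ATTRIBUTE_MAP = {
    CLAIMS + "givenname": "first_name",
    CLAIMS + "surname": "last_name",
    CLAIMS + "displayname": "display_name",
    CLAIMS + "jobtitle": "description",
}

# Role mapping: Azure AD group Object ID -> WordPress role. Placeholder GUIDs.
ADMIN_GROUP = "11111111-1111-1111-1111-111111111111"
EDITOR_GROUP = "22222222-2222-2222-2222-222222222222"
GROUP_ROLE_MAP = {ADMIN_GROUP: "administrator", EDITOR_GROUP: "editor"}
DEFAULT_ROLE = "subscriber"  # least privilege for users in no mapped group
ROLE_PRECEDENCE = ("administrator", "editor", "author", "contributor", "subscriber")

# Constructed assertion: Jane is in the editor group and in one unmapped group.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}displayname"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GROUPS_CLAIM}">
      <saml:AttributeValue>{EDITOR_GROUP}</saml:AttributeValue>
      <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml):
    """Return (NameID, {claim name: [values]}) from an already-verified assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def resolve_role(group_ids):
    """Map the group claim to one WordPress role: unmapped groups are ignored,
    the most privileged mapped role wins, and no mapped group means the default."""
    mapped = {GROUP_ROLE_MAP[g] for g in group_ids if g in GROUP_ROLE_MAP}
    for role in ROLE_PRECEDENCE:
        if role in mapped:
            return role
    return DEFAULT_ROLE


def build_wp_user(assertion_xml):
    """Produce the WordPress user record the plugin would create or update on login."""
    name_id, attrs = extract_attributes(assertion_xml)
    if not name_id or "@" not in name_id:
        # NameID is the only supported source for login and email, so it must be an address.
        raise ValueError("NameID must carry the user's email address (set its source to user.mail)")
    email = name_id.strip().lower()  # normalise so Jane.Doe@ and jane.doe@ are one account
    user = {"user_login": email, "user_email": email}
    for claim_name, wp_field in ATTRIBUTE_MAP.items():
        if attrs.get(claim_name):
            user[wp_field] = attrs[claim_name][0]
    user["role"] = resolve_role(attrs.get(GROUPS_CLAIM, []))
    return user


if __name__ == "__main__":
    print(build_wp_user(SAMPLE_ASSERTION))
```

The precedence table is where the security decision lives: if you would rather that a conflicting membership never escalates, reverse ROLE_PRECEDENCE so the least privileged mapped role wins, and in either case keep DEFAULT_ROLE at subscriber.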

WordPress default roles

  • WordPress uses a concept of roles, designed to give the site owner the ability to control what users can and cannot do within the site. The site owner can manage user access to tasks such as writing and editing posts, creating pages, creating categories, moderating comments, managing plugins, and so on.

WordPress has six pre-defined roles (Super Admin exists only on multisite installs):

  1. Super Admin (multisite only);
  2. Administrator;
  3. Editor;
  4. Author;
  5. Contributor;
  6. Subscriber.

Customer is not a core WordPress role; it is added by WooCommerce when that plugin is installed, and it can be mapped like any other role the site defines.

For more information about WordPress roles, follow the link: https://wordpress.org/support/article/roles-and-capabilities/.

5.) Avatar mapping

This feature works only with the Azure AD identity provider. It requires an app registration with a client secret and the Microsoft Graph User.Read.All application permission, which lets the plugin read every user's profile in the tenant without a signed-in user. Treat the client secret as a tenant-wide credential: keep it only in the plugin settings, note its expiry date, and create a replacement before it expires or avatar lookups will stop working.

  • Go to Azure Active Directory;
  • Go to App registrations;
  • Select your app;
  • On the Overview tab, copy the Application (client) ID (client_id);
  • Go to the Certificates & secrets tab;
  • Click New client secret;
  • Enter a description and an expiry date and click Add;
  • Copy the secret Value (client_secret) now; it is shown only once;
  • Go to the API permissions tab and click Add a permission;
  • Click Microsoft Graph;
  • Click Application permissions;
  • Search for User, select the User.Read.All permission, and click Add permissions;
  • Click Grant admin consent for (your tenant name);
  • Go to the WP Cloud SSO plugin page;
  • Click Avatar mapping;
  • Enter the client_id and client_secret and save.

6.) Office 365 SSO Login Button - Redirect to IDP

Next, enable your Office 365 SSO login buttons, which are found on the SSO Links tab. Follow the SSO Login Widget page for setup instructions.

Login Button

7.) Multiple Environments Feature

For more information about Multiple Environments Feature follow the Multiple Environments SSO page.