WordPress SSO using Azure B2C as IDP
WordPress SSO (Single Sign On) using Azure B2C can be integrated using our WP Cloud SSO WordPress Plugin
Establish a trust between Azure B2C and your WordPress blog to enable SSO, so users can login using their Azure AD user account and enable the single sign on experience for your users.
In this guide we will go through the steps to configure WordPress to use Azure B2C using WP Cloud SSO plugin. We will configure Azure AD as your SAML identity provider (IDP) and WordPress as your service provider (SP). WP Cloud SSO allows unlimited user login authentications from Azure AD.
First step is to download our plugin and then Step 1 Setup Azure AD as WordPress IDP
List of Supported SAML Providers for WordPress Single Sign-On
Getting Started Setting up WordPress SSO using Azure B2C
Table of Contents
1) Register Azure B2C Applications
To configure Azure B2C as IdP please follow the steps below:
Register the Identity Experience Framework application
- Log into Azure Portal;
- Switch to your tenant account Azure AD B2C if it is needed;
- Click on Microsoft Azure to go to the home page;
- Select Azure AD B2C from services list;
- From Azure AD B2C tenant, select App registrations, and then select New registration;
- For Name, enter IdentityExperienceFramework;
- For Supported account types, select Accounts in this organizational directory only;
- Under Redirect URI, select Web, and then enter https://your_tenant_name.b2clogin.com/your_tenant_name.onmicrosoft.com. Change your_tenant_name in the link to your Azure AD B2C tenant domain name;
- Under Permissions, select the Grant admin consent to openid and offline_access permissions check box and select Register;
Register the Identity Experience Framework application
- Select Expose an API and select Add a scope in the window that opens then select Save and continue to accept the default application ID URI;
- Enter the following values to create a scope that allows custom policy execution in your Azure AD B2C tenant:
- Scope name: user_impersonation;
- Admin consent display name: Access IdentityExperienceFramework;
- Admin consent description: Allow the application to access IdentityExperienceFramework on behalf of the signed-in user;
- Select Add scope.
Register the ProxyIdentityExperienceFramework application
- From Azure AD B2C tenant, select App registrations and select New registration;
- For Name, enter ProxyIdentityExperienceFramework;
- For Supported account types, select Accounts in this organizational directory only;
- Under Redirect URI, use the drop-down to select Public client/native (mobile & desktop);
- For Redirect URI, enter myapp://auth;
- Under Permissions, select the Grant admin consent to openid and offline_access permissions check box;
- Select Register.
Next, specify that the application should be treated as a public client
- Select Authentication on ProxyIdentityExperienceFramework;
- Find Advanced settings, and select Yes;
- Select Save.
Now, grant permissions to the API scope you exposed earlier in the IdentityExperienceFramework registration
- Select API permissions on ProxyIdentityExperienceFramework;
- In Configured permissions section, select Add a permission;
- Select the My APIs tab, then select the IdentityExperienceFramework application;
- Under Permission, select the user_impersonation scope that you defined earlier and select Add permissions. As directed, wait a few minutes before proceeding to the next step;
- Select Grant admin consent for (your tenant name);
- Select your currently signed-in administrator account, or sign in with an account in your Azure AD B2C tenant that’s been assigned at least the Cloud application administrator role;
- Select Yes;
- Select Refresh, and then verify that “Granted for (your tenant name)” appears under Status for the scopes – offline_access, openid and user_impersonation. It might take a few minutes for the permissions to propagate.
Register the WordPress Application
- Open home page your Azure AD B2C tenant and select App registrations, and then select New registration;
- Enter a Name for the application such as: WordPress-SSO-app (or your option);
- For Supported account types, select Accounts in any organizational directory or any identity provider (for authenticating users with Azure AD B2C);
- For Redirect URI, select Web, and then enter the ACS URL from the Service Provider Metadata tab of the WP Cloud SSO plugin;
- Select Register;
- Click on Expose an API on WordPress-app;
- Click on Set for the Application ID URI and then click on Save, accepting the default value.
2) Generate SSO Policies
Generate certificate
For Windows
For MacOS
For Ubuntu
For Windows
On Windows, use the New-SelfSignedCertificate cmdlet in PowerShell to generate a certificate.
- Run the following PowerShell command to generate a self-signed certificate. Modify the -Subject argument as appropriate for your application and Azure AD B2C tenant name such as contosowebapp.contoso.onmicrosoft.com;
- Copy;
New-SelfSignedCertificate `
-KeyExportPolicy Exportable `
-Subject "CN=yourappname.yourtenant.onmicrosoft.com" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-KeyUsage DigitalSignature `
-NotAfter (Get-Date).AddMonths(12) `
-CertStoreLocation "Cert:\CurrentUser\My"
- On Windows computer, search for and select Manage user certificates;
- Under Certificates – Current User, select Personal > Certificates>yourappname.yourtenant.onmicrosoft.com;
- Select the certificate, and then select Action > All Tasks > Export;
- Select Next > Yes, export the private key > Next;
- Accept the defaults for Export File Format, and then select Next;
- Enable Password option, enter a password for the certificate, and then select Next;
- To specify a location to save your certificate, select Browse and navigate to a directory of your choice;
- On the Save As window, enter a File name, and then select Save;
- Select Next>Finish;
- For Azure AD B2C to accept the .pfx file password, the password must be encrypted with the TripleDES-SHA1 option in the Windows Certificate Store Export utility, as opposed to AES256-SHA256;
For MacOS
On macOS, use Certificate Assistant in Keychain Access to generate a certificate;
- Follow the instructions for how to create self-signed certificates in Keychain Access on a Mac;
- In the Keychain Access app on your Mac, select the certificate that you created;
- Select File > Export Items;
- Select a file name to save your certificate. For example: self-signed-certificate.p12;
- For File Format, select Personal Information Exchange (.p12);
- Select Save;
- Enter a password in the Password and Verify boxes;
- Replace the file extension to .pfx. For example: self-signed-certificate.pfx;
For Ubuntu
- You can use OpenSSL to create self-signed certificates. This example will use WSL / Ubuntu and a bash shell with OpenSSL;
- This will generate a .crt and a .key. Change yourtenant on PARENT command to your tenant. For example PARENT=”testb2c.onmicrosoft.com”;
- Copy;
PARENT="yourtenant.com"
openssl req \
-x509 \
-newkey rsa:4096 \
-sha256 \
-days 365 \
-nodes \
-keyout $PARENT.key \
-out $PARENT.crt \
-subj "/CN=${PARENT}" \
-extensions v3_ca \
-extensions v3_req \
-config <( \
echo '[req]'; \
echo 'default_bits= 4096'; \
echo 'distinguished_name=req'; \
echo 'x509_extension = v3_ca'; \
echo 'req_extensions = v3_req'; \
echo '[v3_req]'; \
echo 'basicConstraints = CA:FALSE'; \
echo 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment'; \
echo 'subjectAltName = @alt_names'; \
echo '[ alt_names ]'; \
echo "DNS.1 = www.${PARENT}"; \
echo "DNS.2 = ${PARENT}"; \
echo '[ v3_ca ]'; \
echo 'subjectKeyIdentifier=hash'; \
echo 'authorityKeyIdentifier=keyid:always,issuer'; \
echo 'basicConstraints = critical, CA:TRUE, pathlen:0'; \
echo 'keyUsage = critical, cRLSign, keyCertSign'; \
echo 'extendedKeyUsage = serverAuth, clientAuth')
- Use following command to create .pfx file;
- Openssl and paste: pkcs12 -export -out $PARENT.pfx -inkey $PARENT.key -in $PARENT.crt;
- Сertificate has been successfully generated.
Configure custom policies
- To configure custom policies we need: Azure B2C tenant Name, IdentityExperienceFramework app ID, ProxyIdentityExperienceFramework app ID;
- To get the Azure B2C tenant Name open the Azure AD B2C portal, select Overview, and record your tenant name;
Note: For example, if your Azure B2C domain is testb2cdomain.onmicrosoft.com, then your tenant name is testb2cdomain.
- To get the IdentityExperienceFramework app ID open the Azure AD B2C portal, select App registrations, select IdentityExperienceFramework and copy the Application (client) ID;
- To get ProxyIdentityExperienceFramework app ID open Azure AD B2C portal, select App registrations, select ProxyIdentityExperienceFramework and copy Application (client) ID;
- Download tamplates of custome policies here;
- Extract archive and open extracted folder;
- Open PasswordReset file in text editor and change yourtenant to your tenant Name;
- Save the file and close text editor;
- Open ProfileEdit file in a text editor and change yourtenant to your tenant Name;
- Save the file and close the text editor;
- Open the SingUpOrSingnin file in the text editor and change yourtenant to your tenant Name;
- Save the file and close the text editor;
- Open the SingUpOrSingninSAML file in the text editor and change yourtenant to your tenant Name;
- Save the file and close the text editor;
- Open the TrustFrameworkBase file in the text editor and change yourtenant to your tenant Name;
- Save the file and close the text editor;
- Open the TrustFrameworkExtensions file in the text editor and change yourtenant to your tenant Name, change IdentityExperienceFrameworkAppId to your IdentityExperienceFramework app ID, and change ProxyIdentityExperienceFrameworkAppId to your ProxyIdentityExperienceFramework app ID;
- Save the file and close the text editor;
- Open the TrustFrameworkLocalization file in the text editor and change yourtenant to your tenant Name;
- Save the file and close the text editor;
- Сustom policies has been successfully configured.
3) Upload Azure AD B2C SSO Policies
Upload certificate
- Click the Identity Experience Framework in your Azure AD B2C tenant;
- Click Policy keys, select Add;
- Select Options > Upload;
- Name > SamlIdpCert;
- Filet upload > select the certificate that you configured;
- Password > enter the certificate’s password;
- Click Create. SamlIdpCert successfully configured;
- On the Policy keys page click Add;
- Options > select Generate;
- Name > TokenSigningKeyContainer;
- Key type > select RSA;
- Key usage > select Signature;
- Click Create. TokenSigningKeyContainer successfully configured;
- On the Policy keys page click Add ;
- Options > select Generate;
- Name > TokenEncryptionKeyContainer;
- Key type > select RSA;
- Key usage > select Encryption;
- Click Create. TokenEncryptionKeyContainer successfully configured.
Upload certificate
- Click the Identity Experience Framework in your Azure AD B2C tenant;
- Click Upload custom policy
- As per the following order, upload the policy files configured in the above steps:
- TrustFrameworkBase.xml;
- TrustFrameworkExtensions.xml;
- SignUpOrSignin.xml;
- ProfileEdit.xml;
- PasswordReset.xml;
- SignUpOrSigninSAML.xml.
4) Configure the plugin
- Open Identity Provider Setup select Azure AD B2C and click the Upload IDP Metadata button;
- Enter Identity Provider Name;
- Enter the Metadata URL as https://tenant_name.b2clogin.com/tenant_name.onmicrosoft.com/B2C_1A_signup_signin_saml/Samlp/metadata;
- Click Fetch Metadata;
- Open Azure AD B2C portal;
- Select Azure B2C tenant, click App registrations, and click on your app;
- Select Expose an API and copy Application ID URI;
- Open WP Cloud SSO plugin, select configured Azure AD B2C provider, select Saml Settings and paste Application ID URI into Custom SP Entity ID field;
- Click Save;
- Provider successfully configured.
5) Azure AD B2C SSO Login Button - Redirect to IDP
Next is to enable your Azure AD B2C SSO login buttons, which can be found on the SSO Links tab. Follow the SSO Login Widget page for instructions on setting up.
6) Multiple Environments Feature
For more information about Multiple Environments Feature follow the Multiple Environments SSO page.