WordPress Single Sign-On using Keycloak SSO Login as IdP
Enable Keycloak SSO for your WordPress website using our SAML Single Sign On WordPress plugin. Let users from Keycloak log in to your WordPress site and map their Keycloak roles to WordPress roles.
Within the plugin, set Keycloak as your SAML identity provider and enable WordPress single sign-on with Keycloak as the trusted IdP. WordPress user roles are mapped from Keycloak roles / groups.
By following the steps below you will be able to configure Keycloak as the Identity Provider (IdP) for WordPress Single Sign-On, with the WordPress plugin acting as the SAML Service Provider (SP).
1.) Configure Keycloak as IdP
A) Create a SAML client for the WordPress SP:
In the WordPress WP Cloud SSO plugin, go to the SP (Service Provider) Metadata tab. Here you can find the SP metadata, such as the SP Entity ID and the ACS (AssertionConsumerService) URL, which are required to configure Keycloak as the IdP (Identity Provider).
In your Keycloak Admin console, select the realm that you want to use.
Click on Clients in the menu on your left and then click on Create (Create client in newer versions of the admin console) to create a new client/application.
Enter the SP Entity ID / Issuer from the plugin's Service Provider Metadata tab as the Client ID and select SAML as the Client Protocol. The Client ID must match the Issuer the plugin sends in its AuthnRequest exactly; Keycloak uses it to look up the client and rejects requests from an unknown issuer.
Click on Save.
Configure the client by providing the required details.
In the section Fine Grain SAML Endpoint Configuration, enter the following details:
Assertion Consumer Service POST Binding URL
The ACS (Assertion Consumer Service) URL from the plugin's Service Provider Metadata tab
Logout Service Redirect Binding URL (Optional)
The Single Logout URL from the plugin's Service Provider Metadata tab
Two settings outside that section matter as well. Set Valid Redirect URIs to the exact ACS URL rather than a wildcard such as *, because Keycloak checks the AssertionConsumerServiceURL carried in an AuthnRequest against this list, and a wildcard lets a request-supplied URL receive the assertion. Under the signature settings, keep Sign Documents enabled so the plugin can verify the response against the IdP certificate, and enable Client Signature Required only if the plugin signs its AuthnRequests and its signing certificate has been imported into the client; otherwise logins fail with a signature validation error.
Click on Save.
B) Add Mappers
Go to the Mappers tab and click on Add Builtin.
Select the checkboxes for the following attributes:
X500 email
X500 givenName
X500 surname
Click on Add Selected. The added mappings are listed below. These mappers send the user's email, given name and surname as SAML attributes named urn:oid:1.2.840.113549.1.9.1, urn:oid:2.5.4.42 and urn:oid:2.5.4.4 (friendly names email, givenName and surname); these are the attribute names you will enter in the plugin's Attribute Mapping later. A new SAML client normally already carries the builtin role list mapper (attribute name Role); check that it is present, since the Role Mapping step relies on it.
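The settings from steps A and B can be checked mechanically against an export of the client (Clients, select the client, Action, Export). The following is an added example written for this page, not the plugin's or Keycloak's own code. It assumes the attribute key names of Keycloak's client export JSON (confirm them against an export from your own version); the SP Entity ID, host names and URLs are placeholders.

```python
"""Audit an exported Keycloak SAML client for the settings the WordPress SP depends on.

Added example, not the plugin's or Keycloak's code.  Dictionary layout and attribute
keys follow Keycloak's client export JSON (assumption: verify against your version).
"""
import copy
from urllib.parse import urlparse

# SAML attribute names emitted by the builtin X500 mappers added in step B.
REQUIRED_USER_ATTRS = {
    "urn:oid:1.2.840.113549.1.9.1": "X500 email",
    "urn:oid:2.5.4.42": "X500 givenName",
    "urn:oid:2.5.4.4": "X500 surname",
}

# Constructed export of a client that was saved with weak settings (placeholder URLs).
WEAK_CLIENT = {
    "clientId": "https://blog.example.com/saml/sp",   # placeholder SP Entity ID
    "protocol": "saml",
    "enabled": True,
    "redirectUris": ["*"],                           # wildcard: any ACS URL accepted
    "attributes": {
        "saml.server.signature": "false",            # Sign Documents off
        "saml.assertion.signature": "false",         # Sign Assertions off
        "saml.client.signature": "true",             # Client Signature Required on
        "saml.signature.algorithm": "RSA_SHA1",
        "saml_assertion_consumer_url_post": "http://blog.example.com/saml/acs",  # plain http
    },
    "protocolMappers": [],                           # no attribute or role mappers
}


def _on(attrs, key):
    return attrs.get(key, "false") == "true"


def audit_saml_client(client, sp_signs_requests=False):
    """Return a list of findings; an empty list means the client passes."""
    findings = []
    attrs = client.get("attributes", {})
    mappers = client.get("protocolMappers", [])

    if not _on(attrs, "saml.server.signature") and not _on(attrs, "saml.assertion.signature"):
        findings.append("neither Sign Documents nor Sign Assertions is on: the SP cannot verify the issuer")
    if attrs.get("saml.signature.algorithm", "RSA_SHA256") == "RSA_SHA1":
        findings.append("signature algorithm RSA_SHA1 is deprecated; use RSA_SHA256")
    if _on(attrs, "saml.client.signature") and not sp_signs_requests:
        findings.append("Client Signature Required is on but the SP does not sign AuthnRequests")

    acs = attrs.get("saml_assertion_consumer_url_post", "")
    if urlparse(acs).scheme != "https":
        findings.append(f"ACS URL {acs!r} is not https; assertions would travel in clear text")
    for uri in client.get("redirectUris", []):
        if uri == "*" or urlparse(uri).scheme != "https" or "*" in urlparse(uri).netloc:
            findings.append(f"Valid Redirect URI {uri!r} is a wildcard or non-https")

    present = {m.get("config", {}).get("attribute.name") for m in mappers}
    for attr, name in REQUIRED_USER_ATTRS.items():
        if attr not in present:
            findings.append(f"builtin mapper {name} ({attr}) is missing")
    if not any(m.get("protocolMapper") == "saml-role-list-mapper" for m in mappers):
        findings.append("no role list mapper: Role Mapping has no attribute to read")
    return findings


def harden(client):
    """Return a corrected copy: signed responses, exact redirect URI, required mappers."""
    fixed = copy.deepcopy(client)
    attrs = fixed["attributes"]
    acs = attrs["saml_assertion_consumer_url_post"].replace("http://", "https://", 1)
    attrs.update({
        "saml.server.signature": "true",
        "saml.assertion.signature": "true",
        "saml.client.signature": "false",
        "saml.signature.algorithm": "RSA_SHA256",
        "saml_assertion_consumer_url_post": acs,
    })
    fixed["redirectUris"] = [acs]                    # exact ACS URL, no wildcard
    fixed["protocolMappers"] = [
        {"name": name, "protocol": "saml", "protocolMapper": "saml-user-property-mapper",
         "config": {"attribute.name": attr, "user.attribute": prop,
                    "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"}}
        for attr, name, prop in [
            ("urn:oid:1.2.840.113549.1.9.1", "X500 email", "email"),
            ("urn:oid:2.5.4.42", "X500 givenName", "firstName"),
            ("urn:oid:2.5.4.4", "X500 surname", "lastName"),
        ]
    ] + [{"name": "role list", "protocol": "saml", "protocolMapper": "saml-role-list-mapper",
          "config": {"attribute.name": "Role", "single": "false"}}]
    return fixed


if __name__ == "__main__":
    for finding in audit_saml_client(WEAK_CLIENT):
        print("FINDING:", finding)
    print("after hardening:", audit_saml_client(harden(WEAK_CLIENT)))
```

Run it against a real export by loading the JSON into `audit_saml_client`; pass `sp_signs_requests=True` only if the plugin is configured to sign its requests, since the Client Signature Required finding is then expected to disappear.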
C) Download Setup file
Navigate to Realm Settings; in the General tab, under Endpoints, click on SAML 2.0 Identity Provider Metadata.
Note the URL and keep it handy. It has the form https://<keycloak-host>/realms/<realm>/protocol/saml/descriptor (older versions carry an /auth prefix) and provides the endpoints and the signing certificate required to configure the plugin.
Keycloak is now configured as the SAML IdP (Identity Provider) for Keycloak login / Single Sign-On (SSO) into the WordPress (WP) site.
2.) Configure WordPress as SP
In the WordPress WP Cloud SSO plugin, go to the Identity Provider Setup tab of the plugin.
There are 2 ways to configure the WordPress SSO plugin:
A) Uploading IDP Metadata XML
Click on Upload IDP metadata button.
Enter the Identity Provider Name.
You can either upload a metadata file and click on Upload, or enter the metadata URL noted in step C and click on Fetch Metadata. The metadata contains the IdP signing certificate the plugin will trust from then on, so fetch it only over HTTPS from the Keycloak host itself, and compare the certificate with the one shown under Realm Settings, Keys.
B) Manual Keycloak IdP Configuration
Input the required settings (i.e. Identity Provider Name, IdP Entity ID or Issuer, SAML Login URL, X.509 Certificate) as provided by your Identity Provider and click on Save. For Keycloak, the Entity ID is the realm URL shown as entityID in the metadata, the SAML Login URL is the SingleSignOnService location, and the X.509 Certificate is the realm's signing certificate (also visible under Realm Settings, Keys); the plugin uses that certificate to validate the signature on every SAML response, so copy it exactly.
3.) Keycloak Attribute Mapping
The Attribute Mapping feature maps the user attributes sent by the IdP during SSO to the user attributes in WordPress.
In the WordPress WP Cloud SSO plugin, navigate to the Attribute/Role Mapping tab and fill in the fields of the Attribute Mapping section with the SAML attribute names (the Name, not the FriendlyName) that Keycloak sends. For the builtin mappers added in step B these are urn:oid:1.2.840.113549.1.9.1 (email), urn:oid:2.5.4.42 (given name) and urn:oid:2.5.4.4 (surname).
Custom Attribute Mapping: This feature allows you to map any other attribute sent by the IdP to the usermeta table of WordPress.
4.) WordPress Role Mapping using Keycloak SSO
This feature assigns WordPress roles to users at the moment they log in through SSO; users whose attribute matches no mapping receive the default WordPress role.
From the Attribute Mapping section of the plugin, provide a mapping for the field named Group. This attribute carries the role or group information sent by the IdP (with the Keycloak builtin role list mapper, the attribute named Role) and is used for Role Mapping.
Navigate to the role mapping section and provide the mappings for the highlighted roles.
For example, if you want a user whose Group/Role attribute value is wp-editor to be assigned as an Editor in WordPress, provide wp-editor in the Editor field of the Role Mapping section. Values are matched exactly, so the Keycloak role name must equal what you type here. Leave the Administrator field empty unless you intend IdP role membership to grant administrator access, and do not map realm roles that Keycloak assigns to every user, such as offline_access.
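The attribute-mapping and role-mapping decisions of sections 3 and 4, modelled end to end as an added example that is not the plugin's code (the plugin's internal logic is not shown on this page). It assumes the attribute names emitted by the Keycloak builtin X500 mappers and the builtin role list mapper (attribute name Role); the values wp-editor and wp-author are placeholder realm roles, and the rule that the most privileged mapped role wins when a user carries several is a design choice of this example, not necessarily the plugin's.

```python
"""Model of attribute mapping and role mapping at SSO time.

Added example, not the plugin's code.  Attribute names follow the Keycloak builtin
mappers; role values and the sample assertion are constructed placeholders.
"""

# WordPress built-in roles, most privileged first.  When an IdP sends several mapped
# values, this example lets the most privileged mapped role win (design choice).
WP_ROLE_ORDER = ["administrator", "editor", "author", "contributor", "subscriber"]

# Constructed Attribute Mapping: WordPress field -> SAML attribute Name.
ATTRIBUTE_MAP = {
    "user_email": "urn:oid:1.2.840.113549.1.9.1",  # X500 email
    "first_name": "urn:oid:2.5.4.42",              # X500 givenName
    "last_name": "urn:oid:2.5.4.4",                # X500 surname
    "group": "Role",                               # Keycloak role list mapper
}

# Constructed Role Mapping: WordPress role -> IdP value.  Administrator is left empty
# on purpose: an empty field matches nothing, so no IdP value can grant admin unless
# the field is filled in deliberately.
ROLE_MAP = {
    "administrator": "",
    "editor": "wp-editor",
    "author": "wp-author",
    "contributor": "",
    "subscriber": "",
}
DEFAULT_ROLE = "subscriber"


def map_attributes(saml_attrs, attribute_map=ATTRIBUTE_MAP):
    """Pick WordPress field values from multi-valued SAML attributes."""
    user = {}
    for field, attr in attribute_map.items():
        values = [v.strip() for v in saml_attrs.get(attr, []) if v and v.strip()]
        if field == "group":
            user[field] = values          # keep every role value for role mapping
        elif values:
            user[field] = values[0]       # first value wins for scalar fields
    return user


def resolve_role(groups, role_map=ROLE_MAP, default_role=DEFAULT_ROLE):
    """Exact, case-sensitive match of IdP values against the mapping.

    Empty mapping fields never match, and an unmatched user gets the default role.
    """
    wanted = set(groups)
    for role in WP_ROLE_ORDER:
        mapped = role_map.get(role, "").strip()
        if mapped and mapped in wanted:
            return role
    return default_role


def build_wp_user(saml_attrs):
    """Combine both steps; refuse assertions without the email the account is keyed on."""
    user = map_attributes(saml_attrs)
    if "@" not in user.get("user_email", ""):
        raise ValueError("assertion carries no usable email attribute")
    user["role"] = resolve_role(user.get("group", []))
    return user


# Constructed assertion attributes as an SP sees them after decoding.  Keycloak's role
# list mapper sends realm roles such as offline_access to every user, which is why only
# purpose-made roles like wp-editor belong in ROLE_MAP.
SAMPLE_ATTRS = {
    "urn:oid:1.2.840.113549.1.9.1": ["alice@example.com"],
    "urn:oid:2.5.4.42": ["Alice"],
    "urn:oid:2.5.4.4": ["Example"],
    "Role": ["offline_access", "uma_authorization", "wp-author", "wp-editor"],
}

if __name__ == "__main__":
    print(build_wp_user(SAMPLE_ATTRS))
```

The case-sensitive exact match is deliberate: a mapping field that matched substrings or ignored case would let a role such as wp-editor-readonly satisfy the Editor mapping, and a blank field that matched everything would hand out whatever role sits in that field to every user.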