WordPress Single Sign-On using KeyCloak SSO Login as IDP
Enable Keycloak SSO for your WordPress website using our SAML Single Sign On WordPress plugin. Integrate your users from Keycloak to login to your WordPress blog and map user roles to WordPress.
Within the plugin set Keycloak as your SAML identity provider and enable WordPress single sign on with Keycloak set as your trusted IDP. Map WordPress user roles based Keycloak users / groups.
List of Supported SAML Providers for WordPress SSO
Getting Started Setting up WordPress SSO using KeyCloak Logins
Table of Contents
Install KeyCloak Server
Below are the steps to configure Keycloak Single Sign-On (SSO) Login into WordPress (WP):
- Download Keycloak and install it.
- Start Server: Start the keycloak server by running the _standalone.sh_ file
- Root Directory of keycloak -> bin -> standalone.sh
KeyCloak Tutorial:
1.) Setup Keycloak as IDP for WordPress
To configure KeyCloack as IdP please follow the steps below:
- In the WP Cloud SSO plugin, go to Service Provider Metadata section, where you find the SP metadata, such as SP Entity ID and ACS ( AssertionConsumerService) URL which are necessary to configure the Identity Provider;
- In your Keycloak Admin console, select the realm that you want to use.
- Click on Clients from the left menu and then click on Create button to create a new client/application.
- In the next step choose the data source variant and follow the instructions below;
Upload XML file
Manual Configuration
Upload XML file
- Go to Service Provider Metadata tab from the plugin and click on the Download XML metadata button to download the plugin metadata file;
- Click on the Select file and choose downloaded metadata file;
- Click on the Save button;
- Enter the Name of this client;
- Disable the following options:
- Client Signature Required;
- Force Post Binding;
- Force Name ID Format;
- Click on the Save button;
Manual Configuration
- Insert into Client ID value of SP EntityID from Service Provider Metadata page of Plugin;
- Select Client Protocol as saml
- Click on the Save Button;
- Disable the following options:
- Client Signature Required;
- Force Post Binding;
- Force Name ID Format;
- Select Name Id Format as Email;
- Insert into Valid Redirect URIs value of ACS (Assertion Consumer Service) URL field from Service Provider Metadata page of Plugin;
- Expand the Fine Grain SAML Endpoint Configuration section;
- Insert values from the Service Provider Metadata page of the plugin to the fields below:
- Assertion Consumer Service POST Binding URL – ACS (Assertion Consumer Service) URL (plugin)
- Logout Service Redirect Binding URL – SLO (Single Logout) URL (plugin)
- Click on the Save button;
2.) Configure WordPress as SP
In the WordPress WP Cloud SSO plugin, go to the Identity Provider Setup tab of the plugin.
There are 2 ways to configure the WordPress SSO plugin:
Free Plan
Premium/Enterprise Plans
Free Plan
Manual KeyCloak IDP configuration:
- Navigate to the Realm Setting tab of your KeyCloak dashboard;
- Click on the SAML 2.0 identity Provider Metadata link;
- Press CTRL+F and find the EntityId attribute enclosed in the EntityDescriptor tag;
- Copy founded string;
- Go to the Identity Provider Setup page in Plugin and select KeyCloak identity provider;
- Enter Identity Provider Name;
- Insert EntityId to the IdP Entity ID or Issuer field of the plugin;
- Go back to the XML metadata file;
- Press CTRL+F and find SingleSignOnService tag with enclosed Binding attribute as urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;
- Copy value of the Location attribute;
- Go back to the Identity Provider Setup page of the plugin;
- Insert the value of the Location attribute enclosed in the SingleSignOnService tag into the SAML Login URL field in the Plugin;
- Go back to the XML metadata file;
- Press CTRL+F and find SingleLogoutService tag with enclosed Binding attribute as urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;
- Copy value of the Location attribute;
- Go back to the Identity Provider Setup page of the plugin;
- Insert the value of the Location attribute enclosed in the SingleLogoutService tag into the SAML Logout URL field in the Plugin;
- Go back to the XML metadata file;
- Press CTRL+F and find the IDPSSODescriptor tag;
- Find the first KeyDescriptor child tag with enclosed use attribute as signing;
- Copy value of the X509Certificate child tag;
- Go back to the Identity Provider Setup page of the plugin;
- Transform the value of the X509Certificate tag to the following format:
—–BEGIN CERTIFICATE—–
X509Certificate
—–END CERTIFICATE—–
- Insert the transformed value in the previous step into X.509 Certificate field in the Plugin;
- Click on the Save button;
Premium/Enterprise Plans
Upload KeyCloak IDP Federation Metadata XML File by URL:
Note: This upload feature is only available to paid plans.
- Navigate to the Realm Setting tab of your KeyCloak dashboard;
- Click on the SAML 2.0 identity Provider Metadata link;
- Copy URL of the opened file;
- Navigate to the Setup Identity Provider page of the plugin;
- Click on the KeyCloak identity provider;
- Click on the Upload Idp Metadata;
- Enter Identity Provider name, for example, KeyCloak;
- Insert copied KeyCloak metadata URL in the previous step and click on the Fetch Metadata button;
3.) Keycloak Attribute Mapping
Note: Attribute mapping feature is only available to paid plans.
- Go to KeyCloak configured client in previous steps;
- Click on the Clients and select your configured client;
- Click on the Mappers tab;
- Click on the Create button;
- Select the Mapper Type as User Property;
- Enter values for necessary attribute to mapping, for example, firstName as on the screenshot below;
- Click on the Save button;
- Go to the Identity Provider Setup page of Plugin;
- Select configured KeyCloak identity provider;
- Click on the Test Configuration button;
- Login via KeyCloak account;
- See that attribute was successfully fetched from KeyCloak
- Go to the Attribute/Role Mapping page of plugin;
- Insert firstName attribute to the necessary field of the Attribute mapping section related to default WordPress user attributes;
- Click on the Save button;
- Congratulations! You successfully setup attribute mapping for the firstName attribute from KeyClock. After login via KeyCloak identity provider to WordPress user attribute firstName will be successfully mapped to users. Repeat this setup to other necessary attributes;
4.) KeyCloak Role Mapping
WordPress has 7 pre-defined roles :
- Administrator
- Editor
- Author
- Contributor
- Subscriber
- Customer
To configure default role mapping please follow the steps below:
- Go to the Attribute/Role Mapping page of the Plugin;
- In the Role Mapping section select one necessary role of the WordPress predefined roles;
- Click on the Save button;
To configure multiple group mapping based on groups membership follow the steps below:
Note: Multiple mapping feature is only available to paid plans.
- First of all, you need to configure receiving Group attribute (this attribute received all user groups) from KeyCloak;
- Go to the configured client and click on the Mappers tab;
- Click on the Create button;
- Select the Mapper Type as Group List;
- Enter the mapper Name and Group attribute name as on the screenshot below:
- Disable the Full group path option;
- Click on the Save button;
- Go to the Identity Provider Setup page of the plugin;
- Select the configured KeyCloak identity provider;
- Click on the Test Configuration button;
- See that group attributes was successfully fetched;
- In the next step go to Attribute Mapping page of Plugin;
- Insert target Group attribute as source Group attribute from KeyCloak;
- Click on the Save button in Attribute Mapping section;
- Insert the value of target Group attribute from KeyCloak to the necessary role of WordPress;
- Click on the Save button in Role Mapping section;
- After this, all users who have group attributes with Admins value will be assigned to the Administrator role in WordPress, and all users who have group value as Editors will be given the Editor role. If a user has multiple groups as in the screenshot below, the user will be assigned to the first founded role. In the case of a screenshot, the user will be given the Administrator role.
5.) KeyCloak SSO Login Button - Redirect to IDP
Next is to enable your KeyCloak SSO login buttons, which can be found on the SSO Links tab. Follow the SSO Login Widget page for instructions on setting up.
6.) Multiple Environments Feature
For more information about Multiple Environments Feature follow the Multiple Environments SSO page