Name: 10up-test-aad-sso-wordpress
Owner: 10up
Description: Single Sign-on with Azure Active Directory (for WordPress)
Forked from: psignoret/aad-sso-wordpress
Created: 2017-01-21 21:09:17.0
Updated: 2017-01-21 21:12:04.0
Pushed: 2017-01-23 19:58:29.0
Size: 509
Language: PHP
A WordPress plugin that allows organizations to use their Azure Active Directory user accounts to sign in to WordPress. Organizations with Office 365 already have Azure Active Directory and can use this plugin for all of their users.
This is a work in progress, please feel free to contact me for help. This plugin is provided as-is, with no guarantees or assurances.
In the typical flow, the user goes to the blog's sign-in page (for example by navigating to `wp-admin`). At the sign-in page, they are given a link to sign in with their Azure Active Directory organization account (e.g. an Office 365 account).

The following instructions will get you started. In this case, we will be configuring the plugin to use the user roles configured in WordPress.
This plugin is not yet registered in the WordPress plugin directory (coming soon!), but you can still install it manually:

1. Download the plugin with `git` or with the 'Download ZIP' link on the right.
2. Place the `aad-sso-wordpress` folder in your WordPress' plugin folder. Normally, this is `<yourblog>/wp-content/plugins`.

For the Azure AD configuration steps, you must have an Azure subscription with access to the Azure Active Directory tenant that you would like to use with your blog.
Use `https://<your blog url>/wp-login.php`, or whichever page your blog uses to sign in users, as the Reply URL. (Note: This page must invoke the `authenticate` action.)

Once the plugin is activated, update your settings from the WordPress admin console under Settings > Azure AD. Basic settings to include are the Client ID, Client Secret and Reply URL shown in the examples below.
The Single Sign-on with Azure AD plugin can be configured to set different WordPress roles based on the user's membership in a set of user-defined groups. This is a great way to control who has access to the blog, and under what role.

This is also configured under Settings > Azure AD (from the WordPress admin console). The fields involved are shown in the group-based examples below.
The different fields that can be defined in the settings JSON in Settings > Azure AD are documented in Settings.php. The following may give you an idea of the typical scenarios that may be encountered.
Users are matched by their email address in WordPress, and whichever role they have in WordPress is maintained.

| Setting | Example value |
| --- | --- |
| Display name | Contoso |
| Client ID | 9054eff5-bfef-4cc5-82fd-8c35534e48f9 |
| Client Secret | NTY5MmE5YjMwMGY2MWQ0NjU5MzYxNjdjNzE1OGNiZmY= |
| Reply URL | https://www.example.com/blog/wp-login.php |
| Field to match to UPN | Email Address |
Users are matched by their login names in WordPress and the alias portion of their Azure AD UserPrincipalName. Whichever role they have in WordPress is maintained.

| Setting | Example value |
| --- | --- |
| Display name | Contoso |
| Client ID | 9054eff5-bfef-4cc5-82fd-8c35534e48f9 |
| Client Secret | NTY5MmE5YjMwMGY2MWQ0NjU5MzYxNjdjNzE1OGNiZmY= |
| Reply URL | https://www.example.com/blog/wp-login.php |
| Field to match to UPN | Login Name |
| Match on alias of the UPN | Yes |
Users are matched by their login names in WordPress, and WordPress roles are dictated by membership in a given Azure AD group. Access is denied if they are not members of any of these groups.

| Setting | Example value |
| --- | --- |
| Display name | Contoso |
| Client ID | 9054eff5-bfef-4cc5-82fd-8c35534e48f9 |
| Client Secret | NTY5MmE5YjMwMGY2MWQ0NjU5MzYxNjdjNzE1OGNiZmY= |
| Reply URL | https://www.example.com/blog/wp-login.php |
| Field to match to UPN | Login Name |
| Enable Azure AD group to WP role association | Yes |
| Default WordPress role if not in Azure AD group | (None, deny access) |
| WordPress role to Azure AD group map | (see below) |

| WordPress role | Azure AD group ID |
| --- | --- |
| Administrator | 5d1915c4-2373-42ba-9796-7c092fa1dfc6 |
| Editor | 21c0f87b-4b65-48c1-9231-2f9295ef601c |
| Author | f5784693-11e5-4812-87db-8c6e51a18ffd |
| Contributor | 780e055f-7e64-4e34-9ff3-012910b7e5ad |
| Subscriber | f1be9515-0aeb-458a-8c0a-30a03c1afb67 |
Users are matched by their login names in WordPress, and WordPress roles are dictated by membership in a given Azure AD group. If the user is not a part of any of these groups, they are assigned the Author role.

| Setting | Example value |
| --- | --- |
| Display name | Contoso |
| Client ID | 9054eff5-bfef-4cc5-82fd-8c35534e48f9 |
| Client Secret | NTY5MmE5YjMwMGY2MWQ0NjU5MzYxNjdjNzE1OGNiZmY= |
| Reply URL | https://www.example.com/blog/wp-login.php |
| Field to match to UPN | Login Name |
| Enable Azure AD group to WordPress role association | Yes |
| Default WordPress role if not in Azure AD group | Author |
| WordPress role to Azure AD group map | (see below) |

| WordPress role | Azure AD group ID |
| --- | --- |
| Administrator | 5d1915c4-2373-42ba-9796-7c092fa1dfc6 |
| Editor | 21c0f87b-4b65-48c1-9231-2f9295ef601c |
| Author | f5784693-11e5-4812-87db-8c6e51a18ffd |
| Contributor | 780e055f-7e64-4e34-9ff3-012910b7e5ad |
| Subscriber | f1be9515-0aeb-458a-8c0a-30a03c1afb67 |
Users are matched by their email in WordPress, and WordPress roles are dictated by membership in a given Azure AD group. If the user doesn't exist in WordPress yet, they will be auto-provisioned. If the user is not a part of any of these groups, they are assigned the Subscriber role.

| Setting | Example value |
| --- | --- |
| Display name | Contoso |
| Client ID | 9054eff5-bfef-4cc5-82fd-8c35534e48f9 |
| Client Secret | NTY5MmE5YjMwMGY2MWQ0NjU5MzYxNjdjNzE1OGNiZmY= |
| Reply URL | https://www.example.com/blog/wp-login.php |
| Field to match to UPN | Email Address |
| Enable auto-provisioning | Yes |
| Enable Azure AD group to WP role association | Yes |
| Default WordPress role if not in Azure AD group | Subscriber |
| WordPress role to Azure AD group map | (see below) |

| WordPress role | Azure AD group ID |
| --- | --- |
| Administrator | 5d1915c4-2373-42ba-9796-7c092fa1dfc6 |
| Editor | 21c0f87b-4b65-48c1-9231-2f9295ef601c |
| Author | f5784693-11e5-4812-87db-8c6e51a18ffd |
| Contributor | 780e055f-7e64-4e34-9ff3-012910b7e5ad |
| Subscriber | f1be9515-0aeb-458a-8c0a-30a03c1afb67 |
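As an added example (not the plugin's own code), the following Python models how the matching and group-to-role settings in the scenarios above decide who gets in and with which role, including the deny paths. The group IDs are taken from the tables; the sample WordPress accounts, UPNs and the first-match precedence through the role map are this example's assumptions.

```python
# Added example, not the plugin's code. Group IDs come from the tables above;
# accounts, UPNs and first-match order across the role map are assumptions.
ROLE_MAP = {  # walked top to bottom, so the most privileged match wins
    "Administrator": "5d1915c4-2373-42ba-9796-7c092fa1dfc6",
    "Editor": "21c0f87b-4b65-48c1-9231-2f9295ef601c",
    "Author": "f5784693-11e5-4812-87db-8c6e51a18ffd",
    "Contributor": "780e055f-7e64-4e34-9ff3-012910b7e5ad",
    "Subscriber": "f1be9515-0aeb-458a-8c0a-30a03c1afb67",
}
USERS = {  # constructed WordPress accounts: login -> email and current role
    "alice": {"email": "alice@contoso.com", "role": "Editor"},
    "bob": {"email": "bob@contoso.com", "role": "Subscriber"},
}


def match_user(upn, users, field, match_alias=False):
    """Login matching an Azure AD UPN by 'Email Address' or 'Login Name'
    (alias-only when match_alias), compared case-insensitively, or None."""
    upn = upn.lower()
    if field == "Email Address":
        return next((l for l, u in users.items() if u["email"] == upn), None)
    if field != "Login Name":
        raise ValueError("unknown match field: %r" % (field,))
    key = upn.split("@", 1)[0] if match_alias else upn
    return next((l for l in users if l.lower() == key), None)


def resolve_role(group_ids, role_map=ROLE_MAP, default_role=None):
    """First mapped role the user's groups satisfy, else default_role;
    default_role=None models '(None, deny access)'."""
    member = set(group_ids)
    return next((r for r, g in role_map.items() if g in member), default_role)


def sign_in(claims, users, settings):
    """Apply the scenario settings to validated claims {'upn', 'groups'}:
    (login, role) on success, (None, reason) when access is denied."""
    upn = claims["upn"]
    login = match_user(upn, users, settings["field"], settings.get("match_alias", False))
    if login is None and not settings.get("auto_provision"):
        return None, "no matching WordPress user"
    if settings.get("group_roles"):
        role = resolve_role(claims.get("groups", []), ROLE_MAP, settings.get("default_role"))
    else:  # existing WordPress role is kept; a brand-new user has none yet
        role = users[login]["role"] if login in users else None
    if role is None:
        return None, "no WordPress role could be assigned"
    return login or upn.lower(), role  # assumption: new login named after UPN
```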
Most of the OpenID Connect endpoints and configuration (e.g. signing keys) are obtained from the OpenID Connect configuration endpoint. These values are cached for one hour, but can always be forced to re-load by adding `aadsso_reload_openid_config=1` to the query string of the login page. (This shouldn't really be needed, but it has proven useful during development.)