Configure WordPress Site to Restrict Access Using OIDC Logins and MCommunity Groups

Environment

WordPress CMS

Issue

How to configure a WordPress website to restrict access to the whole site or only certain parts based on OpenID Connect (OIDC) login and MCommunity group membership information.

Resolution

The steps below describe how to install and configure the UMich OIDC Login WordPress plugin for your WordPress website.

For an alternative solution, see the ITS Knowledge Article Install and Configure OpenID Connect (OIDC) Client for WordPress in an AFS-based Virtual Host.  This alternative

• uses the OpenID Connect Generic Client WordPress Plugin
• is simpler to set up and use than the UMich OIDC Login WordPress plugin
• is more mature than the UMich OIDC Login WordPress plugin
• does not support restricting access using MCommunity groups

Important note:  You can only use one of the two plugins above (UMich OIDC Login and OpenID Connect Generic Client).  Attempting to use both plugins at the same time will break your website.

Steps:

1. You will need to have WordPress installed and functioning correctly
   1. If you are setting up a NEW WordPress website in ITS AFS Web Virtual Hosting, perform the following steps:
      1. Install WordPress according to the instructions in the ITS Knowledge Article "Install WordPress CMS in an AFS-Based Virtual Host"
      2. Skip the step to configure cosign, since you will be configuring OIDC for authentication instead
      3. Install the SSH SFTP Updater to allow you to update WordPress, plugins, and themes using your WordPress dashboard instead of using SFTP or wp-cli.  Follow the instructions in ITS Knowledge Article: Updating ITS Web Hosting WordPress Sites Within the WP Dashboard
2. Install the WordPress Native PHP Sessions plugin from the WordPress.org plugin repository
   1. From your WordPress dashboard, navigate to “Plugins → Add New”
   2. Do a keyword search for "PHP Sessions"
   3. Click the "Install Now" button for the "WordPress Native PHP Sessions" plugin
      Note: ITS strongly recommends using the WordPress Native PHP Sessions plugin to prevent conflicts with other WordPress plugins that also use PHP sessions, and to ensure that everything functions correctly when the site resides on multiple web servers. However, using the WordPress Native PHP Sessions plugin is not strictly required
3. Install the UMich OIDC Login plugin from the WordPress.org plugin repository
   1. From your WordPress dashboard, navigate to “Plugins → Add New”
   2. Do a keyword search for "UMich OIDC"
   3. Click the "Install Now" button for the "WordPress Native PHP Sessions" plugin
4. Activate both the WordPress Native PHP Sessions and the UMich OIDC Login plugins
   1. From your WordPress dashboard, click on “Plugins"
   2. Click the "Activate" link for "WordPress Native PHP Sessions"
   3. Click the "Activate" link for "UMich OIDC Login"
5. Register an OIDC client for your WordPress site.
   1. From your WordPress dashboard, navigate to "Settings → UMich OIDC Login → OIDC" and copy the value for "Redirect URI".  You will need this in the next step
   2. Follow the steps in the ITS Knowledge Article: How to Provision OIDC Service Client Credentials
      NOTE: In the "MCommunity groups for group-based authentication" section, select the groups you want to use to restrict access to either the entire WordPress website or to restrict access to only certain pages. Only groups that you own will show up.  Your WordPress site will receive a yes/no answer for whether the logged in user is a member of each group even if membership in the group can only be viewed by members
   3. Click on the client you created in the OIDC Provisioning and Management Tool in the step above in order to get the OIDC Client ID and OIDC Secret for use in the next step
6. Configure the UMich OIDC Login plugin
   1. From your WordPress dashboard, navigate to "Settings → UMich OIDC Login → OIDC"
   2. Enter the following values and click the "Save Changes" button:
      1. Identity Provider URL: https://weblogin.umich.edu
      2. Client ID: (paste the OIDC Client ID you obtained above)
      3. Client Secret: (paste the OIDC Secret you obtained above)
   3. Enter your group information:
      1. Click the "General" tab for the UMich OIDC Login settings
      2. In the "Groups for Authorization" field, enter the names of each of the "MCommunity groups for group-based authentication" that you selected when registering the OIDC client. Separate multiple group names with commas
      3. Here is an example with two groups:
         its-web-hosting,CAEN Web Hosting Contacts
         IMPORTANT NOTE: only the official name of the group will work. The "also known as" names for the group will not work. You can find the official name for a group on the group's MCommunity page, in large type at the top of the main section:
         
      4. Click the "Save Changes" button
   4. Customize the other settings on the "General" tab of the UMich OIDC Login settings page as you like for your website
   5. Restrict access to individual pages or posts by editing them and changing the value for "Access" at the bottom of the page/post document settings
   6. Use the information on the "Shortcodes" tab of the UMich OIDC Login settings page to customize your theme and/or website content.
      1. For example, the following will display either "Hello, stranger" with a "Log in" button if the visitor to the website is not logged in, or "Hello, <First-Name>" with a "Log out" button if they are logged in
         Hello, [umich_oidc_userinfo type="given_name" default="stranger"]
[umich_oidc_button]

Additional Information

For assistance with the UMICH OIDC Login plugin for WordPress on university websites, contact webmaster@umich.edu.

Need additional information or assistance? Contact the ITS Service Center.