Install and Configure OpenID Connect (OIDC) Client for WordPress in an AFS-based Virtual Host

Environment

WordPress CMS, AFS virtual host

Issue

How to install and configure OpenID Connect (OIDC) client for WordPress CMS in an AFS-based virtual host.

Before You Begin

  1. The steps below describe how to install and configure the  OpenID Connect Generic Client WordPress plugin for your WordPress website.
    For an alternative solution, see the ITS Knowledge Article Configure WordPress Site to Restrict Access Using OIDC Logins and MCommunity Groups.  This alternative
    • uses the UMich OIDC Login WordPress Plugin
    • supports restricting access using MCommunity groups
    • does not require visitors to have a WordPress user account on your website in order to authenticate

    Important note:  You can only use one of the two plugins above (UMich OIDC Login and OpenID Connect Generic Client).  Attempting to use both plugins at the same time will break your website.

  2. You will need to obtain OIDC credentials for your site
    • These can be self-provisioned using the OIDC Provisioning and Management (OPaM) tool
    • Provision OIDC service client credentials for your site per the instructions in the following ITS Knowledge Article: How to Provision OIDC Service Client Credentials

Resolution

  1. Install the “OpenID Connect Generic Client” by daggerhart
    1. From the site administrator dashboard, navigate to “Plugins → Add New” and do a keyword search for “daggerhart” in the search bar
    2. Press the 'Install now' button
  2. Again, follow the instructions in the following document to use the ssh-sftp-updater-support plugin to install the OpenID Connect Generic Client: Updating ITS Web Hosting WordPress Sites Within the WP Dashboard
  3. After the plugin is installed, configure it by navigating to “Settings → OpenID Connect Client” in the site administrator dashboard:

View of the configure plugin menu from the site administrator dashboard

  1. Configure the plugin using the following settings:

Setting Name

Setting Value
Login Type Auto Login - SSO
Client ID ${OIDC_ID}
Client Secret Key ${OIDC_SECRET}
OpenID Scope openid email profile
Login Endpoint URL https://weblogin.umich.edu/idp/profile/oidc/authorize
Userinfo Endpoint URL https://weblogin.umich.edu/idp/profile/oidc/userinfo
Token Validation Endpoint URL https://weblogin.umich.edu/idp/profile/oidc/token
End Session Endpoint URL https://weblogin.umich.edu/logout
Enable Refresh Token unchecked
Link Existing Users checked
Redirect Back to Origin Page checked
Redirect to the login screen when session is expired checked
  1. Save the updated settings using the 'Save' button at the bottom of the configuration page

Additional Information

Need additional information or assistance? Contact the ITS Service Center.

Details

Article ID: 8341
Created
Mon 6/27/22 1:06 PM
Modified
Tue 9/5/23 11:29 AM

Related Articles (3)

Configure WordPress Site to Restrict Access Using OIDC Logins and MCommunity Groups
How to configure a WordPress website to restrict access to the whole site or only certain parts based on OpenID Connect (OIDC) login and MCommunity group membership information.