Configure WordPress Site to Restrict Access Using OIDC Logins and MCommunity Groups

Environment

WordPress Content Management System

Issue

How to configure a WordPress website to restrict access to the whole site or only certain parts based on OpenID Connect (OIDC) login and MCommunity group membership information.

Resolution

The steps below describe how to install and configure the UMich OIDC Login WordPress plugin for your WordPress website.

For an alternative solution, see the ITS Knowledge Article Install and Configure OpenID Connect (OIDC) Client for WordPress.  This alternative

Important note: You can only use one of the two plugins above (UMich OIDC Login and OpenID Connect Generic Client). Attempting to use both plugins at the same time will break your website.

Steps:

  1. Make sure you have WordPress installed and functioning correctly before proceeding.
  2. Install and activate the WordPress Native PHP Sessions plugin
    1. From your WordPress dashboard, navigate to “Plugins → Add New”
    2. Do a keyword search for "PHP Sessions"
    3. Click the "Install Now" button for the "WordPress Native PHP Sessions" plugin
      Note: ITS strongly recommends using the WordPress Native PHP Sessions plugin to prevent conflicts with other WordPress plugins that also use PHP sessions, and to ensure that everything functions correctly when the site resides on multiple web servers. However, using the WordPress Native PHP Sessions plugin is not strictly required.
    4. Click on “Plugins" in the left sidebar
    5. Click the "Activate" link for "WordPress Native PHP Sessions"
  3. Install the UMich OIDC Login plugin from GitHub. This plugin is not available through wordpress.org.  Use one of the following three methods of installing the plugin:
    1. WP Admin Dashboard Method -- this requires that your site has write access to the plugins folder:
      1. Download the umich-oidc-login.zip file for the latest package from https://github.com/its-webhosting/umich-oidc-login/releases/latest
          Important: do not download the source code (the source code has to be built before it can be used on a site)
      2. Go to the WordPress admin dashboard -> Plugins -> Add New -> Upload Plugin
      3. Select the zip file you downloaded and click Upload
      4. Activate the plugin

    2. Manual Method
      1. Download the umich-oidc-login.zip file for the latest package from https://github.com/its-webhosting/umich-oidc-login/releases/latest
          Important: do not download the source code (the source code has to be built before it can be used on a site)
      2. Extract the contents of the zip file
      3. Upload the umich-oidc-login folder to the wp-content/plugins/ folder in your site. The final location should be wp-content/plugins/umich-oidc-login
      4. Activate the plugin using the WordPress admin dashboard

    3. WP CLI Method (if you have the wp and jq commands installed):
      # GitHub repository that publishes the plugin releases
      plugin_repo="its-webhosting/umich-oidc-login"
      # Ask the GitHub API for the latest release and take the download URL of its first asset
      plugin_url=$(curl -s "https://api.github.com/repos/${plugin_repo}/releases/latest" | jq -r '.assets[0].browser_download_url')
      # Install the plugin from that URL and activate it in one step
      wp plugin install "${plugin_url}" --activate
      
  4. Register an OIDC client for your WordPress site.
    1. From your WordPress dashboard, navigate to "Settings → UMich OIDC Login → OIDC" and copy the value for "Redirect URI". You will need this in the next step.
    2. Follow the steps in the ITS Knowledge Article: How to Provision OIDC Service Client Credentials
      NOTE: In the "MCommunity groups for group-based authentication" section, select the groups you want to use to restrict access to either the entire WordPress website or only certain pages. Only groups that you own will show up. Your WordPress site will receive a yes/no answer for whether the logged-in user is a member of each group, even if membership in the group can only be viewed by members.
    3. In the OIDC Provisioning and Management Tool, click on the client you created in the step above to get the OIDC Client ID and OIDC Secret for use in the next step.
  5. Configure the UMich OIDC Login plugin
    1. From your WordPress dashboard, navigate to "Settings → UMich OIDC Login → OIDC"
    2. Enter the following values and click the "Save Changes" button:
      1. Identity Provider URL: https://weblogin.umich.edu
      2. Client ID: (paste the OIDC Client ID you obtained above)
      3. Client Secret: (paste the OIDC Secret you obtained above)
    3. Enter your group information:
      1. Click the "General" tab for the UMich OIDC Login settings
      2. In the "Groups for Authorization" field, enter the names of each of the "MCommunity groups for group-based authentication" that you selected when registering the OIDC client. Separate multiple group names with commas.
      3. Here is an example with two groups:
        its-web-hosting,CAEN Web Hosting Contacts
        IMPORTANT NOTE: only the official name of the group will work. The "also known as" names for the group will not work. You can find the official name for a group on the group's MCommunity page, in large type at the top of the main section:
        (Screenshot: mcommunity.umich.edu showing the official group name in the header at the upper left)
      4. Click the "Save Changes" button
    4. Customize the other settings on the "General" tab of the UMich OIDC Login settings page as you like for your website
    5. Restrict access to individual pages or posts by editing them and changing the value for "Access" at the bottom of the page/post document settings
    6. Use the information on the "Shortcodes" tab of the UMich OIDC Login settings page to customize your theme and/or website content.
      1. For example, the following will display either "Hello, stranger" with a "Log in" button if the visitor to the website is not logged in, or "Hello, <First-Name>" with a "Log out" button if they are logged in:
        Hello, [umich_oidc_userinfo type="given_name" default="stranger"]
        [umich_oidc_button]
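The WP CLI method in step 3 installs whatever `.assets[0]` happens to be on the latest release, and the article warns separately not to install the source-code archive. The following shell script is an added example, not code from the ITS article or from the umich-oidc-login project: it selects the asset to hand to `wp plugin install` by its expected file name and its expected download path under the repository named in the article, and rejects anything else. The release JSON it works on is constructed inline (the `vX.Y.Z` tag is a placeholder, not a real release), so it runs offline; it uses only grep, sed and sh so that jq is not required, though the article's jq one-liner remains the more robust JSON parser when jq is installed.

```shell
#!/bin/sh
# Added example, not from the ITS article or the umich-oidc-login project:
# choose the release asset for `wp plugin install` by name and origin instead
# of taking `.assets[0]` blindly. Only grep/sed/sh are used so it runs without
# jq; the article's jq one-liner remains the more robust JSON parser.

PLUGIN_REPO="its-webhosting/umich-oidc-login"   # repository named in the article
PLUGIN_ASSET="umich-oidc-login.zip"             # the built package the article says to download

# Constructed stand-in for GitHub's "releases/latest" response. "vX.Y.Z" is a
# placeholder tag; real responses carry many more fields, but only
# browser_download_url is consulted below. The first asset is deliberately a
# checksum file, which is what `.assets[0]` would hand to wp-cli.
SAMPLE_RELEASE_JSON='{
  "tag_name": "vX.Y.Z",
  "zipball_url": "https://api.github.com/repos/its-webhosting/umich-oidc-login/zipball/vX.Y.Z",
  "assets": [
    {"name": "SHA256SUMS",
     "browser_download_url": "https://github.com/its-webhosting/umich-oidc-login/releases/download/vX.Y.Z/SHA256SUMS"},
    {"name": "umich-oidc-login.zip",
     "browser_download_url": "https://github.com/its-webhosting/umich-oidc-login/releases/download/vX.Y.Z/umich-oidc-login.zip"}
  ]
}'

# Constructed response whose only assets come from a look-alike host and from
# a different repository; nothing in it should be installed.
BOGUS_RELEASE_JSON='{
  "assets": [
    {"name": "umich-oidc-login.zip",
     "browser_download_url": "https://github.com.example.invalid/its-webhosting/umich-oidc-login/releases/download/vX.Y.Z/umich-oidc-login.zip"},
    {"name": "umich-oidc-login.zip",
     "browser_download_url": "https://github.com/someone-else/umich-oidc-login/releases/download/vX.Y.Z/umich-oidc-login.zip"}
  ]
}'

# Print every browser_download_url value from release JSON on stdin, one per line.
asset_urls() {
    grep -o '"browser_download_url": *"[^"]*"' | sed 's/.*: *"\([^"]*\)"/\1/'
}

# What `.assets[0].browser_download_url` amounts to: the first asset, whatever it is.
first_asset_url() {
    asset_urls | head -n 1
}

# Print the URL of the built plugin package from release JSON on stdin, or print
# nothing and return 1 when no asset has the expected file name under the
# expected repository's release download path on github.com.
pick_plugin_asset() {
    asset_urls | {
        while IFS= read -r url; do
            case "$url" in
                "https://github.com/${PLUGIN_REPO}/releases/download/"*"/${PLUGIN_ASSET}")
                    printf '%s\n' "$url"
                    exit 0   # ends only this pipeline subshell, with success
                    ;;
            esac
        done
        exit 1   # no acceptable asset found
    }
}

# Stand-alone demo on the constructed sample: prints the verified asset URL.
printf '%s\n' "$SAMPLE_RELEASE_JSON" | pick_plugin_asset

# Live usage (not run here): fetch the latest release, verify the asset, install.
#   curl -s "https://api.github.com/repos/${PLUGIN_REPO}/releases/latest" \
#     | pick_plugin_asset | { IFS= read -r url && wp plugin install "$url" --activate; }
```

On the constructed sample, `first_asset_url` returns the SHA256SUMS file while `pick_plugin_asset` returns the plugin zip, and on the bogus sample `pick_plugin_asset` returns nothing and exits non-zero, so a `wp plugin install` chained after it with `&&` never runs.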

Additional Information

For assistance with the UMich OIDC Login plugin for WordPress on university websites, contact webmaster@umich.edu.

Need additional information or assistance? Contact the ITS Service Center.