Enabling Cosign for WordPress on WHE

Objective

Several users of the Web Hosting Environment have enabled Cosign for their WordPress website. Cosign is one method to allow users to log in to your site using the standard UMICH usernames and passwords. This replaces the WordPress login with the more familiar https://weblogin.umich.edu/ page.

To use Cosign, please make sure Cosign is enabled on your site. If you did not request Cosign in your initial request, you can send an email to lsait-infrastructure@umich.edu to request that it be enabled. Please include your site's name in the request.

 Note
Cosign is being deprecated in favor of Shibboleth. These instructions will soon be revised.

Environment

  • WordPress
  • Cosign

Install HTTP Authentication Plugin

  1. After installing WordPress, log into your site with an administrator account. Go to the Plugins section of the left toolbar and click Add New.
  2. Use the search field on the right side and search for a plugin named HTTP Authentication. It should be the first result. Click Install Now.
  3. Once installed, click Activate Plugin.
  4. In the left side menu, click on the Settings section and click on HTTP Authentication.
  5. Leave the default Logout URI. Note that the logout URI can be set to anything, but it doesn't work: you can log out of Cosign but then log right back in to WordPress as the same user. Therefore, this setup is not recommended in a situation where you may have multiple users using the same account on the same computer.
    • You will probably want users to be automatically created as they log in, rather than prepopulating every user. To make this happen, check the checkbox for the 'Automatically create accounts' option.
    • By default, people with umich uniqnames will automatically be added as a Subscriber. You can change their default role on the general settings page of your WordPress admin at https://YOUR-SITE-NAME.lsa.umich.edu/wp-admin/options-general.php.
    • You may also want to add the email domain as @umich.edu.
  6. Finally, create your own account and set it to be an administrator. Do this before you log out of the admin page; otherwise you won't be able to log in as an administrator to your site. In the left side menu, click Users and then Add user.
  7. Use your uniqname and your email address. If you registered your email address as the 'admin' account you may get the following error:
    Error: This email is already registered, please choose another one
    • If you get this error, you can enter your email address as uniqname@go.itd.umich.edu, replacing uniqname with your own uniqname. @go.itd.umich.edu is just an alternate name for your Gmail address (see "Forwarding Your U-M Email Using the MCommunity Directory"). This should let you create your account.

Modify .htaccess file

Now you will need to edit the .htaccess file inside your WordPress installation folder to enable Cosign on the wp-login.php file. You can do this using the File Manager or via ssh. If you've installed WordPress to the root of your site, the .htaccess file will be inside /home/accountname/public_html, where accountname is your cPanel account name. If you installed WordPress into a subdirectory such as 'wp', it will be inside /home/accountname/public_html/wp. You need to add the following to the beginning of the file:

RewriteEngine On
# Allow Cosign auth URLs - do not remove, must be first rule, must have a [L] to stop processing other cosign URLs
RewriteRule ^cosign - [L]

<Files wp-login.php>
CosignProtected On
AuthType Cosign
</Files>

If you've installed WP at the root of your site, your .htaccess file should look similar to this:

RewriteEngine On
# Allow Cosign auth URLs - do not remove, must be first rule, must have a [L] to stop processing other cosign URLs
RewriteRule ^cosign - [L]
<Files wp-login.php>
CosignProtected on
AuthType Cosign
Require valid-user
</Files>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Or if you have installed to a subfolder such as /wp/ your .htaccess file should look similar to this:

RewriteEngine On
# Allow Cosign auth URLs - do not remove, must be first rule, must have a [L] to stop processing other cosign URLs
RewriteRule ^cosign - [L]
<Files wp-login.php>
CosignProtected on
AuthType Cosign
Require valid-user
</Files>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /wp/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wp/index.php [L]
</IfModule>

# END WordPress

The WordPress rewrite rules for WordPress permalinks can sometimes break Cosign. The RewriteRule ^cosign - [L] rule is an attempt to stop that from happening and is persistent across changes to your WordPress permalinks.

An alternate way to fix that would be to add the line

RewriteCond %{REQUEST_URI} !=/cosign/valid

above the line

RewriteCond %{REQUEST_FILENAME} !-f

depending on how you have your WordPress permalinks configured. If this solution works for you, any time you update your theme or permalinks you will want to verify that your .htaccess file still looks as expected so that Cosign continues to function.

Troubleshooting

If you log out before creating your uniqname (or some uniqname) as an administrator, you'll be locked out of WordPress and will need to remove the changes you made to your .htaccess file. Once you do that, you will be able to log in with the normal WordPress login screen to fix things.

If you are using the file manager and do not see a .htaccess file, make sure you have it set to “Show Hidden Files (dotfiles)”. You can change this by clicking the Settings button in the top right.

 Note
If your site doesn't seem to be working with Cosign anymore, make sure that the .htaccess file contains the cosign parts. Changing the permalinks setting or installing some third-party plugins can cause this file to update, and it may delete your Cosign changes.
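
One way to run that check over ssh, as an added example that is not part of the original article or of any WHE tooling: the function name check_cosign_htaccess and the sample file are constructed for illustration. It confirms that the first RewriteRule is the Cosign pass-through and that the wp-login.php block still carries the three directives shown in the full examples above.

```shell
#!/bin/sh
# Added example: audit a WordPress .htaccess for the Cosign directives this page requires.
# Prints one line per problem and returns 0 only when nothing is missing.
check_cosign_htaccess() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    problems=0

    # 1. The first RewriteRule in the file must be the Cosign pass-through ending in [L].
    first_rule=$(grep -iE '^[[:space:]]*RewriteRule[[:space:]]' "$f" | head -n 1)
    if ! printf '%s\n' "$first_rule" |
        grep -qiE '^[[:space:]]*RewriteRule[[:space:]]+\^cosign[[:space:]]+-[[:space:]]+\[L\][[:space:]]*$'
    then
        echo "first RewriteRule is not: RewriteRule ^cosign - [L]"
        problems=$((problems + 1))
    fi

    # 2. Extract the <Files wp-login.php> body: skip comments, lowercase, squeeze whitespace.
    block=$(awk '
        tolower($0) ~ /^[ \t]*<files[ \t]+"?wp-login\.php"?[ \t]*>/ { inside = 1; next }
        tolower($0) ~ /^[ \t]*<\/files>/ { inside = 0 }
        inside && $0 !~ /^[ \t]*#/ { sub(/\r$/, ""); $1 = $1; print tolower($0) }
    ' "$f")
    for want in 'CosignProtected On' 'AuthType Cosign' 'Require valid-user'; do
        lower=$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$block" | grep -qxF "$lower"; then
            echo "wp-login.php block is missing: $want"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample: an .htaccess after a permalink save kept only the WordPress block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
check_cosign_htaccess "$sample" || echo "Cosign directives need to be restored"
rm -f "$sample"
```

To audit a real site, call the function with the path to the installation's .htaccess, for example /home/accountname/public_html/.htaccess.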

Details

Article ID: 1612
Created: Wed 5/27/20 8:26 AM
Modified: Tue 6/23/20 11:28 AM