Enabling SSO for WordPress on WHE

Summary

This article discusses how to enable single sign-on (SSO) for your WHE-hosted WordPress website.

Several users of the Web Hosting Environment have enabled single sign-on (SSO), currently via OIDC or Shibboleth, to allow users to log into their WordPress website using the standard UMICH usernames and passwords. This replaces the WordPress login with the more familiar https://weblogin.umich.edu/ page.

Shibboleth and OIDC are the current methods.

Environment

  • WordPress
  • OIDC
  • Shibboleth

Directions

  1. Log into your WordPress administrative interface.
     
  2. Navigate to Plugins → Add New.
     
  3. Search for the WordPress Native PHP Sessions plugin.
     
  4. Click "Install Now."
     
  5. Once it's downloaded, click "Activate."
     
  6. Search for the UMich OIDC Login plugin.
     
  7. Click "Install Now."
     
  8. Once it's downloaded, click "Activate."
     
  9. Navigate to the Settings → UMich OIDC Login Settings → OIDC page.
     
  10. Copy the Redirect URI field contents. It's probably something like https://fqdn/sitename/wp-admin/admin-ajax.php?action=openid-connect-authorize. You will provide this to the Identity Provider (IdP) in Step 18.
     
  11. Navigate to the provisioning site to provision the OIDC Service Client credentials.
     
  12. Click "Provision New OIDC Service Client."
     
  13. Enter the Site Identifier. This must be unique. We recommend an abbreviated version of your site name with either Dev or Prod as a suffix.
     
  14. Select your College or business division from the pull-down list.
     
  15. Select the MCommunity manager group from the pull-down list.
     
  16. Enter a valid shortcode in the Shortcode field.
     
  17. Select the MCommunity group for group-based authentication from the pull-down list.
     
  18. In the "Redirect URL(s)" field, enter the URL you copied in Step 10.
     
  19. Click "Submit."
     
  20. Click on the client ID in the results page for the new client you created. (If you have multiple client IDs look for the current date and time in the Created column.)
     
  21. Copy the OIDC Client ID and OIDC Secret. You will enter them in your web application's configuration in Step 23 and Step 24 so that it authenticates visitors using OIDC.
     
  22. Back on your WordPress site's UMich OIDC Login Settings page you visited in Step 11, enter the Identity Provider URL:
    https://shibboleth.umich.edu
     
  23. Enter the OIDC Client ID from the provisioning results in Step 21.
     
  24. Enter the OIDC Client Secret from the provisioning results in Step 21.
     
  25. Save your changes: Click "Save Changes."
     
  26. Navigate to the General tab (Settings → UMich OIDC Login → General).
     
  27. For the Post-Login Action field, choose "URL: Login Destination URL if set below, or page they were on when they logged in" from the pull-down list. It may already be selected.
     
  28. For the Post-Logout Action field, choose "Smart: Same page they logged out from if public, or logout URL if set below, or site home" from the pull-down list. It may already be selected.
     
  29. In the "Groups for Authorization" field, enter the "MCommunity groups for group-based authentication" you selected in Step 17.
     
  30. Save your changes: Click "Save Changes."
     
  31. In the "Use OIDC for WordPress Users" field, choose "OPTIONAL:...."
     
  32. Save your changes: Click "Save Changes."
     
  33. Test:
     
    1. In a new Incognito or Private window, visit the WordPress site's Admin page (.../wp-admin).
       
    2. Are you prompted for SSO credentials (either directly or via a "Login with SSO" button)?
       
    3. Can you actually log in?
       
    4. Does it take you to the correct page?
       
    5. Can you log out again?
       
    6. Does it take you to the correct page?
       
  34. Fix any problems before proceeding.
     
  35. Back on your WordPress site's UMich OIDC Login Settings page's General tab, in the "Use OIDC for WordPress Users" field, choose "YES:...."
     
  36. Save your changes: Click "Save Changes."
     
  37. Repeat the tests from Step 33.
     
  38. Fix any problems before proceeding.
     
  39. Log out of the administrative interface.

You have enabled SSO for your WHE-hosted WordPress website.
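
Steps 10 and 18 only work if the Redirect URI registered at the provisioning site is identical to the one the plugin sends. The following Python check is an added example, not part of the UMich OIDC Login plugin or the original article; the function name and sample URLs are constructed for illustration, and it assumes the exact-string redirect URI matching that the OpenID Connect specification requires.

```python
from urllib.parse import urlsplit, parse_qs

# Shape of the plugin's callback URL as shown in Step 10 of the directions.
EXPECTED_PATH_SUFFIX = "/wp-admin/admin-ajax.php"
EXPECTED_ACTION = "openid-connect-authorize"

# Constructed sample value; substitute the Redirect URI field from your own site.
SAMPLE_URI = ("https://www.example.org/mysite/wp-admin/admin-ajax.php"
              "?action=openid-connect-authorize")


def check_redirect_uri(plugin_uri, registered_uris):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    parts = urlsplit(plugin_uri)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("missing host name")
    if parts.fragment:
        # RFC 6749 section 3.1.2: the redirection endpoint has no fragment.
        problems.append("contains a fragment")
    if not parts.path.endswith(EXPECTED_PATH_SUFFIX):
        problems.append("path does not end in " + EXPECTED_PATH_SUFFIX)
    if parse_qs(parts.query).get("action") != [EXPECTED_ACTION]:
        problems.append("action parameter is not " + EXPECTED_ACTION)

    # OpenID Connect compares redirect URIs as exact strings, so a pasted copy
    # with stray whitespace or different letter case will not match.
    if plugin_uri not in registered_uris:
        near = [r for r in registered_uris
                if r.strip().lower() == plugin_uri.strip().lower()]
        if near:
            problems.append("registered value differs only in whitespace "
                            "or letter case: %r" % near[0])
        else:
            problems.append("not among the registered Redirect URL(s)")
    return problems


if __name__ == "__main__":
    # Simulates a copy-and-paste that picked up a trailing space in Step 18.
    for problem in check_redirect_uri(SAMPLE_URI, [SAMPLE_URI + " "]):
        print("PROBLEM:", problem)
```
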