Single Sign-On for WordPress
miniOrange provides a ready-to-use SAML single sign-on solution for WordPress, so you can roll out secure access to WordPress for your employees within minutes.

SETUP GUIDE FOR SHIBBOLETH AS IdP

STEP 1: In conf/idp.properties, uncomment 'idp.encryption.optional' and set it to true. The WordPress SP metadata you add in Step 2 publishes no encryption key; at the default (false) the IdP refuses to issue an assertion it cannot encrypt, while true lets it fall back to a signed but unencrypted assertion for this SP. Example:

idp.encryption.optional = true

STEP 2: In conf/metadata-providers.xml, register WordPress as an SP with an inline metadata provider like this. Replace the two placeholders with the SP-EntityID / Issuer and the ACS URL shown in Step 1 of the plugin under the Identity Provider tab, and set validUntil to a date in the future (or omit the attribute): the IdP will not use metadata whose validUntil has passed, so an expired value silently breaks the login.

<MetadataProvider xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata"
	id="miniOrangeInLineEntity" xsi:type="InlineMetadataProvider" sortKey="1">
	<samlmd:EntityDescriptor ID="entity" entityID="<SP-EntityID / Issuer from Step1 of the plugin under Identity Provider Tab.>"
			validUntil="2020-09-06T04:13:32Z">
		<samlmd:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
			protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
			<samlmd:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</samlmd:NameIDFormat>
			<samlmd:AssertionConsumerService
				Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
				Location="<ACS (AssertionConsumerService) URL from Step1 of the plugin under Identity Provider Tab.>"
				index="1" />
		</samlmd:SPSSODescriptor>
	</samlmd:EntityDescriptor>
</MetadataProvider>

WantAssertionsSigned="true" is what makes the IdP sign the assertion; the plugin's "Assertion Signed" setting in Step 7 relies on it.

STEP 3: In conf/saml-nameid.properties, uncomment the default SAML 2 NameID format and set it to emailAddress like this:

idp.nameid.saml2.default=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

STEP 4: In conf/saml-nameid.xml, search for shibboleth.SAML2NameIDGenerators.
Uncomment the shibboleth.SAML2AttributeSourcedGenerator bean and comment out all other ref beans, so that the SAML 2 NameID Generation list looks like this:

<!-- SAML 2 NameID Generation -->
<util:list id="shibboleth.SAML2NameIDGenerators">
	<!-- <ref bean="shibboleth.SAML2TransientGenerator" /> -->
	<!-- <ref bean="shibboleth.SAML2PersistentGenerator" /> -->
	<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
		p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
		p:attributeSourceIds="#{ {'email'} }" />
</util:list>

STEP 5: Make sure the attribute named in attributeSourceIds is defined in conf/attribute-resolver.xml.
For example, if you authenticate against LDAP, the AttributeDefinition and its DataConnector should look like this:

<!--
	Note: the AttributeDefinition id must be the same as the value you provided in
	attributeSourceIds in conf/saml-nameid.xml
-->
<!-- Maps the LDAP "mail" attribute to a SAML attribute named "email" -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
	<resolver:Dependency ref="ldapConnector" />
	<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="email" friendlyName="email" />
</resolver:AttributeDefinition>
<resolver:DataConnector id="ldapConnector" xsi:type="dc:LDAPDirectory"
	ldapURL="%{idp.authn.LDAP.ldapURL}"
	baseDN="%{idp.authn.LDAP.baseDN}"
	principal="%{idp.authn.LDAP.bindDN}"
	principalCredential="%{idp.authn.LDAP.bindDNCredential}">
	<dc:FilterTemplate>
	<!-- Define your user search filter here; it should select the same entry as
	     the login filter in ldap.properties (cn is used as the login name here) -->
		<![CDATA[
		(&(objectclass=*)(cn=$requestContext.principalName))
		]]>
	</dc:FilterTemplate>
	<!-- "*" pulls every attribute of the entry into the resolver; once the setup works,
	     restrict this to the attributes you actually release (here: mail) -->
	<dc:ReturnAttributes>*</dc:ReturnAttributes>
</resolver:DataConnector>

STEP 6: Make sure an AttributeFilterPolicy in conf/attribute-filter.xml releases the attribute.
The attributeID must be the same as the AttributeDefinition id defined in the previous step:

<afp:AttributeFilterPolicy id="ldapAttributes">
	<afp:PolicyRequirementRule xsi:type="basic:ANY" />
	<afp:AttributeRule attributeID="email">
		<afp:PermitValueRule xsi:type="basic:ANY"/>
	</afp:AttributeRule>
</afp:AttributeFilterPolicy>

Note that a basic:ANY PolicyRequirementRule releases the email address to every SP the IdP knows. If this IdP serves other relying parties, scope the policy to WordPress instead with a PolicyRequirementRule of xsi:type="basic:AttributeRequesterString" whose value is the SP entityID from Step 2.

STEP 7: Restart the Shibboleth server, then go to the Service Provider tab in the miniOrange SAML plugin and enter the following details:

Identity Provider Name: Shibboleth
SAML Login URL: https://<your domain>/idp/profile/SAML2/Redirect/SSO
IdP Entity ID or Issuer: https://<your domain>/idp/shibboleth
X.509 Certificate: the IdP's signing certificate (the public certificate only; by default credentials/idp-signing.crt under the IdP home)
Response Signed: checked
Assertion Signed: checked

With both boxes checked the plugin rejects any response or assertion that does not carry a signature verifiable with that certificate, so make sure you paste the signing certificate and not the encryption or back-channel one.
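After the restart, the first thing that usually goes wrong is a mismatch between what Shibboleth emits and what the plugin was told to expect in Step 7 (wrong NameID format, unsigned assertion, an EncryptedAssertion because Step 1 did not take effect, or an expired validUntil upstream). The checker below is an added example, not code from miniOrange or Shibboleth: it decodes a SAMLResponse captured from the HTTP-POST to the ACS and reports every structural mismatch against the Step 2 through Step 7 settings. It checks that the signatures are present, not that they are valid; signature verification is the plugin's job. The hostnames, entity IDs and the sample responses are constructed placeholders.

```python
import base64
import re
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml to parse responses from untrusted parties

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed placeholders standing in for the values entered in the plugin and the IdP.
IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://wp.example.org/sp"   # SP-EntityID / Issuer from the plugin (assumed)
ACS_URL = "https://wp.example.org/acs"       # ACS URL from the plugin (assumed)


def decode_post_binding(saml_response_param):
    """Decode the SAMLResponse form field of the HTTP-POST binding into XML text."""
    return base64.b64decode(saml_response_param).decode("utf-8")


def _parse_time(stamp):
    # Shibboleth emits millisecond precision ("...T10:00:00.123Z"); drop the fraction.
    stamp = re.sub(r"\.\d+Z$", "Z", stamp)
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, idp_entity_id, sp_entity_id, acs_url, now=None):
    """Return the list of mismatches between the Response and the plugin settings.
    An empty list means: Success status, Response and Assertion each carry a ds:Signature,
    Destination is the ACS URL, NameID is an emailAddress, Audience is the SP entityID and
    the assertion has not expired. Signature validity itself is not checked here."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Response Issuer is not the IdP entityID entered in the plugin")
    if root.find("ds:Signature", NS) is None:            # "Response Signed" checkbox
        problems.append("Response is not signed")
    if root.get("Destination") != acs_url:
        problems.append("Destination %r is not the ACS URL" % root.get("Destination"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        if root.find("saml:EncryptedAssertion", NS) is not None:
            # The plugin holds no decryption key; see idp.encryption.optional in Step 1
            problems.append("Assertion is encrypted")
        else:
            problems.append("no Assertion in Response")
        return problems
    if assertion.find("ds:Signature", NS) is None:       # "Assertion Signed" checkbox
        problems.append("Assertion is not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    elif name_id.get("Format") != EMAIL_FORMAT:          # Steps 3 and 4
        problems.append("NameID Format %r is not emailAddress" % name_id.get("Format"))
    elif "@" not in (name_id.text or ""):
        problems.append("NameID %r is not an email address" % name_id.text)
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:                    # entityID from the Step 2 metadata
        problems.append("Audience %r does not include the SP entityID" % audiences)
    conditions = assertion.find("saml:Conditions", NS)
    not_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    if not_after and _parse_time(not_after) <= now:
        problems.append("assertion expired at %s" % not_after)
    return problems


def build_sample(name_id_format=EMAIL_FORMAT, name_id="alice@example.org", sign_assertion=True):
    """Constructed Response in the shape Shibboleth emits for HTTP-POST; signature contents
    are elided because only the presence of ds:Signature is checked above."""
    sig = "<ds:Signature><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>"
    return """<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" xmlns:ds="%(ds)s"
 ID="_r1" Version="2.0" IssueInstant="2019-05-01T10:00:00.000Z" Destination="%(acs)s">
 <saml:Issuer>%(idp)s</saml:Issuer>%(sig)s
 <samlp:Status><samlp:StatusCode Value="%(success)s"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-05-01T10:00:00.000Z">
  <saml:Issuer>%(idp)s</saml:Issuer>%(asig)s
  <saml:Subject><saml:NameID Format="%(fmt)s">%(nid)s</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2019-05-01T09:55:00.000Z" NotOnOrAfter="2019-05-01T10:05:00.000Z">
   <saml:AudienceRestriction><saml:Audience>%(sp)s</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>""" % dict(NS, acs=ACS_URL, idp=IDP_ENTITY_ID, sp=SP_ENTITY_ID, success=SUCCESS,
                           sig=sig, asig=sig if sign_assertion else "", fmt=name_id_format, nid=name_id)


FIXED_NOW = datetime(2019, 5, 1, 10, 1, 0, tzinfo=timezone.utc)  # inside the sample's validity window


def run_samples(now=FIXED_NOW):
    """Check a correct sample and one where Step 4 was skipped (transient NameID, unsigned assertion)."""
    good = build_sample()
    bad = build_sample("urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "_a7c3f", sign_assertion=False)
    return {"good": check_response(good, IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL, now),
            "bad": check_response(bad, IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL, now)}


if __name__ == "__main__":
    for name, problems in run_samples().items():
        print(name, "->", problems or "OK")
```

To check a real login, copy the SAMLResponse parameter from the browser's POST to the ACS URL, pass it through decode_post_binding, and call check_response with the three values you entered in the plugin; each reported problem points back at the step that produced it.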