WordPress MFA and SSO with PhenixID Authentication Services

Warning

Please note, this document is using the legacy authenticators - in order to use the new protocol agnostic authenticators, you need to apply relevant modifications to the configuration examples outlined in this article.

Summary

This document will guide you through the steps to enable multi-factor authentication and SSO for the CMS system WordPress ( https://wordpress.com/)

System Requirements

• PhenixID Authentication Server 3.0 or higher
• WordPress instance administrative rights

Overview

This step-by-step-guide is based on the MiniOrange SSO SAML SP Plugin for WordPress. The plugin supports IdP-initiated SAML out-of-the box. For SP-initiated SAML, the premium version is required.

Instruction

Configure PhenixID Authentication Services as Identity Provider

1. Setup PhenixID Authentication Services as a SAML IdP.

2. Go to Scenarios->Federation-><YOUR_IDP>->Identity Provider

3. Add a Post SLO url: https://<your_phenixid_domain>/saml/authenticate/logout

4. Go to Scenarios->Federation-><YOUR_IDP>->Execution Flow

5. Make sure these attributes (they may be named differently based on your user store environment) are fetched from the user store:

   • givenName
   • sn
   • mail

   (Also, if you plan to control the WordPress user role from the Identity Provider, fetch the appropriate data, such as group membership, to be able to configure appropriate role value).

6. If your attributes are named differently than above, add PropertyAddValve(s) to populate values according to the names above.Example:

   • PropertyAddValve
   • name=givenName
   • value={{item.firstName}}

7. Make the following adjustments to the execution flow.

   1. Click AssertionProvider

      1. Set NameID Attribute = mail

      2. Set additional attributes = mail,givenName,sn,role

         Example:

         

   2. Save

8. Go to Scenarios->Federation-> <newly_added_scenario> -> Identity Provider. Deselect “Require signed requests”.

9. Save.

10. Go to Scenarios->Federation-> <newly_added_scenario> -> Identity Provider

11. Click View SAML Metadata

12. Download the displayed SAML IdP metadata to a xml file.

Configure WordPress

Follow this guide. Use the following options:

1. Step 1 – use the B option to download the SP metadata file. Name the file sp.xml.

2. Step 2 Use the A option and upload the IdP metadata file downloaded in previous step.

   • Set Identity Provider Name = Organization IdP. Change Organization to your organization name

3. Step 3 – Attribute mapping. Use these values:

   • Username = mail
   • Email = mail
   • First Name = givenName
   • Last Name = sn
   • Group/role  = role [OPTIONAL]

4. Step 4 – Role mappning [OPTIONAL]

   Follow the instructions.

5. Step 5 – SSO settings. Enable if possible (only if Premium). Follow the instructions.

Add WordPress as trusted Service Provider in PhenixID Authentication Services

1. Login to configuration manager
2. Scenarios->Federation
3. SAML Metadata upload
4. Upload the file sp.xml.

Add configuration for IdP-initiated SAML on PhenixID Authentication Services

1. Open sp.xml in a text editor

2. Copy the entityID value

3. Login to configuration manager

4. Scenarios->Federation->Your IdP

5. Execution Flow

6. Expand AssertionProvider

7. Add the copied entityID value to the Source ID field.

   

8. Save

Test

IdP-initiated

1. Browse to the IdP SSOService-location URL (found in the IdP metadata)
2. Authenticate
3. You should now be redirected to WordPress and be logged in (with the correct role if the IdP controls the role)

SP-initiated

(Only with the premium version of the Miniorange SSO plugin)

1. Browse to your WordPress URL
2. Select to login with the IdP
3. Authenticate
4. You should now be redirected to WordPress and be logged in (with the correct role if the IdP controls the role)

Tags

SAML 2 Single Sign-On Identity Provider Use Case: Federation of web services Use Case: Integrate with external systems Federation Step by Step