Differences

This shows you the differences between two versions of the page.

en:2.0:single_sign_on:saml_wordpress [2025/04/26 01:57] kainhofer
en:2.0:single_sign_on:saml_wordpress [2025/04/27 22:07] (current) – [Configuring the Service Provider (Wordpress)] kainhofer
Line 2: Line 2:
  
 Starting with version 5.0, Admidio can be used by other applications to authenticate users against Admidios user base. These instructions will guide you through the process of connecting Wordpress to Admidio to use Admidio's login. For general instructions, and other apps, please visit the [[en:2.0:single_sign_on|general Single-Sign-On overview page]]. Starting with version 5.0, Admidio can be used by other applications to authenticate users against Admidios user base. These instructions will guide you through the process of connecting Wordpress to Admidio to use Admidio's login. For general instructions, and other apps, please visit the [[en:2.0:single_sign_on|general Single-Sign-On overview page]].
 +
 +While the Wordpress plugin directory lists several choices for SAML login, only the [[https://wordpress.org/plugins/onelogin-saml-sso/|OneLogin SAML SOO]] plugin is free and supports permissions depending on the Admidio groups/roles.
  
 ===== Prerequisites ===== ===== Prerequisites =====
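Review bot: the new plugin sentence in this hunk links to "OneLogin SAML SOO"; the plugin name is "OneLogin SAML SSO" (the slug in the URL is onelogin-saml-sso, and the same name is used further down in the installation paragraph). The claim "only the ... plugin is free and supports permissions depending on the Admidio groups/roles" should be narrowed to what is actually meant, e.g. "the only free plugin that also maps Admidio groups/roles to WordPress permissions", since the later paragraph only says it is "a free SAML plugin". Minor: "Admidios user base" should be "Admidio's user base", and the page mixes "Wordpress" and "WordPress"; the product name is WordPress.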
Line 11: Line 13:
  
 Basically, one (1) needs to **create a cryptographic key** to sign message and **choose a unique EntityID**. Basically, one (1) needs to **create a cryptographic key** to sign message and **choose a unique EntityID**.
-The page preferences https://admidio.local/adm_program/modules/preferences.php?panel=sso also provides the link to the metadata xml, and the individual settings in case a client does not support auto-configuration via metadata.+The page preferences https://admidio.local/modules/preferences.php?panel=sso also provides the link to the metadata xml, and the individual settings in case a client does not support auto-configuration via metadata.
  
 ===== TL;DR; - Quick Overview ===== ===== TL;DR; - Quick Overview =====
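Review bot: this hunk only changes the preferences URL from /adm_program/modules/preferences.php to /modules/preferences.php; if the path changed with Admidio 5.0, any screenshot or link elsewhere on the SSO pages that still shows /adm_program should be updated in the same edit, otherwise readers will get two different paths. Wording on the unchanged line: "one (1) needs to create a cryptographic key to sign message and choose a unique EntityID" should read "one needs to create a cryptographic key to sign messages and choose a unique EntityID"; admidio.local is an example hostname and could be labelled as such.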
Line 32: Line 34:
 There are several SAML plugins for Wordpress, mostly non-free and quite expensive. A free SAML plugin that provides login, but also profile field and group sync is the plugin "OneLogin SAML SSO", which can be installed directly in the plugin manager. There are several SAML plugins for Wordpress, mostly non-free and quite expensive. A free SAML plugin that provides login, but also profile field and group sync is the plugin "OneLogin SAML SSO", which can be installed directly in the plugin manager.
  
-{{:en:2.0:sso:sso_saml_wp_01_install_saml_plugin.png?direct&380 |}}{{:en:2.0:sso:sso_saml_wp_01b_install_saml_plugin.png?direct&550 |}}+<div style="text-align: center;"> 
 +{{:en:2.0:sso:sso_saml_wp_01_install_saml_plugin.png?direct&450|}}  {{:en:2.0:sso:sso_saml_wp_01b_install_saml_plugin.png?direct&800|}} </div>
  
-<div style="clear: both;"></div> 
  
 +After installation it can be configured in WordPress in the menu "Settings" -> "SSO/SAML Settings". The plugin does not allow auto-configuration from Admidio's metadata file, so one needs to manually enter all IdP information from Admidio's preferences section. It is a good idea to keep two browser windows open so one can easily select and copy the settings. Admidio even provides little "copy" buttons/icons to copy the various settings to the clipboard for easy pasting into Wordpress' configuration.
 +{{:en:2.0:sso:sso_saml_wp_02_plugin_config.png?direct&900|}}
  
-After installation it can be configured in WordPress in the menu "Settings" -> "SSO/SAML Settings"The plugin does not allow auto-configuration from Admidio's metadata fileso one needs to manually enter all IdP information from Admidio's preferences section: +One central setting is the SAML Client EntityID, which uniquely identifies the Wordpress client to Admidio. You need to scroll down to the  "Advanced Settings" Section and enter the EntityId of your Wordpress SAML clientIt is usually recommended to use the URL of the installationbut any unique string is fine. That EntityID will be copied over to the Admidio configuration. If the SP EntityID entered in Wordpress and in Admidio does not match, login via SAML will NOT be posible! 
-{{:en:2.0:sso:sso_saml_wp_02_plugin_config.png?direct&600|}}+{{ :en:2.0:sso:sso_saml_wp_03b_cliententityid.png?direct&600 |}}
  
-Nextcloud does not support automatic configuration from IdP metadataso one has to copy the correct settings over from the Admidio preferences. It is a good idea to keep two browser windows open so one can easily select and copy the settingsAdmidio even provides little "copy" buttons/icons to copy the various settings to the clipboard for easy pasting into Nextcloud's configuration.+Once these basic SAML settings are doneI would recommend to set up the SP in Admidioand do the remaining settings (transmitted fields and roles, as well as signing/encryption requirements) in parallel in Wordpress and Admidio. 
  
-This is a typical configuration of the Nextcloud SAML plugin for Admidio as an idP: 
-{{ :en:2.0:sso:sso_saml_02-03_nc_saml_setup2.png?direct&600 |}} 
  
-Once these basic SAML settings are doneI would recommend to set up the SP in Admidioand do the remaining settings (transmitted fields and roles, as well as signing/encryption requirementsin parallel in Nextcloud and Admidio+If the basic settings are validthe Wordpress plugin provides a link at the top of the page to check the validity of the configuration. At the very top of the config page is also the link to the client (SP) metadata XML filewhich can be pasted into Admidio for auto-configuration  of the SAML access (right-click on the link and copy the link location to the clipboard). 
 + 
 +{{ :en:2.0:sso:sso_saml_wp_06_spmetadata_link.png?direct |}}
  
-If the basic settings are valid, Nextcloud should indicate "Metadata valid" at the bottom of the page next to a button to download the metadata XML. Copy the URL of the metadata XML button (right-click on the "Download metadata XML" button and choose "copy link address"). 
-{{ :en:2.0:sso:sso_saml_02-04_nc_saml_metadata_link.png?direct&400 |}} 
  
 === Setting up encryption === === Setting up encryption ===
  
-If encryption is desired for all SAML messages sent by Admidio to Nextcloud, or if Nextcloud should sign all its requests, then Nextcloud needs a private/public key pair to decrypt or sign messages. These need to be entered into the Nextcloud SAML config in PEM format and can be generated by openssl's command line tools, or in Admidio's key administration. Simply create a new Key for Nextcloud (RSA 2048 bits). The certificate can be copied directly from the key's edit page, but the private key is not available in Admidio's GUI for security reason. Instead, it can be downloaded (secured with a password!) from the list of keys in Admidio:+If encryption is desired for all SAML messages sent by Admidio to Wordpress, or if Wordpress should sign all its SAML requests, then Wordpress needs a private/public key pair to decrypt or sign messages. These need to be entered into the Wordpress SAML config in PEM format and can be generated by openssl's command line tools, by sites like https://www.samltool.com/self_signed_certs.php or in Admidio's key administration. Simply create a new Key for Wordpress (RSA 2048 bits). The certificate can be copied directly from the key's edit page, but the private key is not available in Admidio's GUI for security reason. Instead, it can be downloaded (secured with a password!) from the list of keys in Admidio:
  
 {{ :en:2.0:sso:sso_saml_02-03a_nc_saml_keysetup1.png?direct&400 |}} {{ :en:2.0:sso:sso_saml_02-03a_nc_saml_keysetup1.png?direct&400 |}}
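Review bot: the rewritten encryption paragraph adds https://www.samltool.com/self_signed_certs.php as a way to generate the SP key pair; a private key generated in a third-party web page has been exposed to that site and should not be used to sign or decrypt SAML messages for a real installation. Keep the two local options only (openssl or Admidio's key administration) and give the openssl invocation, e.g. openssl req -x509 -newkey rsa:2048 -nodes -keyout sp.key -out sp.crt -days 365 -subj "/CN=<wordpress host>", which produces both PEM files the plugin asks for; the note that the private key download from Admidio is password-protected is good and should stay. Smaller points in the same hunk: "will NOT be posible" should be "possible"; the EntityID paragraph reads more clearly as "the SP EntityID entered in WordPress and in Admidio must match exactly, otherwise SAML login is not possible"; and the metadata-link paragraph should say that Admidio fetches the SP metadata URL itself, so the WordPress site must be reachable from the Admidio server (a local or firewalled WordPress will fail at "Load Client Metadata" even though the link works in the browser).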
Line 60: Line 62:
 {{:en:2.0:sso:sso_saml_02-03b_nc_saml_keystoreexplorer1.png?direct&400|}}{{:en:2.0:sso:sso_saml_02-03c_nc_saml_keystoreexplorer2.png?direct&400|}} {{:en:2.0:sso:sso_saml_02-03b_nc_saml_keystoreexplorer1.png?direct&400|}}{{:en:2.0:sso:sso_saml_02-03c_nc_saml_keystoreexplorer2.png?direct&400|}}
  
-{{ :en:2.0:sso:sso_saml_02-03d_nc_saml_keyconfig.png?direct&400 |}}+{{ :en:2.0:sso:sso_saml_wp_03c_cryptokey_wordpress.png?direct |}} 
 + 
 + 
 ==== Setting up the Client (SP) in Admidio ==== ==== Setting up the Client (SP) in Admidio ====
 +
  
 Now, return to Admidio's SSO preferences page, go to the "Single-Sign-On Client Administration" (the button right above the "Save" button), and create a new client. Now, return to Admidio's SSO preferences page, go to the "Single-Sign-On Client Administration" (the button right above the "Save" button), and create a new client.
-{{ :en:2.0:sso:mma?direct&400 |}}+{{ :en:2.0:sso:sso_saml_03-00_admidio_saml_preferences.png?direct&400 |}}
  
  
-Paste the metadata URL copied from Nextcloud into the corresponding input field at the top and click "Load Client Metadata". This should load all settings from Nextcloud and pre-fill the following fields correctly. Only the Client Name needs to be entered. Choose any name to clearly identify the client in the list of SAML clients. There is no functionality depending on the name. +Paste the metadata URL copied from Wordpress into the corresponding input field at the top and click "Load Client Metadata". This should load all settings from Nextcloud and pre-fill the following fields correctly. Only the Client Name needs to be entered. Choose any name to clearly identify the client in the list of SAML clients. There is no functionality depending on the name. 
-{{ :en:2.0:sso:sso_saml_02-05_nc_admidio_clientsetup1.png?direct&600 |}}+{{ :en:2.0:sso:sso_saml_wp_07_saml_client.png?direct&600 |}}
  
  
-In addition to the Entity ID and URLs to connect SP and IdP and the certificate, which are configured automatically, one also needs to define the attribute and role mapping. The username is the most relevant. To use Admidio's group memberships as Nextcloud groups, make sure to include the "Roles" field and provide the correct field name in Nextcloud. Internally, Nextcloud will add a prefix to the role names, which makes it impossible to assign admin rights to SAML groups (Nextcloud uses the group with internal name "admin" for administrators). If you want to assign admin rights through SAML, toothen you must enter a single space into the prefix field. This causes Nextcloud to take the role names verbatim as Nextcloud group namesincluding "admin".+==== Further configuration in Wordpress: Groups and PermissionsFieldsSecurity / Signing ====
  
-{{ :en:2.0:sso:sso_saml_02-06_nc_admidio_clientsetup1.png?direct&600 |}}+The plugin's configuration page provides a long **section of options**, which can be used to fine-tune the SAML functionality. E.g. one can have new users automatically created when a user logs in the first time via SAML
  
-<WRAP center round todo 60%> + 
-TODO: Describe signing and encryption settings (synced+The Wordpress SAML configuration also provides **attribute and role mapping** sections. The attribute mapping defines how Admidio's user profile fields are translated to Wordpress profile fields (currently only first and last name and the login name). If you also want to use Admidio's group memberships / roles to determine access permissions in Wordpress, make sure sure include the roles in the mapping! 
-</WRAP> +{{ :en:2.0:sso:sso_saml_wp_03_plugin_fieldmapping.png?direct |}} 
-{{ :en:2.0:sso:sso_saml_02-07_nc_admidio_clientsetup3.png?direct&600 |}}+ 
 + 
 +=== Role mapping between Admidio and Wordpress, Security Settings === 
 + 
 +To use Admidio's group memberships or roles to define **access permissions to Wordpress**, make sure to include the roles groups profile field in the field mapping as described in the previous paragraph. In Admidio, you can select which groups should be communicated to Wordpress, and even map them to other names. In the Wordpress SAML configuration, you can choose which group defines rights for Wordpress permissions (Administrator/Editor/Author/Contributor/Subscriber). 
 +{{ :en:2.0:sso:sso_saml_wp_04_plugin_rolemapping.png?direct |}} 
 + 
 +If your users have multiple roles, which are mapped to different permissions, one can even choose which permission level should take precendence, but in most cases this is not needed. 
 + 
 +The final section with advanced settings in Wordpress contains settings to fine-tune also cryptographic capabilities. It is important that the settings in Wordpress and Admidio are consistent and do not collide (e.g. if Wordpress is configured not to sign requests, while Admidio is configure to require signatures). The choices shown in the following Screenshot can be changed, but they need to be consistent in Wordpress and Admidio. 
 +{{ :en:2.0:sso:sso_saml_wp_05_plugin_cryptosettings.png?direct |}}
  
  
 ==== Setup completed, test Single-Sign-On ==== ==== Setup completed, test Single-Sign-On ====
-Admidio and Nextcloud should now be set up to use Admidio for logging in to Nextcloud. If you log out of Nextcloud, you should see the login screen with the choice of logging in with password or via SAML. +Admidio and Wordpress should now be set up to use Admidio for logging in to Wordpress. If you log out of Wordpress (or open Wordpress in an incognito browser window) and go to the wordpress admin location, you should see the login screen with the choice of logging in with password or via SAML. 
-{{ :en:2.0:sso:sso_saml_02-08_nc_saml_login.png?direct&400 |}}+{{ :en:2.0:sso:sso_saml_wp_08_saml_wordpress_login.png?direct&400 |}} 
  
 After choosing SAML login and loggin in with a user from Admidio, you should be logged in to Nextcloud. After choosing SAML login and loggin in with a user from Admidio, you should be logged in to Nextcloud.
-{{:en:2.0:sso:sso_saml_02-09_nc_saml_loggedin.png?direct&200|}} +{{ :en:2.0:sso:sso_saml_wp_08b_saml_admidio_login.png?direct&400 |}}{{ :en:2.0:sso:sso_saml_wp_09_loggedin.png?direct |}}
-{{:en:2.0:sso:sso_saml_02-10_nc_saml_users.png?direct&600|}}+
  
  
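Review bot: two Nextcloud leftovers survive the rewrite in this hunk: "This should load all settings from Nextcloud" in the client-setup paragraph should say WordPress, and the unchanged test paragraph "After choosing SAML login and loggin in with a user from Admidio, you should be logged in to Nextcloud." should read "logging in ... logged in to WordPress". The security paragraph only asks that the signing/encryption settings in WordPress and Admidio "do not collide"; since "no signing on either side" is also consistent, it should state the recommended baseline rather than leaving it to the screenshot: Admidio signs responses/assertions and WordPress is set to validate those signatures, and if Admidio is set to require signed requests, WordPress must be set to sign them with the key from the encryption section. Typos in the new text: "make sure sure include the roles" should be "make sure to include the roles", "roles groups profile field" should be "roles/groups profile field", "precendence" should be "precedence", and "Admidio is configure to require" should be "configured".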
Line 93: Line 109:
 ==== Caveats and Things to Consider ==== ==== Caveats and Things to Consider ====
  
-  * For security reasonsNextcloud will prepend **SAML_ prefix to the group names** obtained from the SAML IdP. This makes hybrid environments quite hard in practice, where some users authenticate via SAML, others via local accounts or other network accounts. In these hybrid cases, the SAML-generated groups will be different than the local groups and all group permissions need to be set twice! As a **workaround**, one can **enter a single space into the prefix input box**. This will cause Nextcloud'SAML extension to clear the prefix, but the input field will appear empty in the future, so it is not clarly visible whether the prefix was "cleared" or the default prefix will be applied!+  * The permission levels of Wordpress are very limitedso figuring out the proper mapping of groups to permissions is important to prevent accidental admin permissions to users. 
 +  Even though Wordpress has fields for Website, Bio and Profile Picture, the SAML plugin does not provide a way to populate them from Admidio.
  
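Review bot: the first caveat warns about accidentally granting admin permissions, but the page never says which WordPress role a SAML user receives when none of their Admidio groups is mapped; state the fallback role next to this caveat and recommend the least-privileged one (Subscriber), since that is where an over-broad default would show up. The second caveat is a fair limitation note; "Wordpress" should be "WordPress" for consistency with the configuration paragraph above.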
en/2.0/single_sign_on/saml_wordpress.1745625431.txt.gz
Last modified: 2025/04/26 01:57
by kainhofer