psignoret/aad-sso-wordpress
Stars: 255
Forks: 72
Pull Requests: 54
Issues: 210
Watchers: 30
Last Updated: 2023-05-16 01:08:43
Single Sign-on with Azure Active Directory (for WordPress)
License: Other
Languages: PHP, Shell, CSS
Sign Sign-on with Azure Active Directory (for WordPress)
A WordPress plugin that allows organizations to use their Azure Active Directory user accounts to sign in to WordPress. Organizations with Office 365 already have Azure Active Directory (Azure AD) and can use this plugin for all of their users.
- Azure AD group membership can be used to determine access and role.
- New users can be registered on-the-fly based on their Azure AD profile.
- Can always fall back to regular username and password login.
This is a work in progress, please feel free to contact me for help. This plugin is provided as-is, with no guarantees or assurances.
In the typical flow:
- User attempts to log in to the blog (
wp-admin). At the sign in page, they are given a link to sign in with their Azure Active Directory work or school account (e.g. an Office 365 account). - After signing in, the user is redirected back to the blog with an authorization code, which the plugin exchanges for a ID token, containing a minimal set of claims about the signed in user, and an access token, which can be used to query Azure AD for additional details about the user.
- The plugin uses the claims in the ID token to attempt to find a WordPress user with an email address or login name that matches the Azure AD user.
- If one is found, the user is authenticated in WordPress as that user account. If one is not found, the WordPress user will (optionally) be auto-provisioned on-the-fly.
- (Optional) Membership to certain groups in Azure AD can be mapped to roles in WordPress, and group membership can be used to restrict access.
Getting Started
The following instructions will get you started. In this case, we will be configuring the plugin to use the user roles configured in WordPress.
1. Download and activate the plugin
This plugin is not yet registered in the WordPress plugin directory (coming soon!), but you can still install it manually:
- Download the plugin using
gitor with the 'Download ZIP' link on the right. - Place the
aad-sso-wordpressfolder in your WordPress' plugin folder. Normally, this is<your-blog>/wp-content/plugins. - Activate the plugin in the WordPress admin console, under Plugins > Installed Plugins.
2. Register an Azure Active Directory application
With these steps, you will create an Azure AD app registration. This will provide your WordPress site with an application identity in your organization's Azure AD tenant.
-
Sign in to the Azure portal, and ensure you are signed in to the directory which has the users you'd like to allow to sign in. (This will typically be your organization's directory.) You can view which directory you're signed in to (and switch directories if needed) by clicking on your username in the upper right-hand corner.
-
Navigate to the Azure Active Directory blade, and enter the App registrations section.
-
Choose New registration.
-
Fill out the initial form as follows:
-
Name: Enter your site's name. This will be displayed to users at the Azure AD sign-in page, in the sign-in logs, and in any consent prompt users may come across.
-
Supported account types: Choose "Accounts in this organizational directory" if you only expect users from one organization to sign in to your app. Otherwise, choose "Accounts in any organizational directory" to allow users from any Azure AD tenant to sign in.
Note: This plugin does not yet support the third option, "Accounts in any organizational directory and personal Microsoft accounts".
-
Redirect URI: Leave the redirect URI type set to "Web", and provide a URL matching the format
https://<your blog url>/wp-login.php, or whichever page your blog uses to sign in users.Note: If you're not sure what to enter here, you can leave it empty for now and come back and update this (under Azure AD > App registrations > Authentication) later. The plugin itself will tell you what URL to use.
Note: The page must invoke the
authenticateaction. (By default, this will bewp-login.php.)
-
-
After clicking Register, enter the API permissions section.
-
Verify that the delegated permission User.Read for Microsoft Graph is already be selected. This permission is all you need if you do not require mapping Azure AD group membership to WordPress roles.
Note: If you do wish to map Azure AD groups to WordPress roles, you must also select the delegated permission Directory.Read.All (click "Add a permission" > Microsoft Graph > Delegated > Directory.Read.All).
Important: Some permissions require administrator consent before it can be used, and in some organizations, administrator consent is required for any permission. A tenant administrator can use the Grant admin consent option to grant there permissions (i.e. consent) on behalf of all users in the organization.
-
Under Certificates & secrets, create a new client secret. Provide a description and choose a duration (I recommend no longer than two years). After clicking Add, the secret value will appear. Copy it, as this is the only time it will be available.
-
Switch to the Overview section and keep the tab open, as you will need to copy some fields when configuring the plugin.
3. Configure the plugin
Once the plugin is activated in WordPress (step 1), update your settings from the WordPress admin console under Settings > Azure AD. Basic settings to include are:
- Display name
- The display name of the organization, used in the link on the WordPress login page which will start the Azure AD sign-in process.
- Client ID
- The Application ID. (Copy this from the Azure AD app registration's **Overview** page.)
- Client Secret
- The client secret. (You copy this from the Azure AD app registration's **Certificates & secrets** page.)
- Reply URL
- The URL that Azure AD will send the user to after authenticating. This is usually the blog's sign-in page, which is the default value. Ensure that the reply URL configured in Azure AD matches this value.
4. (Optional) Set WordPress roles based on Azure AD group membership
The Single Sign-on with Azure AD plugin can be configured to set different WordPress roles based on the user's membership to a set of user-defined groups. This is a great way to control who has access to the site, and under what role.
This is also configured Settings > Azure AD (from the WordPress admin console). The following fields should be included:
- Enable Azure AD group to WP role association
- Check this to enable Azure AD group-based WordPress roles.
- Default WordPress role if not in Azure AD group
- This is the default role that users will be assigned to if matching Azure AD group to WordPress roles is enabled. If this is not set, and the user authenticating does not belong to any of the groups defined, they will be denied access.
- WordPress role to Azure AD group map
- For each of the blog's WordPress roles, there is a field for the ObjectId of the Azure AD group that will be associated with that role.
Note: For the Azure AD group to WordPress role mapping to work, the app in Azure AD needs the delegated permission Directory.Read.All for Microsoft Graph. See step 5 of Register an Azure Active Directory application, above, for more details.
Example settings
The different fields that can be defined in the settings JSON in Settings > Azure AD are documented in Settings.php. The following may give you an idea of the typical scenarios that may be encountered.
Minimal
Users are matched by their email address in WordPress, and whichever role they have in WordPress is maintained.
| Setting | Example value |
|---|---|
| Display name | Contoso |
| Client ID | 9054eff5-bfef-4cc5-82fd-8c35534e48f9 |
| Client Secret | NTY5MmE5YjMwMGY2MWQ0NjU5MzYxNjdjNzE1OGNiZmY= |
| Reply URL | https://www.example.com/blog/wp-login.php |
| Field to match to UPN | Email Address |
Match on username alias
Users are matched by their login names in WordPress and the alias portion of their Azure AD UserPrincipalName. Whichever role they have in WordPress is maintained.
| Setting | Example value |
|---|---|
| Display name | Contoso |
| Client ID | 9054eff5-bfef-4cc5-82fd-8c35534e48f9 |
| Client Secret | NTY5MmE5YjMwMGY2MWQ0NjU5MzYxNjdjNzE1OGNiZmY= |
| Reply URL | https://www.example.com/blog/wp-login.php |
| Field to match to UPN | Login Name |
| Match on alias of the UPN | Yes |
Group membership-based roles, no default role
Users are matched by their login names in WordPress, and WordPress roles are dictated by membership to a given Azure AD group. Access is denied if they are not members of any of these groups.
| Setting | Example value | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Display name | Contoso | ||||||||||
| Client ID | 9054eff5-bfef-4cc5-82fd-8c35534e48f9 | ||||||||||
| Client Secret | NTY5MmE5YjMwMGY2MWQ0NjU5MzYxNjdjNzE1OGNiZmY= | ||||||||||
| Reply URL | https://www.example.com/blog/wp-login.php | ||||||||||
| Field to match to UPN | Login Name | ||||||||||
| Enable Azure AD group to WP role association | Yes | ||||||||||
| Default WordPress role if not in Azure AD group | (None, deny access) | ||||||||||
| WordPress role to Azure AD group map |
|
Group membership-based roles with default role
Users are matched by their login names in WordPress, and WordPress roles are dictated by membership to a given Azure AD group. If the user is not a part of any of these groups, they are assigned the Author role.
| Setting | Example value | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Display name | Contoso | ||||||||||
| Client ID | 9054eff5-bfef-4cc5-82fd-8c35534e48f9 | ||||||||||
| Client Secret | NTY5MmE5YjMwMGY2MWQ0NjU5MzYxNjdjNzE1OGNiZmY= | ||||||||||
| Reply URL | https://www.example.com/blog/wp-login.php | ||||||||||
| Field to match to UPN | Login Name | ||||||||||
| Enable Azure AD group to WordPress role association | Yes | ||||||||||
| Default WordPress role if not in Azure AD group | Author | ||||||||||
| WordPress role to Azure AD group map |
|
Group membership-based roles, default role, auto-provision
Users are matched by their email in WordPress, and WordPress roles are dictated by membership to a given Azure AD group. If the user doesn't exist in WordPress yet, they will be auto-provisioned. If the user is not a part of any of these groups, they are assigned the Subscriber role.
| Setting | Example value | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Display name | Contoso | ||||||||||
| Client ID | 9054eff5-bfef-4cc5-82fd-8c35534e48f9 | ||||||||||
| Client Secret | NTY5MmE5YjMwMGY2MWQ0NjU5MzYxNjdjNzE1OGNiZmY= | ||||||||||
| Reply URL | https://www.example.com/blog/wp-login.php | ||||||||||
| Field to match to UPN | Email Address | ||||||||||
| Enable auto-provisioning | Yes | ||||||||||
| Enable Azure AD group to WP role association | Yes | ||||||||||
| Default WordPress role if not in Azure AD group | Subscriber | ||||||||||
| WordPress role to Azure AD group map |
|
Groups
As described above, you can map Azure AD groups to WordPress roles. Users who are members of the Azure AD group will be granted the WordPress role(s) the groups were mapped to.
There are several ways Azure AD groups can be created/managed. Some of them require the group owner/creator to be a tenant administrator, others not necessarily (depending on your organization's policy):
- Azure portal. The Azure portal (https://portal.azure.com), under Azure Active Directory > Groups > New group, allows admins and (optionally) users to create and manage groups.
- Access Panel. The Azure AD Access Panel (https://myapps.microsoft.com) provides an interface for users to create and manage groups.
- Outlook. The Outlook web interface (https://outlook.office.com/) offers users the option to create Office 365 Groups. These groups are stored in Azure AD and can be used with this plugin.
- Microsoft Teams. Creating a team in Microsoft Teams (https://teams.microsoft.com) also results in an Office 365 Group getting created.
- Azure AD PowerShell. The Azure AD PowerShell module allows admins and (optionally) users to create and manage groups. (e.g. New-AzureADGroup, and Add-AzureADGroupMember cmdlets.)
- On-premises. Many large organizations use Azure AD Connect to sync their on-premises AD to Azure AD. This usually includes all on-premises AD groups and memberships. Once these groups are synced to Azrue AD, they can be used with this plugin.
Advanced
Refreshing the OpenID Connect configuration cache
Most of the OpenID Connect endpoints and configuration (e.g. signing keys, etc.) are obtained from the OpenID Connect configuration endpoint. These values are cached for one hour, but can always be forced to re-load by adding aadsso_reload_openid_config=1 to the query string in the login page. (This shouldn't really be needed, but it has shown to be useful during development.)
Bypassing automatic redirect to Azure AD to prevent lockouts
If you've configured this plugin to automatically redirect to Azure AD for sign-in, but something is misconfigured, you may find yourself locked out of your site's admin dashboard.
To log in to your site without automatically redirecting to Azure AD (thus giving you an opportunity to enter a regular username and password), you can append ?aadsso_no_redirect=please to the login URL. For example, if your login URL is https://example.com/wp-login.php, navigating to https://example.com/wp-login.php?aadsso_no_redirect=please will prevent any automatic redirects.
OPEN ISSUES
See all- Groups picker/search in settings page by @psignoret
- Advanced settings (default hidden) by @psignoret
- Autoprovision fails when matching by login because email can be taken by @psignoret
- Error messages not always displaying at login form by @psignoret
- When matching by email, users can lock themselves out by changing their profile by @psignoret
- Use email properties for email when auto-provisioning by @psignoret
- Switch user permissions to subscriber when user deleted from AD by @blobaugh
- Document that sessions affinity is required by @psignoret
- Please add steps for granting Azure permissions on behalf of users by @richthomsen
- Flip AAD groups to WP roles map in settings by @psignoret
- Discussion: Automated Testing by @bradkovach
- Create README.txt by @psignoret
- Bad resource requests in login page can cause state value to reset by @psignoret
- Add support for B2C directories by @psignoret
- Pass the key array to JWT::decode so it can choose it's own key by @psignoret
- Link to request admin consent by @psignoret
- Rename files to match WP style by @psignoret
- Environment variables for settings by @stephen-kainos
- Fatal error on activate Plugin by @knightfabio
- HTTP 500 error after login on AAD by @Jamesits
- Compatibility with WordPress 2FA providers by @Jamesits
- Support for Windows Server 2016 and ADFS by @ravicini
- Bypass First Authentication Page by @mrdenny
- Get and Store AD Attributes for users by @zeechaudhry
- Conflict with VigilanTor plugin by @psignoret
- Detect overly-long URL and possibly switch to Form Post Response Mode by @psignoret
- Detect empty or invalid cached OpenID config contents by @psignoret
- Access token by @tarpey
- A mechanism to share obtained tokens with other plugins by @psignoret
- Cannot log out user by @teocomi
- Feature Request: Improve versioning; add reference to repo in plugin header by @bradkovach
- aad-sso-wordpress and ithemes security results in 414 by @mottersen
- I am not able to login with the plugin by @warnubis
- User is created in WordPress even if the user can't login by @sudar
- usage with Network Sites by @acds
- Other Users can still Register for the Site by @warnubis
- How to get Azure User Data? by @anormore
- Cannot Login WordPress site by @ajowi
- Constant state of re-direct by @tghastings
- Having issues with aad-sso-wordpress by @abilashls
- Link redirecting to the login page by @MajesticComputerTechnology
- User cannot login by @payneauj
- Multiple Reply/Redirect URLs by @jjacobs1
- Azure AD + Microsoft Credentials coming across invalid by @divemaster2533
- login url on another page keeps getting ANTIFORGERY_ID mismatch by @mounirface3
- Anyway to put Azure AD email field into Wordpress email field? by @mmahoney812
- Users cannot sign-into website by @mmahoney812
- How to get login and logout urls by @leviatorkilsheyggi
- There is the possibility to pull all Azure Active Directory users??? by @Alencarxx
- [Question] Bypass Authentication from local account by @vanxy
- Can one promote a MultiSite Super Admin into an AD authenticated user ? by @acds
- Incompatible with "Login No Captcha reCAPTCHA" plugin by @ShadowXVII
- Add plugin to WordPress.org plugin repository by @hajekj
- [Question] login without redirect by @bluejab
- User cannot log in "AADSTS65005" by @hironihashi
- Anti-forgery mismatch by @brandontravis
- Users no admin rights by @benjaminCFD
- Add ability for users that have valid, active AD tokens to be auto-logged in. by @ghost
- Redirecting user to specified URL after login by @brm252
- Azure AD (B2C) - issue in OpenID connector by @grzegorzszypa
- Locked Out of Wordpress Admin by @alissaisenberg
- Guest by @donsaliery
- Dumping users back to login without logging in by @evanpalumbo
- Login stuck at login.microsoftonline.com by @freewings89
- Additional attribute mapping by @hy-itops
- Is there a way to pull Azure AD Profile pic and map to Wordpress? by @hai2rnr
- Add option to change logout url by @filipliwinski
- signing out by @spaceship12
- two separate AAD login issues by @spaceship12
- Custom Domain Name in Azure Web App - Auth Errors by @mmggIThub
- users get redirected to profile.php by @danielH0514
- We should hide the default login-UI (usename and password) .. by @akkaneko-ms
- Auto-Provision Usernames as Alias, Rather than Email Address by @mrjarbenne
- AD Base URL automatically changed by @Tamilselvand
- For those struggling with custom login page by @8biteric
- Italian translation by @ignazios
- Problems with External User by @Iojanseba
- determine_current_user by @jrmcdona
- Too many redirects with WordPress 5.4 by @Ssy3
- WooCommerce Login by @StuartBall-Scouts
- ANTIFORGERY_ID_mismatch. Expecting... by @planet4
- Auto Login Possible? by @tbmccg
- ANTIFORGERY_ID mismatch. Expecting {ISSUE_NUMBER_HERE} by @bst003
- ERROR 403: Options.php by @mmirandab
- Error when signing in - "Session does not contain antiforgery ID." #200 by @stefanie-sidekick
- User token? by @stefanie-sidekick
- Wrong redirect URL by @mrdenny
- One user unable to auth to WordPress by @mrdenny
- Support for OAuth2 Authorization Code Flow by @hkusulja
- Implement support for PKCE by @psignoret
- Session does not contain antiforgery ID by @oliverchambers
- Slowing down site by @kieranlee999
- I get Session does not contain antiforgery ID when logging in by @emmigereb
- Too many redirect URL error by @amarvora