CU-CommunityApps/cd-simplesamlphp-auth-wp-plugin

cd-simplesamlphp-auth-wp-plugin

Tested with WordPress 5.5.3 and SimpleSAMLphp 1.19.0. Configured for use on Pantheon servers only.

Logs a user into WordPress using simplesamlphp

This plugin uses add_filter to hook the WordPress authentication function so that users are authenticated through SimpleSAMLphp instead of with login form credentials.

An alternative plugin with additional features: WP SAML Auth.

Resources: Shibboleth at Cornell Page, saml-20-adp-remote.php

Get Started

Install SimpleSAMLphp using download method with symbolic link for Pantheon

wget "https://simplesamlphp.org/download?latest" -O simplesamlphp-latest.tar.gz
mkdir -p private/simplesamlphp
tar -zxf simplesamlphp-latest.tar.gz -C private/simplesamlphp --strip-components 1
ln -s private/simplesamlphp/www simplesaml

Download cd-simplesamlphp-auth-wp-plugin and copy default config

wget https://github.com/CU-CommunityApps/cd-simplesamlphp-auth-wp-plugin/archive/main.zip
unzip main.zip -d ./wp-content/plugins
mv wp-content/plugins/cd-simplesamlphp-auth-wp-plugin-main wp-content/plugins/cd-simplesamlphp-auth-wp-plugin
mkdir -p private/simplesaml
cp -r wp-content/plugins/cd-simplesamlphp-auth-wp-plugin/docs/config private/simplesaml
cp -r wp-content/plugins/cd-simplesamlphp-auth-wp-plugin/docs/metadata private/simplesaml

Generate certs and add them to private/simplesamlphp/cert.

mkdir private/simplesaml/cert
cd private/simplesaml/cert
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
cd ../../../
rm -r private/simplesamlphp/cert
cp -r private/simplesaml/cert private/simplesamlphp/cert

Copy the backed-up config to the simplesamlphp directory

rm -r private/simplesamlphp/config
rm -r private/simplesamlphp/metadata
cp -r ./private/simplesaml/config ./private/simplesamlphp/config
cp -r ./private/simplesaml/metadata ./private/simplesamlphp/metadata

Clean up and remove the downloaded files

rm main.zip
rm simplesamlphp-latest.tar.gz

  • Log in to the website and activate the plugin.

  • Settings can be configured under Settings -> Simplesamlphp auth.

  • Log out and then log in to the site; you should be redirected to SimpleSAMLphp authentication.

To apply updates to simplesamlphp

rm -r private/simplesamlphp
rm -r simplesaml

wget "https://simplesamlphp.org/download?latest" -O simplesamlphp-latest.tar.gz
mkdir -p private/simplesamlphp
tar -zxf simplesamlphp-latest.tar.gz -C private/simplesamlphp --strip-components 1
ln -s private/simplesamlphp/www simplesaml

rm -r private/simplesamlphp/cert
cp -r private/simplesaml/cert private/simplesamlphp/cert

rm -r private/simplesamlphp/config
rm -r private/simplesamlphp/metadata
cp -r ./private/simplesaml/config ./private/simplesamlphp/config
cp -r ./private/simplesaml/metadata ./private/simplesamlphp/metadata

#clean up
rm simplesamlphp-la

Go Live

  • Make sure your certs are on the live site by going to SITE_URL/simplesaml/module.php/saml/sp/metadata.php/cornell?output=xhtml and verifying that the metadata matches the saml.cert file.

  • Register your saml.cert metadata with Cornell IDM: https://confluence.cornell.edu/display/SHIBBOLETH/Shibboleth+at+Cornell+Page

  • Test authentication sources before enabling the plugin by going to SITE_URL/simplesaml/module.php/core/authenticate.php?as=cornell

  • If you can log in successfully using the Test authentication cornell source, then you can enable the plugin on the live site.
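
The metadata check in the first Go Live step, as an added example (not part of the plugin or its README): a shell helper that compares the base64 body of the generated certificate with every X509Certificate element in the SP metadata. It assumes the metadata has been saved as raw XML; the function names, file names and certificate body are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: is this PEM certificate the one published in the SP metadata?

# Base64 body of the first certificate in a PEM file, whitespace removed.
pem_body() {
  awk '/-----BEGIN CERTIFICATE-----/ {on=1; next}
       /-----END CERTIFICATE-----/   {exit}
       on {gsub(/[ \t\r]/, ""); printf "%s", $0}' "$1"
}

# Every X509Certificate value in a metadata XML file, one per line.
metadata_certs() {
  tr -d ' \t\r\n' < "$1" |
    grep -oE '<([A-Za-z0-9]+:)?X509Certificate>[^<]*' |
    sed 's/^<[^>]*>//'
}

# Exit 0 if the certificate is published, 1 if not, 2 if the PEM is unreadable.
cert_matches_metadata() {
  local want
  want=$(pem_body "$1")
  [ -n "$want" ] || { echo "no certificate found in $1" >&2; return 2; }
  metadata_certs "$2" | grep -qxF -- "$want"
}

# Constructed sample data (not a real certificate): a PEM file, metadata that
# publishes the same body, and metadata that publishes a different one.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TUlJQ29uc3RydWN0ZWRTYW1wbGVDZXJ0' \
  'Qm9keUZvckRlbW9Pbmx5' '-----END CERTIFICATE-----' > "$demo/saml.crt"
cat > "$demo/good.xml" <<'EOF'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example.org/sp">
  <md:SPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>TUlJQ29uc3RydWN0ZWRTYW1wbGVDZXJ0Qm9keUZvckRlbW9Pbmx5</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
sed 's/TUlJ/QUJD/' "$demo/good.xml" > "$demo/stale.xml"

for md in good.xml stale.xml; do
  if cert_matches_metadata "$demo/saml.crt" "$demo/$md"; then
    echo "$md: certificate is published in the metadata"
  else
    echo "$md: MISMATCH, the site is serving a different certificate"
  fi
done
```

On a real site, pass private/simplesaml/cert/saml.crt and a saved copy of the SP metadata XML to cert_matches_metadata. A mismatch usually means the cert directory was not copied back after a SimpleSAMLphp update.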

Sites using this plugin.