@cmbaughman
Created May 1, 2015 19:00
Set up Salesforce as an Identity Provider for Single Sign On with Wordpress

## WordPress Side:

  1. On WP, install the plugin SAML 2.0 Single Sign-On.

  2. Once it is installed, copy and paste the section “Your SAML Info” into an email.

  3. Make sure to check only the box labeled “Allow SSO Bypass”.

  4. Click the Service Provider tab, check “Generate new certificate and private key for me.”, then click Update at the bottom of the page.

  5. Again in the Service Provider tab, click the download link and mail the cert back to us.

The remaining steps cannot be done until a domain is created under Music and memory’s Security Controls -> Identity Provider.

## Salesforce Side:

  1. Under Domain Management, click My Domain and create a new domain.

  2. Security Controls -> Single Sign-On Settings -> check the SAML Enabled box.

  3. Security Controls -> Identity Provider -> New; generate and download the Certificate and the Metadata. Label them appropriately and keep them in a safe place.

  4. Setup -> Create -> Apps -> New Connected App. Fill in all the fields you can; when you get to Web App Settings, use:
     - Start URL: the WP URL
     - Enable SAML: checked
     - Entity Id: from the WP SAML plugin “Your SAML Info” section
     - ACS URL: from the WP SAML plugin “Your SAML Info” section
     - Subject Name: Username
     - Name Id Format: select the one that ends in persistent
     - Issuer: the new domain created under Identity Provider above
     - Verify Request Signatures: checked; upload the cert from the WordPress side
     - Encrypt SAML: unchecked (for debugging; then checked)

  5. Save that config, then on the “Apps” screen select “Manage” beside your app.

  6. Add the Profiles that are needed! (If you add none, it will not work.)

  7. Create a new “Custom Attribute” called memberOf whose value is $UserRole.Name. (This is the mapping for now, until we determine whether they want to use something other than roles to map to WP.)

  8. Click “Download Metadata” and save the file, then copy the IdP-Initiated Login URL.

## WordPress Revisited:

  1. Click Settings -> Single Sign On -> Identity Provider tab and fill in:
     - IdP name: custom domain from SF
     - URL Identifier: custom domain from SF
     - Single Sign-On Url: the URL from SF labeled "IdP-Initiated Login URL"
     - Certificate Fingerprint: on the certificate you downloaded from Salesforce, run the following command in a terminal: `cat YOUR_CERT_FILE.crt | openssl x509 -fingerprint`. That will give you the fingerprint value for this field.

  2. Click Service Provider -> for NameID, select the option that ends with emailAddress.

  3. Attribute for username: username

  4. Attribute for email: email

  5. Attribute to be used as Groups: memberOf

  6. For the Administrators group, and for every other group, the values are the Salesforce Role names whose members should have those rights in WP.

  7. Check the box labeled “Allow Unlisted Users” until we are done testing and are satisfied with all the groups and such.

  8. Click the General tab and make certain that “Allow SSO Bypass” is selected. Then also check the “Enable SAML Authentication” box.

To test, open an Incognito Chrome window and type the URL of the WP site. Click Login and you should be taken to SF to log in; you should then be redirected to the WP admin.
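The URL Identifier and Certificate Fingerprint values for the Identity Provider tab can be read straight out of the metadata downloaded from Salesforce, and the fingerprint should agree with what `openssl x509 -fingerprint` prints for the downloaded .crt. This added script (not part of the gist or of either product) does exactly that with the standard library; the metadata, domain and certificate body are constructed placeholders, not real Salesforce output.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the metadata downloaded in Salesforce step 8: the domain is a
# placeholder and the X509Certificate body "YWJj" is base64 of "abc", not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example-org.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>YWJj</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# The same placeholder certificate as the downloaded .crt file would present it (PEM).
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-1 digest, the form `openssl x509 -fingerprint` prints."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def pem_fingerprint(pem: str) -> str:
    """Fingerprint of a PEM certificate: the DER is just the base64 body decoded."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return sha1_fingerprint(base64.b64decode(body))

def idp_settings(metadata_xml: str) -> dict:
    """Pull the values the WordPress 'Identity Provider' tab asks for out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # skip encryption-only keys
            continue
        el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if el is not None and el.text:
            cert_b64 = "".join(el.text.split())     # metadata wraps the base64 across lines
            break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")
    return {"url_identifier": root.get("entityID"),
            "certificate_fingerprint": sha1_fingerprint(base64.b64decode(cert_b64))}
```

Run `idp_settings(open("metadata.xml").read())` against the real download and compare its fingerprint with `pem_fingerprint(open("YOUR_CERT_FILE.crt").read())`; a mismatch means the cert you uploaded to WordPress is not the one Salesforce signs with.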
