Wednesday, 16 October 2019

Keycloak WordPress

Keycloak SAML SSO with WordPress

This blog post describes setting up WordPress SAML SSO with Keycloak as the Identity Provider (IdP), using the miniOrange SAML plugin as the Service Provider (SP).

  1. Start WordPress and install the miniOrange SSO using SAML 2.0 plugin.
  2. Start the Keycloak server in administrator mode.
  3. In your Keycloak admin console, select the realm that you want to use.
  4. From the left menu, select Clients.
  5. Create a new client/application and configure the following:

Client ID                   –   The SP-EntityID / Issuer from the WordPress plugin under the Identity Provider tab
Name                        –   Provide a name for this client (e.g. WordPress)
Description                 –   Provide a description (e.g. WordPress site)
Enabled                     –   ON
Client Protocol             –   SAML
Include AuthnStatement      –   ON
Sign Documents              –   ON
Sign Assertions             –   ON
Signature Algorithm         –   RSA_SHA256
Canonicalization Method     –   EXCLUSIVE
Force Name ID Format        –   ON
Name ID Format              –   Email
Root URL                    –   The ACS (Assertion Consumer Service) URL from the WordPress plugin under the Identity Provider tab
Valid Redirect URIs         –   The ACS (Assertion Consumer Service) URL from the WordPress plugin under the Identity Provider tab

  6. Under Fine Grain SAML Endpoint Configuration, configure the following:

Assertion Consumer Service POST Binding URL   –   The ACS (Assertion Consumer Service) URL from the WordPress plugin under the Identity Provider tab

  7. Click on Save.

Configuring WordPress as SP

  8. Go to http://<YOUR_DOMAIN>/auth/realms/{YOUR_REALM}/protocol/saml/descriptor. This will open the IdP metadata XML in the browser.

  9. In the miniOrange SAML plugin, go to the Service Provider tab. Enter the following values:

Identity Provider Name      –   Keycloak
IdP Entity ID or Issuer     –   Search the XML for entityID. Enter its value in this textbox.
SAML Login URL              –   Search the XML for SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect". Enter its Location value in the textbox.
X.509 Certificate           –   Enter the X509Certificate tag value in this textbox
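Copying the three values out of the descriptor by hand is error-prone (the certificate in particular is easy to truncate), so here is an added example that pulls them out of the metadata XML programmatically. This is not code from the original post or from the miniOrange plugin; the descriptor embedded below is constructed for the example, and its entityID, URLs and certificate bytes are placeholders, not values from a real realm. The script also prints the SHA-256 fingerprint of the signing certificate so you can compare it against what the Keycloak realm's Keys tab shows before pasting it into the plugin.

```python
"""Extract the miniOrange 'Service Provider' tab values from a Keycloak SAML descriptor.

Added example; not part of the original post or the miniOrange plugin. The
descriptor XML below is constructed for this example: the entityID, URLs and
certificate bytes are placeholders, not values from a real realm.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder standing in for the DER bytes of the realm's signing certificate.
SAMPLE_CERT_DER = b"placeholder-der-bytes-not-a-real-certificate"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()

# Constructed descriptor in the shape Keycloak serves at
# /auth/realms/{realm}/protocol/saml/descriptor (older releases wrap it in EntitiesDescriptor).
SAMPLE_DESCRIPTOR = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}">
  <md:EntityDescriptor entityID="http://keycloak.example.test/auth/realms/demo">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:KeyName>demo-signing-key</ds:KeyName>
          <ds:X509Data>
            <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://keycloak.example.test/auth/realms/demo/protocol/saml"/>
      <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
          Location="http://keycloak.example.test/auth/realms/demo/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def cert_fingerprint_sha256(b64_cert: str) -> str:
    """SHA-256 fingerprint ("AA:BB:...") of a base64 DER certificate as copied from X509Certificate.

    Whitespace and line breaks are stripped first, because the value is often
    pasted with PEM-style wrapping, which would otherwise corrupt the decode.
    """
    der = base64.b64decode("".join(b64_cert.split()), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_descriptor(xml_text: str) -> dict:
    """Return the values the plugin's Service Provider tab asks for.

    The descriptor is fetched from your own IdP; if you ever parse metadata
    from an untrusted source, use defusedxml instead of the stdlib parser.
    """
    root = ET.fromstring(xml_text)
    # The root may be the EntityDescriptor itself or an EntitiesDescriptor wrapping one.
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        entity = root
    else:
        entity = root.find("md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("no EntityDescriptor in descriptor")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not an IdP descriptor")

    # The plugin's SAML Login URL is the Location of the HTTP-Redirect SSO binding.
    sso_redirect = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            sso_redirect = svc.get("Location")
    if sso_redirect is None:
        raise ValueError("IdP advertises no HTTP-Redirect SingleSignOnService")

    # Prefer the key marked use="signing"; a KeyDescriptor with no 'use' is valid for both.
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert = "".join(node.text.split())
                break
    if cert is None:
        raise ValueError("no signing certificate in descriptor")

    return {
        "idp_entity_id": entity.get("entityID"),
        "saml_login_url": sso_redirect,
        "x509_certificate": cert,
        # Compare against the fingerprint shown in the realm's Keys tab before saving.
        "cert_sha256_fingerprint": cert_fingerprint_sha256(cert),
    }


if __name__ == "__main__":
    for key, value in parse_idp_descriptor(SAMPLE_DESCRIPTOR).items():
        print(f"{key}: {value}")
```

Run it against the real descriptor by reading the XML you downloaded in the previous step into `parse_idp_descriptor`. The function fails loudly rather than guessing when the IdP advertises no HTTP-Redirect binding or no signing certificate, since either gap means the plugin would be configured with an empty field.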

  10. In the miniOrange SAML plugin, go to the Attribute/Role Mapping tab. Enter the following values:

Username    –   Name of the username attribute from the IdP (keep NameID by default)
Email       –   Name of the email attribute from the IdP (keep NameID by default)
FirstName   –   Name of the firstname attribute from the IdP
LastName    –   Name of the lastname attribute from the IdP

  11. Under the Role Mapping section, configure which GROUP value coming in the SAML response is mapped to which role in WordPress. The group value in the SAML response is matched against the mapping configured here, and the user is assigned the corresponding WordPress role. Keep the remaining values as they are. Click Save.
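To make the attribute and role mapping of steps 10 and 11 concrete, here is an added example that takes a SAML assertion shaped like the one Keycloak sends for this client (NameID in Email format, plus an AttributeStatement) and produces the WordPress user record and role. It is not the plugin's code and does not claim to reproduce its exact matching rules; the mapping semantics are written from scratch for illustration. The assertion is constructed and unsigned, and the attribute names `email`, `firstName`, `lastName` and `group` are assumed names for the mappers you configure on the Keycloak client, not Keycloak defaults.

```python
"""Map a Keycloak SAML assertion onto a WordPress user record and role.

Added example, not code from the original post or from the miniOrange plugin.
The assertion below is constructed and unsigned; the attribute names are assumed
mapper names, not Keycloak defaults.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute mapping as entered in the plugin tab; "NameID" means "use the subject NameID".
ATTRIBUTE_MAP = {
    "username": "NameID",
    "email": "NameID",
    "first_name": "firstName",
    "last_name": "lastName",
}
GROUP_ATTRIBUTE = "group"
# Role mapping section: SAML group value -> WordPress role. Unmapped users get DEFAULT_ROLE.
ROLE_MAP = {"/wp-admins": "administrator", "/editors": "editor", "/staff": "subscriber"}
DEFAULT_ROLE = "subscriber"
# A user can be in several mapped groups; the winner must be chosen deterministically.
# This list ranks roles least privileged first. Use min() instead of max() in
# resolve_role if your policy is to grant the lowest matching role.
ROLE_PRECEDENCE = ["subscriber", "contributor", "author", "editor", "administrator"]

# Constructed Response: the shape Keycloak produces with Name ID Format = Email
# and attribute mappers named email/firstName/lastName plus a group-list mapper.
SAMPLE_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-response-1" Version="2.0">
  <saml:Assertion ID="_constructed-assertion-1" Version="2.0">
    <saml:Issuer>http://keycloak.example.test/auth/realms/demo</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>/editors</saml:AttributeValue>
        <saml:AttributeValue>/staff</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_assertion(xml_text: str):
    """Return (name_id, {attribute_name: [values]}) from a Response or bare Assertion.

    This only reads the document. Signature validation against the IdP certificate
    from the Service Provider tab is the SP's job and must succeed before any of
    these values are trusted; the Sign Assertions setting exists for that reason.
    """
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{NS['saml']}}}Assertion":
        assertion = root
    else:
        assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element found")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def resolve_role(groups, role_map=ROLE_MAP, default=DEFAULT_ROLE, precedence=ROLE_PRECEDENCE):
    """Pick one WordPress role from the user's group values, falling back to the default."""
    matched = {role_map[g] for g in groups if g in role_map}
    if not matched:
        return default
    return max(matched, key=precedence.index)


def map_user(xml_text: str) -> dict:
    """Build the WordPress user record the plugin would create or update."""
    name_id, attrs = parse_assertion(xml_text)
    if not name_id:
        raise ValueError("assertion has no NameID; the plugin cannot identify the user")

    def pick(field):
        source = ATTRIBUTE_MAP[field]
        if source == "NameID":
            return name_id
        values = attrs.get(source, [])
        return values[0] if values else ""

    user = {field: pick(field) for field in ATTRIBUTE_MAP}
    user["role"] = resolve_role(attrs.get(GROUP_ATTRIBUTE, []))
    return user


if __name__ == "__main__":
    print(map_user(SAMPLE_ASSERTION))
```

The point worth carrying back to the plugin settings is the last step: a user who belongs to more than one mapped group gets whichever role your tie-break rule selects, so decide that rule explicitly rather than relying on the order groups happen to appear in the response.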
  12. Go to the SSO Login Settings tab. Under Use a Widget, enable "Check this option if you want to add a Widget to your page".

      12.1. Go to Appearance > Widgets.
      12.2. Select "Login with Keycloak". Drag and drop it to your preferred location and save.

  13. Open the URL: http://localhost/wordpress

  14. Click on Login with Keycloak; you will be redirected to the Keycloak authentication page.

  15. Log in with a registered email and password.

You will see that it redirects back to WordPress and the user is logged in.
