This plugin is designed to support integrating your WordPress or WordPress MU
blog into your existing identity management infrastructure using a
Shibboleth Service Provider.
WordPress can be configured so that all standard login requests will be sent to
your configured Shibboleth Identity Provider or Discovery Service. Upon
successful authentication, a new WordPress account will be automatically
provisioned for the user if one does not already exist. User attributes
(username, first name, last name, display name, nickname, and email address)
can be synchronized with your enterprise’s system of record each time the user
logs into WordPress.
Finally, the user’s role within WordPress can be automatically set (and
continually updated) based on any attribute Shibboleth provides. For example,
you may decide to give users with an eduPersonAffiliation value of faculty
the WordPress role of editor, while the eduPersonAffiliation value of
student maps to the WordPress role contributor. Or you may choose to limit
access to WordPress altogether using a special eduPersonEntitlement value.
Contribute on GitHub
First and foremost, you must have the Shibboleth Service Provider properly
installed and working. If you don’t have Shibboleth working yet, I assure
you that you won’t get this plugin to work. This plugin expects Shibboleth to
be configured to use “lazy sessions”, so ensure that you have Shibboleth
configured with requireSession set to “false”. Upon activation, the plugin
will attempt to set the appropriate directives in WordPress’s .htaccess file.
If it is unable to do so, you can add this manually:
AuthType shibboleth Require shibboleth
The option to automatically login the users into WordPress also works when not
using the lazy session options as it will force login into WordPress. In other
words, if the user has an active session and you are requiring authentication
to access this WordPress site and they need to be logged into WordPress, then
they will be logged in without having to use the WordPress login page.
This works very well for sites that use WordPress for internal ticketing and
helpdesk functions where any access to content requires authentication.
Consider the following .htaccess options when used in conjunction with the
automatic login feature
AuthType shibboleth ShibRequestSetting requireSession 1 Require valid-user
Authtype shibboleth ShibRequestSetting requireSession 1 Require isMemberOf group1 group2 Require sAMAccountName user1 user 2
NOTE: If the plugin is successful in updating your .htaccess file, it will
place the option between a marked block:
If you add more options, you may want to consider moving all configuration
options out of this block as they will be cleared out upon deactivation
of the plugin.
For single-user WordPress
shibboleth folder to your WordPress plugins folder (probably
/wp-content/plugins), and activate it through the WordPress admin panel.
Configure it from the Shibboleth settings page.
For WordPress MU
Shibboleth works equally well with WordPress MU using either vhosts or folders
for blogs. Upload the
shibboleth folder to your
/wp-content/mu-plugins). Move the file
shibboleth folder up one directory so that it is in
shibboleth folder. No need to activate it, just configure it
from the Shibboleth settings page, found under “Site Admin”.
- What is Shibboleth?
From the Shibboleth homepage:
The Shibboleth System is a standards based, open source software package for
web single sign-on across or within organizational boundaries. It allows
sites to make informed authorization decisions for individual access of
protected online resources in a privacy-preserving manner.
- Can I extend the Shibboleth plugin to provide custom logic?
Yes, the plugin provides a number of new actions and filters that can
be used to extend the functionality of the plugin. Search
occurances of the function calls
do_actionto find them
all. Then write a new plugin that makes use of the hooks. If your require
additional hooks to allow for extending other parts of the plugin, please
notify the plugin authors via the support forum.
Before extending the plugin in this manner, please ensure that it is not
actually more appropriate to add this logic to Shibboleth. It may make more
sense to add a new attribute to your Shibboleth Identity Provider’s attribute
store (e.g. LDAP directory), or a new attribute definition to the Identity
Provider’s internal attribute resolver or the Shibboleth Service Provider’s
internal attribute extractor. In the end, the Shibboleth administrator will
have to make that call as to what is most appropriate.
Contributors & Developers
“Shibboleth” is open source software. The following people have contributed to this plugin.Contributors
version 1.7 (2016-03-20)
- fixed a security vulnerability reported by WordPress security team
- load multisite options correctly; thanks to jdelsemme for reporting
- updated htaccess setting strings; props dericcrago
- fix reauth loop; props jrchamp
- set l10n text domain; props jrchamp
version 1.6 (2014-04-07)
- tested for compatibility with recent WordPress versions; now requires WordPress 3.3
- options screen now limited to admins; props billjojo
- new option to auto-login using Shibboleth; props billjojo
- remove workaround for MU
add_site_option; props billjojo
version 1.5 (2012-10-01)
- Bugfix: check for
Shib_Session_IDas well as
Shib-Session-IDout of the box. Props David Smith
version 1.4 (2010-08-30)
- tested for compatibility with WordPress 3.0
- new hooks for developers to override the default user role mapping controls
- now applies
sanitize_name()to the Shibboleth user’s
version 1.3 (2009-10-02)
- required WordPress version bumped to 2.8
- much cleaner integration with WordPress authentication system
- individual user profile fields can be designated as managed by Shibboleth
- start of support for i18n. If anyone is willing to provide translations, please contact the plugin author
version 1.2 (2009-04-21)
- fix bug where shibboleth users couldn’t update their profile. (props pchapman on bug report)
- fix bug where local logins were being sent to shibboleth
version 1.1 (2009-03-16)
- cleaner integration with WordPress login form (now uses a custom action instead of hijacking the standard login action)
- add option for enterprise password change URL — shown on user profile page.
- add option for enterprise password reset URL — Shibboleth users are auto-redirected here if attempt WP password reset.
- add plugin deactivation hook to remove .htaccess rules
- add option to specify Shibboleth header for user nickname
- add filters for all user attributes and user role (allow other plugins to override these values)
- much cleaner interface on user edit admin page
- fix bug with options being overwritten in WordPress MU
version 1.0 (2009-03-14)
- now works properly with WordPress MU
- move Shibboleth menu to Site Admin for WordPress MU (props: Chris Bland)
- lots of code cleanup and documentation
- initial public release