WordPress and SSO integration with Okta
Hi. I am new to WordPress and we are thinking of using Okta for our SSO solution. I did not find any Okta plugins for WordPress. Do you have plans for this? If not, is the SAML 2.0 SSO plugin the way to go for this then?
We have successfully used Okta to authenticate for WP. It's simply a matter of creating a SAML2 Template app to handle the authentication and then creating bookmarks that link to that SAML app's URL in a particular way.
You get the base part of the URL by going to the signup tab of your SAML app, and clicking the link for the setup instructions. Go down until you find the URL for the "Redirect Login URL" and just add the relay state to that.
Contact your account executive to get the exact details. I've already asked, "why not make it easier", since it's always the same so they could make it a lot simpler.
The ONLY issue I've encountered (and it's a doozy) is that this plugin doesn't seem to honor the RelayState. If you are not already logged in when the authentication is resolved, you end up on the wp-admin. If it's the second time you followed the link, then you end up where you expect.
Oh, and I can’t logout without manually deleting all my cookies
I should have said that the issues I’ve encountered seem to be with the plugin NOT Okta.
Incidentally, to "fix" the issue with relay state (and you're going to want to fix it if you're using Okta), you need to edit lib/classes/saml_client.php at line 150 or so, where you'll see
you want to change it to:
$current_url = ((isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") ? "https://" : "http://") . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]; // parentheses around the ternary: PHP binds "." tighter than "?:", so without them the https branch yields only "https://"
wp_redirect($current_url); // reload the current page instead of the original wp_redirect(get_admin_url());
exit();
This will have the SAML login reload the current page (if I read the rest of the code correctly, that should be "/"… which may be a bad assumption if it's using a string and not asking for the home_url()) rather than wp_login. The reason we're doing a redirect to the current page is that the simulated signon does not seem to set the current user; it only creates the necessary cookies. By redirecting to some page, it is not necessary to set the current user. So we redirect to the current page. I hate the extra redirect, but it's the smallest possible change that has the effect we need.
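As an added illustration (not code from the thread or from the plugin), the two helpers below show the same idea from a defender's side: build the current-page URL with the precedence fixed, and only follow a RelayState that names a path on this site, so a SAML response cannot be used to bounce the browser elsewhere. The function names, the `RelayState` POST field (the SAML HTTP-POST binding carries it as a form field) and the use of WordPress core's `wp_safe_redirect()` are my assumptions about where this would sit in the plugin.

```php
<?php
// Added example, not the plugin's own code. Hypothetical helper names.

// Build the URL of the current request. The outer parentheses keep the
// scheme separate from the host/path concatenation; PHP's "." binds
// tighter than "?:", so the unparenthesised form returns just "https://".
function current_request_url(array $server): string
{
    $is_https = isset($server['HTTPS']) && $server['HTTPS'] === 'on';
    $scheme   = $is_https ? 'https://' : 'http://';
    return $scheme . $server['SERVER_NAME'] . ($server['REQUEST_URI'] ?? '/');
}

// Accept a RelayState only when it is a site-local path: no scheme, no host,
// no protocol-relative "//" or "/\" prefix. Anything else falls back to the
// supplied default, so the IdP round-trip cannot turn into an open redirect.
function safe_relay_state_path(?string $relay_state, string $fallback = '/'): string
{
    if ($relay_state === null || $relay_state === '') {
        return $fallback;
    }
    $parts = parse_url($relay_state);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;               // absolute or protocol-relative URL
    }
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/'
        || strpos($path, '//') === 0 || strpos($path, '/\\') === 0) {
        return $fallback;               // relative path or browser-normalised "//"
    }
    $result = $path;
    if (isset($parts['query'])) {
        $result .= '?' . $parts['query'];
    }
    return $result;
}

// Where the plugin currently calls wp_redirect(get_admin_url()) after the
// simulated sign-on, the replacement would look like this (constructed usage):
//
//   $target = safe_relay_state_path($_POST['RelayState'] ?? null,
//                                   current_request_url($_SERVER));
//   wp_safe_redirect($target);   // WordPress core: refuses off-site hosts
//   exit();
```

`wp_safe_redirect()` adds a second line of defence by checking the host against the site's allowed list, but validating the RelayState first means a rejected value lands the user on the current page rather than on `wp-admin`, which is the behaviour the thread is after.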
I’m currently working to get your plugin integrated with Okta. I see Mr. Adam was able to get this working successfully but I haven’t been that lucky yet 🙁 I am working with someone from Okta as they’re interested in this being successful as well.
We tried several different config scenarios last week and the best we could do is hit an error page in WordPress. The errors didn’t help too much so my Okta contact wanted to know if you could assist so he could understand exactly what values he needs to provide from his side. Would either the developer or Adam be able to assist in this? Adam might be a better resource since he’s been successful with Okta.
If we can get this working I’d be more than happy to provide the info used so you can build in support for Okta. I haven’t found another plugin comparable so I’m very invested in seeing this continue to be a success moving forward.
Your help is greatly appreciated and I look forward to speaking with someone.
Does anyone check this forum? I still need some help please.
I don’t typically check this forum so I apologize for not getting back to you.
It would be immensely helpful if you would provide information about the errors.
However, having just moved the plugin from a test to a production environment, I can give you a few pointers:
1) Turn on debugging; it can help.
2) Check the database for the relevant entry in wp_options. At some point, the options are supposed to change a value from some URL that you won't recognize (it's an obvious placeholder) to the value that is set as the URL that identifies this particular IdP. If you get an error along the lines of "IdP does not match", this is the likely source of your problems.
3) In your Okta app, make sure that your postback URL is 'http://briansdomain.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/saml2-acs.php/1', the recipient is 'http://briansdomain.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/saml2-acs.php/1' and your Audience Restriction is 'http://briansdomain.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/metadata.php/1'. The last one caused me troubles.
Otherwise, I'm afraid you're in for a LOT of var_dump and wp_die debugging. It's what I had to do to figure out 2 and 3.
Based on your earlier comment (above) where you said you could not logout without manually deleting your cookies, can you please care to comment on the other topic I posted, which sounds similar? http://wordpress.org/support/topic/30-minute-time-out-set-somewhere?replies=1
Okta Community site has an article on this: