Web Hosting - WordPress NetID Login via Shibboleth

This document provides a basic guideline for integrating NetID login via Shibboleth into a custom instance of WordPress.

By default, DoIT Web Hosting provides NetID login integration services, and your site should already be NetID login capable. See: Web Hosting - Using NetID or Wisconsin Federated login

1.  Start on your equivalent Test environment (see: Web Hosting - Test Site Utilization).

-- Install a trusted SAML/Shibboleth Single Sign-On plugin via https://wordpress.org/plugins/ or another trusted source.

2.  Follow the plugin's installation instructions.

NOTE: Many plugins will attempt to set the appropriate directives in WordPress's .htaccess file automatically. If yours does not, you will need to manually add the entry for Shibboleth and the exemption from the default rewrite rules; without the exemption, the default rewrite rules can interfere with Shibboleth.

At the beginning of the .htaccess file:

# Shibboleth quick-exit from rewrite rules
 RewriteEngine on
 RewriteCond %{REQUEST_URI} ^/Shibboleth.sso($|/)
 RewriteRule . - [L]


# Require Lazy Session
AuthType shibboleth
ShibDisable Off
ShibRequestSetting applicationId yourdomain.wisc.edu
ShibRequestSetting requireSession 0


3.  Some of the common settings the plugins will require:

General:

Login URL: https://yourdomain.wisc.edu/Shibboleth.sso/Login

Logout URL: https://yourdomain.wisc.edu/Shibboleth.sso/Logout

Users:

Username: uid
Nickname: uid
Displayname: uid
Email: eppn

NOTES:
  • uid and eppn are Shibboleth attributes that are delivered by default.  If you require custom attributes like email, firstname, lastname, etc., you will need to submit an Identity data integration request via https://it.wisc.edu/services/iam/
  • If you select the managed option for a field, you will not be able to change it manually.  An example of a field you may not want managed is the email address: eppn is an email address in the form of netid@wisc.edu but is not necessarily the preferred email address of the user.

You will also want to uncheck "Update User Roles" if your site is protected at the root.  You'll also need to add Require valid-user:

AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
ShibUseHeaders On
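
A quick way to confirm that a Test-site .htaccess has the pieces described above in the right order. This is an added example, not part of the original document or of any plugin; the function name lint_htaccess and the sample file contents are constructed for illustration, and the check assumes WordPress's standard catch-all rewrite to /index.php.

```python
import re

# Constructed sample .htaccess contents for the check below (not from a real site).
WP_BLOCK = """# BEGIN WordPress
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""
SHIB_EXIT = """RewriteEngine on
RewriteCond %{REQUEST_URI} ^/Shibboleth.sso($|/)
RewriteRule . - [L]
"""
GOOD = SHIB_EXIT + "AuthType shibboleth\nShibRequestSetting requireSession 1\nRequire valid-user\n" + WP_BLOCK
BAD = WP_BLOCK + SHIB_EXIT + "AuthType shibboleth\nShibRequestSetting requireSession 1\n"

def lint_htaccess(text):
    """Return a list of findings for the Shibboleth directives described on this page."""
    # Keep original line numbers; drop blank lines and comments.
    active = [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1)
              if l.strip() and not l.strip().startswith("#")]
    findings = []
    def first(pattern):
        return next((n for n, l in active if re.match(pattern, l, re.I)), None)
    # The quick-exit is a RewriteCond on /Shibboleth.sso followed by a "- [L]" rule.
    exit_line = None
    for (n, l), (_, nxt) in zip(active, active[1:]):
        if re.match(r"RewriteCond\s+%\{REQUEST_URI\}\s+\^/Shibboleth", l, re.I) \
                and re.match(r"RewriteRule\s+\S+\s+-\s+\[[^\]]*\bL\b", nxt, re.I):
            exit_line = n
            break
    # WordPress's catch-all rewrite sends every other request to index.php.
    wp_line = first(r"RewriteRule\s+\S+\s+/?index\.php\b")
    if exit_line is None:
        findings.append("missing Shibboleth.sso quick-exit rule")
    elif wp_line is not None and wp_line < exit_line:
        findings.append("quick-exit rule is after the WordPress rewrite (line %d)" % wp_line)
    if first(r"AuthType\s+shibboleth\b") is None:
        findings.append("missing AuthType shibboleth")
    # A forced session (requireSession 1) also needs an authorization rule.
    forced = first(r"ShibRequestSetting\s+requireSession\s+(1|true)\b")
    if forced is not None and first(r"Require\s+(valid-user|shib-session)\b") is None:
        findings.append("requireSession 1 without Require valid-user")
    return findings

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_htaccess(sample) or "ok")
```

An empty list means the quick-exit rule precedes the WordPress rewrite and a forced session is paired with an authorization rule; a lazy-session file (requireSession 0) passes without Require valid-user.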


Keywords: NetId, login, shibboleth, access, SAML, single sign in, plugin in, IDP, attributes, entity ID, sessions, lazy sessions, rewrite rules
Doc ID: 101621
Owner: Jake S.
Group: DoIT Web Hosting
Created: 2020-05-01 08:38 CDT
Updated: 2020-10-06 14:02 CDT
Sites: DoIT Web Hosting