Topics Map > WordPress
Topics Map > Application Hosting > Shibboleth (NetID) Login

Web Hosting - WordPress NetID Login via Shibboleth

This document provides a basic guideline for integrating NetID login via Shibboleth into a custom instance of WordPress.

By default, DoIT Web Hosting provides NetID login integration services and your site will already be NetID Login capable. Web Hosting - Using NetID or Wisconsin Federated login

Install a trusted SAML/Shibboleth Single Sign plugin via https://wordpress.org/plugins/ or another trusted source.
Do not use the defunct UW Communications plugin. It is not compatible with modern versions of PHP and has other issues.
miniOrange can also provide SAML authentication for a WordPress site.

Follow the instructions of the Shibboleth Plugin and we recommend starting on your Test environment Web Hosting - Test Site Utilization

NOTE: Many plugins will attempt to set the appropriate directives in WordPress’s .htaccess file automatically. If not, you will need to manually add the entry for Shibboleth and exemption from the default rewrite rules, which can interfere with Shibboleth if not in place.

At the beginning of the .htaccess file:

# Shibboleth quick-exit from rewrite rules
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/Shibboleth.sso($|/)
RewriteRule . - [L]

# Require Lazy Session

AuthType shibboleth
ShibDisable Off
ShibRequestSetting applicationId yourdomain.wisc.edu

ShibRequestSetting requireSession 0

Some of the common settings the plugins will require:

General:

Logout URL: https://yourdomain.wisc.edu/Shibboleth.sso/Logout

Users:

Username: uid

Nickname: uid

Displayname: uid

Email: eppn

NOTES:

uid and eppn are Shibboleth attributes that are delivered by default. If you require custom attributes like email, firstname, lastname, etc. you will need to submit an Identity data integration request
- https://it.wisc.edu/services/identity-access-management-work-request/
If you select the managed option, you cannot manually change them. An example of when you may not want a field managed is an email address. eppn is an email address in the form of netid@wisc.edu but is not necessarily the preferred email address of the user.

You will also want to uncheck "Update User Roles" if your site is protected at the root and add Require valid-user:

AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
ShibUseHeaders On

miniOrange install:

- Download and install the miniOrange plugin
- To configure with the IDP enter https://login.wisc.edu/idp/shibboleth for prod and https://loginqa.wisc.edu/idp/shibboleth for the Metadata URL and fetch.
- Download the Metadata XML file, which will need to modified.
  - Set the NameIDFormat attribute to emailAddress: <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat> and from the "EntityDescriptor" line, remove validUntil and cacheDuration.
- Contact IAM to upload to the campus IDP.

Keywords:

NetId, login, shibboleth, access, SAML, single sign in, plugin in, IDP, attributes, entity ID, sessions, lazy sessions, rewrite rules

Doc ID:

101621

Owned by:

Jake S. in DoIT Web Hosting

Created:

2020-05-01

Updated:

2025-08-12

Sites:

DoIT Web Hosting

0 0 Comment Suggest new doc