Using Wordpress as identity provider to force.com site


Lloyd Silver

Aug 2, 2013, 3:40:35 PM
to simple...@googlegroups.com
I'd like to figure out if I can use Simplesaml with a WordPress site acting as the identity provider to authenticate users into a force.com site. I can't seem to find any information even on using WP as an identity provider. Does anybody know if this is possible and, if so, can you point me in the right direction?

The only thing I can think of is possibly doing some type of WordPress OpenID plugin (http://wordpress.org/plugins/openid/) and then setting up simplesaml to use the OpenID as an identity provider. But that seems like a bit of unnecessary work.

Thanks.

Sixto Martin

Aug 3, 2013, 11:24:48 AM
to simple...@googlegroups.com
Hi Lloyd,

Install and configure simpleSAMLphp as an IdP, then use a database authentication backend (connected to your WordPress database). Then connect your IdP to force.com.

This documentation will help you:
https://github.com/pitbulk/tiki-saml/blob/master/doc/tiki_wiki_as_idp.rst

It describes how to connect Tiki-Wiki (another CMS) to Salesforce.




--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
To post to this group, send email to simple...@googlegroups.com.
Visit this group at http://groups.google.com/group/simplesamlphp.
For more options, visit https://groups.google.com/groups/opt_out.
 
 



--
Sixto Pablo Martín García
Ingeniero Informático
Yaco Sistemas SL
Teléfono +34 954 50 00 57
C/Rioja 5-1ª Planta
41001 Sevilla

Peter Schober

Aug 3, 2013, 11:36:21 AM
to simple...@googlegroups.com
* Sixto Martin <sma...@yaco.es> [2013-08-03 17:25]:
> Install and configure simpleSAMLphp as an IdP, then use a database
> authentication backend (connected to your wordpress database). Then
> connect your IdP to force.com

While that would enable the reuse of the same credentials for
wordpress this does not provide SSO from wordpress into the SAML SP
(here force.com). For that to work you'd need to write your own SSP
module with a custom auth source, creating an SSP session from a
wordpress session.
Either way, you'd probably also want to pull more data from the
wordpress database, such as name, email, etc.
-peter
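Sixto's suggestion (simpleSAMLphp as IdP with a database backend on the WordPress tables) and Peter's note about also pulling name and email both come down to one custom username/password auth source. The bundled sqlauth module expects the password check to be written into the SQL query, and WordPress stores phpass portable hashes (`$P$...`, a salted, iterated MD5 construction), which that query style cannot express, so the check has to be done in PHP. The following is an added example, not code from the thread or from the simpleSAMLphp project: the module name `wpauth`, the class name, the config keys `dsn`/`username`/`password`/`table_prefix` and the attribute name `wpRole` are this example's own choices, and it is written against the simpleSAMLphp 2.x namespaced API.

```php
<?php
// Added example, not code from the thread or from simpleSAMLphp itself.
// Assumed path: modules/wpauth/src/Auth/Source/WPUserPass.php (SSP 2.x API).
declare(strict_types=1);

namespace SimpleSAML\Module\wpauth\Auth\Source;

use PDO;
use SimpleSAML\Error\Error;
use SimpleSAML\Module\core\Auth\UserPassBase;

class WPUserPass extends UserPassBase
{
    // Alphabet of the phpass portable hash WordPress stores in wp_users.user_pass ($P$...).
    private const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

    private array $cfg;   // 'dsn', 'username', 'password', 'table_prefix' (this example's own keys)

    public function __construct(array $info, array $config)
    {
        parent::__construct($info, $config);
        $this->cfg = $config + ['table_prefix' => 'wp_'];
    }

    protected function login(string $username, string $password): array
    {
        $p  = $this->cfg['table_prefix'];   // admin-controlled config value, not user input
        $db = new PDO($this->cfg['dsn'], $this->cfg['username'], $this->cfg['password'],
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

        $st = $db->prepare("SELECT ID, user_login, user_email, display_name, user_pass
                            FROM {$p}users WHERE user_login = :u");
        $st->execute([':u' => $username]);
        $row = $st->fetch(PDO::FETCH_ASSOC);

        // One error code for unknown user and wrong password: no username enumeration.
        if ($row === false || !self::checkPhpass($password, (string) $row['user_pass'])) {
            throw new Error('WRONGUSERORPASS');
        }

        // Roles are a PHP-serialized array in usermeta under '<prefix>capabilities',
        // e.g. a:1:{s:10:"subscriber";b:1;}. Objects are disallowed when unserializing DB data.
        $st = $db->prepare("SELECT meta_value FROM {$p}usermeta WHERE user_id = :id AND meta_key = :k");
        $st->execute([':id' => $row['ID'], ':k' => $p . 'capabilities']);
        $caps    = $st->fetchColumn();
        $decoded = is_string($caps) ? @unserialize($caps, ['allowed_classes' => false]) : false;
        $roles   = is_array($decoded) ? array_keys(array_filter($decoded)) : [];

        return [
            'uid'         => [$row['user_login']],
            'mail'        => [$row['user_email']],
            'displayName' => [$row['display_name']],
            'wpRole'      => array_map('strval', $roles),   // attribute name chosen for this example
        ];
    }

    // Verifies a password against a 34-character phpass portable hash ($P$ or $H$).
    // Any other format (e.g. newer bcrypt-based WordPress hashes) is rejected, not guessed at.
    public static function checkPhpass(string $password, string $stored): bool
    {
        if (strlen($stored) !== 34 || !in_array(substr($stored, 0, 3), ['$P$', '$H$'], true)) {
            return false;
        }
        $log2 = strpos(self::ITOA64, $stored[3]);
        if ($log2 === false || $log2 < 7 || $log2 > 30) {
            return false;
        }
        $count = 1 << $log2;
        $hash  = md5(substr($stored, 4, 8) . $password, true);   // salt || password
        do {
            $hash = md5($hash . $password, true);
        } while (--$count);
        $computed = substr($stored, 0, 12) . self::encode64($hash, 16);
        return hash_equals($stored, $computed);   // constant-time comparison
    }

    // phpass's own base64 variant (not RFC 4648), reproduced so the check is self-contained.
    private static function encode64(string $input, int $count): string
    {
        $out = '';
        $i = 0;
        do {
            $value = ord($input[$i++]);
            $out .= self::ITOA64[$value & 0x3f];
            if ($i < $count) { $value |= ord($input[$i]) << 8; }
            $out .= self::ITOA64[($value >> 6) & 0x3f];
            if ($i++ >= $count) { break; }
            if ($i < $count) { $value |= ord($input[$i]) << 16; }
            $out .= self::ITOA64[($value >> 12) & 0x3f];
            if ($i++ >= $count) { break; }
            $out .= self::ITOA64[($value >> 18) & 0x3f];
        } while ($i < $count);
        return $out;
    }
}
```

Register it in config/authsources.php as `['wpauth:WPUserPass', 'dsn' => ..., 'username' => ..., 'password' => ..., 'table_prefix' => 'wp_']` and give the database account SELECT on the users and usermeta tables only; the IdP never needs to write to WordPress. Every attribute value is an array, as the SSP attribute model requires, and the role list is what a later authproc filter can act on.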

Sixto Martin

Aug 3, 2013, 11:51:04 AM
to simple...@googlegroups.com
> While that would enable the reuse of the same credentials for
> wordpress this does not provide SSO from wordpress into the SAML SP
> (here force.com). For that to work you'd need to write your own SSP
> module with a custom auth source, creating a SSP session from a
> wordpress session.

You are right Peter.

I suggest that instead of implementing a custom SSP module, he use the WordPress SAML plugin (http://wordpress.org/plugins/simplesamlphp-authentication/). This way is easier: he simply sets a configuration instead of programming. (Maybe I'm forgetting something.)

Salesforce SP -------------|             SimpleSAMLphp IdP
Wordpress SP -------------|       (wordpress database backend)


That is the integration that I already have in other projects, and it seems to work fine.

 



Peter Schober

Aug 3, 2013, 1:01:01 PM
to simple...@googlegroups.com
* Sixto Martin <sma...@yaco.es> [2013-08-03 17:51]:
> > While that would enable the reuse of the same credentials for
> > wordpress this does not provide SSO from wordpress into the SAML SP
> > (here force.com). For that to work you'd need to write your own SSP
> > module with a custom auth source, creating a SSP session from a
> > wordpress session.
>
> You are right Peter.
>
> I suggest that instead implement a custom SSP module, use the Wordpress
> SAML plugin <http://wordpress.org/plugins/simplesamlphp-authentication/>.
> This way is easier, he simply set a configuration instead of programming.
> (maybe Im forgetting something)
>
> Salesforce SP -------------| SimpleSAMLphp IdP
> Wordpress SP -------------| (wordpress database backend)

Right. If you can turn your wordpress into a SAML SP then login moves
from wordpress to SSP and you'll have SSO into both wordpress as well
as force.com.
Maybe I was taking the question too literal.
-peter

Lloyd Silver

Aug 5, 2013, 12:43:46 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Thanks for the replies.

If I'm understanding the recommendation correctly, what you are suggesting is that I install simplesamlphp as an identity provider. Then I can set up WordPress (using the plugin referred to) and the force.com site as service providers taking their authentication through the simplesamlphp service.

Correct?

If so, is there a particular authentication module that would work best for this scenario?

And forgive me as I'm learning this as I go, but would it be possible to continue what we are currently doing which is users can register but they do not get access until we give them a particular user role in WP. I'm just not 100% familiar how user registration would work in this scenario.

Thanks!

Lloyd Silver

Aug 5, 2013, 12:59:15 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Another thought. I can set up WordPress to be an OpenID provider with a simple plugin. How about doing that and using the OpenID authentication module with simplesamlphp? And then the force.com site can use the simplesamlphp IdP?

Peter Schober

Aug 5, 2013, 2:53:35 AM
to simple...@googlegroups.com
* Lloyd Silver <lloyd...@gmail.com> [2013-08-05 06:43]:
> If so, is there a particular authentication module that would work
> best for this scenario?

Given that all existing users' passwords will be in a database (from
wordpress) I don't see any other options.

> And forgive me as I'm learning this as I go, but would it be
> possible to continue what we are currently doing which is users can
> register but they do not get access until we give them a particular
> user role in WP. I'm just not 100% familiar how user registration
> would work in this scenario.

Which is why I said "If you can turn your wordpress into a SAML SP".
One way would be to move everything to SSP, including user
registration (see the selfregister module, or one of the forks
available). That has obvious drawbacks, e.g. a completely changed
UI/UX for logging in to the site as well as for signing up to the
site (also technical ones, but those can be overcome). Wordpress
"roles" would continue to be assigned in wordpress but SSP would
pull those via SQL and use that for auth proc filters or SAML
attributes. While wordpress will continue to make use of its database
for role info you'll probably want to prevent anyone signing up to your
wordpress site from being able to use other SPs (force.com). So you'd have
to prevent some users from accessing certain SPs.

All of this can be done but you'll need to become very familiar with
SSP and break the task into smaller steps, for each of which the
documentation has stuff (or you can always ask here).

Personally I don't think anything gets easier by introducing yet
another protocol (OpenID is dead, btw) and bridging between those.
-peter

Sixto Martin

Aug 5, 2013, 4:40:09 AM
to simple...@googlegroups.com
Recommendation:

> What we are currently doing which is users can register but they do not get access until we give them a particular user role in WP.

You can extend the WordPress SAML plugin. In the authenticate function, before returning true, check that the user has the expected role (get the attributes with getAttributes).



P.S. I'm a freelancer. If you are interested, I could implement the solution that I described.




Peter Schober

Aug 5, 2013, 4:54:33 AM
to simple...@googlegroups.com
* Sixto Martin <sma...@yaco.es> [2013-08-05 10:40]:
> You can extend the Wordpress SAML
> Plugin<http://wordpress.org/plugins/simplesamlphp-authentication/>.
> In the authenticate function, before return true, check that the user has
> the expected role (get the attributes with
> getAttributes<http://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_6>
> )

There's no need to change Wordpress as it can continue to use its own
database for all authorization and roles, even if authentication
happens via SAML, no?

Also you'll probably need to perform authorization at the IdP for
other SPs (limit access to force.com based on wordpress roles), as I
described previously. Unless force.com is able to process SAML
attributes and deny access if certain attributes are missing.
I somehow doubt they do that.
-peter

Sixto Martin

Aug 5, 2013, 5:01:21 AM
to simple...@googlegroups.com
> There's no need to change Wordpress

You are right, he can add a filter on the IdP to deny the authentication process if the expected role is not present.




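Peter's point (authorize at the IdP, per SP, rather than relying on force.com to refuse a login when an attribute is missing) and Sixto's confirmation (a filter on the IdP that denies when the role is absent) both map onto simpleSAMLphp's authproc chain attached to the remote SP's metadata. The following is an added example, not configuration from the thread, from simpleSAMLphp or from Salesforce. It assumes an auth source registered as `wp-userpass` that exports the user's WordPress roles in a multi-valued attribute named `wpRole` and the address in `mail`; the Salesforce entity ID and AssertionConsumerService URL are placeholders to be taken from the org's SAML settings; the role names are placeholders for whatever role the WordPress admins grant on approval; `authorize:Authorize` is the filter from the simplesamlphp-module-authorize package (a separate install on 2.x). Written for simpleSAMLphp 2.x.

```php
<?php
// Added example, not configuration from the thread, simpleSAMLphp or Salesforce.
// Two fragments for the IdP host. Entity IDs, URLs, role names and the 'wpRole'
// attribute name are placeholders or assumptions.

// --- config/authsources.php: the WordPress-backed username/password source ---
$config['wp-userpass'] = [
    'wpauth:WPUserPass',                     // assumed custom auth source in a module 'wpauth'
    'dsn'          => 'mysql:host=127.0.0.1;dbname=wordpress;charset=utf8mb4',
    'username'     => 'ssp_readonly',        // grant SELECT on wp_users / wp_usermeta only
    'password'     => '...',
    'table_prefix' => 'wp_',
];

// --- metadata/saml20-sp-remote.php: the force.com SP, with per-SP authorization ---
$metadata['https://saml.salesforce.com'] = [   // entityID: placeholder, copy from Salesforce
    'AssertionConsumerService' => 'https://login.salesforce.com/?so=00D000000000000', // placeholder
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    'authproc' => [
        // 1. Refuse to issue an assertion for this SP unless an approved WordPress role
        //    is present. With 'regex' => false the listed values are matched literally.
        //    Users lacking the role are stopped here; they never reach force.com.
        40 => [
            'class'  => 'authorize:Authorize',
            'regex'  => false,
            'wpRole' => ['approved_member', 'administrator'],   // placeholder role names
        ],
        // 2. Build the NameID from the verified email attribute, not from user-editable input.
        50 => [
            'class'                => 'saml:AttributeNameID',
            'identifyingAttribute' => 'mail',
            'Format'               => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        ],
        // 3. Release only what force.com needs; the role list stays inside the IdP.
        60 => ['class' => 'core:AttributeLimit', 'mail', 'displayName'],
    ],
];
```

The order of the filters matters: authorization runs at 40 while `wpRole` is still in the attribute set, and the limit at 60 strips it before the assertion is built. Because the WordPress site itself is also an SP of this IdP, it gets its own `saml20-sp-remote` entry without the authorize filter, so newly registered users can still log in to WordPress while the admins decide whether to grant the role that unlocks force.com.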



sf geek

May 20, 2014, 8:01:17 AM
to simple...@googlegroups.com
Hi Lloyd,

Were you able to figure out how to use WordPress as identity provider? I'm also trying to implement SSO for a Force.com site. Can you please share how you achieved it?

Thanks

Lloyd Silver

May 20, 2014, 1:28:14 PM
to simple...@googlegroups.com

So far I haven’t been able to figure it out. I’m actually working on the installation right now. I think the easiest solution, although I’m not done implementing, is to use the SAML 2.0 plugin for WordPress and set WordPress up as a service provider and use Salesforce as the identity provider. So users would actually login through a SFDC portal.


Lyra Consulting

May 21, 2014, 1:45:26 AM
to simple...@googlegroups.com
Salesforce now supports OpenID Connect. So do you think it would be possible to implement SSO making WordPress the identity provider by installing an OpenID plugin for WordPress?



Harsh Tiwari

Apr 27, 2022, 6:45:30 PM
to SimpleSAMLphp
Hi, as I understand it, you want to enable SSO login into your Force.com site with your WordPress site acting as the identity provider and authenticate users with their WordPress credentials. Not sure if you're still looking for a solution considering this thread is so old, but still.
This is very much doable with the Login with WordPress Users (WP as SAML IDP) plugin. The WordPress IDP plugin enables WordPress to leverage the SAML 2.0 protocol for single sign-on (SSO) login into any SAML compliant service provider (SP) thereby facilitating a smooth and seamless login experience for your users.
This SSO solution will make WordPress a SAML 2.0 compliant IDP, establishing trust between the WordPress site and Force.com to securely authenticate and log in users to the Force.com site. The WordPress IDP Single Sign-On (SSO) solution helps to secure WordPress sites behind the SSO login so that users are authenticated using their WordPress login credentials. It has seamless support for advanced SSO features like attribute & group mapping, synchronizing WordPress user details with Force.com, synchronizing user details from WordPress to Salesforce too, intranet SSO / internet SSO, etc.
You can refer to this link for more information.