Allows WordPress to externalize user authentication and account creation to a Shibboleth Service Provider.
This plugin is designed to support integrating your WordPress site into your existing identity management infrastructure using a Shibboleth Service Provider.
WordPress can be configured so that all standard login requests will be sent to your configured Shibboleth Identity Provider or Discovery Service. Upon successful authentication, a new WordPress account will be automatically provisioned for the user if one does not already exist. User attributes (username, first name, last name, display name, nickname, and email address) can be synchronized with your enterprise’s system of record each time the user logs into WordPress.
Finally, the user’s role within WordPress can be automatically set (and continually updated) based on any attribute Shibboleth provides. For example, you may decide to give users with an eduPersonAffiliation value of faculty the WordPress role of editor, while the eduPersonAffiliation value of student maps to the WordPress role contributor. Or you may choose to limit access to WordPress altogether using a special eduPersonEntitlement value.
This plugin is actively maintained by michaelryanmcneill and the WordPress community, using GitHub. Contributions are welcome, via pull request, on GitHub. Issues can be submitted on the issue tracker.
First and foremost, this plugin requires you to have a Shibboleth Service Provider installed and functional on your web server. This can be done many ways, but that is outside the scope of this plugin. Once you’ve configured the Shibboleth Service Provider, you can proceed with installing the plugin.
This plugin supports both “lazy sessions” (where requireSession is set to false) and “required sessions” (where requireSession is set to true).
Upon activation, the plugin will attempt to set the appropriate directives in WordPress’s .htaccess file. You can prevent this from happening by defining the following wp-config.php constant:
define('SHIBBOLETH_DISALLOW_FILE_MODS', true);
Visit “Plugins > Add New”
Search for “Shibboleth”
Activate the Shibboleth plugin from your Plugins page.
Configure the plugin from the Shibboleth settings page.
OR
Upload the “shibboleth” folder to the /wp-content/plugins/ directory
Activate the Shibboleth plugin from your Plugins page.
Configure the plugin from the Shibboleth settings page.
If for some reason the plugin is unable to add the appropriate directives for Shibboleth, you can add the following to your .htaccess file.
AuthType shibboleth
Require shibboleth
From the Shibboleth Consortium:
Shibboleth is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
For more information on how to install the Native Shibboleth Service Provider on Linux, see this wiki article.
For more information on how to install the Native Shibboleth Service Provider on other operating systems, see this wiki article.
For more information on how to install Shibboleth on Nginx, see this GitHub repo.
Note, we cannot provide support for installation, configuration, or troubleshooting of Shibboleth Service Provider issues.
Yes, the plugin provides a number of new actions and filters that can be used to extend the functionality of the plugin. Search shibboleth.php for occurrences of the function calls apply_filters and do_action to find them all. Then write a new plugin that makes use of the hooks. If you require additional hooks to allow for extending other parts of the plugin, please notify the plugin authors via the support forum.
Before extending the plugin in this manner, please ensure that it is not actually more appropriate to add this logic to Shibboleth. It may make more sense to add a new attribute to your Shibboleth Identity Provider’s attribute store (e.g. LDAP directory), or a new attribute definition to the Identity Provider’s internal attribute resolver or the Shibboleth Service Provider’s internal attribute extractor. In the end, the Shibboleth administrator will have to make that call as to what is most appropriate.
Yes, the plugin allows for all settings to be controlled via constants in wp-config.php. If set, the constant will override the value that exists in the WordPress options table. The available constants are detailed (with their available options) below:
SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD: 'standard' for the default “Environment Variables” option, 'redirect' for the “Redirected Environment Variables” option, and 'http' for the “HTTP Headers” option.
define('SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD', 'standard');
SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD_FALLBACK: true to fall back to the standard “Environment Variables” option when the selected attribute access method does not return results, or false to not fall back.
define('SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD_FALLBACK', true);
SHIBBOLETH_LOGIN_URL
define('SHIBBOLETH_LOGIN_URL', 'https://example.com/Shibboleth.sso/Login');
SHIBBOLETH_LOGOUT_URL
define('SHIBBOLETH_LOGOUT_URL', 'https://example.com/Shibboleth.sso/Logout');
SHIBBOLETH_PASSWORD_CHANGE_URL
define('SHIBBOLETH_PASSWORD_CHANGE_URL', 'https://sso.example.com/account/update');
SHIBBOLETH_PASSWORD_RESET_URL
define('SHIBBOLETH_PASSWORD_RESET_URL', 'https://sso.example.com/account/reset');
SHIBBOLETH_SPOOF_KEY
define('SHIBBOLETH_SPOOF_KEY', 'abcdefghijklmnopqrstuvwxyz');
SHIBBOLETH_DEFAULT_TO_SHIB_LOGIN: true to automatically default to Shibboleth login, or false to not default to Shibboleth login.
define('SHIBBOLETH_DEFAULT_TO_SHIB_LOGIN', true);
SHIBBOLETH_AUTO_LOGIN: true to automatically log in users with an existing Shibboleth session, or false to not check for an existing Shibboleth session.
define('SHIBBOLETH_AUTO_LOGIN', true);
SHIBBOLETH_BUTTON_TEXT
define('SHIBBOLETH_BUTTON_TEXT', 'Login with Shibboleth');
SHIBBOLETH_DISABLE_LOCAL_AUTH: true to prevent users from logging in using WordPress local authentication, or false to allow WordPress local authentication AND Shibboleth authentication.
define('SHIBBOLETH_DISABLE_LOCAL_AUTH', true);
SHIBBOLETH_HEADERS (any of the following forms):
define( 'SHIBBOLETH_HEADERS', serialize( array( 'username' => array( 'name' => 'eppn' ), 'first_name' => array( 'name' => 'givenName', 'managed' => 'on' ), 'last_name' => array( 'name' => 'sn', 'managed' => 'on' ), 'nickname' => array( 'name' => 'eppn', 'managed' => 'off' ), 'display_name' => array( 'name' => 'displayName', 'managed' => 'off' ), 'email' => array( 'name' => 'mail', 'managed' => 'on' ) ) ) );
const SHIBBOLETH_HEADERS = array( 'username' => array( 'name' => 'eppn' ), 'first_name' => array( 'name' => 'givenName', 'managed' => 'on' ), 'last_name' => array( 'name' => 'sn', 'managed' => 'on' ), 'nickname' => array( 'name' => 'eppn', 'managed' => 'off' ), 'display_name' => array( 'name' => 'displayName', 'managed' => 'off' ), 'email' => array( 'name' => 'mail', 'managed' => 'on' ) );
define('SHIBBOLETH_HEADERS', array( 'username' => array( 'name' => 'eppn' ), 'first_name' => array( 'name' => 'givenName', 'managed' => 'on' ), 'last_name' => array( 'name' => 'sn', 'managed' => 'on' ), 'nickname' => array( 'name' => 'eppn', 'managed' => 'off' ), 'display_name' => array( 'name' => 'displayName', 'managed' => 'off' ), 'email' => array( 'name' => 'mail', 'managed' => 'on' ) ) );
SHIBBOLETH_CREATE_ACCOUNTS: true to automatically create new users if they do not exist in the WordPress database, or false to only allow existing users to authenticate.
define('SHIBBOLETH_CREATE_ACCOUNTS', true);
SHIBBOLETH_AUTO_COMBINE_ACCOUNTS: 'disallow' for the default “Prevent Automatic Account Merging” option, 'allow' for the “Allow Automatic Account Merging” option, and 'bypass' for the “Allow Automatic Account Merging (Bypass Username Management)” option.
define('SHIBBOLETH_AUTO_COMBINE_ACCOUNTS', 'disallow');
SHIBBOLETH_MANUALLY_COMBINE_ACCOUNTS: 'disallow' for the default “Prevent Manual Account Merging” option, 'allow' for the “Allow Manual Account Merging” option, and 'bypass' for the “Allow Manual Account Merging (Bypass Username Management)” option.
define('SHIBBOLETH_MANUALLY_COMBINE_ACCOUNTS', 'disallow');
SHIBBOLETH_ROLES (any of the following forms):
define( 'SHIBBOLETH_ROLES', serialize( array( 'administrator' => array( 'header' => 'entitlement', 'value' => 'urn:mace:example.edu:entitlement:wordpress:admin' ), 'author' => array( 'header' => 'affiliation', 'value' => 'faculty' ) ) ) );
const SHIBBOLETH_ROLES = array( 'administrator' => array( 'header' => 'entitlement', 'value' => 'urn:mace:example.edu:entitlement:wordpress:admin' ), 'author' => array( 'header' => 'affiliation', 'value' => 'faculty' ) );
define('SHIBBOLETH_ROLES', array( 'administrator' => array( 'header' => 'entitlement', 'value' => 'urn:mace:example.edu:entitlement:wordpress:admin' ), 'author' => array( 'header' => 'affiliation', 'value' => 'faculty' ) ) );
SHIBBOLETH_DEFAULT_ROLE: 'administrator', 'subscriber', 'author', 'editor', and 'contributor'. Leave this constant empty ('') to make the default no allowed access.
define('SHIBBOLETH_DEFAULT_ROLE', 'subscriber');
SHIBBOLETH_UPDATE_ROLES: true to automatically use Shibboleth data to update user role mappings each time the user logs in, or false to only update role mappings when a user is initially created.
define('SHIBBOLETH_UPDATE_ROLES', true);
SHIBBOLETH_LOGGING (any of the following forms):
define( 'SHIBBOLETH_LOGGING', serialize( array( 'account_merge', 'account_create', 'auth', 'role_update' ) ) );
const SHIBBOLETH_LOGGING = array( 'account_merge', 'account_create', 'auth', 'role_update' );
define('SHIBBOLETH_LOGGING', array( 'account_merge', 'account_create', 'auth', 'role_update' ) );
SHIBBOLETH_DISALLOW_FILE_MODS: true to disable the Shibboleth plugin from attempting to add .htaccess directives, or false to allow the Shibboleth plugin to add the necessary .htaccess directives.
define('SHIBBOLETH_DISALLOW_FILE_MODS', true);
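As an added illustration (not the plugin’s own code), the following shows how the attribute access method, its fallback, and the SHIBBOLETH_ROLES / SHIBBOLETH_DEFAULT_ROLE mapping documented above fit together. It assumes PHP 7 or later (array constants via define), constructs its own sample $_SERVER values, and the example_* helper names are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code: read a Shibboleth attribute under the
// documented access methods and map it to a WordPress role. $_SERVER values below are
// constructed samples of what mod_shib exposes after login; example_* helpers are hypothetical.
$_SERVER['REDIRECT_eppn']        = 'jdoe@example.edu';
$_SERVER['REDIRECT_affiliation'] = 'student;faculty'; // multi-valued attributes arrive ';' separated
$_SERVER['REDIRECT_entitlement'] = '';

define( 'SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD', 'redirect' );
define( 'SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD_FALLBACK', true );
define( 'SHIBBOLETH_ROLES', array(
    'administrator' => array( 'header' => 'entitlement', 'value' => 'urn:mace:example.edu:entitlement:wordpress:admin' ),
    'author'        => array( 'header' => 'affiliation', 'value' => 'faculty' ),
) );
define( 'SHIBBOLETH_DEFAULT_ROLE', '' ); // '' means: no access unless a mapping matches

// Read one attribute the way each access method exposes it to PHP. In 'http' mode the value
// comes from a request header, which is why the SP's spoof check (SHIBBOLETH_SPOOF_KEY above)
// matters: without it the header cannot be distinguished from one the client supplied.
function example_shib_attr( $name ) {
    switch ( SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD ) {
        case 'redirect': $key = 'REDIRECT_' . $name; break;
        case 'http':     $key = 'HTTP_' . strtoupper( str_replace( '-', '_', $name ) ); break;
        default:         $key = $name;
    }
    if ( isset( $_SERVER[ $key ] ) && '' !== $_SERVER[ $key ] ) {
        return $_SERVER[ $key ];
    }
    // Fall back to the plain environment variable only if the administrator enabled it.
    if ( SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD_FALLBACK && isset( $_SERVER[ $name ] ) && '' !== $_SERVER[ $name ] ) {
        return $_SERVER[ $name ];
    }
    return false;
}

// In this illustration the first mapping (in declared order) whose attribute contains the
// required value wins; an empty SHIBBOLETH_DEFAULT_ROLE therefore denies unmatched users.
function example_shib_role() {
    foreach ( SHIBBOLETH_ROLES as $role => $rule ) {
        $raw = example_shib_attr( $rule['header'] );
        if ( false !== $raw && in_array( $rule['value'], explode( ';', $raw ), true ) ) {
            return $role;
        }
    }
    return SHIBBOLETH_DEFAULT_ROLE;
}

$role = example_shib_role();
echo ( '' === $role ) ? "no access\n" : "role: {$role}\n";
```

With the constructed sample the entitlement rule does not match, the affiliation rule matches the second value of the multi-valued attribute, and the user is mapped to author.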
create_function() from use.
options-user.php.
mod_shib, mod_shib.c, and mod_shib.cpp. If you run into issues related to this change, please open an issue on GitHub.
REDIRECT_, while selecting the “HTTP Headers” option will look for attributes in environment variables (populated by HTTP Headers) prefixed with HTTP_. Most users should be fine leaving the default option selected; thanks to @jrchamp for reporting.
wp_users table. This is configurable by an administrator.
shibboleth-mu.php file as it is no longer relevant.
__FILE__; props @jrchamp.
$_SERVER in shibboleth_getenv() to handle use cases where getenv() doesn’t return data; thanks to @jmdemuth for reporting.
The Shibboleth plugin is now being maintained by michaelryanmcneill. Contributions are welcome on GitHub!
.htaccess modifications with a wp-config.php constant (SHIBBOLETH_DISALLOW_FILE_MODS).
shibboleth_getenv() to support various prefixed environment variables from Shibboleth, including REDIRECT_ and HTTP_; props @cjbnc and @jrchamp.
update_usermeta() and get_userdatabylogin(); props @skoranda.
shibboleth_session_initiator_url(); props @skoranda.
shibboleth_authenticate_user filter; props @boonebgorges.
admin-options.php; props @HirotoKagotani, @jrchamp, and @stepmeul.
add_site_option; props billjojo.
Shib_Session_ID as well as Shib-Session-ID out of the box. Props David Smith.
sanitize_name() to the Shibboleth user’s nicename column.