-
Notifications
You must be signed in to change notification settings - Fork 0
/
README.txt
142 lines (101 loc) · 4.92 KB
/
README.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
Deploy and Configure instructions Wordpress Conext
==================================================
In order to install Wordpress with Conext authentication and authorization,
the following tasks need to be performed:
1) Install and configure the SimpleSAMLphp for use with THIS Wordpress
installation
2) Install and configure Wordpress
3) Add the SimpleSAMLphp Wordpress plugin, and configure this
4) Add the Conext Group AuthZ Wordpress plugin and configure this
Important!
Keep the URN of the group that assigns Administrator access at hand at this point!
1) Installing SimpleSAMLphp for Wordpress
First, copy the simplesaml/-directory to some place, for example /var/simplesaml-wordpress
For configuring SimpleSAML, make sure the following changes are made:
config/config.php changes:
- Change 'baseurlpath' into a sub-path of the wordpress installation
If Wordpress is is installed in http://hostname.com/wordpress
make sure that SimpleSAML is reached through
http://hostname.com/wordpress/simplesaml
- Other default config changes, 'auth.adminpassword', 'secretsalt',
'technicalcontact_name' and -'_email'
- Attribute Mappings:
1) Get the AuthnResponse:NameID-value into the uid-attribute
2) Expose values for these attributes: 'givenName', 'sn' and 'mail'
Insert in authproc.sp array with this settings:
...
20 => array(
'class' => 'saml:NameIDAttribute',
'attribute' => 'uid',
'format' => '%V',
),
22 => array(
'class' => 'core:AttributeMap',
'urn:mace:dir:attribute-def:mail' => 'mail',
'urn:mace:dir:attribute-def:givenName' => 'givenName',
'urn:mace:dir:attribute-def:sn' => 'sn'
),
...
config/authsources.php
- Install own certificate and key for our 'default-sp' profile, as
well as add optional default EntityID of the IDP to use here
(for example: shown is the EntityID of the dev conext federation):
...
'default-sp' => array(
'saml:SP',
'privatekey' => 'eplconext.key',
'certificate' => 'eplconext.crt',
...
'idp' => 'https://engine.dev.surfconext.nl/authentication/idp/metadata',
...
metadata/saml20-idp-remote.php
- Add metadata for IDP that is going to authenticate
Apache configuration
Add an alias to the (virtual) host configuration that defines the host that
Wordpress is being hosted from.
For example, in /etc/apache2/sites-available/default
Add the following line in the <VirtualHost> .. </VirtualHost> section:
Alias /wordpress/simplesaml /var/www/simplesaml-1.8.0-wordpress/www
SimpleSAMLphp should now be setup.
2) Wordpress Installation
Perform a default Wordpress installation by
- prepare a database with login for Wordpress
- download the latest Wordpress version from Wordpress.org
- unpacking it to /var/www/wordpress
- point browser to http://host/wordpress
And follow the installation instructions.
3) Add SimpleSAMLphp Wordpress plugin
Make sure to take the plugin from the repository, as the changes made to it
were not yet committed to the publicly available plugin version!
Copy the simplesamlphp-authentication.php file to the wp-contents/plugins
directory; log in to Wordpress with the admin account, and go to the Plugins
section and configure the plugin with these options:
- User Registration : enable this for auto-provisioning
- Full-name as display-name : enable this for human readable display-names
- Path to simpleSAMLphp : update this to the path where SimpleSAMLphp is
installed to (/var/simplesaml-wordpress or something like that?)
After enabling the plugin, DO NOT LOG OUT OR CLOSE BROWSER
What you DO need to have at this point, is the URN of the Group that assigns
administrator role to a user!
4) Add conext-group-authz Wordpress plugin
Copy the conext-group-authz/-directory to the wp-content/plugins directory
Edit the conext-group-authz/config.ini file to enter the appropriate
OpenSocial/SURFconext endpoints, as well as the OAuth consumer_key and
consumer_secret.
Now, in the Wordpress plugin admin, enable the Conext AuthZ plugin, and go
to the settings of the plugin.
Enter the URN of the Group that assigns administrator authorization in the
'Admin Group Identifier' setting.
MAKE SURE THAT YOU ARE MEMBER OF THIS GROUP!
When appropriate, also configure the groups that authorize other roles.
* If login fails ...
If there is no way to log in and get administrative credentials, you have to
disable the simplesaml-plugin manually.
One way to do this, is to move both the
simplesamlphp-authentication.php file as well as the
conext-group-authz/ directory
out of the wp-content/plugins directory.
This way you can login with the admin account that you specified during login
Do note that this exposes every account with the root-password of the
SimpleSAMLphp authentication plugin, so only perform this operation in a
controlled situation!