
Using your G Suite SAML SSO with your WordPress

Are you using G Suite and WordPress? Did you know that you can implement SAML with G Suite and set up single sign-on authentication for your WordPress site without introducing a third-party service such as Okta or OneLogin?

This article will guide you through the steps of setting up a new SAML app for your Google Apps domain and how to install the WordPress plugin SAML Single Sign On.

We are setting up Google as the identity provider, and WordPress as your service provider.

SAML Apps in G Suite

As an administrator on your G Suite account, go to the admin portal and click through to Apps > SAML Apps.

You will see a list of any existing SAML apps.

Add a new WordPress app

Click the big plus sign in the bottom right to add a new one; a popup window will open. Choose the option “Setup my own custom app” near the bottom of the popup window.

Google IDP Information

You’ll then see your specific Identity Provider information. You will need the info in Option 1 to configure your service provider in the “Adding your IDP to WordPress” section below. Open a new browser window so you can keep both handy.

Custom App Information

Add some descriptive information about the new SAML app. This is used to identify the app for everyone on your Google Apps domain. You can also add a logo of the service provider application that you are adding; it makes the app easier to find when you are logging in to it.

Attribute Mapping

In the final step, you will need to map metadata attributes to your Google Apps users. They are case sensitive and tell the service provider which fields to use for user data. Example:

  • Email: Basic Information > Primary Email

Attribute mapping will be different depending on which service provider you set up.

In its basic form, SAML attribute mapping tells the identity provider which of its attributes answers a service provider's request: when the service provider asks for your “email address”, it should be given the “Email” attribute from your SAML identity provider. Group membership might be an attribute too, if supported. Access control levels are something that directory services (i.e. LDAP) are better at managing.

SAML is more about managed authentication and attributes (i.e. “What apps can this person log in to?”).
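The mapping above only means something once the service provider has received an assertion from Google and decided to trust it. The following is an added example, not code from the miniOrange plugin or from Google, of what the service provider side of that step looks like: it checks the assertion's validity window and that the `Audience` is this SP's Entity ID, then fills the SP's user fields from the IdP attributes by their case-sensitive names. The assertion, the SP Entity ID and the attribute names other than `Email` are constructed for illustration; the sample is unsigned, so XML signature verification, which a real SP must do before any of this, is deliberately out of scope here.

```python
"""Check a SAML assertion's conditions and apply an attribute mapping.
Added example (not the plugin's code). SAMPLE_ASSERTION is constructed and
unsigned; a real SP verifies the XML signature before trusting any of it."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP Entity ID; must match the Entity ID configured in the plugin.
SP_ENTITY_ID = "https://blog.example.com/wp-content/plugins/miniorange-saml-20-single-sign-on/"

# Attribute mapping as set in the G Suite SAML app: SP field -> IdP attribute name.
ATTRIBUTE_MAP = {"email": "Email", "first_name": "FirstName"}

# Constructed sample assertion (not real Google output). Attribute Names are case sensitive.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2020-01-01T12:00:00Z">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-01-01T11:59:00Z" NotOnOrAfter="2020-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://blog.example.com/wp-content/plugins/miniorange-saml-20-single-sign-on/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

VALID_AT = datetime(2020, 1, 1, 12, 1, tzinfo=timezone.utc)    # inside the validity window
EXPIRED_AT = datetime(2020, 1, 1, 12, 5, tzinfo=timezone.utc)  # equals NotOnOrAfter: rejected


def _parse_ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion, sp_entity_id, now):
    """Return None if the assertion is valid for this SP at `now`, else the reason."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return "missing Conditions"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < _parse_ts(nb):
        return "assertion not yet valid"
    if noa and now >= _parse_ts(noa):
        return "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return "audience mismatch: assertion was issued for another service provider"
    return None


def map_attributes(assertion_xml, attribute_map, sp_entity_id, now):
    """Validate conditions, then build the SP user record from the mapped attributes."""
    assertion = ET.fromstring(assertion_xml)
    reason = check_conditions(assertion, sp_entity_id, now)
    if reason:
        raise ValueError(reason)
    # Collect every IdP attribute under its exact (case-sensitive) Name.
    idp_attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        idp_attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    user = {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for sp_field, idp_name in attribute_map.items():
        values = idp_attrs.get(idp_name)
        # A mapping that names an attribute the IdP did not send yields None, so a
        # misspelled or wrong-case name shows up as a missing field, not a wrong value.
        user[sp_field] = values[0] if values else None
    return user


def login_result(assertion_xml, attribute_map, sp_entity_id, now):
    """Either the mapped user dict or the rejection reason as a string."""
    try:
        return map_attributes(assertion_xml, attribute_map, sp_entity_id, now)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(login_result(SAMPLE_ASSERTION, ATTRIBUTE_MAP, SP_ENTITY_ID, VALID_AT))
    print(login_result(SAMPLE_ASSERTION, ATTRIBUTE_MAP, SP_ENTITY_ID, EXPIRED_AT))
```

Running it with a mapping of `{"email": "email"}` instead of `{"email": "Email"}` returns `None` for the email field, which is the symptom you see in the plugin when the attribute name typed in Google's mapping step does not match case exactly.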

Adding your IDP to WordPress

To enable SSO for WordPress, I chose the free version of the WordPress plugin SAML Single Sign-On by miniOrange.

You need to set up the Service Provider in miniOrange. Most service providers want to know your identity provider's Entity ID and SSO URL.

Add the certificate that you downloaded from the Google SAML app you created in the previous steps. You may also alter the sign-in settings.

Now that you’ve added your service provider to your identity provider, you’ll want to complete the connection by configuring your service provider directly.
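To make concrete what the plugin does with the two values it asks for, here is an added example (not miniOrange's code) of an SP-initiated login under the HTTP-Redirect binding: the SP's own Entity ID goes into `<saml:Issuer>`, and the IdP's SSO URL is both the `Destination` attribute and the address the browser is redirected to with the deflated, base64-encoded `SAMLRequest`. The SSO URL, SP Entity ID and ACS URL below are hypothetical placeholders; in a real setup the SSO URL is the value Google shows under Option 1. The certificate from the same page is used afterwards, to verify the signature on the Response Google sends back, which this example does not cover.

```python
"""Build and encode an SP-initiated SAML AuthnRequest (HTTP-Redirect binding).
Added example, not the plugin's code; all URLs are hypothetical placeholders."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape, quoteattr

# Hypothetical values. The SSO URL comes from the Google SAML app (Option 1);
# the Entity ID and ACS URL are the SP's own, as shown in the plugin's settings.
IDP_SSO_URL = "https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE"
SP_ENTITY_ID = "https://blog.example.com/wp-content/plugins/miniorange-saml-20-single-sign-on/"
SP_ACS_URL = "https://blog.example.com/"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """Return the AuthnRequest XML. Destination must equal the IdP SSO URL so the
    IdP can refuse a request that was redirected to a different endpoint."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID={quoteattr(request_id)} Version="2.0" IssueInstant={quoteattr(issue_instant)} '
        f'Destination={quoteattr(idp_sso_url)} '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL={quoteattr(acs_url)}>'
        f'<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>'
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" '
        'AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    )


def encode_redirect(xml):
    """Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect(value):
    """Inverse of encode_redirect; this is what the IdP does on receipt."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def redirect_url(idp_sso_url, xml, relay_state=None):
    """The URL the plugin sends the browser to when a user starts an SSO login.
    RelayState carries where to return the user after login (e.g. the page they asked for)."""
    params = {"SAMLRequest": encode_redirect(xml)}
    if relay_state:
        params["RelayState"] = relay_state
    separator = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + separator + urlencode(params)


def request_from_url(url):
    """Recover the AuthnRequest XML from a redirect URL, as the IdP sees it."""
    query = parse_qs(urlparse(url).query)
    return decode_redirect(query["SAMLRequest"][0])


if __name__ == "__main__":
    xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL)
    url = redirect_url(IDP_SSO_URL, xml, relay_state="/wp-admin/")
    print(url)
    assert request_from_url(url) == xml
```

The `Destination` and `AssertionConsumerServiceURL` attributes are the values the IdP checks against the SP you registered in the SAML app, so if Google rejects the login after setup, comparing them with the ACS URL and Entity ID typed into the G Suite app is the first thing to check.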

Enable the app for everyone

Once the app is configured, it will not work until you turn it on for your domain. You can turn it on for everyone in your organization or only for specific organizational units (OUs).

When turned on, your new app will show up in all your users’ app dropdown along with other apps and existing SAML apps. You may need to click “More” first to see the complete list of available apps. Clicking on this link starts an IDP-initiated workflow, and will open your app with the current user authenticated.

Sample Workflow

Conclusion

As you noticed, this is very easy to set up – if you are a small to medium size organization, you do not need a third-party IAM solution; you can use G Suite and then add your other applications as G Suite SAML apps.

This provides SSO to all users in your organization. If different users require access to different apps, you can set up OUs in G Suite and enable a SAML app only for the OU that requires SSO for that service.

You can go a step further with G Suite and require your users to enable two-factor authentication (2FA) for their G Suite accounts.

If you have any questions or comments, feel free to add them below.
