Using VMware’s Workspace One solution I wanted to provide a way that users could SSO into a WordPress blog, this very blog.

I looked everywhere online and couldn’t find any documentation around how to accomplish this, so I went through the long, drawn-out process and figured it out! It’s worth noting that I’m doing this using SaaS-based vIDM (VMware Identity Manager) and a WordPress site hosted on our own Ubuntu server running PHP 7.2.

To begin with you’ll need to install a plugin that will support the SSO and SAML authentication into your blog. I chose miniOrange SAML 2.0 SSO.

After installing the plugin it’s time to configure.

Open the plugin from your left panel and select ‘Plugin Configuration’.

What you’ll need to configure the application is the idp.xml file or the URL to it. You can grab this by opening a new tab, navigating to your vIDM admin panel, selecting webapps..

Clicking on Settings..

Selecting SAML Metadata and either right-clicking on ‘idp meta’ and saving as or copying the link..

You’ll now need to head back to your miniOrange SAML plugin and add that metadata. Do this by hitting the button ‘Upload IDP Metadata’. This should then pull in all the required URLs along with your certificate.

You’ll now need to export the SP metadata from the miniOrange SSO plugin and set up the application within Workspace One. Copy the https://YOURDOMAIN/?option=mosaml_metadata link; you’ll need it shortly.

Navigate back to your vIDM console and create a new application under Catalogue -> Web Apps -> New. Choose a name for your application; this will be the name that users will see when they log in to your Workspace One Portal. Under the configuration section, paste the link to the miniOrange metadata that we just copied.

After hitting next, the relevant information should be pulled in from the miniOrange SAML metadata URL. Save the application and make sure you assign it to the users that need it.

I’ve played around with some of the settings in my environment so that any users not currently listed within the WordPress site will have an account automatically created when they single sign in, with a default permission level of Contributor.

One issue I did encounter in this process was an initial error when attempting to SSO from vIDM: ‘Assertion has been sent for the future – Unable to sign in’ or something along those lines. After many hours troubleshooting this, I found that within the assertion the “saml:Conditions NotBefore=” value was 1 minute ahead of my Ubuntu server time. I nudged the time ahead by 30 seconds and everything worked! Happy days!
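The time window behind that error, as an added example that is not from the post or the miniOrange plugin: a small Python check that applies the NotBefore / NotOnOrAfter rule of a SAML 2.0 assertion’s Conditions against the SP clock, with an optional clock-skew allowance, and estimates the drift between the IdP’s IssueInstant and the SP clock. The assertion, the idp.example.test issuer and the 60-second lag are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from vIDM). The IdP issued it at
# 12:01:00Z; the SP clock below reads 12:00:00Z, the 1-minute lag from the post.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2019-01-01T12:01:00Z">
  <saml:Issuer>https://idp.example.test/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
  <saml:Conditions NotBefore="2019-01-01T12:01:00Z" NotOnOrAfter="2019-01-01T12:06:00Z">
    <saml:AudienceRestriction><saml:Audience>https://YOURDOMAIN/?option=mosaml_metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

SP_NOW = datetime(2019, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # the SP's (lagging) clock


def parse_saml_time(value):
    """SAML timestamps are ISO 8601 in UTC; normalise the trailing 'Z' for fromisoformat."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def check_conditions(assertion_xml, now, skew_seconds=0):
    """Apply the NotBefore / NotOnOrAfter rule an SP enforces, widened by an allowed skew; returns (accepted, reason)."""
    conditions = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "no saml:Conditions element"
    skew = timedelta(seconds=skew_seconds)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, f"assertion sent for the future: NotBefore={not_before}, SP time={now.isoformat()}"
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, f"assertion expired: NotOnOrAfter={not_on_or_after}, SP time={now.isoformat()}"
    return True, "conditions satisfied"


def clock_drift_seconds(assertion_xml, now):
    """IdP clock minus SP clock, estimated from IssueInstant; positive means the SP lags behind."""
    issue_instant = ET.fromstring(assertion_xml).get("IssueInstant")
    return (parse_saml_time(issue_instant) - now).total_seconds()


if __name__ == "__main__":
    print(check_conditions(SAMPLE_ASSERTION, SP_NOW))                   # refused, as in the post
    print(check_conditions(SAMPLE_ASSERTION, SP_NOW, skew_seconds=90))  # accepted with a skew allowance
    print(f"drift: {clock_drift_seconds(SAMPLE_ASSERTION, SP_NOW):+.0f}s")  # +60s
```

The fix that actually belongs here is the one the post applied, keeping the server clock in sync (NTP), rather than a large skew allowance, because that validity window is what limits replay of a captured assertion.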
