WordPress Multi-site with Single Sign On (SSO)

Step 1: Login
  • Log in to wp-admin on the correct environment with the DevOps standard password:
    • PROD: https://kimconnect.com/wp-admin
    • STAGE: https://stage.kimconnect.com/wp-admin
    • QA: https://qa.kimconnect.com/wp-admin
    • DEV: https://dev.kimconnect.com/wp-admin
 
Step 2: Create DNS Entries
  • Ensure that the new site name resolves to the host's IP via one of these two methods:
    • 1. Create a DNS A record for {URL} pointing at {HOST-IP} (a CNAME can only point at another name, such as the host's existing FQDN, never at an IP address)
    • 2. Edit /etc/hosts on the client machine to include the sample sites (please review the "Sample Sites" section)
 
Step 3: Add SSO Metadata to IdP Server & SP Client
Please review the SSO Metadata section and make sure that both the IdP server and the SP client have metadata entries for each newly created site, so that the SSO server recognizes it.
 
Step 4: Create New Site
  • On the top navigation > hover cursor over {My Sites} > {Network Admin} > {Sites} > Click {Add New} > fill in text fields:
     
    • Site = {project-name}.web01.{env}.kimconnect.com
    • Site Title = {Project Name}
    • Admin = admin@kimconnect.com
    • Click {Add Site}
       
      By default, WordPress multisite strips everything after the second ':' in the site URL, so a site on a non-standard port (8443 here) is registered without its port and cannot be reached. The generated site therefore stays broken until its database entries are corrected, and the http/https scheme and the port can only be set via SQL.
# Check the list of sites to locate the {blog_id} associated with the newly created site.
# Let mysql prompt for the password (-p alone): -pPASSWORD on the command line exposes it in `ps` output and shell history.
mysql -uwebadmin -p --execute="select * from wp_stage.wp_blogs where domain like '%stage.kimconnect%';"
 
# Adapt the following commands to update the site according to its {blog_id}, {partner-ID} and {Project-Name}
# wp_options has a UNIQUE key on option_name, so the INSERT at the end fails if the block is run twice; update those rows instead of re-running it.
 
mysql -uwebadmin -p --execute="
UPDATE wp_stage.wp_blogs
set domain = replace(domain, 'com8443', 'com:8443')
WHERE domain LIKE '%com8443';
UPDATE wp_stage.wp_{blog_id}_options
SET option_value = replace(option_value, 'com8443', 'com:8443')
WHERE option_value LIKE '%com8443';
-- replace the scheme only: replace(option_value, 'http', 'https') would also turn an https:// inside the same value into httpss://
UPDATE wp_stage.wp_{blog_id}_options
SET option_value = replace(option_value, 'http://', 'https://')
WHERE option_value like 'http://%';
UPDATE wp_stage.wp_{blog_id}_options
SET option_value = '{Project_Name}'
WHERE option_name = 'blogname';
UPDATE wp_stage.wp_{blog_id}_options
SET option_value = 'TEST'
WHERE option_name = 'blogdescription';
-- matches both admin_email and new_admin_email
UPDATE wp_stage.wp_{blog_id}_options
SET option_value = 'admin@kimconnect.com'
WHERE option_name like '%admin_email%';
UPDATE wp_stage.wp_{blog_id}_options
SET option_value = '/index.php/%year%/%monthnum%/%day%/%postname%/'
WHERE option_name = 'permalink_structure';
UPDATE wp_stage.wp_{blog_id}_options
SET option_value = 'pdci-ui'
WHERE option_name = 'template';
UPDATE wp_stage.wp_{blog_id}_options
SET option_value = 'pdci-ui'
WHERE option_name = 'stylesheet';
INSERT INTO wp_stage.wp_{blog_id}_options (option_name,option_value,autoload) VALUES
    ('host','https://stage.kimconnect.com:8443','yes'),
    ('partner_id','XX','yes'),
    ('eua','true','yes'),
    ('elasticsearch','https://prod.kimconnect.com:9200','yes'),
    ('theme_mods','a:3:{i:0;b:0;s:18:\"nav_menu_locations\";a:1:{s:8:\"leftmenu\";i:2;}s:18:\"custom_css_post_id\";i:-1;}','yes'),
    ('sso_host','sso.kimconnect.com','yes');"
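The same fix-up, as an added example that is not part of the original runbook: the statements above are generated from parameters (environment, blog_id, project name, partner ID) instead of being hand-edited, the blog_id is validated before it is spliced into a table name, the project name is escaped for the SQL literal, the INSERT is made re-runnable with ON DUPLICATE KEY UPDATE, and the password is read from a MySQL options file rather than the command line. The database name wp_{env}, the host URL pattern https://{env}.kimconnect.com:8443 and the options-file path ~/.my.cnf.webadmin are assumptions taken from the stage example; prod may use the bare domain, so override HOST_URL there.

```shell
#!/bin/sh
# Added example, not part of the original runbook: build the post-creation
# fix-up SQL for one multisite blog from parameters and feed it to mysql
# without the password on the command line.
# Assumptions: database wp_${ENV}; site on https port 8443 as in the stage
# example; credentials in a 0600 options file (~/.my.cnf.webadmin, a name
# chosen here, override with MYSQL_CNF); HOST_URL overrides the host pattern.

# Double single quotes so a project name such as O'Brien cannot terminate
# the SQL string literal it is placed in.
sql_escape() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# gen_fixup_sql ENV BLOG_ID PROJECT_NAME PARTNER_ID
# Prints the SQL to stdout; nothing is executed here.
gen_fixup_sql() {
    envname="$1"; blog_id="$2"; project="$3"; partner="$4"
    # blog_id is spliced into a table name, so it must be a plain integer.
    case "$blog_id" in
        ''|*[!0-9]*) echo "gen_fixup_sql: blog_id must be numeric" >&2; return 1 ;;
    esac
    case "$envname" in
        prod|stage|qa|dev) ;;
        *) echo "gen_fixup_sql: unknown env '$envname'" >&2; return 1 ;;
    esac
    db="wp_${envname}"
    opt="${db}.wp_${blog_id}_options"
    project_esc=$(sql_escape "$project")
    partner_esc=$(sql_escape "$partner")
    # Assumed pattern for the network host URL; prod may use the bare domain.
    host_url="${HOST_URL:-https://${envname}.kimconnect.com:8443}"
    cat <<EOF
UPDATE ${db}.wp_blogs SET domain = replace(domain, 'com8443', 'com:8443') WHERE blog_id = ${blog_id} AND domain LIKE '%com8443';
UPDATE ${opt} SET option_value = replace(option_value, 'com8443', 'com:8443') WHERE option_value LIKE '%com8443';
UPDATE ${opt} SET option_value = replace(option_value, 'http://', 'https://') WHERE option_value LIKE 'http://%';
UPDATE ${opt} SET option_value = '${project_esc}' WHERE option_name = 'blogname';
UPDATE ${opt} SET option_value = 'TEST' WHERE option_name = 'blogdescription';
UPDATE ${opt} SET option_value = 'admin@kimconnect.com' WHERE option_name IN ('admin_email', 'new_admin_email');
UPDATE ${opt} SET option_value = '/index.php/%year%/%monthnum%/%day%/%postname%/' WHERE option_name = 'permalink_structure';
UPDATE ${opt} SET option_value = 'pdci-ui' WHERE option_name = 'template';
UPDATE ${opt} SET option_value = 'pdci-ui' WHERE option_name = 'stylesheet';
INSERT INTO ${opt} (option_name, option_value, autoload) VALUES
    ('host', '${host_url}', 'yes'),
    ('partner_id', '${partner_esc}', 'yes'),
    ('eua', 'true', 'yes'),
    ('elasticsearch', 'https://prod.kimconnect.com:9200', 'yes'),
    ('theme_mods', 'a:3:{i:0;b:0;s:18:"nav_menu_locations";a:1:{s:8:"leftmenu";i:2;}s:18:"custom_css_post_id";i:-1;}', 'yes'),
    ('sso_host', 'sso.kimconnect.com', 'yes')
ON DUPLICATE KEY UPDATE option_value = VALUES(option_value);
EOF
}

# apply_fixup_sql ENV BLOG_ID PROJECT_NAME PARTNER_ID
# Runs the generated SQL; set DRY_RUN=1 to print it instead. The options file
# keeps the password out of `ps` output and shell history, unlike -pPASSWORD.
apply_fixup_sql() {
    sql=$(gen_fixup_sql "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$sql"
        return 0
    fi
    printf '%s\n' "$sql" | mysql --defaults-extra-file="${MYSQL_CNF:-$HOME/.my.cnf.webadmin}"
}

# Usage: DRY_RUN=1 apply_fixup_sql stage 7 'Partner Portal' 42
```

Review the DRY_RUN output against the wp_blogs row you looked up first; the wp_blogs UPDATE is restricted to that blog_id so a re-run for one site cannot touch the others.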
 
  • Logon to hosting server as webadmin to create a symlink for SimpleSaml
# Verify whether SimpleSaml has been deployed to this server
 
# This is an example of a broken SimpleSaml (missing items)
[webadmin@server01 plugins]$ ls /home/webadmin/pkg/share/simplesamlphp/
locales
 
# This is another example of SimpleSaml with expected settings
[webadmin@server01 plugins]$ ls /home/webadmin/pkg/share/simplesamlphp/
attributemap cert config COPYING extra locales metadata-templates schemas tests www
bin composer.json config-templates dictionaries lib log modules templates tools
cache composer.lock CONTRIBUTING.md docs LICENSE metadata README.md TESTING.md vendor
 
[webadmin@server01 plugins]$ ls /home/webadmin/pkg/share/simplesamlphp/config
acl.php authmemcookie.php authsources.php config.php
 
[webadmin@server01 simplesamlphp]$ ls /home/webadmin/pkg/share/simplesamlphp/metadata
adfs-idp-hosted.php saml20-idp-hosted.php saml20-sp-remote.php shib13-idp-remote.php shib13-sp-remote.php wsfed-sp-hosted.php
adfs-sp-remote.php saml20-idp-remote.php shib13-idp-hosted.php shib13-sp-hosted.php wsfed-idp-remote.php
 
# Correct settings for config/authsources.php (only the relevant keys are shown)
# Note: deriving entityID from $_SERVER['HTTP_HOST'] makes the SP's identity depend on the Host header of the request; restrict the accepted hosts with 'trusted.url.domains' in config.php, or hard-code one entityID per environment.
— Truncated —
// The entity ID of this SP.
// Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
#'entityID' => null,
 
'entityID' => 'https://'.$_SERVER['HTTP_HOST'].'/simplesaml/module.php/saml/sp/metadata.php/default-sp',
// The entity ID of the IdP this SP should contact.
// Can be NULL/unset, in which case the user will be shown a list of available IdPs.
#'idp' => null,
#'RelayState' => 'https://'.$_SERVER['HTTP_HOST'],
'idp' => 'https://sso.kimconnect.com/simplesaml/saml2/idp/metadata.php',
// The URL to the discovery service.
// Can be NULL/unset, in which case a builtin discovery service will be used.
'discoURL' => null,
— Truncated —
 
# Correct settings for /home/webadmin/pkg/share/simplesamlphp/metadata/saml20-idp-remote.php
# certData is the base64 body of the IdP's signing certificate (no PEM header/footer, no line breaks). The value below is truncated in this write-up; the SP validates assertion signatures against it, so it must be the complete and current certificate (check with openssl x509 after base64-decoding it).
$metadata['https://sso.kimconnect.com/simplesaml/saml2/idp/metadata.php'] = array (
    'metadata-set' => 'saml20-idp-remote',
    'entityid' => 'https://sso.kimconnect.com/simplesaml/saml2/idp/metadata.php',
    'SingleSignOnService' => array (
        0 => array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://sso.kimconnect.com/simplesaml/saml2/idp/SSOService.php',
        ),
    ),
    'SingleLogoutService' => array (
        0 => array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://sso.kimconnect.com/simplesaml/saml2/idp/SingleLogoutService.php',
        ),
    ),
    'certData' => '89ZBnI55YPBZSgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAneuW+0GfIrgxSQrvphWw9ShhrsY78HWXPI4RKteLuT0USj8sDKcGoDF9mqzFjGjruJreDUn9WKIuCsRCfaFUO4LFpAI8mFfaAQqAKQSJySEYk8XCR4C6iDsYvmdpRkX7NGmsYmU2dmdbKXeTlZagkuBLHP5nwur7iV+dfC', // truncated in the original
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);
 
# Assuming that the "WP SAML Auth" plugin is installed and activated, these commands point the plugin's simplesamlphp path at the server's SimpleSAMLphp install.
# Remove only the plugin's simplesamlphp directory (or a stale link), never the wp-saml-auth directory itself: that deletes the plugin, and ln then fails because the parent directory no longer exists.
# The link exposes the SimpleSAMLphp tree (including config/ and cert/) under the web root; confirm afterwards that requesting .../wp-saml-auth/simplesamlphp/config/config.php over HTTPS is refused rather than served.
rm -rf /home/webadmin/pkg/share/httpd/htdocs/wp-content/plugins/wp-saml-auth/simplesamlphp
ln -s /home/webadmin/pkg/share/simplesamlphp/ /home/webadmin/pkg/share/httpd/htdocs/wp-content/plugins/wp-saml-auth/simplesamlphp
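The SimpleSAMLphp checks from the "Verify whether SimpleSaml has been deployed" step and the symlink step above, as an added example that is not the runbook's own commands: one function confirms the install tree is complete (the listing with only locales/ fails it), one confirms the 'idp' entity ID in authsources.php has a matching $metadata[...] entry in saml20-idp-remote.php, and one creates the plugin link without deleting the plugin and verifies the autoloader is reachable through it. The required-file list assumes a stock SimpleSAMLphp 1.x layout, and the autoload path wp-saml-auth/simplesamlphp/lib/_autoload.php is WP SAML Auth's documented default; the paths in the usage comment are the ones used on this page.

```shell
#!/bin/sh
# Added example, not the runbook's own commands: check that a SimpleSAMLphp
# tree is complete, that the SP's 'idp' entry has matching remote metadata,
# and link the tree into WP SAML Auth without deleting the plugin.
# Assumptions: stock SimpleSAMLphp 1.x layout for the required entries, and
# the plugin's default autoload path simplesamlphp/lib/_autoload.php.

SSP_REQUIRED="lib/_autoload.php config/config.php config/authsources.php metadata/saml20-idp-remote.php www/index.php"

# check_simplesaml_install DIR
# Reports each missing entry on stderr and returns 1 if any is absent, so a
# tree containing only locales/ (the broken listing above) fails here.
check_simplesaml_install() {
    dir="$1"; missing=0
    for rel in $SSP_REQUIRED; do
        if [ ! -e "$dir/$rel" ]; then
            echo "missing: $dir/$rel" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_idp_binding AUTHSOURCES_PHP IDP_REMOTE_PHP
# The entity ID named by the active 'idp' line in authsources.php must have a
# $metadata[...] entry in saml20-idp-remote.php, or the SP has no IdP
# endpoints or signing certificate to work with. Commented-out lines
# (#'idp' => null) are ignored.
check_idp_binding() {
    idp=$(sed -n "s/^[[:space:]]*'idp' => '\([^']*\)'.*/\1/p" "$1" | head -n 1)
    [ -n "$idp" ] || { echo "no active 'idp' line in $1" >&2; return 1; }
    grep -Fq "\$metadata['$idp']" "$2"
}

# link_simplesaml SSP_DIR PLUGIN_DIR
# Replaces only PLUGIN_DIR/simplesamlphp (a stale copy or old link) with a
# symlink to SSP_DIR. WP SAML Auth loads PLUGIN_DIR/simplesamlphp/lib/_autoload.php
# by default, so PLUGIN_DIR itself must survive.
link_simplesaml() {
    ssp="$1"; plugin="$2"
    [ -n "$ssp" ] && [ -n "$plugin" ] || return 1
    target="$plugin/simplesamlphp"
    check_simplesaml_install "$ssp" || return 1
    [ -d "$plugin" ] || { echo "plugin dir not found: $plugin" >&2; return 1; }
    rm -rf "$target"
    ln -s "$ssp" "$target"
    # The autoloader must be reachable through the new link.
    [ -f "$target/lib/_autoload.php" ]
}

# Usage on the host from the runbook:
#   check_idp_binding /home/webadmin/pkg/share/simplesamlphp/config/authsources.php \
#       /home/webadmin/pkg/share/simplesamlphp/metadata/saml20-idp-remote.php
#   link_simplesaml /home/webadmin/pkg/share/simplesamlphp \
#       /home/webadmin/pkg/share/httpd/htdocs/wp-content/plugins/wp-saml-auth
```

Run check_idp_binding before linking: a missing or mistyped entity ID only surfaces at the first login attempt otherwise, after the site has already been announced.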
 
