Force SSO for some users
We have multiple roles in our WordPress installation. For users having some of these roles, we would like to force use of SSO, and disable other use.
For users logging in from a specific domain, we would like to force use of SSO and disable the “built in” login to WordPress.
Any suggestions?

Gaurav Singh
If I understood correctly, you only want to allow users belonging to some selected roles to perform SSO into your site. The rest of the users won’t be allowed to log in.
This can be achieved using the Role mapping and restriction features provided in the Premium version of our SSO plugin for WordPress.
The login flow would be like this:
When any user tries to access the built-in login page of WordPress, they will be redirected to the IdP’s login page for authentication.
After authenticating at the IdP login page, the users will be restricted or given access to your site based on their Role attribute information sent by the Identity Provider.
For the above scenario, you will need to have a third-party Identity Provider, in which you will need to have the users mapped to the corresponding roles as they are mapped in your WordPress site.
Let me know which Identity Provider you are using so that I can guide you in the correct direction.
If you have any further queries, please drop an email at email@example.com
Gaurav Singh

Jan-Erik Larsen
No – this is exactly what I meant. The thing is that I have some users that will have to log in using the built-in login. But for users having specific WordPress roles, or having specific email domains in their user ID – they should be forced to log in using SSO.

Gaurav Singh
Depending on your desired login flows, this can be achieved using the following two approaches:
1. Using Role mapping feature provided in the Premium version of the plugin.
In this case, you can configure the roles which would use the default WordPress login page and shouldn’t be allowed to log in via SSO.
Next, we will enable the Auto Redirect from WordPress login page to redirect all your users for SSO.
Users whom you want to use the built-in login can use the backdoor URL provided in the plugin to access the WordPress login page.
If a user performs SSO into your site and their role falls under restricted roles list, they will see a customizable error message.
Note that in this case, your IdP must send the role-related information in the SAML Assertion.
2. Using Customization in the Premium plugin.
We can customize the premium plugin so that it will work as per your use case.
In that scenario, when a user lands on the WordPress login page they will see one field for entering their email.
If the user’s WordPress role or email domain falls under a configurable SSO roles/domains list, they will be redirected for SSO. If not, we will show them the password field and they can log in using their WordPress credentials.
If you want to go with the second approach, please confirm if you want to use the user’s WordPress roles or email domain for this restriction?
Also, please send your response to firstname.lastname@example.org so that I can send you a quote for this custom work.
Gaurav Singh

Jan-Erik Heggholmen, 3 weeks, 6 days ago
We’ll do an internal discussion and get back to you.
Jan-Erik

Gaurav Singh, 3 weeks, 5 days ago
Sure, I am looking forward to it.
Meanwhile, please feel free to reach out if you have any questions.
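The second approach in Gaurav Singh's reply above (users whose WordPress role or email domain is on a configured list are sent to SSO, everyone else keeps the built-in login) can be sketched as a small WordPress plugin. This is an added example written for this thread, not code from the SSO plugin discussed, and it does not show the two-step email/password form; it only enforces the decision server-side. The role list, domain list and the SSO start URL are assumed placeholders; the real start URL comes from whichever SSO plugin or IdP you use.

```php
<?php
/**
 * Plugin Name: Force SSO for selected roles and email domains (added example)
 *
 * Added example, not the support thread's plugin code. Users whose WordPress
 * role or email domain is in a configured list are redirected to SSO and
 * their password login is rejected server-side; everyone else keeps the
 * built-in login. The SSO start URL is an assumed placeholder.
 */

// Assumed configuration values (placeholders, adjust for your site).
const FSSO_FORCED_ROLES   = array( 'editor', 'author' );
const FSSO_FORCED_DOMAINS = array( 'example.com' );
const FSSO_START_URL      = '/wp-login.php?fsso=start'; // placeholder, assumption

/**
 * Decide whether the identifier typed into the login form belongs to a user
 * who must authenticate through SSO.
 *
 * $identifier may be a username or an email address. The domain rule is
 * evaluated on the typed email even when no WordPress account exists yet
 * (e.g. the IdP provisions the account on first login); the role rule needs
 * an existing account.
 */
function fsso_must_use_sso( $identifier ) {
	$identifier = trim( (string) $identifier );
	if ( '' === $identifier ) {
		return false;
	}

	$user = get_user_by( is_email( $identifier ) ? 'email' : 'login', $identifier );

	// Role rule: any forced role on the account triggers SSO.
	if ( $user instanceof WP_User ) {
		if ( array_intersect( FSSO_FORCED_ROLES, (array) $user->roles ) ) {
			return true;
		}
		$email = $user->user_email;
	} else {
		$email = $identifier;
	}

	// Domain rule: compare the part after the last "@", case-insensitively.
	if ( is_email( $email ) ) {
		$domain = strtolower( substr( strrchr( $email, '@' ), 1 ) );
		return in_array( $domain, array_map( 'strtolower', FSSO_FORCED_DOMAINS ), true );
	}

	return false;
}

/**
 * Step 1: when the built-in form is submitted, send forced users to SSO
 * before WordPress looks at the password. The "wp_authenticate" action fires
 * at the start of wp_authenticate() with the raw credentials.
 */
add_action( 'wp_authenticate', function ( $username, $password ) {
	if ( fsso_must_use_sso( $username ) ) {
		wp_safe_redirect( FSSO_START_URL );
		exit;
	}
}, 10, 2 );

/**
 * Step 2: defence in depth. Even if the redirect is bypassed (other login
 * endpoints such as XML-RPC), refuse to issue a password-based session for
 * forced users. Priority 99 runs after core's username/password and email
 * checks, so a WP_User they produced is replaced by an error.
 */
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( fsso_must_use_sso( $username ) ) {
		return new WP_Error(
			'fsso_sso_required',
			sprintf(
				'Password login is disabled for this account. <a href="%s">Sign in with SSO</a>.',
				esc_url( FSSO_START_URL )
			)
		);
	}
	return $user;
}, 99, 3 );
```

The point of the second hook is that hiding the password field in the login form is a usability measure, not a control: the `authenticate` filter is where WordPress decides whether a session is issued, so the restriction must be enforced there as well. Because the role rule looks the account up, the redirect reveals whether a typed username belongs to a forced-SSO account; if that matters for your site, use the domain rule alone.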