A couple of weeks ago a client approached us, asking whether their existing WordPress installation could be used as an Identity Provider (IdP) for other web-based services. They wanted to give their existing users an easy Single Sign-On solution for the other sites and services they provide. Their requirement was to reuse the existing WordPress user database together with SAML (Security Assertion Markup Language), an XML-based format for exchanging authentication and authorization data.
We could not find any existing plugins or tools for WordPress, so we developed a quick solution as a proof of concept. The result of this development can be found on GitHub. Our code is implemented in PHP and licensed under GNU GENERAL PUBLIC LICENSE Version 2. We used the SimpleSAMLphp authentication module and connected it to the WordPress database as the authentication source. Our code was written for MariaDB/MySQL but could be easily adapted for other databases.
Set Up WordPress on Your Webserver
Install SimpleSAMLphp on Your Webserver
Install SimpleSAMLphp and follow the SimpleSAMLphp instructions to set it up as an identity provider (SimpleSAMLphp Identity Provider QuickStart).
Add WordPressAuth Module
Create a new directory wordpressauth under the modules directory (simplesaml/modules/wordpressauth) and copy the files from our WordPressAuth GitHub repository into it.
Configure Authentication Source
Edit the configuration file for authentication sources simplesaml/config/authsources.php and add:
$config = array(
    // ... any authentication sources you already have ...
    'wpauthinstance' => array(
        // The first array element names the wordpressauth module's authentication
        // source class; take it from the module's README.
        'dsn'        => 'mysql:host=localhost;port=3306;dbname=<mysql database name>',
        'username'   => '<mysql username>',
        'password'   => '<mysql password>',
        'userstable' => 'wp_users',
    ),
);
Replace the placeholders with your MySQL host, username, password and database name (and change the table prefix in userstable if it is not "wp_").
Set Authentication Source in Metadata File
Edit the metadata file for the hosted SAML 2.0 IdP simplesaml/metadata/saml20-idp-hosted.php and set wpauthinstance as your authentication source:
    /*
     * Authentication source to use. Must be one that is configured in
     * 'config/authsources.php'.
     */
    'auth' => 'wpauthinstance',
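The core of an authentication source like the one above is a lookup in the users table followed by a password check done the way WordPress does it. The following is an added example of that logic, not the WordPressAuth module's own code: it verifies both phpass "portable" hashes ($P$ prefix, which WordPress has historically stored in user_pass) and bcrypt hashes via password_verify(), uses a prepared statement for the lookup, compares hashes in constant time, and returns the same null result for an unknown user and a wrong password. It assumes PHP 8 with the PDO SQLite extension and stands in an in-memory SQLite table for the MySQL wp_users table of the post; the users, salts and passwords are constructed for the demo.

```php
<?php
// Added example (not the WordPressAuth module): WordPress-style password
// verification against a users table, with constructed sample data.

const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass base64 variant used for the $P$ portable hash encoding.
function phpassEncode64(string $input, int $count): string
{
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= ITOA64[$value & 0x3f];
        if ($i < $count) { $value |= ord($input[$i]) << 8; }
        $output .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($input[$i]) << 16; }
        $output .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $output .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Recompute a phpass portable hash ($P$ / $H$) from the stored setting prefix.
function phpassCrypt(string $password, string $setting): string
{
    $id = substr($setting, 0, 3);
    if ($id !== '$P$' && $id !== '$H$') { return '*'; }      // not a portable hash
    $countLog2 = strpos(ITOA64, $setting[3]);
    if ($countLog2 === false || $countLog2 < 7 || $countLog2 > 30) { return '*'; }
    $salt = substr($setting, 4, 8);
    if (strlen($salt) !== 8) { return '*'; }
    $count = 1 << $countLog2;
    $hash = md5($salt . $password, true);                    // iterated MD5 over salt + password
    do {
        $hash = md5($hash . $password, true);
    } while (--$count);
    return substr($setting, 0, 12) . phpassEncode64($hash, 16);
}

// Accept phpass portable hashes and bcrypt ($2y$) hashes from password_hash().
function wpPasswordVerify(string $password, string $stored): bool
{
    if (str_starts_with($stored, '$P$') || str_starts_with($stored, '$H$')) {
        $computed = phpassCrypt($password, $stored);
        return $computed !== '*' && hash_equals($stored, $computed);   // constant-time compare
    }
    return password_verify($password, $stored);
}

// Look the user up by login and return SAML-style attributes, or null on failure.
function wpAuthenticate(PDO $db, string $usersTable, string $login, string $password): ?array
{
    // A table name cannot be a bind parameter, so whitelist its characters instead.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $usersTable)) {
        throw new InvalidArgumentException('unsafe users table name');
    }
    $stmt = $db->prepare("SELECT ID, user_login, user_pass, user_email, display_name "
                       . "FROM {$usersTable} WHERE user_login = :login");
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !wpPasswordVerify($password, $row['user_pass'])) {
        return null;                                         // same answer for unknown user and wrong password
    }
    return [
        'uid'         => [(string) $row['ID']],
        'username'    => [$row['user_login']],
        'mail'        => [$row['user_email']],
        'displayName' => [$row['display_name']],
    ];
}

// Constructed demo data: an in-memory SQLite wp_users with one phpass and one bcrypt user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, '
        . 'user_pass TEXT, user_email TEXT, display_name TEXT)');
$salt = substr(strtr(base64_encode(random_bytes(6)), '+', '.'), 0, 8);
$phpassHash = phpassCrypt('correct horse', '$P$B' . $salt);   // "$P$B" selects 2^13 rounds
$bcryptHash = password_hash('battery staple', PASSWORD_BCRYPT);
$ins = $db->prepare('INSERT INTO wp_users VALUES (?, ?, ?, ?, ?)');
$ins->execute([1, 'alice', $phpassHash, 'alice@example.test', 'Alice']);
$ins->execute([2, 'bob', $bcryptHash, 'bob@example.test', 'Bob']);

var_dump(wpAuthenticate($db, 'wp_users', 'alice', 'correct horse'));
var_dump(wpAuthenticate($db, 'wp_users', 'bob', 'battery staple'));
var_dump(wpAuthenticate($db, 'wp_users', 'alice', 'wrong password'));
var_dump(wpAuthenticate($db, 'wp_users', "alice' OR '1'='1", 'x'));
```

Two design points carry over to a production authentication source: the users table name comes from configuration (the userstable setting above), so it is validated rather than interpolated blindly, and the login value is always bound as a parameter, which is why the last call finds no user instead of matching every row.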