Connecting OneLogin to WordPress Groups

by | Aug 24, 2017

Photo |

When it comes to administration, you don’t want to be doing a single task multiple times, and in the same vein, you don’t want to be splitting tasks across multiple sites or platforms. This has been a main concern of mine for a while now, but I have finally found a solution! We are using OneLogin to connect our apps via SSO, and one of them is built in WordPress and uses groups.
The standard procedure is to create your users in OneLogin, then jump over to WordPress and assign them to groups. This is fine for one WP site, but what if you want to manage groups across multiple sites? The answer that I ended up with is to write a plugin that glues the two plugins together. In order to help keep everything updated and functioning correctly, I want to avoid touching the existing plugins as much as possible. Before I flipflop between past and present tense again like nobodies business, let’s get into the solution.
To avoid any confusion, here is the SSO plugin I am using, and here is the Groups plugin I am using.
To begin with, we want to set up OneLogin to send the group names we want to use. To do this, we need to got to OneLogin>Apps>WordPress>Parameters>Add Parameter and fill in the Field name box.

Now if we go to OneLogin>Users>{Your User}>Applications>WordPress we will see we have a box for adding our groups to.

So that’s everything sorted on the OneLogin end of things. Now for WordPress! The first thing we want to find is where the SAML packet is being sent. The easiest way to find this is to dig into the SSO plugin code. Go to WordPress>Admin>Plugins>Editor>Select plugin to edit: OneLogin SAML SSO>Select>OneLogin-saml-sso/php/functions.php and scroll down to the saml_acs( ) function. In here we’ll notice a couple variables being set, namely $auth, and $attrs. $attrs is what we want to pass to our custom plugin, but we want to wait until the user ID has been set. This is done further down the function, right near the bottom. It is also helpful for testing to add exit( ); after your function call. This will mean that when we login using SSO, instead of logging into WordPress, we will instead get a printout of our information instead.

Next we’re going to write our function for joining the plugins. In your plugin’s main php file we need to create link_groups( ){ … }. The Idea of this function is to get the attributes passed from OneLogin and the user ID and create/add the user to the groups passed by OneLogin.
Here is the code I used:
function link_groups() {
$user_id = get_current_user_id();
echo((string)$user_id . " ");

$auth = initialize_saml();
$attrs = $auth->getAttributes();
$myArray = explode(',', $attrs["Group"][0]);

foreach($myArray as $group_name){
// Create Group
Groups_Group::create( array( 'name' => $group_name ) );
// Assign Group
$group = Groups_Group::read_by_name($group_name);
// Fetch Group ID
$group_id = $group->group_id;
echo (" New Group ID: " . (string)$group_id);

// Add User to Group
Groups_User_Group::create(array( "user_id" => $user_id, "group_id" => $group_id ) );

Now, when we login using SSO, we get 1 Array ( [0] => Group1 [1] => Group2 [2] => Group3 ) New Group ID: 6 New Group ID: 7 New Group ID: 8. This tells us our user ID is 1, we have received an array of 3 groups from OneLogin, and we have created 3 new WordPress Groups with the ID’s 6, 7, and 8.
If we use the /wp-login.php?normal and go to Admin>Users we see our user is added to our new groups!

And there we have it! The basic functionality of connecting OneLogin SSO to WordPress Groups. This logic can also be used for other SSO and Groups plugins. It can also be extended to include additional logic and functionality, so have a play around.
From hard data to fluid design – Scott

To read all of our WordPress blogs click here

Submit a Comment

Your email address will not be published. Required fields are marked *