Malcolm 'Max' DeRungs

WordPress

Setup Azure SSO

Make sure the site is already set up for SSL (HTTPS); the SSO redirect URLs must be HTTPS.

Update WordPress and update all plugins

Install the SSO for Azure AD plugin

Configure the plugin

Endpoints

  • Copy Redirect URL and Homepage/Login URL
  • Register site in Azure Portal -> App Registry -> new app registration using Endpoints
  • Save Application ID, Client secret, and Directory ID credentials

OAuth

  • Application (client) ID
  • Client secret
  • Directory (tenant) ID
  • Scope: https://graph.microsoft.com/User.Read

Login

  • "Create new users if they don't already exist" => yes
  • Login button text (default) => "Sign in with Azure AD"
  • Save changes

QA tests
  • Go directly to WP site without prior login -> should redirect to Azure AD login page.
  • Go to WP site as a redirect from another site signed in with SSO -> should redirect transparently to destination link page.
  • Go to WP site as a redirect from another site NOT signed in with SSO -> should redirect to Azure AD login page.
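The first and third QA checks above (an anonymous visitor must be sent to the Azure AD sign-in flow) can be run from the command line. The script below is an added example, not part of the original notes or the SSO plugin: it requests a few site URLs with no cookies and checks that the first hop is a redirect to either login.microsoftonline.com or wp-login.php (which the Azure AD plugin then forwards to Microsoft). The site URL is a placeholder, and the second QA check (arriving already signed in from another SSO site) needs a browser session, so it stays manual.

```php
<?php
// Added example: anonymous-visitor redirect check for the QA steps above.
// Requires the PHP curl extension. Run: php sso-qa-check.php

$site = 'https://wp.example.com/';   // placeholder, replace with the real site

// Fetch one URL as an anonymous visitor (no cookies) without following redirects,
// and return the status code plus the Location target of the first hop.
function lcs_first_hop( $url ) {
    $ch = curl_init( $url );
    curl_setopt_array( $ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,
        CURLOPT_FOLLOWLOCATION => false,   // we want the first hop only
        CURLOPT_TIMEOUT        => 15,
    ) );
    curl_exec( $ch );
    $code     = (int) curl_getinfo( $ch, CURLINFO_HTTP_CODE );
    $location = (string) curl_getinfo( $ch, CURLINFO_REDIRECT_URL );
    curl_close( $ch );
    return array( $code, $location );
}

// A pass is a 3xx whose target is the Microsoft sign-in host or the WordPress
// login URL; anything else (200 page content, a 404, a redirect elsewhere) fails.
function lcs_redirects_to_sso( $code, $location ) {
    if ( $code < 300 || $code > 399 || $location === '' ) {
        return false;
    }
    $host = (string) parse_url( $location, PHP_URL_HOST );
    $path = (string) parse_url( $location, PHP_URL_PATH );
    return $host === 'login.microsoftonline.com'
        || substr( $path, -13 ) === '/wp-login.php';
}

// Home page, a single post and a page: each must redirect for an anonymous visitor.
$targets = array( $site, $site . '?p=1', $site . 'blog/' );
$all_ok  = true;
foreach ( $targets as $url ) {
    list( $code, $location ) = lcs_first_hop( $url );
    $pass   = lcs_redirects_to_sso( $code, $location );
    $all_ok = $all_ok && $pass;
    printf( "%s  %s -> %d %s\n", $pass ? 'PASS' : 'FAIL', $url, $code, $location );
}
exit( $all_ok ? 0 : 1 );
```

A non-zero exit code makes the script usable as a post-deploy check; if any line reports a 200, the force-login code is not running for that URL (for example, a theme that does not call header.php for that template).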

Create plugin - force logins and disable emails

Make sure ALL users log in, and disable BOTH default WordPress new user notification emails by overriding the global (pluggable) PHP function.

<?php
/*
Plugin Name: Local Code Snips
Description: Contains custom functions for site
Version: 1.0.0
Author: me
Author URI: me@here.com
*/

// Force anonymous visitors to log in. Called from the theme header (see below).
// auth_redirect() sends the visitor to the login URL with redirect_to set to the
// page they asked for; the Azure AD plugin turns that login URL into the
// Microsoft sign-in page.
function my_force_login() {
    if ( ( is_single() || is_front_page() || is_page() || is_archive() )
        && ! is_page( 'login' )
        && ! is_user_logged_in() ) {
        auth_redirect();
    }
}

// Disable BOTH default WordPress new user notification emails.
// wp_new_user_notification() is pluggable: core only defines it in pluggable.php
// if no plugin already has, and plugins load first, so this empty override
// silences both the admin notice and the new-user email.
if ( ! function_exists( 'wp_new_user_notification' ) ) :
    function wp_new_user_notification( $user_id, $deprecated = null, $notify = '' ) {
        return;
    }
endif;

Save this code as a PHP file, ZIP it, then upload the ZIP to the WordPress site via wp-admin Plugins -> Add New -> Upload Plugin, and activate it.

Edit the <theme> header file
/wp-content/themes/<theme>/header.php

Add a call to the my_force_login() function at the very top of the header file:

<!-- Redirect users to login page -->
<?php my_force_login();?>

<!-- Redirecting users after login based on user role -->
<?php
// Register this filter in the plugin file, not in header.php: login_redirect
// fires inside wp-login.php, where the theme's header is never loaded.
function my_login_redirect( $url, $request, $user ) {
    if ( $user && is_object( $user ) && is_a( $user, 'WP_User' ) ) {
        if ( $user->has_cap( 'administrator' ) ) {
            $url = admin_url();      // admins land on the dashboard
        } else {
            $url = home_url( '/blog/' );   // everyone else lands on the blog
        }
    }
    return $url;
}
add_filter( 'login_redirect', 'my_login_redirect', 10, 3 );
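As an added example (not the page's own plugin), the same force-login and role-based redirect can be done entirely inside the plugin by hooking template_redirect, so header.php never has to be edited and a theme update cannot silently drop the check. It assumes the Azure AD plugin's callback goes through wp-login.php, which never fires template_redirect; the lcs_ prefix and the lcs_public_paths filter are made up for this example.

```php
<?php
/*
Plugin Name: Local Code Snips (hook-based variant)
Description: Added example: force login from the template_redirect hook and register the login redirect in the plugin, so no theme file is edited.
Version: 1.0.0
*/

// Front-end paths anonymous visitors may still fetch. Assumption for this example:
// the Azure AD plugin's callback runs through wp-login.php, which never fires
// template_redirect. If your SSO plugin uses a front-end callback URL instead,
// add its path here (or through the made-up 'lcs_public_paths' filter) or the
// sign-in round trip will loop.
function lcs_public_paths() {
    return apply_filters( 'lcs_public_paths', array() );
}

function lcs_force_login() {
    // Leave admin, AJAX, cron, REST and robots.txt requests alone.
    if ( is_admin() || wp_doing_ajax() || wp_doing_cron() || is_robots() ) {
        return;
    }
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        return;
    }
    if ( is_user_logged_in() ) {
        return;
    }
    $path = untrailingslashit( (string) wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) );
    if ( in_array( $path, array_map( 'untrailingslashit', lcs_public_paths() ), true ) ) {
        return;
    }
    // Same effect as the page's my_force_login(): auth_redirect() sends the visitor
    // to the login URL with redirect_to set to the page they asked for, and the
    // Azure AD plugin turns that login URL into the Microsoft sign-in page.
    auth_redirect();
}
// template_redirect runs on every front-end page view, but not in wp-admin or wp-login.php.
add_action( 'template_redirect', 'lcs_force_login' );

// Role-based landing page after login. login_redirect fires inside wp-login.php,
// where the theme's header.php is never loaded, so the filter must live in a plugin.
function lcs_login_redirect( $url, $request, $user ) {
    if ( $user instanceof WP_User ) {
        // Test the capability rather than the role name so any role that was
        // granted admin rights lands on the dashboard too.
        $url = user_can( $user, 'manage_options' ) ? admin_url() : home_url( '/blog/' );
    }
    return $url;
}
add_filter( 'login_redirect', 'lcs_login_redirect', 10, 3 );

// Silence both core new-user e-mails. The override must sit in a plugin because
// plugins load before pluggable.php, where core would otherwise define it.
if ( ! function_exists( 'wp_new_user_notification' ) ) {
    function wp_new_user_notification( $user_id, $deprecated = null, $notify = '' ) {
        // intentionally empty
    }
}
```

With this in place the header.php edit is unnecessary; keep one approach or the other, not both, so that the redirect logic has a single place to be reviewed.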

Other useful modifications

Disable new user registration emails
https://smartwp.com/disable-wordpress-new-user-notification-email/