
Configure CERN SSO

The OpenID Connect Generic Client plugin allows users to login by using their CERN account, and it comes installed by default in our WordPress instance.

To configure it, make sure you have followed the instructions under 1-configure-wordpress.md.

To proceed, on the left side of the window, navigate to Settings > OpenID Connect Client:

image-8.png

In this new window, we will need to configure several fields.

image-14.png

For the Client ID and Client Secret Key fields, we can re-use the ones that come with our namespace. To do so, navigate back to the https://app-catalogue.cern.ch cluster, select your WordPress project, change the environment to Administrator, and under Workloads, go to Secrets. Click on the oidc-client-secret secret resource:

image-9.png

Once in the oidc-client-secret secret window, copy the values of clientID and clientSecret by clicking on the Reveal values button on the right:

image-10.png

Now, back to the WordPress administration page, paste these values under their corresponding fields:

image-11.png

Other mandatory fields needed:

  • OpenID Scope: openid
  • Login Endpoint URL: https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/auth
  • Userinfo Endpoint URL: https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/userinfo
  • Token Validation Endpoint URL: https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/token
  • End Session Endpoint URL (replace <my-site> with your site name): https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/logout?redirect_uri=https://<my-site>.web.cern.ch
  • Link Existing Users: ☑ (checked). This is important: if your CERN account was set as the WordPress admin email, login with this account will fail if this option is left unchecked. See the troubleshooting section.

Finally, click on Save Changes to persist your changes.
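Before saving, it is worth checking the values against a few invariants, since a wrong endpoint host or a logout redirect pointing away from your own site are easy to miss in a form. The following script is an added example, not part of this documentation or of the OpenID Connect Generic Client plugin: it takes the field values above as a plain dictionary (the dictionary keys are illustrative names chosen here, not the plugin's own option names) and reports anything that is not HTTPS, not on auth.cern.ch, not at the expected realm path, or whose logout redirect_uri does not point back at your site. The SITE value and the client ID/secret are constructed placeholders; the real ones come from your oidc-client-secret.

```python
"""Sanity checks for the OpenID Connect client settings before clicking Save Changes.

Added example; the settings dictionary keys and SITE are assumptions, not plugin internals.
"""
from urllib.parse import urlparse, parse_qs

IDP_HOST = "auth.cern.ch"                                   # identity provider host from the page
IDP_PATH_PREFIX = "/auth/realms/cern/protocol/openid-connect/"
SITE = "https://my-site.web.cern.ch"                        # constructed stand-in for https://<my-site>.web.cern.ch

# Constructed sample values mirroring the form fields; client_id/client_secret are placeholders.
SETTINGS = {
    "client_id": "placeholder-client-id",
    "client_secret": "placeholder-client-secret",
    "scope": "openid",
    "endpoint_login": "https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/auth",
    "endpoint_userinfo": "https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/userinfo",
    "endpoint_token": "https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/token",
    "endpoint_end_session": "https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/logout"
                            "?redirect_uri=https://my-site.web.cern.ch",
    "link_existing_users": True,
}


def check_idp_endpoint(url: str, expected_path: str) -> list[str]:
    """Problems with one provider endpoint: must be https, on IDP_HOST, at the expected realm path."""
    problems = []
    u = urlparse(url)
    if u.scheme != "https":
        problems.append(f"{url}: not https (authorization codes and the client secret would travel in clear)")
    if u.hostname != IDP_HOST:
        problems.append(f"{url}: host is {u.hostname!r}, expected {IDP_HOST!r}")
    if u.path != IDP_PATH_PREFIX + expected_path:
        problems.append(f"{url}: path is {u.path!r}, expected {IDP_PATH_PREFIX + expected_path!r}")
    return problems


def check_logout_redirect(url: str, site: str) -> list[str]:
    """The logout endpoint's redirect_uri must send the browser back to our own site, nowhere else."""
    problems = check_idp_endpoint(url, "logout")
    targets = parse_qs(urlparse(url).query).get("redirect_uri", [])
    if len(targets) != 1:
        problems.append(f"{url}: expected exactly one redirect_uri, found {len(targets)}")
        return problems
    target, own = urlparse(targets[0]), urlparse(site)
    if (target.scheme, target.hostname) != (own.scheme, own.hostname):
        problems.append(f"redirect_uri {targets[0]!r} does not point at {site!r}")
    return problems


def validate_settings(settings: dict, site: str = SITE) -> list[str]:
    """Return human-readable problems; an empty list means the form values are consistent."""
    problems = []
    if not settings.get("client_id") or not settings.get("client_secret"):
        problems.append("client_id and client_secret must both be set (copy them from oidc-client-secret)")
    if "openid" not in settings.get("scope", "").split():
        problems.append("scope must include 'openid'")
    problems += check_idp_endpoint(settings.get("endpoint_login", ""), "auth")
    problems += check_idp_endpoint(settings.get("endpoint_userinfo", ""), "userinfo")
    problems += check_idp_endpoint(settings.get("endpoint_token", ""), "token")
    problems += check_logout_redirect(settings.get("endpoint_end_session", ""), site)
    if not settings.get("link_existing_users"):
        problems.append("link_existing_users is unchecked: login with the WordPress admin email account will fail")
    return problems


if __name__ == "__main__":
    for line in validate_settings(SETTINGS) or ["all checks passed"]:
        print(line)
```

Run it with your own values substituted into SETTINGS and SITE; any printed line other than "all checks passed" is something to fix in the form before saving. The host and path checks are deliberately strict so that a typo that silently sends the token exchange to the wrong host is caught rather than discovered at first login.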

Note that the Redirect URI value is automatically propagated to the application in the application portal by the operator, and no further action is needed.

From now on, if we access https://<my-site>.web.cern.ch/wp-admin, we should see the corresponding OIDC button that will allow us to log in with our CERN account.

image-15.png

If we want the CERN SSO login page to appear instead of this, we must set Login Type to Auto Login - SSO under the previous OpenID Connect Client settings.

Info

Note that from now on, if we log in with the CERN account matching the WordPress admin email set when provisioning the WordPress instance in 2-create-wordpress-instance.md, we will see that this account has been automatically mapped to the local admin account.

Access control for our WordPress site

It might happen that we want our WordPress site to be accessed only through CERN SSO, i.e., requiring users to log in before they can access the site. To accomplish this, after completing the CERN SSO configuration above, we need to do the following:

First, we need to access the administrative part of our WordPress site by going to https://<my-site>.web.cern.ch/wp-admin and logging in as administrator.

Once in, we go to Settings > OpenID Connect Client:

image-53.png

Then, scroll down until you find the Enforce Privacy setting, and ensure it's ☑ (checked). Finally, Save.

image-54.png

At this point, if you access https://<my-site>.web.cern.ch/, you will be required to log in in order to see the site.

Restrict access control to a specific e-group

Who will be able to log in to our WordPress site? This can be configured by going to our Application portal and looking for the registered application of our WordPress site. If your WordPress site is https://<my-site>.web.cern.ch/, then we should look for the application registration webframeworks-app-catalogue-<my-site> (if in the staging cluster, look for webframeworks-app-cat-stg-<my-site>).

By default, there is a Role called Default Allowed Users, configured with an EduGain with SIRTIFI Level of Assurance. See Role requirements for a more detailed explanation. Basically, this Role ensures that people with a CERN account, plus people from institutions that are part of the EduGain identity federation, can log in to (can see) your site.

In the case that we want to restrict access to our WordPress site to a specific e-group, we need to edit the default Role.

image-55.png

In the new window, uncheck the option This role applies to all authenticated users and Submit the change.

image-56.png

The resulting Role will be as follows. We now just need to click on Assign role to groups:

image-57.png

And finally add the e-group that will be able to access our WordPress site.

image-58.png

Voila, only members of the selected e-group will be able to access your https://<my-site>.web.cern.ch/ WordPress site.

Info

You must ensure that administrators of the WordPress site belong to the aforementioned e-group. Otherwise, they won't be able to administer your WordPress site anymore!

Troubleshooting

I've left Link Existing Users unchecked, and when trying to log in with my CERN account, I get the following:

image-16.png

This happens when you are using the account that was provided as the WordPress admin email (when creating the WordPress instance) and Link Existing Users is unchecked.

To mitigate this, ensure that Link Existing Users under the OpenID Connect Client settings is ☑ (checked).