cPanel, configuring the WordPress Shibboleth Plugin

Prerequisites

1. Install and Activate the Shibboleth Plugin

Configuring Shibboleth Plugin

1. Log in to your WordPress dashboard using an account with the Administrator role
2. Select Settings->Shibboleth from the left sidebar
3. Enter the settings suggested below, or read the inline documentation within the plugin and the notes below if you need to modify the recommended behavior for your use case

General tab settings

• Login URL: <site base url>/Shibboleth.sso/Login
• Logout URL: <site base url>/Shibboleth.sso/Logout
• Password Change https://identity.uillinois.edu
• Password Reset https://identity.uillinois.edu
• Attribute Access: Environment Variables
• Default Login Method: unchecked
• Automatic Login: unchecked
• Disable Local Authentication: unchecked
• Button Text: Illinois Login

Notes:

• If you choose, checking Default Login Method will direct all visitors to shibboleth for logging in
• If you choose, checking Automatic Login will automatically log a user in if they already have a shibboleth session from another website
• If you choose, checking Disable Local Authentication will disable all Local WordPress accounts. This is more secure, but only recommended after shibboleth has been tested. If you check this box when you are initially configuring shibboleth, you may find yourself locked out of your WordPress dashboard
• We recommend Illinois Login for the button text, but you can use any text you think your users will understand and find meaningful

User tab settings

• Username: eppn
• First Name: givenName
• LastName: sn
• Nick Name: eppn
• Display Name: displayName
• Email: eppn
• Automatically Create Accounts:
  • If you are using AD role mapping, check the box.
  •  If you want to manually manage account creation and assignment, do not check the box.
• Combine Local and Shibboleth Accounts: Allow Automatic Account Merging
• Manual Account Merging: Allow Manual Account Merging

Notes:

1. If you choose to check Automatically Create Accounts, be sure to set your "Default Role" in the Authorization tab to "Skip No Role account creation" or "Subscriber". If you do not set up AD Role mapping, you are likely to get large numbers of accounts created by random visitors and bots.

Authorization tab settings

• Header Name
  • member for any roles you are mapping
  • blank for roles you are not mapping
• Header Value
  • urn:mace:uiuc.edu:urbana:YOUR OU:YOUR SUBFOLDER:YOUR GROUP FOR THIS ROLE
  • blank for roles you are not mapping
  • Make sure that the urn:mace part is entered in all lower case in your actual entry.
• Default Role
  
  • check "Update User Roles" if you want to manage roles exclusively through AD (safer)
  • Leave "Update User Roles" unchecked if you want to manage/modify roles directly from the WordPress dashboard

Notes:

• If you are not using Active Directory role mapping, delete any example values given for each of the roles.
• Default Role should only ever be set to Skip no role account creation or Subscriber
• If you check "Update User Roles," removing a user from your active directory group will remove them from that assigned role when they next log in
• If you do not check "Update User Roles," you can change a user's role manually, but changes to their AD groups will not effect their wordPress access after initial account creation

Logging tab settings