Prerequisites

1. Install and Activate the Shibboleth Plugin

Configuring Shibboleth Plugin

1. Log in to your WordPress dashboard using an account with the Administrator role
2. Select Settings->Shibboleth from the left sidebar
3. Enter the settings suggested below, or read the inline documentation within the plugin and the notes below if you need to modify the recommended behavior for your use case

General tab settings

• Login URL: <site base url>/Shibboleth.sso/Login
• Logout URL: <site base url>/Shibboleth.sso/Logout
• Password Change https://identity.uillinois.edu
• Password Reset https://identity.uillinois.edu
• Attribute Access: Environment Variables
• Default Login Method: unchecked
• Automatic Login: unchecked
• Disable Local Authentication: unchecked
• Button Text: Illinois Login

Notes:

• If you choose, checking Default Login Method will direct all visitors to shibboleth for logging in
• If you choose, checking Automatic Login will automatically log a user in if they already have a shibboleth session from another website
• If you choose, checking Disable Local Authentication will disable all Local WordPress accounts. This is more secure, but only recommended after shibboleth has been tested. If you check this box when you are initially configuring shibboleth, you may find yourself locked out of your WordPress dashboard
• We recommend Illinois Login for the button text, but you can use any text you think your users will understand and find meaningful

User tab settings

• Username: eppn
• First Name: givenName
• LastName: sn
• Nick Name: eppn
• Display Name: displayName
• Email: eppn
• Automatically Create Accounts:
  • If you are using AD role mapping, check the box.
  •  If you want to manually manage account creation and assignment, do not check the box.
• Combine Local and Shibboleth Accounts: Allow Automatic Account Merging
• Manual Account Merging: Allow Manual Account Merging

Notes:

1. If you choose to check Automatically Create Accounts, be sure to set your "Default Role" in the Authorization tab to "Skip No Role account creation" or "Subscriber". If you do not set up AD Role mapping, you are likely to get large numbers of accounts created by random visitors and bots.

Authorization tab settings

• Header Name
  • member for any roles you are mapping
  • blank for roles you are not mapping
• Header Value
  • urn:mace:uiuc.edu:urbana:your ou:your subfolder:your group for this role
  • blank for roles you are not mapping
  • Make sure that the header value is entered in all lower case.
• Default Role
  
  • check "Update User Roles" if you want to manage roles exclusively through AD (safer)
  • Leave "Update User Roles" unchecked if you want to manage/modify roles directly from the WordPress dashboard

Notes:

• If you are not using Active Directory role mapping, delete any example values given for each of the roles.
• Default Role should only ever be set to Skip no role account creation or Subscriber
• If you check "Update User Roles," removing a user from your active directory group will remove them from that assigned role when they next log in
• If you do not check "Update User Roles," you can change a user's role manually, but changes to their AD groups will not effect their wordPress access after initial account creation

Logging tab settings 

Important Note 1

If you are using BOTH the WordPress shibboleth plugin as described here and also cPanel, Using Shibboleth to control who can see your website, you will need to manually update your .htaccess file after installing the shibboleth plugin. You will need to remove the sections added by the shibboleth plugin. If you do not, the more permissive settings the plugin adds to the .htaccess file will override your access restrictions. These lines will normally be at the very end of your .htaccess file and look like this:

# BEGIN Shibboleth
# The directives (lines) between "BEGIN Shibboleth" and "END Shibboleth" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_shib>
AuthType shibboleth
Require shibboleth
</IfModule>
<IfModule mod_shib.c>
AuthType shibboleth
Require shibboleth
</IfModule>
<IfModule mod_shib.cpp>
AuthType shibboleth
Require shibboleth
</IfModule>
# END Shibboleth

Important Note 2

Some users are members of very many AD groups. Since the member attribute contains all of their group memberships, it is possible for this number to be so large that the web server cannot process the header that is sent for that user. For this reason, we have created a shortened member attribute for you to use. Using the shorter member attribute is preferred, but the configuration is more complicated, as it requires direct modification of the .htaccess file. To use the shortened attribute, edit your .htaccess file so that everywhere you see:

AuthType shibboleth
Require shibboleth

It instead reads:

AuthType shibboleth
ShibRequestSetting applicationId uofi-short-member
Require shibboleth

Then, when specifying your group names in the WordPress plugin, exclude the urn:mace:uiuc.edu portion and begin with the urbana token, so

• urbana:your ou:your subfolder:your group for this role

Group Name Tools

https://listmyadgroups.web.illinois.edu has tools to list the AD groups you are personally a member of in formats needed to make this plugin work. If you are not a member of the group you wish to authorize, you can ask that a member of that group log in to the tool and provide you with the group name[s] needed.