Though there are a ton of LDAP (LDAPS) plugins in the WordPress.org plugin library, the best one I’ve found for setting up LDAPS on WP Engine (especially for Azure Microsoft Active Directory) is actually not listed there, but on GitHub here.

Organizations with Office 365 already have Azure Microsoft Active Directory and just need the above plugin to integrate it. With it, you can map security group membership to WordPress user roles while preserving the standard WordPress login.

Typical usage:

  1. A user attempts to access the admin section of the blog (wp-admin). At the sign-in page, they are given a link to sign in with their Azure Active Directory organization account (e.g. an Office 365 account), or they are force-redirected to the external Azure Active Directory login page (depending on a plugin setting).
  2. After signing in, they are redirected back to the blog with a JSON Web Token (JWT), containing a minimal set of claims.
  3. The plugin uses these claims to attempt to find a WordPress user with the Azure AD ID that matches the Azure Active Directory user.
  4. If one is found, the user is authenticated in WordPress as that user.
  5. Membership to certain groups in Azure AD can be mapped to roles in WordPress.

Setting up user roles:

In this case, we will be configuring the plugin to use the user roles which are configured in WordPress.

After installing the plugin, create an Azure Active Directory application:

  1. Sign in to the Azure portal, navigate to the Azure Active Directory section and choose the directory (tenant) that you would like to use. This should be the directory containing the users and (optionally) groups that will have access to your WordPress blog.
  2. Under the APPLICATIONS tab, click ADD to register a new application. Choose ‘Add an application my organization is developing’, enter a recognisable name, then choose values for sign-in URL and App ID URL. The blog’s URL is usually a good choice.
  3. When the app is created, under the CONFIGURE tab, generate a key and copy the secret value (it will be visible once only, after you save).
  4. Add a reply URL with the format: https://<your blog url>/wp-login.php.
  5. The plugin can be configured in wp-admin > Settings > AAD Settings.
  6. (Optional) Set WordPress roles based on Azure AD group membership

The AADSSO plugin can be configured to set different WordPress roles based on the user’s membership to a set of user-defined groups. This is a great way to control who has access to the blog, and under what role.

You will need to enable the permissions for your Azure Active Directory application. In the ‘CONFIGURE’ tab, under the ‘permissions to other applications’ heading, it needs to have Delegated Permission to “Read Directory Data” and “Enable sign-on and read users’ profiles”.

Configuring the plugin:

Once your application permissions have been updated, you will need to update the plugin’s configuration in Settings > AAD Settings:

  • Enable role mapping must be checked.
  • There are inputs for several common WordPress roles, Administrator, Editor, Author, Contributor, and Subscriber. The inputs expect the Azure Active Directory group object IDs. You can find the group object IDs under the Active Directory ‘GROUPS’ tab.
  • You will see a listing of any custom groups that exist for that directory.
  • Click on the one you want the ID for.
  • Click on the ‘PROPERTIES’ tab.
  • At the bottom, you’ll see the value you need in the ‘OBJECT ID’ setting.
  • Mappings from custom WordPress roles to Active Directory groups can be added in the Custom role mapping box by placing one mapping per line in the format: <wp_role> <aad_group_id>.
  • Users are matched by the Azure AD login IDs in WordPress, and WordPress roles are dictated by membership to a given Azure AD group. If the user is not a part of any of these groups, they are assigned the default new user role in WordPress, or you can specify the default role in the plugin’s configuration settings.
  • Once all of the above is in place, contact WP Engine so they can enable the LDAPS configuration required on the server side.

The “S” in LDAPS – a note on SSL:

LDAPS access does not require SSL to be installed on the WP Engine server. It merely requires that an SSL Certificate be installed on the server that you are connecting to for Directory Service. That being the case, WP Engine only needs the CA Certificate that signed the SSL Certificate that the Directory Server is using. If you’re unable to provide that certificate, or are unaware of what SSL Certificate the Directory Server is using, a simple test can actually obtain that certificate from the server.

Run this from your terminal (replacing ldap.example.crt with the certificate file for your LDAP service domain):

openssl x509 -in ldap.example.crt -text -noout | grep "CA Issuers"

Then run wget with the URL output by the above command to grab the cert. Once you have it, create a directory in the root of your site called /cacerts and upload it there.

Next, create a file called ldaprc in the root of your site and paste in the following line (replacing certfilename.cer with the name of the file you uploaded to /cacerts):

TLS_CACERT cacerts/certfilename.cer

At this point it would be a good idea to reach out to WP Engine support and ask them to add these two lines to the nginx configuration so that those directories aren’t publicly accessible:

location /ldaprc { return 403; }
location ~ /cacerts/ { return 403; }
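
The certificate steps above, as an added shell example that is not part of the original article: it reads the CA Issuers URL from a server certificate, converts a downloaded CA file to PEM, and writes ldaprc only once openssl verify confirms that the CA issued the server certificate. The example.test names, the file names and the throwaway CA it generates are constructed; it assumes OpenSSL 1.1.0 or later for -no-CApath.

```shell
#!/bin/sh
# Added example (not from the original article). Hosts, paths and file names are constructed.

# Print the CA Issuers URL from a certificate's Authority Information Access extension.
ca_issuers_url() {  # ca_issuers_url <server.pem>
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *CA Issuers - URI://p'
}

# Files published at a CA Issuers URL are usually DER; TLS_CACERT expects PEM.
to_pem() {  # to_pem <downloaded.cer> <out.pem>
    openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null ||
        openssl x509 -inform PEM -in "$1" -out "$2"
}

# Succeed only if the server certificate verifies against the candidate CA file alone
# (-no-CApath keeps the system trust store out of the decision).
issued_by() {  # issued_by <ca.pem> <server.pem>
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Copy the CA into <site_root>/cacerts and write ldaprc, but only after verification.
write_ldaprc() {  # write_ldaprc <site_root> <ca.pem> <server.pem>
    issued_by "$2" "$3" || { echo "refusing: $2 did not issue $3" >&2; return 1; }
    mkdir -p "$1/cacerts" && cp "$2" "$1/cacerts/" &&
        printf 'TLS_CACERT cacerts/%s\n' "$(basename "$2")" > "$1/ldaprc"
}

# Constructed fixture: a throwaway CA and a server certificate that names it in AIA.
make_fixture() {  # make_fixture <dir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    printf 'authorityInfoAccess = caIssuers;URI:http://pki.example.test/ca.cer\n' > "$1/ext.cnf" &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days 1 -extfile "$1/ext.cnf" -out "$1/srv.pem" 2>/dev/null
}

# Run the whole flow on the constructed fixture in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    make_fixture "$d" && ca_issuers_url "$d/srv.pem" &&
        write_ldaprc "$d/site" "$d/ca.pem" "$d/srv.pem" && cat "$d/site/ldaprc"
    rc=$?; rm -rf "$d"; return "$rc"
}
demo
```

With a real directory server, replace the fixture with the server's certificate and the file fetched from its CA Issuers URL; a failed check means the downloaded file is not the issuer and should not be uploaded to /cacerts.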

All set! Though you may want to test the LDAPS connection with WP Engine support. They have some steps to assist with this, which are best handled through their live chat support.

NOTE: Please use port 636 for LDAPS connections. If that’s not possible do let a member of WP Engine support know and they should be able to help.

Most common errors with Azure not working (check that each of the following is true):

  • Your subscription isn’t expired.
  • The user account is enabled.
  • The user account isn’t locked out.
  • The correct user name and password are used.
  • The password isn’t a temporary password. (This issue may occur if the user account is a new account or if the password was recently reset.)
  • The password isn’t expired.
  • You’re not blocked from signing in.
  • If you’re a federated user, single sign-on (SSO) is working.

Alternative method:

There is also a middle-man service called Bitium that officially integrates WP Engine installs with Microsoft Active Directory. A really cool feature of Bitium is that it has a browser extension for SSO. Interestingly, you can install the WP Engine app within Bitium and have SSO managed exclusively from the Bitium dashboard, without any other Active Directory like Azure.

It is a paid solution but it cuts out most of the technical stuff. It’s cheap enough: the plans currently range from $3 to $8 per month, and it might be a good solution for ease of use.

More info on this here.

Worth mentioning:

Similar to Bitium, OneLogin includes a WP Engine Customer Portal SSO among a library of over 3,000 apps. Custom connectors can be made but it’s mostly a password store and basic SSO. Not a hugely intuitive setup and doesn’t seem to be kept up to date very well. I wouldn’t recommend it at this point.

More info on this here.

UPDATED: When multiple systems track your visitors’ IP addresses (such as Azure Active Directory and WP Engine), you may want to check out our article on GDPR and IP Address Logging.

Commercial LDAP services:

Free LDAP services:


Copyright © 2019 Nodeflame

HOW TO: Set up Azure Active Directory (LDAPS) on WP Engine

by nodeflame time to read: 7 min