Create a SAML App

Define a SAML app in the Google Admin dashboard to which you can connect your WordPress site

Contributors: Alex Fornuto, Daniel Bachhuber.


In this step, we'll create a custom Google Apps SAML application. This will be the gateway between the users in our Google organization and WordPress. We'll also define which Google users have access to the app.

Define a new SAML App

  1. Find the SAML Apps dashboard in the Google Apps admin, and click Add a service/App to your domain:

    Google Apps SAML No Apps

  2. When the modal opens, select SETUP MY OWN CUSTOM APP:

    Google Apps Enable SAML

IdP Information

  1. The Google IdP Information modal provides values and a certificate to pass back to the WP SAML Auth plugin. The key details are in the Option 1 section:

    Google IdP Information

    • SSO URL: URL for WordPress to redirect to when initiating the SSO process.

    • Entity ID: How WordPress knows to recognize Google Apps.

    • Certificate: How Google Apps knows to trust a request coming from WordPress.

  2. Copy the SSO URL and Entity ID values and paste them into the corresponding fields under Identity Provider Settings on the plugin settings page:

    Values from the Google SAML App copied to the WP SAML Auth settings

  3. Download the certificate file and place it in your site's private directory so it's inaccessible from the web. You can upload the file over SFTP and then commit it with Terminus, or add it to a local clone of the Git repository and push. If you choose the latter, you will need to first switch the connection mode to Git:

    # Option A: upload over SFTP, then commit the change with Terminus
    sftp -o Port=2222 google-saml.1f2a347b....0@appserver.google-saml.1f2a347b....drush.in
    sftp> cd code/private/
    sftp> put GoogleIDPCertificate-mydomain.com.pem
    Uploading GoogleIDPCertificate-mydomain.com.pem to /srv/bindings/972dd.../code/private/GoogleIDPCertificate-mydomain.com.pem
    GoogleIDPCertificate-mydomain.com.pem                                                                            100% 1253    27.6KB/s   00:00
    sftp> quit
    terminus env:commit --message "Added the Google IDP Certificate to a protected path" $site.$env
     [notice] Your code was committed.

    # Option B: switch the environment to Git mode, then commit and push from a local clone
    terminus connection:set $site.$env git
    git add private/GoogleIDPCertificate-mydomain.com.pem
    git commit -m "Added the Google IDP Certificate to a protected path"
    git push origin $env # or master, if working on the dev environment
  4. Add the certificate path to the WP SAML Auth plugin settings, using the ABSPATH variable:

    The x509 Certificate Path field, filled out as ABSPATH/private/certfile.pem

  5. Click Save Changes on the plugin settings page, and Next on the Google App modal.

  6. On the Basic Information page, add a name for your app that you'll recognize in a year's time:

    Google App Name

    You can also add a description and logo at this stage. Remember, the more detail you provide now, the easier it will be for you or someone else to review this configuration in the future. Click NEXT to continue.

Service Provider Information

  1. The Service Provider Details modal asks for information from the WP SAML Auth plugin, which is the SAML service provider for our WordPress site. Refer back to the plugin settings page for the ACS (Assertion Consumer Service) URL, Entity ID, and Start URL (listed as Base URL). Copy and paste these values:

    Google App SAML Service Provider Details

    Once you've filled out these fields, click NEXT.

  2. On the Attribute Mapping page, specify the attributes you'd like Google Apps to return in the SAML response, and the keys you'd like to use for those attributes.

    Without any additional configuration, WP SAML Auth understands this attribute mapping:

    SAML IdP (Google Apps) -> WordPress
    email                  -> user_email
    uid                    -> user_login
    first_name             -> first_name
    last_name              -> last_name

    Click ADD NEW MAPPING, and map at least one identifying attribute. Using email as an example:

    An example of the email attribute mapped to the Primary Email value in the Google SAML App

  3. Click FINISH and your application is created!

    You can safely dismiss the Setting up SSO warning, as we'll provide additional configuration later:

    A warning modal saying You'll need to upload Google IDP data on your app to complete SAML configuration process
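The same settings this guide enters by hand (the IdP values from step 1 of IdP Information, the certificate path from step 4, the service provider details and the attribute mapping above) can be kept in version control through the plugin's `wp_saml_auth_option` filter. The following is an added example, not code from Pantheon or from the WP SAML Auth plugin; it assumes a must-use plugin file such as `wp-content/mu-plugins/wp-saml-auth-config.php`, that `ABSPATH . 'private/'` is the web-inaccessible directory used in the upload step, and that the IdP entity ID and SSO URL marked `PLACEHOLDER` are replaced with the values copied from the Google IdP Information modal.

```php
<?php
/**
 * Added example (not Pantheon's or the WP SAML Auth plugin's own code).
 * Returns the plugin's options from code instead of the settings page.
 *
 * Assumptions: the IdP URLs below are labelled placeholders to be replaced with
 * the values shown in Google's IdP Information modal; the certificate file name
 * follows the guide's example (GoogleIDPCertificate-mydomain.com.pem).
 */
function mysite_wp_saml_auth_option( $value, $option_name ) {
	// Certificate committed to the private directory in step 3; not reachable over HTTP.
	$cert_path = ABSPATH . 'private/GoogleIDPCertificate-mydomain.com.pem';

	$settings = array(
		// Use the OneLogin library bundled with the plugin.
		'connection_type' => 'internal',
		'internal_config' => array(
			// strict: reject SAML responses that are unsigned or fail validation.
			'strict'  => true,
			'debug'   => false,
			'baseurl' => home_url(),
			// Service provider (this WordPress site): the Entity ID and ACS URL you
			// pasted into Google's Service Provider Details modal.
			'sp'  => array(
				'entityId'                 => 'urn:' . parse_url( home_url(), PHP_URL_HOST ),
				'assertionConsumerService' => array(
					'url'     => home_url( '/' ),
					'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
				),
			),
			// Identity provider (Google Apps): values from the IdP Information modal.
			'idp' => array(
				'entityId'            => 'PLACEHOLDER_GOOGLE_ENTITY_ID',
				'singleSignOnService' => array(
					'url'     => 'PLACEHOLDER_GOOGLE_SSO_URL',
					'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
				),
				// PEM contents of the downloaded IdP certificate, used to verify the
				// signature on the responses Google sends back. Empty if unreadable,
				// which makes strict mode reject every login rather than skip the check.
				'x509cert' => is_readable( $cert_path ) ? file_get_contents( $cert_path ) : '',
			),
		),
		// Attribute mapping: the plugin's default keys, matching the table above.
		'get_user_by'            => 'email',
		'user_login_attribute'   => 'uid',
		'user_email_attribute'   => 'email',
		'first_name_attribute'   => 'first_name',
		'last_name_attribute'    => 'last_name',
		'display_name_attribute' => 'display_name',
		// Create a WordPress account for a Google user on first login, lowest role by default.
		'auto_provision'  => true,
		'default_role'    => 'subscriber',
		// Keep the username/password form available for recovery; set false to require SSO.
		'permit_wp_login' => true,
	);

	return array_key_exists( $option_name, $settings ) ? $settings[ $option_name ] : $value;
}
add_filter( 'wp_saml_auth_option', 'mysite_wp_saml_auth_option', 10, 2 );
```

Each Google attribute you map on the Attribute Mapping page must use the key named in the corresponding `*_attribute` option (so mapping Primary Email to `email` satisfies `user_email_attribute`); `strict` stays `true` so a missing or wrong certificate fails closed instead of accepting unverified assertions.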

See Also