This plugin is for a very specific use case: Your WordPress website is part of an organization that uses OpenID Connect (OIDC) for web single-sign-on as well as for group-based authorization. In that case, this plugin will let you restrict access to parts of your WordPress website based on OIDC login and group membership information.
This plugin has been tested with:
- Shibboleth OIDC using the eduperson_ismemberof attribute for LDAP group membership.
Features
- Allow site visitors to log in via OIDC without needing a WordPress user account.
- Optionally allow WordPress users to log in via OIDC instead of using their WordPress password.
- Optionally restrict access to the entire site to logged-in users or only members of specific groups.
- Optionally restrict access to specific pages and posts to logged-in users or only members of specific groups.
- Show parts of pages/posts/widgets only to logged-in users or members of specific groups.
- Access restrictions apply to site visitors, feeds, the REST API, and XMLRPC.
- Shortcodes (Gutenberg blocks planned for a future release)
umich_oidc_button – Generate a login or logout button.
umich_oidc_link – Generate a login or logout link.
umich_oidc_logged_in – Show content only if the visitor is logged in.
umich_oidc_member – Show content only if the visitor is a member of one or more of the specified groups.
umich_oidc_not_logged_in – Show content only if the visitor is NOT logged in.
umich_oidc_not_member – Show content only if the visitor is NOT a member of any of the specified groups.
umich_oidc_url – Generate a login or logout URL.
umich_oidc_userinfo – Display information about the currently-logged-in OIDC user.
Restricting private content in search results
Restricting access to particular pages/posts also keeps their content out of web search engine results: crawlers are not logged in, so they are prompted to log in rather than served the restricted content.
Search results from WordPress’ built-in search will only show content that the searching user has access to.
WARNING: WordPress search plugins may bypass these checks and show content that the user does not have access to, leaking private information. Please test search plugins before enabling them. If a search plugin provides an appropriate WordPress hook for limiting search results, contact us and we may be able to add support for it to UMich OIDC Login.
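The access rules from the feature list above (site-wide or per-post restriction to logged-in users or to members of specific groups) and the search-result filtering described in this section, modelled as an added example. This is illustrative Python, not code from the UMich OIDC Login plugin (which is written in PHP). The eduperson_ismemberof claim name follows the Shibboleth note above; the group names, posts, claim payloads and the helper functions (visitor_from_claims, decide, search_filtered, search_leaky) are constructed for the example. It goes slightly beyond the page by distinguishing "prompt to log in" from "access denied", and by showing how an alias that is not an official group name is dropped before any check runs.

```python
"""Added example (not plugin code): OIDC group-based access decisions and
search filtering modelled in Python. The claim name follows the Shibboleth
note; group names, posts and claim payloads are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Union

GROUP_CLAIM = "eduperson_ismemberof"       # membership claim released by the IdP

# Official group names entered once on the settings page (constructed).
# Only exact matches count: an alias such as "editors" never matches.
ALLOWED_GROUPS = frozenset({"wp-editors", "O'Brien's Lab", "staff"})

LOGGED_IN = "logged-in"                    # rule: any authenticated visitor
Access = Union[None, str, FrozenSet[str]]  # None = public, LOGGED_IN, or a group set


@dataclass(frozen=True)
class Visitor:
    sub: Optional[str]                     # None for an anonymous visitor
    groups: FrozenSet[str] = frozenset()

    @property
    def logged_in(self) -> bool:
        return self.sub is not None


def visitor_from_claims(claims: Optional[dict]) -> Visitor:
    """Map OIDC claims (None when nobody is logged in) to a Visitor."""
    if claims is None:
        return Visitor(sub=None)
    raw = claims.get(GROUP_CLAIM, [])
    if isinstance(raw, str):               # a single membership may arrive as a bare string
        raw = [raw]
    # Intersect with the configured names: unknown names or aliases never grant access.
    return Visitor(sub=claims["sub"], groups=frozenset(raw) & ALLOWED_GROUPS)


def decide(visitor: Visitor, site_access: Access, post_access: Access) -> str:
    """Return "allow", "login" (send the visitor to the IdP) or "deny".

    The site-wide rule is checked before the per-post rule. An anonymous
    visitor hitting any restriction is asked to log in rather than shown
    "Page Not Found"; a logged-in visitor who is in none of the listed
    groups is denied.
    """
    for rule in (site_access, post_access):
        if rule is None:                   # public
            continue
        if not visitor.logged_in:
            return "login"
        if rule == LOGGED_IN:              # any authenticated visitor is fine
            continue
        if not (visitor.groups & rule):    # needs membership in at least one listed group
            return "deny"
    return "allow"


@dataclass
class Post:
    title: str
    body: str
    access: Access = None


def search_leaky(posts: Iterable[Post], query: str) -> List[str]:
    """A search plugin that ignores access rules: leaks restricted titles."""
    return [p.title for p in posts if query in p.body]


def search_filtered(posts: Iterable[Post], visitor: Visitor,
                    site_access: Access, query: str) -> List[str]:
    """Built-in-search behaviour: return only what this visitor may read."""
    return [p.title for p in posts
            if query in p.body and decide(visitor, site_access, p.access) == "allow"]


# Constructed sample content: one public post and two restricted ones.
POSTS = [Post("Welcome", "budget overview"),
         Post("Lab notes", "budget spreadsheet", frozenset({"O'Brien's Lab"})),
         Post("Staff only", "budget draft", frozenset({"staff"}))]

if __name__ == "__main__":
    lab = visitor_from_claims({"sub": "u1", GROUP_CLAIM: ["O'Brien's Lab", "lab-alias"]})
    print(search_leaky(POSTS, "budget"))                # all three titles (the leak)
    print(search_filtered(POSTS, lab, None, "budget"))  # ['Welcome', 'Lab notes']
```

search_leaky is the behaviour the warning above describes: a search integration that matches on content without consulting the access rules returns titles (and usually excerpts) of restricted posts to anyone. search_filtered runs the same decision the page request would, so a visitor only ever sees what they could open. Group names are compared exactly, which is why a name with an apostrophe works and an alias does not.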
Copyright and license information
Copyright (c) 2022 Regents of the University of Michigan.
This file is part of the UMich OIDC Login WordPress plugin.
UMich OIDC Login is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
UMich OIDC Login is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with UMich OIDC Login. If not, see https://www.gnu.org/licenses/.
- (Recommended but not required) Install the WordPress Native PHP Sessions plugin from the WordPress.org plugin repository or by uploading the files to your web server. For details, see How to Install a WordPress Plugin. UMich OIDC Login strongly recommends using the WordPress Native PHP Sessions plugin to prevent conflicts with other WordPress plugins that also use PHP sessions, and to ensure correct operation when the site resides on multiple web servers.
- Install UMich OIDC Login from the WordPress.org plugin repository or by uploading the files to your web server.
- Activate both the WordPress Native PHP Sessions and the UMich OIDC Login plugins through the ‘Plugins’ menu in WordPress.
- Under the Settings menu in WordPress, navigate to “UMich OIDC Login” and then click on the “OIDC” tab. Make a note of the Redirect URI value for use when registering an OIDC client for your WordPress site.
- Register an OIDC client for your WordPress site. On the OIDC tab of the UMich OIDC Login settings page, fill in the information you got when registering your client. At a minimum, this will be the Identity Provider URL, Client ID, and Client Secret. Click the “Save Changes” button.
You can now use the settings on the General tab to control access to the website, as well as login and logout behavior. You can restrict access to individual posts and pages by editing them and changing their document settings. You can also use shortcodes from the Shortcodes tab in your theme and/or website content. Adding the following shortcodes to your theme will display a greeting and a login/logout button.
Hello, [umich_oidc_userinfo type="given_name" default="stranger"]
[umich_oidc_button]
Why do I have to specify all groups on the settings page?
Currently, UMich OIDC Login is designed to work with OIDC Identity Providers that restrict the groups for which membership information can be released to websites. In addition, only the official names of groups can be used; aliases will not work. By entering the allowed groups on the settings page, the group names only have to be correct in a single place, and access to individual pages/posts can be controlled by selecting group(s) from a dropdown list.
Help! OIDC stopped working and now I can’t log in to my WordPress dashboard!
Use WP CLI to turn off OIDC for WordPress users:
wp option patch delete umich_oidc_settings use_oidc_for_wp_users
You should then be able to log in to WordPress using your WordPress username and password for your website.
Or, completely turn off the UMich OIDC Login plugin. WARNING: deactivating the plugin will make any restricted content you have publicly viewable.
wp plugin deactivate umich-oidc-login
If you don’t remember your WordPress user account password, you can set a new one:
wp user update YOUR-WORDPRESS-USERNAME --user_pass="PUT-YOUR-NEW-PASSWORD-HERE"
- Fixed a bug that prevented groups that have apostrophes / single quotes in their names from working.
- Fixed a bug with login/logout URLs being incorrect when WordPress is installed in a subdirectory.
- Completely reimplemented the feature for using OIDC to log into the WordPress dashboard.
- Changed the setting values from no/yes to no/optional/yes. The new setting (“optional”) allows users a choice of whether to log in using OIDC or their WordPress password. Choosing which way to log in looked like it was supported before when it was not, which was confusing.
- The “no” setting previously displayed a “Login in with Single Sign On” button that would only log users into the website but not the WordPress dashboard. This was confusing, and so the button has been removed when OIDC login for WordPress is set to “no”.
- If a user attempts to log in to the WordPress dashboard via OIDC but does not have a WordPress user account, they will now get an “Access Denied” error instead of silently being logged into the website but not logged in to WordPress.
- Fixed a bug where unauthenticated users who tried to access a restricted page/post would sometimes get a “Page Not Found” error instead of being prompted to log in.
- Fixed a bug where users were sometimes not sent to the correct page after authenticating.
- Miscellaneous cleanup and improvements.
- Initial release.