Important upgrade notice

To trigger the Single Sign-on workflow, the plugin no longer requires access to /wp-admin, the WP REST API or the WP AJAX API. Instead, the plugin adds an additional POST request to initiate the authentication sequence (only when the plugin detects a user that is not yet logged in). This request uses a cache breaker to work around server-side caching, allowing admins to configure the home URL (instead of the WP Admin URL) as a Redirect URI for the Azure AD App registration, e.g. https://www.example.com/ (but don’t forget the trailing slash).

  • As a result of the new Single Sign-on workflow the option Use server side redirect has been removed.
  • v8.0 When using the “Sign in with Microsoft” shortcode you’re advised to upgrade to version 2 of the shortcode and take advantage of the new Single Sign-on workflow. See https://www.wpo365.com/authentication-shortcode/ for details.
  • v8.0 When using the “Dual Login” feature (previously referred to as “Redirect to login”) you are advised to start using version 2 of the template and take advantage of the new Single Sign-on workflow. See https://www.wpo365.com/redirect-to-login/ for details.
  • v7.18 Please update your Azure AD App registration to avoid “Could not create or retrieve your login. Please contact your System Administrator.” errors and users not being able to have their account created or log in to the website. See https://www.wpo365.com/azure-application-registration/ for details.
  • v7.18 When you still see “Could not create or retrieve your login” errors you can enable a fallback that uses the older ID token parser by checking the Use older ID token parser option on the miscellaneous tab of the plugin’s wizard.

Table of contents

Introduction
Get support
Plugin installation
Plugin update
Plugin activation and prerequisites
Quick Installation Guide
Capabilities
All settings
Videos

Introduction

This post describes the basic installation of the WordPress + Office 365 login plugin. The plugin uses OpenID Connect and Azure Active Directory to authenticate users and authorize access to your WordPress website. Hence, to get things working, you will first need to register your WordPress web application with your Azure Active Directory (Azure AD) tenant.

The table below shows, for each plugin feature, the corresponding settings that you need to configure. For each setting you can follow the link provided to learn how to configure it. Relevant configuration steps for Azure Active Directory are also explained in detail. But first make sure you installed / updated the plugin correctly and the prerequisites are met.

Get support

If you have further questions after reading the online documentation, please consult the troubleshooting guide first. If the plugin is still not working according to expectations, you can always ask for help and expect a reply within 24 hours (or 48 during weekends).

Plugin installation

The following information only applies to customers who purchased an item from our website that is not available from the WordPress Plugin Directory (this applies to all premium plugins).

To install the plugin, simply download the purchased item and then upload it to your WordPress site. Visit Plugins > Add New and click Upload Plugin button at the top of the page. Here you need to click on the Choose file button and select the plugin file you downloaded earlier to your computer. After you have selected the file, you need to click on the Install now button. WordPress will now upload the plugin file from your computer and install it for you. You will see a success message like this after installation is finished. Click Activate plugin to finish the installation.

Plugin update

The following information only applies to customers who purchased an item from our website that is not available from the WordPress Plugin Directory (this applies to all premium plugins).

In case you are updating an existing plugin you can safely deactivate and delete it prior to installing the new version. The existing configuration remains safely stored in the database and is not deleted.

If you encounter any problems with downloading, installing and / or configuring your items, please don’t hesitate and ask for help.

Plugin activation and prerequisites

Please note that older versions required you to disable server-side caching. However, the latest versions (starting with v8.5) are able to break server-side caching (in most cases). If you see Your login has been tampered with errors, please don’t hesitate and let me know.

Quick Installation Guide

The easiest way to get started is by watching the video tutorial https://youtu.be/fNrwX24p1gU and setting up SSO for (manually registered) O365 / Azure AD users.

WordPress + Office 365 Quick Installation Guide

Capabilities

Now you can continue and configure the plugin’s capabilities (depending on your plugin’s version some capabilities may not be available).

All versions

  • SSO for (manually registered) O365 / Azure AD users more…
  • Make your WordPress (intranet) private more…
  • Support for WordPress multisite more…
  • Request access tokens e.g. for SharePoint and Graph more…
  • Simple API for client-side developers more…
  • Inject Pintra Framework apps into any page or post more…

Professional + Premium version

  • Let users choose to login with O365 or with WordPress more…
  • Require authentication for only a few pages more…
  • Require authentication for all pages but not for the homepage more…
  • Redirect users to a custom login error page more…
  • Automatically register new users from your tenant more…
  • Automatically register new users from other tenants more…
  • Automatically register new users with MSAL accounts more…
  • Send custom new user registration email more…
  • Prevent users changing their password / email more…
  • Redirect manual login attempts to Microsoft more…
  • Sign out from Office 365 more…

Premium only

  • [Sign in with Microsoft] button (shortcode) more…
  • Extra (BuddyPress) profile fields from Azure AD more…
  • Office 365 profile picture as WP Avatar more…
  • Assign WP role(s) based on Azure AD group membership(s) more…
  • Deny / allow access based on Azure AD group membership(s) more…
  • Enroll / Update (new) users to WordPress from Azure AD more…

Settings

Please refer to the following online documentation for detailed information about each and every single wizard setting.

Videos

https://www.youtube.com/channel/UCmcUJkBWDrwSZR1pQZdkINQ/videos

Comments

  1. This instruction does not work, because I still see the standard WordPress logon menu.

    The strange thing is that when I change the URL to /admin I see a redirection to Microsoft.

    I also tried to make some exclusions with Page Blacklist, but it also did not work.

    • info@wpo365.com

      Hi and yes, it’s “by design” that you are still able to navigate to the default WordPress login page. After you have installed and activated the plugin and configured the “WPO365 Options” correctly, the plugin will basically intercept all requests to your WordPress Website, as long as the page is not listed on the blacklist (with possible exclusion of the WP-Content / Upload area that you may need to protect separately using rules in your .htaccess file).

      In other words: For blacklisted pages (and wp-login.php is blacklisted by default), the plugin will not intercept any request and try to authenticate the user. For all the other pages the plugin will check first if the user is already logged on to WordPress (either using a normal WordPress login or an Azure AD login). If so, the flow will stop there and the plugin won’t continue trying to authenticate the user with Azure AD / Office 365. If the user is not already logged on to WordPress, it will try and authenticate the user with Azure AD / Office 365 by redirecting him / her to the standard Microsoft login page. When authenticated successfully, the plugin will read the information received from Microsoft and use it to find a corresponding user (by email address). If no corresponding user can be found, it will create one.

      There are two reasons the plugin does not “protect” the login page. First, it allows for mixed logins. For example, in some situations the WordPress Super User is not by default an account that is also in Azure AD. However, if the Super Admin is also in Azure AD then he or she can simply navigate to any page in the WordPress site and be automatically logged on without entering a password. To accomplish this, make sure the Super Admin’s email address in WordPress corresponds to the email address known to Azure AD / Office 365.

      Last but not least: In some cases the plugin detects a faulty login attempt. In that case the user needs to be redirected away from any of the “normal” pages in the site or else he or she will be trapped in an eternal loop of being redirected to Microsoft time and again.

    • Chad

      I should add, the user sees an “access_denied. Please contact your System Administrator.” error. If the user has a matching email address in WordPress, the Azure AD login works perfectly. I keep thinking this is something in the WordPress settings stopping user creation and not the plugin.

    • info@wpo365.com

      From what you tell I can deduce that after logging in to Azure AD / Office 365, the reply contains an error (namely “access_denied”). This is transparently “echoed” back to the user who is trying to log on and when such an error occurs the plugin redirects that user to the login page with an error message (namely “access_denied” and a message from the plugin to contact the system administrator). An access denied error can occur for two reasons. Most likely, you didn’t “grant permission” as an administrator on behalf of all users to the App registered in Azure AD (see 10th bullet in the paragraph “Configure Azure Directory” here). A somewhat less likely reason may be that there was a wrong value entered for Application ID, Tenant ID or Redirect URI in the WPO365 Options in WordPress Administration. What is a bit of a surprise is that the login works for a user that is already in WordPress. That is virtually impossible, because the check whether or not an error was received is the first thing the plugin does. But maybe the difference between both users is their permission level in Azure AD and maybe it works for an Administrator even when no permissions are granted whilst a (new) user who is not a Tenant Admin himself is confronted with the fact that permissions aren’t granted and therefore his access is denied. Looking forward to a reply to see whether this information was sufficient and solved your issue!

  2. Alex

    Hi. Exactly what I was after. To make the instructions even simpler please could you move the bullet point about finding the AAD TenantID to immediately after bullet point 1).

  3. Can anyone help me with this error?

    Fatal error: Uncaught Error: Class ‘Firebase\JWT\BeforeValidException’ not found in /home/adenemyc/public_html/webdev/teste/wp-content/plugins/wpo365-login/Firebase/JWT/JWT.php:127 Stack trace: #0 /home/adenemyc/public_html/webdev/teste/wp-content/plugins/wpo365-login/Wpo/Aad/Auth.php(426): Firebase\JWT\JWT::decode(‘eyJ0eXAiOiJKV1Q…’, ‘—–BEGIN CERT…’, Array) #1 /home/adenemyc/public_html/webdev/teste/wp-content/plugins/wpo365-login/Wpo/Aad/Auth.php(328): Wpo\Aad\Auth::decode_id_token() #2 /home/adenemyc/public_html/webdev/teste/wp-content/plugins/wpo365-login/Wpo/Aad/Auth.php(110): Wpo\Aad\Auth::process_openidconnect_token() #3 /home/adenemyc/public_html/webdev/teste/wp-content/plugins/wpo365-login/wpo365-login.php(78): Wpo\Aad\Auth::validate_current_session() #4 /home/adenemyc/public_html/webdev/teste/wp-includes/class-wp-hook.php(286): {closure}(Object(ReduxFramework)) #5 /home/adenemyc/public_html/webdev/teste/wp-includes/class-wp-hook.php(310): WP_Hook->apply_filters(NULL, Array) #6 /home/adenemyc/public_html/w in /home/adenemyc/public_html/webdev/teste/wp-content/plugins/wpo365-login/Firebase/JWT/JWT.php on line 127

    • mvan

      It is “strange” that the class cannot be found. But it’s even more suspicious that the plugin wants to throw this error. It seems that basically the token you have received from Microsoft upon login is not yet valid. This is normally never the case. However, it happened before when the server time was not correctly configured. So maybe you want to check your server time and ensure it’s set to the precise time (a few minutes off would be enough to cause this error).

  4. Hi. There is a variable called $leeway that is hardcoded to “0” (JWT.php line 30). That means that there is no tolerance for clock differences between Azure AD and the webserver. I would suggest to initialize that variable from a configuration parameter, or give it a positive value, enough for typical clock skews.

    • mvan

      In version 3.8 that has just been published, we have added an extra setting for Leeway time with a default value of 300 (seconds = 5 minutes).
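The clock-skew problem behind the BeforeValidException in comment 3 and the leeway setting from comment 4, as an added illustration that is not the plugin’s or the Firebase JWT library’s own code: the nbf / iat / exp checks are modelled on the ones in that library, the claim values and the slow server clock are constructed, and the helper name is hypothetical.

```php
<?php
// Added example (not plugin or library code): time-based ID token checks with
// a configurable leeway, so a web server whose clock runs a little behind
// Azure AD does not reject every freshly issued token as "not yet valid".

/**
 * Check the nbf (not before), iat (issued at) and exp (expiration) claims of a
 * decoded token against the server's notion of "now", tolerating a clock
 * difference of up to $leeway seconds in either direction.
 * Returns null when the token is usable now, otherwise a short reason.
 */
function wpo365_example_check_token_times(array $claims, int $now, int $leeway = 300): ?string
{
    // The token may not be used before nbf, minus the allowed skew.
    if (isset($claims['nbf']) && $claims['nbf'] > ($now + $leeway)) {
        return 'before_valid: nbf lies ' . ($claims['nbf'] - $now) . 's in the future';
    }
    // A token "issued" in the future also indicates a clock problem.
    if (isset($claims['iat']) && $claims['iat'] > ($now + $leeway)) {
        return 'before_valid: iat lies ' . ($claims['iat'] - $now) . 's in the future';
    }
    // The token may still be used until exp, plus the allowed skew.
    if (isset($claims['exp']) && ($now - $leeway) >= $claims['exp']) {
        return 'expired: exp passed ' . ($now - $claims['exp']) . 's ago';
    }
    return null;
}

// Constructed sample: Azure AD issues a token valid for one hour, but the web
// server's clock is two minutes slow, so from its point of view the token was
// issued 120 seconds in the future.
$claims    = ['iat' => 1600000000, 'nbf' => 1600000000, 'exp' => 1600003600];
$serverNow = 1600000000 - 120;

foreach ([0, 300] as $leeway) {
    $result = wpo365_example_check_token_times($claims, $serverNow, $leeway);
    printf("leeway %3ds: %s\n", $leeway, $result ?? 'token accepted');
}
```

With a leeway of 0 (the hard-coded value the comment refers to) the constructed token is rejected as not yet valid; with the 300-second default from version 3.8 it is accepted. Note that a large leeway also extends the time an expired token remains usable, so fixing the server clock (NTP) is preferable to raising the leeway beyond a few minutes.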

  5. R H

    Hello,

    First off, thanks so much for making this plugin. With how many companies need to operate in both Office & WordPress environments, I’m surprised there hasn’t been more widespread development behind this cause.

    We followed the steps and have configured the plugin, however when I try to go to our /wp-admin/ page to log on, I get the following error:

    “Sorry, but we’re having trouble signing you in.

    AADSTS50011: The reply address ‘http://www.xxxxxxxxxx.com/’ does not match the reply addresses configured for the application: ‘512763b8-9da1-41ef-90df-c852298ad77b’. More details: not specified”

    I’ve changed the actual URL, but the error message is what you see above. Unfortunately now I can’t get to the login page for WordPress as it’s locked us out.

    Can you tell us where we’ve gone wrong? Thank you!

    • mvan

      The page wp-login.php is blacklisted by default. This means that you still should be able (as an administrator) to log on and deactivate the plugin, in case any problems arise. However, if you’ve renamed your wp-login.php page you may need to add the new name to the list of blacklisted pages.

      Please make absolutely sure that the address that you’ve entered as part of the configuration of the plugin matches the reply address you’ve entered when you registered the Azure AD Application. Check for example http vs. https and possibly any trailing slashes. There may also be an issue if some kind of URL rewriting or URL redirecting is happening.
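The AADSTS50011 reply-address mismatch discussed in this thread, as an added diagnostic helper that is not part of the plugin: it takes the Redirect URI configured in the plugin and the reply address registered on the Azure AD App registration and names the specific difference (scheme, host, trailing slash). The function name and the sample URIs are constructed for this example.

```php
<?php
// Added example (not plugin code): explain why a configured Redirect URI does
// not match the registered reply address. Azure AD requires an exact string
// match, so this helper only diagnoses the difference; it never normalises.

function wpo365_example_explain_redirect_mismatch(string $configured, string $registered): ?string
{
    if ($configured === $registered) {
        return null; // exact match, which is what Azure AD requires
    }

    $a = parse_url($configured);
    $b = parse_url($registered);
    if ($a === false || $b === false) {
        return 'one of the two URIs cannot be parsed';
    }

    // Scheme: the most common cause is http in one place and https in the other.
    $schemeA = strtolower($a['scheme'] ?? '');
    $schemeB = strtolower($b['scheme'] ?? '');
    if ($schemeA !== $schemeB) {
        return sprintf('scheme differs (%s vs. %s): check http vs. https', $schemeA, $schemeB);
    }

    // Host and port: e.g. www.example.com vs. example.com, or a non-default port.
    $hostA = strtolower($a['host'] ?? '') . (isset($a['port']) ? ':' . $a['port'] : '');
    $hostB = strtolower($b['host'] ?? '') . (isset($b['port']) ? ':' . $b['port'] : '');
    if ($hostA !== $hostB) {
        return sprintf('host differs (%s vs. %s)', $hostA, $hostB);
    }

    // Path: a missing or extra trailing slash is a different reply address.
    $pathA = $a['path'] ?? '';
    $pathB = $b['path'] ?? '';
    if ($pathA !== $pathB) {
        if (rtrim($pathA, '/') === rtrim($pathB, '/')) {
            return sprintf('paths differ only by a trailing slash ("%s" vs. "%s")', $pathA, $pathB);
        }
        return sprintf('path differs ("%s" vs. "%s")', $pathA, $pathB);
    }

    return 'URIs differ in query string, fragment or letter case';
}

// Constructed pairs. The notice at the top of the page uses the home URL with
// a trailing slash (https://www.example.com/) as the Redirect URI.
$registered = 'https://www.example.com/';
foreach ([
    'http://www.example.com/',   // scheme mismatch
    'https://www.example.com',   // trailing slash mismatch
    'https://example.com/',      // host mismatch
    'https://www.example.com/',  // exact match
] as $configured) {
    $reason = wpo365_example_explain_redirect_mismatch($configured, $registered);
    printf("%-28s %s\n", $configured, $reason ?? 'matches the registered reply address');
}
```

URL rewriting or redirecting (the last point in the reply) can change the address the browser actually arrives with, so compare the address seen in the browser after the redirect, not only the value typed into the settings.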

  6. R H

    Alright, figured out a way to get back in (just re-naming the plugin folder on the server).

    But still running into the issue that the reply address does not match the reply addresses configured for the application.

    We have two reply addresses on the Azure side, I have tried matching each one exactly but we’re still running into the error when logging in.

    Thank you.

  7. R H

    Got it working, we just created a new app on Azure dashboard and started over. It works!

    Thank you WPO365 team for creating such a fantastic plugin. Much appreciated! 🙂

  8. Noctroxis

    Is there any way to exclude directories or anything from this application? I’m only seeing the ability to exclude certain pages and even that does not seem to work perfectly.

    • mvan

      To skip authentication for pages you can use the Page Blacklist setting and I’m not sure why you write that it doesn’t work perfectly. What I assume is that you have a requirement and it doesn’t work well with your requirement. For each request the plugin will check the last (= trailing) part of the current path. So when your path is https://www.example.com/etc/ then it would check whether “etc” can be found in the Pages Blacklist. If this is the case, the plugin will not try and validate the current session. So if your Pages Blacklist would be “wp-login.php;wp-cron.php;admin-ajax.php;etc” then it should cancel the current attempt to validate the authentication. If this is not the case, please use the contact form on the website to provide me some more details of what you are trying to achieve and I’ll investigate.
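The Pages Blacklist decision exactly as the reply above describes it (compare only the last, trailing, segment of the request path with the semicolon-separated list), as an added example that is not the plugin’s own code. The blacklist string is the one quoted in the reply; the request URLs and function names are constructed.

```php
<?php
// Added example (not plugin code): decide whether a request skips session
// validation based on the trailing path segment and the Pages Blacklist.

/** Return the last non-empty path segment of a URL, or '' if there is none. */
function wpo365_example_trailing_segment(string $url): string
{
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path)) {
        return '';
    }
    // Drop empty pieces so "/etc/" and "/etc" both yield "etc".
    $segments = array_values(array_filter(explode('/', $path), 'strlen'));
    return $segments === [] ? '' : end($segments);
}

/** True when the trailing segment appears in the semicolon-separated blacklist. */
function wpo365_example_is_blacklisted(string $url, string $blacklist): bool
{
    $entries = array_filter(array_map('trim', explode(';', $blacklist)), 'strlen');
    $last    = wpo365_example_trailing_segment($url);
    return $last !== '' && in_array($last, $entries, true);
}

$blacklist = 'wp-login.php;wp-cron.php;admin-ajax.php;etc';
foreach ([
    'https://www.example.com/etc/',                        // blacklisted
    'https://www.example.com/wp-login.php?redirect_to=%2F', // blacklisted (query ignored)
    'https://www.example.com/etc/reports/',                // not blacklisted
    'https://www.example.com/',                            // not blacklisted
] as $url) {
    $decision = wpo365_example_is_blacklisted($url, $blacklist) ? 'skip session validation' : 'validate session';
    printf("%-55s -> %s\n", $url, $decision);
}
```

Because only the trailing segment is compared, a nested path such as /etc/reports/ still requires authentication, while any path whose last segment happens to equal a blacklist entry is skipped; choose entries that are specific enough for your site.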

  9. Leif Hurst

    Holy smokes, I’ve been going around with MiniOrange and Auth0 for a month trying to get their stuff to work on our site.

    This took me 2 minutes.

    Thank you!

  10. Benoit

    Hi there
    thanks for this plugin, however I can’t see any WPO365 menu as instructed, even after logging back in using another browser (tried IE and Chrome)
    Plugin is installed; no error
    Even got the banner notification for the plugin configuration and the reco to disable anonymous access

    • mvan

      Firstly, sorry for the late reaction! My guess is that there is a problem with the Redux Framework not loading correctly. Having said that, once you installed and activated the plugin (which you obviously did because you can see the notification that the plugin must be configured) you should also not navigate to your website’s landing page without being logged in, until you finalize the configuration. I recommend you activate debug logging as described here on the troubleshooting page and analyze the log file or send it to us so we can help you analyze the issue.

  11. Bilal Bahij

    Hi, I just installed the plugin last week, and haven’t yet configured it.
    But today I received an update for the plugin, and I can’t log in anymore with my local wp-admin user.

    I have restored my backup to the site, but each time I install the plugin, I can no longer access the site.

  12. Bilal Bahij

    I just purchased the premium plugin, but as soon as I activate the plugin, it logged me out, and I can’t log in again.
    It keeps telling me that WPO365 is not configured yet, contact system administrator.

    How to fix this? 🙁

    • mvan

      Hi Bilal – You must navigate to the default login form and then sign in with your WordPress-only (administrator) account. Then you can navigate to the WordPress plugins page, scroll down to the WPO365 plugin in the list and click Configuration to start the configuration.

  13. amir

    we need to create an authentication page that will do the following:
    1. users will authenticate in a simple webpage with a user name: yyy and password: xxx (all user names and passwords will be managed in a self-managed database); all login attempts will be logged to a database to get a report of which user has logged in.
    2. after successful authentication all users will log in (SSO, without the need to log in again) to the Office 365 SharePoint Online website with an applicative user name and password (all users will be logged in with the same user).
    Can this be done with your plugin?

    • mvan

      Hi Amir. The simple answer is No. The plugin doesn’t work with so-called Application Permissions but with User Delegated Permissions instead. Also, especially for SharePoint you may find that it’s not enough to work with an applicative user. Instead you must register a SharePoint Addin, when you’d like to access SharePoint “offline” (e.g. with an applicative user instead of with a “live” user). So the plugin can provide your users with an access token for SharePoint Online but that user must have been granted access him / her self to SharePoint Online.

  14. BLOCK a.s.

    hello,
    I have the Premium version of WPO365 and I have a problem with WPO365 vs. WooCommerce. When I log in to the WordPress site via WPO365, the error “web has technical difficulties” is displayed. If I refresh the page (re-enter the web address) the web is displayed OK without this error.
    If I deactivate the WooCommerce plugin, everything is working OK.
    Can you tell me what the problem might be?
    Thank you.

    • mvan

      Hi. There can be many reasons for this “error”. To be able to determine the error you should have received an email (sent to the admin address) and possibly also check the error log. I’ll have a look whether I can reproduce this behavior as well, because WooCommerce is widely used and previously (as far as I’m aware) the plugin would work fine together with WooCommerce. PS, are you using a specific theme with WooCommerce?

      • mvan

        I have tested with WordPress 5.2.2 and the latest version of WooCommerce but cannot reproduce the behaviour you mentioned. This doesn’t mean no error occurs; it obviously does. However, as I cannot reproduce it, I’d like to ask you to see whether you can find out on your system what the exact error is. If you do, I’ll happily try and continue the analysis at my end.
