
  1. This instruction does not work, because I still see the standard WordPress logon menu.

    The strange thing is that when I change the URL to /admin I see a redirection to Microsoft.

    I also tried to make some exclusions with the Page Blacklist, but that also did not work.

    1. Hi and yes, it’s “by design” that you are still able to navigate to the default WordPress login page. After you have installed and activated the plugin and configured the “WPO365 Options” correctly, the plugin will basically intercept all requests to your WordPress Website, as long as the page is not listed on the blacklist (with possible exclusion of the WP-Content / Upload area that you may need to protect separately using rules in your .htaccess file).

      In other words: For blacklisted pages (and wp-login.php is blacklisted by default), the plugin will not intercept the request or try to authenticate the user. For all the other pages the plugin will first check whether the user is already logged on to WordPress (either using a normal WordPress login or an Azure AD login). If so, the flow stops there and the plugin won’t continue trying to authenticate the user with Azure AD / Office 365. If the user is not already logged on to WordPress, it will try to authenticate the user with Azure AD / Office 365 by redirecting him / her to the standard Microsoft login page. When authenticated successfully, the plugin will read the information received from Microsoft and use it to find a corresponding user (by email address). If no corresponding user can be found, it will create one.

      There are two reasons the plugin does not “protect” the login page. First, it allows for mixed logins. For example, in some situations the WordPress Super User is not by default an account that also exists in Azure AD. However, if the Super Admin is also in Azure AD then he or she can simply navigate to any page in the WordPress site and be automatically logged on without entering a password. To accomplish this, make sure the Super Admin’s email address in WordPress corresponds to the email address known to Azure AD / Office 365.

      Last but not least: In some cases the plugin detects a faulty login attempt. In that case the user needs to be redirected away from any of the “normal” pages in the site or else he or she will be trapped in an eternal loop of being redirected to Microsoft time and again.

    1. I should add that the user sees an “access_denied. Please contact your System Administrator.” error. If the user has a matching email address in WordPress, the Azure AD login works perfectly. I keep thinking this is something in the WordPress settings stopping user creation and not the plugin.

    2. From what you tell me I can deduce that after logging in to Azure AD / Office 365, the reply contains an error (namely “access_denied”). This is transparently “echoed” back to the user who is trying to log on, and when such an error occurs the plugin redirects that user to the login page with an error message (namely “access_denied” and a message from the plugin to contact the system administrator). An access denied error can occur for two reasons. Most likely, you didn’t “grant permission” as an administrator on behalf of all users to the App registered in Azure AD (see the 10th bullet in the paragraph “Configure Azure Directory” here). A somewhat less likely reason may be that a wrong value was entered for Application ID, Tenant ID or Redirect URI in the WPO365 Options in WordPress Administration. What is a bit of a surprise is that the login works for a user that is already in WordPress. That is virtually impossible, because the check whether or not an error was received is the first thing the plugin does. But maybe the difference between both users is their permission level in Azure AD, and maybe it works for an Administrator even when no permissions are granted, whilst a (new) user who is not a Tenant Admin himself is confronted with the fact that permissions aren’t granted and therefore his access is denied. Looking forward to a reply to see whether this information was sufficient and solved your issue!

  2. Hi. Exactly what I was after. To make the instructions even simpler please could you move the bullet point about finding the AAD TenantID to immediately after bullet point 1).

  3. Can anyone help me with this error?

    Fatal error: Uncaught Error: Class ‘Firebase\JWT\BeforeValidException’ not found in /home/adenemyc/public_html/webdev/teste/wp-content/plugins/wpo365-login/Firebase/JWT/JWT.php:127 Stack trace: #0 /home/adenemyc/public_html/webdev/teste/wp-content/plugins/wpo365-login/Wpo/Aad/Auth.php(426): Firebase\JWT\JWT::decode(‘eyJ0eXAiOiJKV1Q…’, ‘—–BEGIN CERT…’, Array) #1 /home/adenemyc/public_html/webdev/teste/wp-content/plugins/wpo365-login/Wpo/Aad/Auth.php(328): Wpo\Aad\Auth::decode_id_token() #2 /home/adenemyc/public_html/webdev/teste/wp-content/plugins/wpo365-login/Wpo/Aad/Auth.php(110): Wpo\Aad\Auth::process_openidconnect_token() #3 /home/adenemyc/public_html/webdev/teste/wp-content/plugins/wpo365-login/wpo365-login.php(78): Wpo\Aad\Auth::validate_current_session() #4 /home/adenemyc/public_html/webdev/teste/wp-includes/class-wp-hook.php(286): {closure}(Object(ReduxFramework)) #5 /home/adenemyc/public_html/webdev/teste/wp-includes/class-wp-hook.php(310): WP_Hook->apply_filters(NULL, Array) #6 /home/adenemyc/public_html/w in /home/adenemyc/public_html/webdev/teste/wp-content/plugins/wpo365-login/Firebase/JWT/JWT.php on line 127

    1. It is “strange” that the class cannot be found. But it’s even more suspicious that the plugin wants to throw this error. It seems that basically the token you have received from Microsoft upon login is not yet valid. This is normally never the case. However, it happened before when the server time was not correctly configured. So maybe you want to check your server time and ensure it’s set to the precise time (a few minutes off would be enough to cause this error).

  4. Hi. There is a variable called $leeway that is hardcoded to “0” (JWT.php line 30). That means that there is no tolerance for clock differences between Azure AD and the web server. I would suggest initializing that variable from a configuration parameter, or giving it a positive value, enough for typical clock skews.

    1. In version 3.8 that has just been published, we have added an extra setting for Leeway time with a default value of 300 (seconds = 5 minutes).
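
The following is an added example, not code from the WPO365 plugin or from the Firebase php-jwt library it bundles. It is a stand-alone Python model of the three time checks (nbf, iat, exp) that a JWT library performs against the server clock, written to show why a leeway of 0 rejects a token on ordinary clock skew (the BeforeValidException in the stack trace above) and why a leeway of 300 seconds absorbs it. The token payload, the timestamps and the helper names are constructed for this example.

```python
"""Added example: JWT time-claim validation with a configurable leeway.

Models the nbf / iat / exp checks of a JWT library; not the plugin's code.
The sample payload, token and clock readings are constructed.
"""
import base64
import json


class BeforeValidError(Exception):
    """Token's nbf or iat lies in the future relative to our clock."""


class ExpiredError(Exception):
    """Token's exp lies in the past relative to our clock."""


def check_time_claims(payload: dict, now: int, leeway: int = 0) -> None:
    """Raise if the token is not yet valid or already expired.

    `leeway` widens the acceptance window on both sides by that many
    seconds, absorbing clock differences between the issuer and this
    server. A leeway of 0 demands that the two clocks agree exactly.
    """
    if leeway < 0:
        raise ValueError("leeway must be non-negative")
    # nbf / iat: the token must not come from the future.
    for claim in ("nbf", "iat"):
        if claim in payload and payload[claim] > now + leeway:
            raise BeforeValidError(
                f"cannot handle token prior to {claim}={payload[claim]} (now={now})"
            )
    # exp: the token must not come from the past.
    if "exp" in payload and now - leeway >= payload["exp"]:
        raise ExpiredError(f"token expired at exp={payload['exp']} (now={now})")


def payload_from_compact_jwt(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying it.

    Used only to reach the claims; signature verification is a separate
    step that this example deliberately does not cover.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def is_acceptable(payload: dict, now: int, leeway: int) -> str:
    """Return 'ok', 'before_valid' or 'expired' for a given clock reading."""
    try:
        check_time_claims(payload, now, leeway)
        return "ok"
    except BeforeValidError:
        return "before_valid"
    except ExpiredError:
        return "expired"


def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed payload: issued at T, valid from T, expires an hour later.
ISSUED_AT = 1_700_000_000
SAMPLE_PAYLOAD = {"iat": ISSUED_AT, "nbf": ISSUED_AT, "exp": ISSUED_AT + 3600}

# Constructed, unsigned token (header.payload.signature); the signature part
# is left empty because only the time claims matter for this example.
SAMPLE_TOKEN = ".".join([_b64url({"typ": "JWT", "alg": "none"}), _b64url(SAMPLE_PAYLOAD), ""])

if __name__ == "__main__":
    behind = ISSUED_AT - 120  # web server clock running 2 minutes behind the issuer
    print("2 min behind, leeway 0:   ", is_acceptable(SAMPLE_PAYLOAD, behind, 0))
    print("2 min behind, leeway 300: ", is_acceptable(SAMPLE_PAYLOAD, behind, 300))
    print("10 min behind, leeway 300:", is_acceptable(SAMPLE_PAYLOAD, ISSUED_AT - 600, 300))
```

The leeway is applied symmetrically: a clock that runs ahead of the issuer makes a fresh token look expired, and a clock that runs behind makes it look not yet valid, so the setting covers both directions. It is a tolerance, not a fix; a server that is minutes off should still be corrected at the NTP level, because the same skew also shortens or lengthens every other time-limited credential the site handles.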

  5. Hello,

    First off, thanks so much for making this plugin. With how many companies need to operate in both Office & WordPress environments, I’m surprised there hasn’t been more widespread development behind this cause.

    We followed the steps and have configured the plugin, however when I try to go to our /wp-admin/ page to log on, I get the following error:

    “Sorry, but we’re having trouble signing you in.

    AADSTS50011: The reply address ‘http://www.xxxxxxxxxx.com/’ does not match the reply addresses configured for the application: ‘512763b8-9da1-41ef-90df-c852298ad77b’. More details: not specified”

    I’ve changed the actual URL, but the error message is what you see above. Unfortunately now I can’t get to the login page for WordPress as it’s locked us out.

    Can you tell us where we’ve gone wrong? Thank you!

    1. The page wp-login.php is blacklisted by default. This means that you still should be able (as an administrator) to log on and deactivate the plugin, in case any problems arise. However, if you’ve renamed your wp-login.php page you may need to add the new name to the list of blacklisted pages.

      Please make absolutely sure that the address you’ve entered as part of the configuration of the plugin matches the reply address you entered when you registered the Azure AD Application. Check for example http vs. https and possibly any trailing slashes. There may also be an issue if some kind of URL rewriting or URL redirecting is happening.
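
An added example, not code from the WPO365 plugin or from Azure AD, of the exact-match rule the reply above describes: the redirect_uri sent on the sign-in request has to equal one of the reply URLs registered on the application, including scheme, host, path and any trailing slash, otherwise AADSTS50011 is returned. The function reports which URL components differ, so that an “http vs. https” or “trailing slash” mismatch is visible at a glance. The sample URLs are constructed.

```python
"""Added example: diagnosing a reply-address mismatch (AADSTS50011).

Not the plugin's code. Compares the redirect_uri a site sends with the reply
URLs registered on the app and names the differing components.
"""
from urllib.parse import urlsplit

# Components that must agree exactly for the reply address to be accepted.
COMPONENTS = ("scheme", "netloc", "path", "query")


def diff_components(sent: str, registered: str) -> list:
    """Names of the URL components in which `sent` differs from `registered`."""
    a, b = urlsplit(sent), urlsplit(registered)
    return [c for c in COMPONENTS if getattr(a, c) != getattr(b, c)]


def explain_mismatch(sent: str, registered: list) -> dict:
    """Map each registered reply URL to the components that differ from `sent`.

    An empty list for an entry means an exact match and the request would be
    accepted; otherwise the list says what to change on one side or the other.
    """
    return {r: diff_components(sent, r) for r in registered}


def matches_any(sent: str, registered: list) -> bool:
    """True when `sent` exactly equals at least one registered reply URL."""
    return any(not d for d in explain_mismatch(sent, registered).values())


# Constructed data reproducing the symptom in the thread: the site sends
# http with a trailing slash while the registration has https without one.
REGISTERED = ["https://www.example.com", "https://www.example.com/wp-admin/"]
SENT = "http://www.example.com/"

if __name__ == "__main__":
    for reply_url, diffs in explain_mismatch(SENT, REGISTERED).items():
        verdict = "exact match" if not diffs else "differs in " + ", ".join(diffs)
        print(f"{reply_url!r}: {verdict}")
    print("accepted:", matches_any(SENT, REGISTERED))
```

When the site sits behind a rewrite or redirect rule, run the comparison against the URL the browser actually lands on after the rewrite, not the one typed into the plugin settings, since that is the value Azure AD sees.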

  6. Alright, figured out a way to get back in (just renaming the plugin folder on the server).

    But still running into the issue that the reply address does not match the reply addresses configured for the application.

    We have two reply addresses on the Azure side, I have tried matching each one exactly but we’re still running into the error when logging in.

    Thank you.

  7. Got it working, we just created a new app on Azure dashboard and started over. It works!

    Thank you WPO365 team for creating such a fantastic plugin. Much appreciated! 🙂

  8. Is there any way to exclude directories or anything from this application? I’m only seeing the ability to exclude certain pages and even that does not seem to work perfectly.

    1. To skip authentication for pages you can use the Page Blacklist setting and I’m not sure why you write that it doesn’t work perfectly. What I assume is that you have a requirement and it doesn’t work well with your requirement. For each request the plugin will check the last (= trailing) part of the current path. So when your path is https://www.example.com/etc/ then it would check whether “etc” can be found in the Pages Blacklist. If this is the case, the plugin will not try and validate the current session. So if your Pages Blacklist would be “wp-login.php;wp-cron.php;admin-ajax.php;etc” then it should cancel the current attempt to validate the authentication. If this is not the case, please use the contact form on the website to provide me some more details of what you are trying to achieve and I’ll investigate.
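
The following is an added Python model, not the plugin’s own code, of the request-interception decision described in this reply and in the reply to the first comment above: skip any request whose trailing path segment appears in the Page Blacklist; otherwise accept an existing WordPress session as-is; if the sign-in reply carried an error such as access_denied, send the user to the login page with that error instead of redirecting again (the thread does not say where the error parameter arrives, so treating it as a query parameter is an assumption); and only when there is no session redirect to the Microsoft sign-in page. The decision names, the sample URLs and the blacklist entries are constructed for the example.

```python
"""Added example: the per-request decision described in the thread.

A model, not the WPO365 plugin's code. Decisions, sample URLs and the
extra blacklist entry are constructed for the example; the location of the
`error` parameter is an assumption.
"""
from urllib.parse import parse_qs, urlsplit

DEFAULT_BLACKLIST = "wp-login.php;wp-cron.php;admin-ajax.php"


def trailing_segment(path: str) -> str:
    """Last non-empty path segment: '/etc/' -> 'etc', '/wp-login.php' -> 'wp-login.php'."""
    segments = [s for s in path.split("/") if s]
    return segments[-1] if segments else ""


def parse_blacklist(setting: str) -> set:
    """Split the semicolon-separated setting into a set of page names."""
    return {s.strip() for s in setting.split(";") if s.strip()}


def decide(url: str, blacklist: str, logged_in: bool) -> tuple:
    """Return (decision, detail) for one request.

    decision is one of:
      'skip'     - blacklisted page; the plugin does not touch the request
      'pass'     - an existing WordPress session is accepted as-is
      'deny'     - the sign-in reply carried an error; show it on the login page
      'redirect' - no session; send the browser to the Microsoft sign-in page
    """
    parts = urlsplit(url)
    last = trailing_segment(parts.path)
    if last in parse_blacklist(blacklist):
        return ("skip", last)
    if logged_in:
        return ("pass", "existing WordPress session")
    # An error echoed back from the identity provider ends the flow here, so
    # the user is not sent round an endless loop of redirects.
    err = parse_qs(parts.query).get("error")
    if err:
        return ("deny", f"{err[0]}. Please contact your System Administrator.")
    return ("redirect", "Microsoft sign-in page")


# Constructed sample requests against a site with 'etc' added to the blacklist.
SAMPLES = [
    ("https://www.example.com/wp-login.php", DEFAULT_BLACKLIST, False),
    ("https://www.example.com/etc/", DEFAULT_BLACKLIST + ";etc", False),
    ("https://www.example.com/private/etc", DEFAULT_BLACKLIST + ";etc", False),
    ("https://www.example.com/about/", DEFAULT_BLACKLIST, True),
    ("https://www.example.com/?error=access_denied", DEFAULT_BLACKLIST, False),
    ("https://www.example.com/about/", DEFAULT_BLACKLIST, False),
]

if __name__ == "__main__":
    for url, bl, logged_in in SAMPLES:
        decision, detail = decide(url, bl, logged_in)
        print(f"{url:48} logged_in={logged_in!s:5} -> {decision} ({detail})")
```

Because the comparison is on the trailing segment only, as the reply says, “/private/etc” is skipped just like “/etc/” once “etc” is blacklisted; the third sample shows this. Keep that in mind when adding entries, since a blacklisted name exempts every path that ends in it, not one directory.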

  9. Holy smokes, I’ve been going around with MiniOrange and Auth0 for a month trying to get their stuff to work on our site.

    This took me 2 minutes.

    Thank you!

  10. Hi there
    thanks for this plugin, however I can’t see any WPO365 menu as instructed – even after logging back in using another browser (tried IE and Chrome).
    The plugin is installed; no error.
    I even got the banner notification for the plugin configuration and the recommendation to disable anonymous access.

    1. Firstly, sorry for the late reaction! My guess is that there is a problem with the Redux Framework not loading correctly. Having said that, once you have installed and activated the plugin (which you obviously did, because you can see the notification that the plugin must be configured) you should also not navigate to your website’s landing page without being logged in, until you finalize the configuration. I recommend you activate debug logging as described here on the troubleshooting page and analyze the log file or send it to us so we can help you analyze the issue.

  11. Hi, I just installed the plugin last week, and haven’t yet configured it.
    But today I received an update for the plugin, and I can’t log in anymore with my local wp-admin user.

    I have restored my backup to the site, but each time I install the plugin, I can no longer access the site.

  12. I just purchased the premium plugin – but as soon as I activate the plugin, it logs me out, and I can’t log in again.
    It keeps telling me that WPO365 is not configured yet, contact the system administrator.

    How to fix this? 🙁

    1. Hi Bilal – You must navigate to the default login form and then sign in with your WordPress-only (administrator) account. Then you can navigate to the WordPress plugins page, scroll down to the WPO365 plugin in the list and click Configuration to start the configuration.

  13. we need to create an authentication page that will do the following:
    1. users will authenticate on a simple web page with a user name: yyy and password: xxx (all user names and passwords will be managed in a self-managed database) – all login attempts will be logged to a database to get a report of which user has logged in.
    2. after successful authentication all users will log in (SSO – without the need to log in again) to an Office 365 SharePoint Online website with an applicative user name and password (all users will be logged in with the same user).
    Can this be done with your plugin?

    1. Hi Amir. The simple answer is No. The plugin doesn’t work with so-called Application Permissions but with User Delegated Permissions instead. Also, especially for SharePoint you may find that it’s not enough to work with an applicative user. Instead you must register a SharePoint Add-in when you’d like to access SharePoint “offline” (e.g. with an applicative user instead of with a “live” user). So the plugin can provide your users with an access token for SharePoint Online, but that user must have been granted access him / herself to SharePoint Online.

  14. hello,
    I have the Premium version of WPO365 and have a problem with WPO365 vs. WooCommerce. When I log in to the WordPress site via WPO365, the error “web has technical difficulties” is displayed. If I refresh the page (re-enter the web address) the site is displayed OK without this error.
    If I deactivate the WooCommerce plugin, everything works OK.
    Can you tell me what the problem might be?
    Thank you.

    1. Hi. There can be many reasons for this “error”. To be able to determine the error you should have received an email (sent to the admin address) and possibly also check the error log. I’ll have a look whether I can reproduce this behavior as well, because WooCommerce is widely used and previously – as far as I’m aware – the plugin would work fine together with WooCommerce. PS, are you using a specific theme with WooCommerce?

      1. I have tested with WordPress 5.2.2 and the latest version of Woocommerce but cannot reproduce the behaviour you mentioned. This doesn’t mean no error occurs – it obviously does. However, as I cannot reproduce it, I’d like to ask you to see whether you can find out at your system what the exact error is. If you do I happily try and continue the analysis at my end.
