{"id":887,"date":"2024-11-29T09:44:01","date_gmt":"2024-11-29T08:44:01","guid":{"rendered":"https:\/\/sparrow365.de\/?p=887"},"modified":"2024-11-29T09:45:46","modified_gmt":"2024-11-29T08:45:46","slug":"adding-entra-external-id-to-wordpress","status":"publish","type":"post","link":"https:\/\/sparrow365.de\/index.php\/en\/2024\/11\/29\/adding-entra-external-id-to-wordpress\/","title":{"rendered":"Adding Entra External ID to WordPress"},"content":{"rendered":"

After realising that I should really enable comments in my last post<\/a>, I set out to do so in a way that fits my personal requirements. At the outset, the most obvious solution was adding Entra External ID<\/a> Authentication and user management (as one does<\/em> \ud83d\ude09).<\/p>\n

\n

Entra External ID is a version of Entra ID (formerly Azure AD) designed for managing large collections of users who aren\u2019t associated with an organization\u2014typically customers. Hence the Industry Term "Customer Identity and Access Management" (CIAM).<\/em><\/p>\n<\/blockquote>\n

Now, one might think that since wordpress makes up 40% of the Internet, it obviously has a simple and robust commenting system by default. Which would be accurate for 99% of people, but I am a special little snowflake, and I take issue with several points:<\/p>\n

    \n
  1. Allowing anonymous posting is out of the question, since I want to deal with spam even less than I want to hold user Information. For this you could enable and enforce user registration natively but,<\/li>\n
  2. I don’t like the wordpress login page. Especially since I am a big fan of Multi-Factor Authentication, and the free options are not the nicest. I would much rather have an established identity Provider for this purpose<\/li>\n
  3. Adding to this, the registration flow will always require an email address by default. Since I hope to run this blog for a while, I would slowly accumulate user information on my platform. I feel most uncomfortable with Email Addresses and would prefer free choice of usernames.<\/li>\n<\/ol>\n

    Outside of the purely practical points, since I am an Entra ID Admin I was also looking for a (semi) reasonable chance to build up some experience working with Entra External ID. I have always found learning by doing to be the most effective.<\/p>\n

    \n


    <\/p>\n

    Prerequisites<\/h2>\n

    Now, I am no fan of testing in production, even in my personal projects. So the first thing I need is a temporary WordPress instance.<\/p>\n

    As a starting point, I spun up a WordPress Site on Azure App Service<\/a>. For my purposes, the free hosting plan more than sufficed, and the Azure deployment is pretty quick and painless.<\/p>\n

    Once it was up and running, I installed my theme and a test page, just to make sure everything works as it does on my production site. Then the changes from my configuration: <\/p>\n

    First order of operations: Enable WordPress Comments with Login Requirement:<\/strong><\/p>\n

    \"Wordpress<\/p>\n


    <\/p>\n

    What the comment section looks like now:<\/strong>
    \n\"WordpressCommentResults\"<\/p>\n

    Now with the WordPress page ready, it was time to create the Identity Provider (IdP). For this I followed the Tenant Setup Quickstart<\/a> provided by Microsoft.<\/p>\n

    \n

    Reminder: This is a separate new tenant. First step: Create a Breakglass account<\/a> in case you lose access<\/strong><\/p>\n<\/blockquote>\n

    Now that both individual parts\u2014the service provider and the identity provider\u2014are ready, it\u2019s time to make the connection!<\/p>\n

    \n


    <\/p>\n

    Choosing an SSO Plugin<\/h2>\n

    Out of the box, WordPress doesn\u2019t support SAML or OIDC natively. This makes sense\u2014there\u2019s likely little demand for integration with identity providers among the average bloggers or single-page users.<\/p>\n

    Thankfully, WordPress has a large ecosystem of add-ons and plugins that can bridge this gap.<\/p>\n

    My criteria were rather simple: <\/p>\n

      \n
    1. IdP Agnostic<\/strong>: The plugin should work with any identity provider, so tools like the Auth0 Connector Plugin were out<\/li>\n
    2. Open Source<\/strong>: I still strongly believe in using Open Source Software whenever possible <\/li>\n
    3. OIDC Protocol<\/strong>: I prefer using newer standards whenever possible <\/li>\n<\/ol>\n

      The plugin that met all three criteria was Daggerhart OpenID Connect Generic<\/a><\/p>\n

      After installing this plugin, my WordPress test instance became OIDC-capable. From here on out, it’s just your usual Entra SSO Integration.<\/p>\n

      \n


      <\/p>\n

      Configuring SSO in Entra (External) ID<\/h2>\n

      First, we need the redirect URI of our plugin so we can complete the Entra Enterprise App configuration (In my case in Settings > OpenID Connect Client)<\/em><\/p>\n

      \"WordpressRedirectURL\"<\/p>\n

      Then, we complete the required base settings on the Entra ID side.
      \nThis is in my opinion the main advantage of using Entra External ID, if you are an Entra ID admin you have seen these configurations a million times.<\/p>\n

      \"EntraAuthSettings\"<\/p>\n


      <\/p>\n

      \"EntraAuthSettings\"<\/p>\n

      \n

      We add our standard OIDC permissions <\/p>\n

      \"EntraPermissions\"<\/p>\n

      \n

      \ud83d\uddb9 Don’t grant admin consent – if you are onboarding end-users (e.g., blog readers) and not your employees it is very helpful to have explicit consent – Explicit user consent ensures transparency and makes data collection explicit, which is especially crucial for GDPR compliance in Europe.<\/em><\/p>\n<\/blockquote>\n

      \n


      <\/p>\n

      Configuring the OIDC Plugin<\/h2>\n

      Important! In the plugin I am using the following fields are Mandatory! Otherwise the SSO Sign-In button does nothing!<\/u><\/p>\n

      \n

      Ideally, the userinfo<\/code> and end session<\/code> URLs should be dynamically read from the configuration URL: https:\/\/[TenantURL].ciamlogin.com\/[TENANTID]\/v2.0\/.well-known\/openid-configuration<\/code>
      \nbut developers don’t always get along with standards. <\/p>\n<\/blockquote>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
      Setting<\/th>\nValue<\/th>\n<\/tr>\n<\/thead>\n
      Client ID<\/td>\n[Your Client ID]<\/td>\n<\/tr>\n
      Client Secret Key<\/td>\n[Your Client Secret]<\/td>\n<\/tr>\n
      OpenID Scope<\/td>\nprofile<\/code> openid<\/code> offline_access<\/code><\/td>\n<\/tr>\n
      Login Endpoint URL<\/td>\nhttps:\/\/[TENANTNAME].ciamlogin.com\/[TENANTID]\/oauth2\/v2.0\/authorize<\/a><\/td>\n<\/tr>\n
      Userinfo Endpoint URL<\/td>\nhttps:\/\/graph.microsoft.com\/oidc\/userinfo<\/a><\/td>\n<\/tr>\n
      Token Validation Endpoint URL<\/td>\nhttps:\/\/[TENANTNAME].ciamlogin.com\/[TENANTID]\/oauth2\/v2.0\/token<\/a><\/td>\n<\/tr>\n
      End Session Endpoint URL<\/td>\nhttps:\/\/[TENANTNAME].ciamlogin.com\/[TENANTID]\/oauth2\/v2.0\/logout<\/a><\/td>\n<\/tr>\n
      Identity Key<\/td>\nsub<\/code><\/td>\n<\/tr>\n
      Nickname Key<\/td>\nname<\/code><\/td>\n<\/tr>\n
      Email Formatting<\/td>\nCleared, since I don’t want emails in my database<\/td>\n<\/tr>\n
      Display Name Formatting<\/td>\n{name}<\/code>, or the claims from wich to build the Display name<\/td>\n<\/tr>\n
      State Time Limit<\/td>\n360 s ( With the Default 180 I was getting "invalid state" too often for my taste<\/em> \ud83d\ude09)<\/td>\n<\/tr>\n
      Identity with User Name<\/td>\nYes<\/td>\n<\/tr>\n
      Enable Refresh Token<\/td>\nYes (This is what the scope offline_access<\/code> is for)<\/td>\n<\/tr>\n
      Create user if does not exist<\/td>\nYes<\/td>\n<\/tr>\n
      Redirect Back to Origin Page<\/td>\nYes<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      I always prefer using userprincipalname<\/code> or preferred_username<\/code> as the identifier, sadly the plugin I use still uses the userinfo Endpoint. This is always a bad sign for integration with Entra ID, since we can’t change the Information from the userinfo Endpoint<\/a> in Entra ID.<\/p>\n

      \n

      If your solution allows working with ID tokens: I recommend this Article \/ Tool for Claim Testing<\/a> from Martin Rublik, while I did fear that my plugin used userinfo from the get-go, I used the tool to verify the ID token to be correct when the SSO did not work<\/em><\/p>\n<\/blockquote>\n

      With this configuration, users Can<\/strong> provide their email, but don’t have to – and we have successfully achieved SSO. But let’s look at the result in more detail.<\/p>\n

      \n


      <\/p>\n

      User Experience<\/h2>\n

      If we press the login Button that would usually redirect to the default WordPress Login, we are now immediately redirected to the Entra External ID Login experience. <\/p>\n

      \"pressLoginButton\"<\/p>\n

      \"loginMas\"<\/p>\n

      \n

      Then we try logging in with a previously invited User, and can sign in with authenticator MFA, after Consenting to sharing of our information.<\/p>\n\n\n\n\n\n
      1: MFA Prompt<\/th>\n2: Consent Request<\/th>\n<\/tr>\n<\/thead>\n
      \"mfaPrompt\"<\/td>\n\"consentREquest\"<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
      \n

      The User is logged in successfully, and could provide an Email Address, but it is empty by default.<\/p>\n

      \"consentPrompt\"<\/p>\n

      \"noMailInProfile\"<\/p>\n

      \n

      On Logout, the Microsoft Account Picker is used.<\/p>\n

      \"logout\"<\/p>\n

      \n


      <\/p>\n

      Was it worth it?<\/h2>\n

      If you try commenting on my blog, you’ll now find a very different experience. After testing, I decided to use a plugin which specialises in Social Logins<\/a>. This solution has a much larger selection of social providers (including dedicated Login buttons) and also allows me to leave it open to the user what information he shares.<\/p>\n

      I did not go in depth on the integration with other identity providers in this blog, since the configuration and end user experience is really not what I was looking for – but that’s okay, since Entra External ID is not meant for my use case.<\/p>\n

      For my little blog, managing login flows, user management processes, or building custom pages is overkill. However, for developers or organizations requiring robust identity infrastructure, Entra External ID offers significant benefits by handling much of the heavy lifting.<\/p>\n

      That said, Entra External ID still lags behind its predecessor, Entra B2C<\/a><\/strong>, in several areas\u2014particularly user provisioning. For example, I know of recent CIAM projects where teams, after a detailed comparison, opted for B2C due to these limitations and hope for future migration paths to External ID.<\/p>\n

      For me personally, the primary goal of gaining experience with Entra External ID was met. I learned a great deal and gained valuable hands-on practice.<\/p>\n

      I\u2019m excited to see where Entra External ID might be in the next couple of years\u2014perhaps it will close the gaps and become even more compelling for a wider range of use cases. \ud83d\ude0a<\/p>\n","protected":false},"excerpt":{"rendered":"

      After realising that I should really enable comments in my last post, I set out to do so in a way that fits my personal requirements. At the outset, the most obvious solution was adding Entra External ID Authentication and user management (as one does \ud83d\ude09). Entra External ID is a version of Entra ID… » weiterlesen<\/a><\/p>\n","protected":false},"author":2,"featured_media":889,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[76],"tags":[80,426,88,430,424,422,222,428],"class_list":["post-887","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-me-id-en","tag-aad-en","tag-ciam","tag-entra-en","tag-entra-b2c","tag-entra-external-id","tag-oew","tag-oidc-en","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/posts\/887","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/comments?post=887"}],"version-history":[{"count":1,"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/posts\/887\/revisions"}],"predecessor-version":[{"id":888,"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/posts\/887\/revisions\/888"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/media\/889"}],"wp:attachment":[{"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/media?parent=887"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/categories?post=887"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/tags?post=887"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}