
DTS OpenID Plugin

The DTS OpenID plugin for WordPress provides single sign-on through UtahID. As the name suggests, the plugin does this through OpenID, an identity layer on top of the OAuth 2.0 protocol.

Download DTS OpenID Plugin

Note: the following instructions also appear in the plugin settings for your convenience.

Installing

  • Installation
    • Download and install the plugin on the WordPress plugins page.
    • Go to the plugin’s settings (in the Settings menu), add the client ID, pick the OpenID Provider, and select the Protection Level
    • Activate the plugin (make sure the plugin settings are correct, because you will be locked out if they are not)
    • Important: if an error locks you out when attempting to log in, please contact dts_ui@utah.gov or open a ticket to DTS – WordPress
  • Configuration Options
    • Client ID creation
      • Go to ApAdmin
      • Select “Credentials” at the top
      • Create Project
        • Note: skip this step if using one project for all sites, and pick the project you want instead of creating a new one. Using one project is what the DTS UI/UX team does to keep admin security access manageable (DTS UI/UX team: use the project “DTS UI/UX WordPress Sites (Websites maintained by UI/UX)”)
        • Click the “create” button next to Project (yes, without even typing in a name first; a popup will appear)
        • Type in the title, which should be something identifiable like the agency and site name (e.g. DOH-Maternal-Mental-Health)
        • Description doesn’t matter
        • For co-owners, enter the emails of everyone in your group who should have admin access to the ApAdmin configuration
        • Click create to have the project created
      • Create Client
        • Next to clients, click the “Create” button
        • ApAdmin is built around having several clients per application (AT/Prod/Dev/etc.), but we’ll probably only ever have one and use it for all environments, since ApAdmin syncs across login.dev and login.dts.*
        • For the title put something descriptive so you can find it later
        • Description is quite irrelevant so be as descriptive as possible
        • Type is Public which is probably the default
        • Add the following four Scopes, typing each on its own line and clicking the “add” button after each one: openid, profile, directory, email
        • Default ACR values can be left blank
        • Auth Method is client_secret_post
        • Implied Consent needs to be turned on. It is on when color is visible in the slider (orb to the right); if the slider is gray, it is off. Without implied consent, I believe the user is asked if they want to share login information with your site when they first log in
        • Grant Types are Implicit, Client Credentials, and Authorization Code; select each one individually to have it added
        • Redirection URIs is not a fixed value for every site: it should be https://[my.website.url]/loginComplete, where my.website.url is the base URL of your site. For example, if WordPress is hosted at https://devnotes.dts.utah.gov, the Redirection URI to enter is https://devnotes.dts.utah.gov/loginComplete. The plugin uses this URL as the destination OpenID returns to when login is complete; the loginComplete path is hardcoded in the plugin.
        • Post Logout URIs is blank; the plugin uses the login URL’s goto parameter instead of the OpenID post-logout redirect URI.
        • Click create to have the client created
      • A client ID is now generated and visible at the top of the client configuration; copy and paste it into the plugin config
  • All providers are synced through ApAdmin, so ApAdmin changes apply to all of them.
  • Protection Level: determines whether OpenID protects the whole WordPress site or only pages that require a WordPress login
  • Auto user creation: after login, this setting determines what happens if the user does not yet exist in the WordPress database. If set to Yes, a new user is created with the Subscriber role. If set to No, no user is created and the user is treated as “Anonymous”. Note that the plugin does create a DTS Anonymous user for the purpose of anonymous login.
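As an added example that is not the plugin’s own code, the following Python sketches what the client settings above (the four scopes, the /loginComplete Redirection URI, the Authorization Code grant and client_secret_post) translate to in one login exchange. The authorize endpoint, client ID and secret are placeholders; it also derives the exact Redirection URI to register from any site base URL, including a subdirectory install, which the instructions show only for a host-only URL.

```python
# Added illustration, not the DTS OpenID plugin's own code: what the ApAdmin client
# settings above mean on the wire. Endpoint, client id and secret are placeholders.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

SCOPES = "openid profile directory email"   # the four scopes added in ApAdmin
CALLBACK_PATH = "/loginComplete"            # hardcoded in the plugin

def expected_redirect_uri(site_url: str) -> str:
    """Redirection URI to register in ApAdmin for a WordPress base URL."""
    parts = urlsplit(site_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"site url must be an absolute https URL: {site_url!r}")
    return f"https://{parts.netloc}{parts.path.rstrip('/')}{CALLBACK_PATH}"

def new_state() -> str:
    """Per-login random value that ties the callback to this browser session."""
    return secrets.token_urlsafe(16)

def build_authorize_url(authorize_endpoint, client_id, site_url, state) -> str:
    """Authorization Code request the browser is sent to for the UtahID login."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": expected_redirect_uri(site_url),
              "scope": SCOPES, "state": state}
    return f"{authorize_endpoint}?{urlencode(params)}"

def validate_callback(callback_url, site_url, expected_state) -> str:
    """Check the provider's redirect back to /loginComplete; return the code."""
    parts = urlsplit(callback_url)
    # Exact match against the registered URI, as OpenID requires (no other host/path).
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != expected_redirect_uri(site_url):
        raise ValueError("callback did not arrive at the registered Redirection URI")
    query = parse_qs(parts.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response is not from this login attempt")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]

def token_request_body(client_id, client_secret, site_url, code) -> dict:
    """client_secret_post: client credentials go in the POST body, not a header."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": expected_redirect_uri(site_url),
            "client_id": client_id, "client_secret": client_secret}
```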