Satellite Network supports SAML 2.0-based Single Sign-On (SSO) using the WP SAML Auth plugin, maintained by Pantheon. This allows your users to authenticate via your institution’s identity provider (IdP), providing a seamless and secure login experience.
This guide walks through the full integration process, including requirements, configuration steps, and optional group mapping.
Requirements
Before beginning the setup, ensure you have the following:
- An active Satellite Network instance
- Admin access to your IdP (e.g. Azure AD, Shibboleth, ADFS, etc.)
- You have requested SSO set-up from SMILE
Configuration
Once the SSO is enabled on your network, you’ll need to configure it to point to your IdP.
This following function will be added to your child theme – please copy this and update all instances of [INSERT_YOUR_DATA_HERE] with your values:
function wpsax_filter_option( $value, $option_name ) {
$defaults = array(
/**
* Type of SAML connection bridge to use.
*
* 'internal' uses OneLogin bundled library; 'simplesamlphp' uses SimpleSAMLphp.
*
* Defaults to SimpleSAMLphp for backwards compatibility.
*
* @param string
*/
'connection_type' => 'internal',
/**
* Configuration options for OneLogin library use.
*
* See comments with "Required:" for values you absolutely need to configure.
*
* @param array
*/
'internal_config' => array(
// Validation of SAML responses is required.
'strict' => true,
'debug' => defined( 'WP_DEBUG' ) && WP_DEBUG ? true : false,
'baseurl' => home_url(),
'sp' => array(
'entityId' => 'spn:c2d249d5-1f05-498d-b1bb-765e6ef5d8b3',
'assertionConsumerService' => array(
'url' => wp_login_url(),
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
),
),
'idp' => array(
// Required: Set based on provider's supplied value.
'entityId' => '[INSERT_YOUR_DATA_HERE]',
'singleSignOnService' => array(
// Required: Set based on provider's supplied value.
'url' => '[INSERT_YOUR_DATA_HERE]',
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
'singleLogoutService' => array(
// Required: Set based on provider's supplied value.
'url' => '[INSERT_YOUR_DATA_HERE]',
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
// Required: Contents of the IDP's public x509 certificate.
// Optional: Instead of using the x509 cert, you can specify the fingerprint and algorithm.
'certFingerprint' => '[INSERT_YOUR_DATA_HERE]',
'certFingerprintAlgorithm' => 'SHA-256',
),
),
/**
* Path to SimpleSAMLphp autoloader.
*
* Follow the standard implementation by installing SimpleSAMLphp
* alongside the plugin, and provide the path to its autoloader.
* Alternatively, this plugin will work if it can find the
* `SimpleSAML_Auth_Simple` class.
*
* @param string
*/
'simplesamlphp_autoload' => dirname( __FILE__ ) . '/simplesamlphp/lib/_autoload.php',
/**
* Authentication source to pass to SimpleSAMLphp
*
* This must be one of your configured identity providers in
* SimpleSAMLphp. If the identity provider isn't configured
* properly, the plugin will not work properly.
*
* @param string
*/
'auth_source' => 'default-sp',
/**
* Whether or not to automatically provision new WordPress users.
*
* When WordPress is presented with a SAML user without a
* corresponding WordPress account, it can either create a new user
* or display an error that the user needs to contact the site
* administrator.
*
* @param bool
*/
'auto_provision' => true,
/**
* Whether or not to permit logging in with username and password.
*
* If this feature is disabled, all authentication requests will be
* channeled through SimpleSAMLphp.
*
* @param bool
*/
'permit_wp_login' => true,
/**
* Attribute by which to get a WordPress user for a SAML user.
*
* @param string Supported options are 'email' and 'login'.
*/
'get_user_by' => 'email',
/**
* SAML attribute which includes the user_login value for a user.
*
* @param string
*/
'user_login_attribute' => '[INSERT_YOUR_DATA_HERE]',
/**
* SAML attribute which includes the user_email value for a user.
*
* @param string
*/
'user_email_attribute' => '[INSERT_YOUR_DATA_HERE]',
/**
* SAML attribute which includes the display_name value for a user.
*
* @param string
*/
'display_name_attribute' => '[INSERT_YOUR_DATA_HERE]',
/**
* SAML attribute which includes the first_name value for a user.
*
* @param string
*/
'first_name_attribute' => '[INSERT_YOUR_DATA_HERE]',
/**
* SAML attribute which includes the last_name value for a user.
*
* @param string
*/
'last_name_attribute' => '[INSERT_YOUR_DATA_HERE]',
/**
* Default WordPress role to grant when provisioning new users.
*
* @param string
*/
'default_role' => get_option( 'default_role' ),
);
$value = isset( $defaults[ $option_name ] ) ? $defaults[ $option_name ] : $value;
return $value;
}Mapping Roles
In order to map your roles to WordPress roles, please update the following function and send it back to us for implementation in your child theme:
if ( ! function_exists( 'role_array' ) ) {
/**
* Set role mapping
*/
function role_array() {
return array(
'[INSERT_YOUR_DATA_HERE]' => 'administrator',
'[INSERT_YOUR_DATA_HERE]' => 'editor',
'[INSERT_YOUR_DATA_HERE]' => 'author',
'[INSERT_YOUR_DATA_HERE]' => 'contributor',
'[INSERT_YOUR_DATA_HERE]' => 'subscriber',
);
}
}Testing
Once you have sent those back to us and we’ve implemented them:
- Visit your login page (e.g. yoursite.satellite.network/login)
- You should see an option to log in via your institution
- If login fails, ensure:
- Your IdP metadata is correct
- Your certificate is valid
- The correct SAML attributes are being passed
If you’re seeing the error message “You are not authorised to access this site”, it’s likely due to failed group matching.
Need Help?
If you run into issues, we recommend:
- Opening a support ticket with detailed logs and screenshots
- Asking your IT team to confirm the user’s SAML attributes
- Sharing a SAML trace using a browser plugin such as SAML-tracer (Firefox/Chrome)