{"id":1580,"date":"2025-05-02T10:09:04","date_gmt":"2025-05-02T09:09:04","guid":{"rendered":"https:\/\/wearesmile.com\/help\/?post_type=ht_kb&#038;p=1580"},"modified":"2025-05-02T10:09:06","modified_gmt":"2025-05-02T09:09:06","slug":"configuring-sso-with-satellite-network","status":"publish","type":"ht_kb","link":"https:\/\/wearesmile.com\/help\/documentation\/configuring-sso-with-satellite-network\/","title":{"rendered":"Configuring SSO with Satellite Network"},"content":{"rendered":"\n<p>Satellite Network supports <strong>SAML 2.0-based Single Sign-On (SSO)<\/strong> using the <strong>WP SAML Auth<\/strong> plugin, maintained by Pantheon. This allows your users to authenticate via your institution\u2019s identity provider (IdP), providing a seamless and secure login experience.<\/p>\n\n\n\n<p>This guide walks through the full integration process, including requirements, configuration steps, and optional group mapping.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Requirements<\/strong><\/h2>\n\n\n\n<p>Before beginning the setup, ensure you have the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active Satellite Network instance<\/li>\n\n\n\n<li>Admin access to your IdP (e.g. 
Azure AD, Shibboleth, ADFS, etc.)<\/li>\n\n\n\n<li>You have requested SSO set-up from SMILE<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Configuration<\/strong><\/h2>\n\n\n\n<p>Once SSO is enabled on your network, you\u2019ll need to configure it to point to your IdP.<\/p>\n\n\n\n<p>The following function will be added to your child theme &#8211; please copy it and replace every instance of <code>[INSERT_YOUR_DATA_HERE]<\/code> with your values:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>function wpsax_filter_option( $value, $option_name ) {\n  $defaults = array(\n    \/**\n     * Type of SAML connection bridge to use.\n     *\n     * 'internal' uses OneLogin bundled library; 'simplesamlphp' uses SimpleSAMLphp.\n     *\n     * Defaults to SimpleSAMLphp for backwards compatibility.\n     *\n     * @param string\n     *\/\n    'connection_type'        => 'internal',\n    \/**\n     * Configuration options for OneLogin library use.\n     *\n     * See comments with \"Required:\" for values you absolutely need to configure.\n     *\n     * @param array\n     *\/\n    'internal_config'        => array(\n      \/\/ Validation of SAML responses is required.\n      'strict'  => true,\n      'debug'   => defined( 'WP_DEBUG' ) &amp;&amp; WP_DEBUG ? 
true : false,\n      'baseurl' => home_url(),\n      'sp'      => array(\n        'entityId'                 => 'spn:c2d249d5-1f05-498d-b1bb-765e6ef5d8b3',\n        'assertionConsumerService' => array(\n          'url'     => wp_login_url(),\n          'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',\n        ),\n      ),\n      'idp'     => array(\n        \/\/ Required: Set based on provider's supplied value.\n        'entityId'                 => '&#91;INSERT_YOUR_DATA_HERE]',\n        'singleSignOnService'      => array(\n          \/\/ Required: Set based on provider's supplied value.\n          'url'     => '&#91;INSERT_YOUR_DATA_HERE]',\n          'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',\n        ),\n        'singleLogoutService'      => array(\n          \/\/ Required: Set based on provider's supplied value.\n          'url'     => '&#91;INSERT_YOUR_DATA_HERE]',\n          'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',\n        ),\n        \/\/ Required: Fingerprint of the IdP's public x509 certificate, used here instead of the\n        \/\/ certificate contents. The algorithm is one of 'sha1', 'sha256', 'sha384' or 'sha512'.\n        'certFingerprint'          => '&#91;INSERT_YOUR_DATA_HERE]',\n        'certFingerprintAlgorithm' => 'sha256',\n      ),\n    ),\n    \/**\n     * Path to SimpleSAMLphp autoloader.\n     *\n     * Follow the standard implementation by installing SimpleSAMLphp\n     * alongside the plugin, and provide the path to its autoloader.\n     * Alternatively, this plugin will work if it can find the\n     * `SimpleSAML_Auth_Simple` class.\n     *\n     * @param string\n     *\/\n    'simplesamlphp_autoload' => dirname( __FILE__ ) . '\/simplesamlphp\/lib\/_autoload.php',\n    \/**\n     * Authentication source to pass to SimpleSAMLphp\n     *\n     * This must be one of your configured identity providers in\n     * SimpleSAMLphp. 
If the identity provider isn't configured\n     * properly, the plugin will not work properly.\n     *\n     * @param string\n     *\/\n    'auth_source'            => 'default-sp',\n    \/**\n     * Whether or not to automatically provision new WordPress users.\n     *\n     * When WordPress is presented with a SAML user without a\n     * corresponding WordPress account, it can either create a new user\n     * or display an error that the user needs to contact the site\n     * administrator.\n     *\n     * @param bool\n     *\/\n    'auto_provision'         => true,\n    \/**\n     * Whether or not to permit logging in with username and password.\n     *\n     * If this feature is disabled, all authentication requests will be\n     * channeled through SimpleSAMLphp.\n     *\n     * @param bool\n     *\/\n    'permit_wp_login'        => true,\n    \/**\n     * Attribute by which to get a WordPress user for a SAML user.\n     *\n     * @param string Supported options are 'email' and 'login'.\n     *\/\n    'get_user_by'            => 'email',\n    \/**\n     * SAML attribute which includes the user_login value for a user.\n     *\n     * @param string\n     *\/\n    'user_login_attribute'   => '&#91;INSERT_YOUR_DATA_HERE]',\n    \/**\n     * SAML attribute which includes the user_email value for a user.\n     *\n     * @param string\n     *\/\n    'user_email_attribute'   => '&#91;INSERT_YOUR_DATA_HERE]',\n    \/**\n     * SAML attribute which includes the display_name value for a user.\n     *\n     * @param string\n     *\/\n    'display_name_attribute' => '&#91;INSERT_YOUR_DATA_HERE]',\n    \/**\n     * SAML attribute which includes the first_name value for a user.\n     *\n     * @param string\n     *\/\n    'first_name_attribute'   => '&#91;INSERT_YOUR_DATA_HERE]',\n    \/**\n     * SAML attribute which includes the last_name value for a user.\n     *\n     * @param string\n     *\/\n    'last_name_attribute'    => '&#91;INSERT_YOUR_DATA_HERE]',\n    \/**\n    
 * Default WordPress role to grant when provisioning new users.\n     *\n     * @param string\n     *\/\n    'default_role'           => get_option( 'default_role' ),\n  );\n  $value = isset( $defaults&#91; $option_name ] ) ? $defaults&#91; $option_name ] : $value;\n  return $value;\n}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Mapping Roles<\/h3>\n\n\n\n<p>In order to map your roles to WordPress roles, please update the following function and send it back to us for implementation in your child theme:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>if ( ! function_exists( 'role_array' ) ) {\n\t\/**\n\t * Set role mapping\n\t *\/\n\tfunction role_array() {\n\t\treturn array(\n\t\t\t'&#91;INSERT_YOUR_DATA_HERE]' => 'administrator',\n\t\t\t'&#91;INSERT_YOUR_DATA_HERE]' => 'editor',\n\t\t\t'&#91;INSERT_YOUR_DATA_HERE]' => 'author',\n\t\t\t'&#91;INSERT_YOUR_DATA_HERE]' => 'contributor',\n\t\t\t'&#91;INSERT_YOUR_DATA_HERE]' => 'subscriber',\n\t\t);\n\t}\n}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Testing<\/strong><\/h2>\n\n\n\n<p>Once you have sent those back to us and we&#8217;ve implemented them:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Visit your login page (e.g. 
yoursite.satellite.network\/login)<\/li>\n\n\n\n<li>You should see an option to <strong>log in via your institution<\/strong><\/li>\n\n\n\n<li>If login fails, ensure:\n<ul class=\"wp-block-list\">\n<li>Your IdP metadata is correct<\/li>\n\n\n\n<li>Your certificate is valid<\/li>\n\n\n\n<li>The correct SAML attributes are being passed<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>If you\u2019re seeing the error message \u201cYou are not authorised to access this site\u201d, it\u2019s likely due to failed group matching.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Need Help?<\/strong><\/h2>\n\n\n\n<p>If you run into issues, we recommend:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Opening a <a href=\"https:\/\/wearesmile.com\/help\/start-a-support-ticket\/\">support ticket<\/a> with detailed logs and screenshots<\/li>\n\n\n\n<li>Asking your IT team to confirm the user\u2019s SAML attributes<\/li>\n\n\n\n<li>Sharing a SAML trace using a browser plugin such as <a href=\"https:\/\/addons.mozilla.org\/en-GB\/firefox\/addon\/saml-tracer\/\">SAML-tracer (Firefox\/Chrome)<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Satellite Network supports SAML 2.0-based Single Sign-On (SSO) using the WP SAML Auth plugin, maintained by Pantheon. This allows your users to authenticate via your institution\u2019s identity provider (IdP), providing a seamless and secure login experience. 
This guide walks through the full integration process, including requirements, configuration steps, and optional&#8230;<\/p>\n","protected":false},"author":1,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":{"_searchwp_excluded":"","footnotes":""},"ht-kb-category":[116],"ht-kb-tag":[],"class_list":["post-1580","ht_kb","type-ht_kb","status-publish","format-standard","hentry","ht_kb_category-satellite-network"],"_links":{"self":[{"href":"https:\/\/wearesmile.com\/help\/wp-json\/wp\/v2\/ht-kb\/1580","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wearesmile.com\/help\/wp-json\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/wearesmile.com\/help\/wp-json\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/wearesmile.com\/help\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wearesmile.com\/help\/wp-json\/wp\/v2\/comments?post=1580"}],"version-history":[{"count":1,"href":"https:\/\/wearesmile.com\/help\/wp-json\/wp\/v2\/ht-kb\/1580\/revisions"}],"predecessor-version":[{"id":1581,"href":"https:\/\/wearesmile.com\/help\/wp-json\/wp\/v2\/ht-kb\/1580\/revisions\/1581"}],"wp:attachment":[{"href":"https:\/\/wearesmile.com\/help\/wp-json\/wp\/v2\/media?parent=1580"}],"wp:term":[{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/wearesmile.com\/help\/wp-json\/wp\/v2\/ht-kb-category?post=1580"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:\/\/wearesmile.com\/help\/wp-json\/wp\/v2\/ht-kb-tag?post=1580"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}