Single Sign-On (SSO) for WP Engine User Portal

The Single Sign-On (SSO) feature will allow customers to use their own identity provider (like Active Directory, Google, Okta, etc.) to authenticate and log in to WP Engine’s User Portal (my.wpengine.com). SSO will give you the ability to set up custom security rules for the User Portal based on your own internal processes and security practices.


About WP Engine SSO

WP Engine uses SAML 2.0 or Google OIDC to provide SSO to corporate identity systems. When you log in to the WP Engine User Portal, you are first prompted for your email. Our systems then use this email to route authentication to your business’s identity system.

Additionally, if you integrate through SAML, you can use the SAML app from your identity UI to push authentication from your company to WP Engine, so you are automatically logged in to WP Engine’s User Portal. Often this means you click a tile in your identity application to launch the WP Engine User Portal.

Once logged in to the User Portal, your users can additionally utilize WP Engine’s Seamless Login feature to access any WordPress admin dashboards on your account that they have access to.


Enable SSO

Please reach out to the WP Engine Support team to have the SSO feature enabled. Support will get your request to the appropriate team internally to have SSO enabled for your domain.

Please provide the following information with your request:

  • Domain name(s) attached to your email addresses.
  • The name and email of an initial test user.
    • We will use this address to test with prior to enabling SSO for the entire domain.
  • Contact emails and phone numbers of the people doing the SSO setup for your domain.
    • At least one of these should have admin access to your identity management system.
  • Support PIN for an Owner of the hosting account.
    • The Owner user’s email must use the same domain that we’re enabling SSO for.

Our team will respond with the additional meta information required to complete the setup steps below.


Add a New User with SSO

To add a new user using SSO for WP Engine, ensure you’ve added the user to the WP Engine User Portal as well as to your SAML application.

The email address on WP Engine should match the email in your identity system, and should use the domain for which SSO was enabled.

As long as these two requirements are met, the user will automatically be prompted to log in with SSO at my.wpengine.com and can log in remotely from your identity app.


Limitations

  • SSO for WP Engine only supports the login process for accessing the WP Engine User Portal. This feature does not support SFTP, SSH, or API credentials.
  • At this time, we do not support SCIM, Just in Time (JIT) user provisioning, or group integrations.
  • For SAML, we require email, first name, and last name attributes, and can optionally configure a mobile phone attribute to map through SAML. We do not map group attributes.
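The attribute and NameID requirements above can be checked against a test assertion from your identity provider before the test user's first login. The following Python is an added example, not WP Engine's code; the sample assertion is constructed and unsigned, and the attribute names follow the email / firstName / lastName mapping used in the provider setup sections of this article.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names must match exactly (case-sensitive) what WP Engine expects.
REQUIRED = ("email", "firstName", "lastName")

# Constructed, unsigned sample assertion: the IdP still sends the default
# "Surname" claim name instead of the required "lastName".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text: str) -> list:
    """Return a list of problems; an empty list means the assertion meets the requirements above."""
    root = ET.fromstring(xml_text)
    problems = []
    # NameID must be present and use the email address format.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing NameID")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID format is {name_id.get('Format')!r}, expected {EMAIL_FORMAT!r}")
    # Collect attributes as name -> list of non-empty values.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
    # Required attributes must be present and non-empty.
    for name in REQUIRED:
        if name not in attrs:
            problems.append(f"missing attribute {name!r} (found: {sorted(attrs)})")
        elif not attrs[name]:
            problems.append(f"attribute {name!r} has no value")
    # The NameID should carry the same address as the email attribute.
    if name_id is not None and attrs.get("email") and name_id.text not in attrs["email"]:
        problems.append("NameID does not match the email attribute")
    # Names outside the required set (other than an optionally agreed phone attribute) are
    # not mapped; a default claim name here usually means a rename step was missed.
    for name in attrs:
        if name not in REQUIRED:
            problems.append(f"unmapped attribute {name!r}; rename it if it was meant to be one of {REQUIRED}")
    return problems
```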

Setup Instructions by Provider

Below are setup instructions for the top identity providers we see used. Be aware that because these identity providers are third party, the interface may be different than the one shown below, but the settings should remain the same.

NOTE: Be sure you’ve already reached out to WP Engine to enable the User Portal SSO feature. You will receive an email in return with information you need for this setup process.

Active Directory Federation Services

For Microsoft’s official setup guide, see their article Configure a SAML 2.0 provider for portals with AD FS.

  1. In the AD FS console, under Trust Relationships, select Relying Party Trusts. Then click Add Relying Party Trust.
  2. In the Welcome step, select Claims aware, then Start.
  3. In the Select Data Source step, select Import data about the relying party from a file and upload WP Engine metadata.xml.
    • When you requested SSO be enabled by WP Engine you will have received an email in response. Attached to that email will be the file called: WP Engine metadata.xml.
  4. Browse to the WP Engine metadata file and select it, then click Next.
  5. In the Specify Display Name step, set the following, then click Next:
    • Display Name: WP Engine User Portal
    • Notes: The WordPress Digital Experience Platform. Bring your vision to life in breakthrough experiences, built on the best platform for developing and hosting fast, reliable, and secure WordPress sites.
  6. In the Choose Issuance Authorization Rules step, select Permit everyone, then click Next.
  7. In the Ready to Add Trust step, click Next to accept the defaults.
  8. In the Finish dialog, check Open the Edit Claim Rules dialog for this relying party trust, and when the wizard finishes click Close.
  9. In the Edit Claim Rules for WP Engine User Portal dialog, click Add Rule to enter the Add Transform Claim Rule Wizard.
  10. In the Choose Rule Type step, select Send LDAP Attributes as Claims from the Claim rule template drop-down, then click Next.
  11. In the Configure Claim Rule step, enter the following, then click OK:
    • (Row 1) LDAP Attribute: Email Addresses
    • Outgoing Claim Type: E-Mail address
    • (Row 2) LDAP Attribute: Given-Name
    • Outgoing Claim Type: firstName
    • (Row 3) LDAP Attribute: Surname
    • Outgoing Claim Type: lastName
  12. Click Add Rule to enter the Add Transform Claim Rule Wizard.
  13. In the Choose Rule Type step, select Transform an Incoming Claim from the Claim rule template drop-down, then click Next.
  14. In the Configure Claim Rule step, enter the following, then click Finish:
    • Claim Rule Name: Transform Rule
    • Incoming claim type: Email Address (matches the outgoing claim type from the LDAP claims rule)
    • Outgoing claim type: Name ID
    • Outgoing name ID format: Email
    • Select Pass through all claim values
  15. With the relying party trust still selected, select Properties from the Actions sidebar.
  16. In the Advanced tab, make sure SHA-256 is specified as the secure hash algorithm, then click OK.
  17. Click AD FS, then Service, then Endpoints.
  18. Locate the URL path in the Metadata section.
  19. Copy the path into a new tab in your browser, and prepend https:// followed by your ADFS hostname.
    • For example: https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml
  20. Download this metadata to a file on your computer.
  21. After requesting the feature be enabled initially, you will have received an email from WP Engine. Please reply to this email and attach this metadata file.

In some cases you may have multiple certificates configured, and the metadata may not be clear about which certificate will be used. In these cases, you will need to export the ADFS certificate:

  1. Click AD FS Management (Server Manager > Tools), then Service, then Certificates.
  2. In the Token-signing section, right click the certificate and select View Certificate.
  3. On the Details tab, click Copy to file and Next.
  4. Select DER encoded binary X.509 (.CER), and click Next.
  5. Select where you want to save the file and enter a name for the file. Click Save, Next, and Finish.
  6. After requesting the feature be enabled initially, you will have received an email from WP Engine. Please reply to this email and attach this certificate file.
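When the metadata lists more than one certificate, you can confirm which one is the token-signing certificate by matching the fingerprint of the exported .CER file against the certificates the metadata marks for signing. The Python below is an added example, not WP Engine's or Microsoft's code; the metadata and certificate bytes are constructed placeholders, and a real .CER export would be read with open(path, "rb").

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata with one encryption and one signing KeyDescriptor.
# The certificate bodies are placeholder bytes, not real X.509 certificates.
ENCRYPTION_CERT = b"placeholder-encryption-cert"
SIGNING_CERT = b"placeholder-token-signing-cert"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(ENCRYPTION_CERT).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SIGNING_CERT).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, e.g. the bytes of an exported .CER file."""
    return hashlib.sha256(der_bytes).hexdigest()


def signing_certs(metadata_xml: str) -> dict:
    """Map fingerprint -> DER bytes for every certificate the IdP metadata advertises for signing.

    A KeyDescriptor with no 'use' attribute may serve both signing and encryption under the
    SAML metadata specification, so it is included; use="encryption" entries are skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # drop any base64 line wrapping
            certs[fingerprint(der)] = der
    return certs


def exported_cert_is_signing(cer_bytes: bytes, metadata_xml: str) -> bool:
    """True when the exported token-signing .CER is one of the signing certificates in the metadata."""
    return fingerprint(cer_bytes) in signing_certs(metadata_xml)
```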

Azure Active Directory

If you have not done so already, this document can help you set up the Azure AD subscription which is included with Microsoft 365.

  1. Go to https://portal.azure.com/#home
  2. In the left hand menu, select Azure Active Directory
  3. Under Create, click Enterprise Application
  4. Select Non-gallery application
  5. In the Add your own application panel, set the Name to: WP Engine User Portal then click Add.
  6. Click Properties and locate Logo.
  7. Download and save the WPEngine-SSO-Azure-Logo.png file here. Then upload this file as the Logo icon.
  8. In the left-hand menu, click Users and Groups, then select Add User.
  9. In Add Assignment, click Users.
  10. Select all of your users. This should match your complete list of users with your SSO email domain, across all WP Engine accounts. Then click Assign. Be sure to verify you see your users added to the app.
  11. In the left-hand menu, click Single Sign-on, then select SAML.
  12. Click Upload metadata file and select the WP Engine metadata file WP Engine metadata.xml, then click Add.
    • When you requested SSO be enabled by WP Engine you will have received an email in response. Attached to that email will be the file called: WP Engine metadata.xml.
  13. In the Basic SAML configuration box, click Edit, then fill in these fields. The information used here will be in an email from WP Engine that you received after requesting the SSO feature be enabled.
    • In the Relay State field, paste the Relay state / start URL you received from WP Engine.
    • Verify the metadata import filled the Issuer (Entity ID) field with the Audience URI / entity ID from WP Engine.
    • Verify the metadata import filled the Reply URL (Assertion Consumer Service URL) field with the ACS URL from WP Engine.
    • Click Save, then X to close the window.
  14. Under User Attributes and Claims, click Edit:
    • Click the Required Claim Unique User Identifier (Name ID).
    • Under Choose name identifier format, verify the format is Email address. If not, you may need to change the Source attribute to: user.mail.
    • Click Save if you made changes, then X to close.
  15. Click the user.mail claim and change the name to email.
  16. Then click Save and close.
  17. Click the user.givenname claim and change the name to firstName.
  18. Then click Save and close.
  19. Click the user.surname claim and change the name to lastName.
  20. Then click Save and close.
  21. Delete the claim user.userprincipalname.

The resulting claims should appear as follows:

Before continuing to the last steps, your final settings should look like:

  1. Under Step 3 “SAML Signing Certificate”, download the Federation Metadata XML file.
  2. After requesting the feature be enabled initially, you will have received an email from WP Engine. Please reply to this email and attach this metadata file.

OneLogin SSO

  1. Log in to the OneLogin Dashboard, and click Applications > Add App
  2. Search for SAML, and select SAML Test Connector (Advanced) to set up SAML 2.0
  3. On the initial screen and Info tab:
    • Display Name: WP Engine User Portal
    • Enable Visible in Portal
    • Logo: Download and save the WPEngine-SSO-Okta-Logo.png file here, then upload this file as the rectangular icon. Download and save the WPEngine-SSO-Google-Logo.png file here, then upload this as the square icon.
    • Description: The WordPress Digital Experience Platform. Bring your vision to life in breakthrough experiences, built on the best platform for developing and hosting fast, reliable, and secure WordPress sites.
    • Click Save
  4. In the Configuration tab, set up the SAML connection. The information used here will be in an email from WP Engine that you received after requesting the SSO feature be enabled.
    • Relay State: Paste the “RelayState / Start URL” provided
    • Audience: Paste the “Audience URI / Entity ID” provided
    • Recipient: Paste the “Assertion Consumer Service URL” provided
    • ACS (Consumer) URL Validator: This can be .* or, for more security, a pattern built by escaping the special characters in the provided ACS URL. Generally, this means putting a backslash in front of each forward slash (/) and period (.), though it may vary if the URL contains other special characters. For example, the final URL validator could come out like: https:\/\/identity\.wpengine\.com\/sso\/saml2\/restofacs
    • ACS (Consumer) URL: Paste the “Assertion Consumer Service URL” provided
    • The logout URL can remain blank. WP Engine log out should not log you out of your corporate identity system.
    • The SAML Signature Element should be set to “Both” so that both the assertion and response are signed
    • Other values can use the defaults.
  5. On the Parameters tab:
    • Under Credentials are, select Configured by admin.
    • Select Add parameter, and create and map custom parameters for each field name used to identify user details.
    • The default value includes the NameID (fka Email) field, with a value of Email. WP Engine requires email as the NameID.
    • Click the plus to add a parameter:
      • Select Include in SAML assertion
      • Field Name: email
    • Click Save
    • Value: email
    • Leave Include in SAML assertion checked
    • Click Save
  6. Click the plus to add another parameter:
    • Select Include in SAML assertion
    • Field Name: firstName
    • Click Save
    • Value: First Name
    • Leave Include in SAML assertion checked
    • Click Save
  7. Click the plus to add another parameter:
    • Select Include in SAML assertion
    • Field Name: lastName
    • Click Save
    • Value: Last Name
    • Leave Include in SAML assertion checked
    • Click Save
  8. Back on the Parameters tab, you should now have 4 entries; click Save.
  9. Go to the SSO tab:
    • Set the SAML Signature Algorithm to SHA-256
    • Be sure Enable login hint is checked
    • Click Save
  10. Click the More Actions dropdown at the upper right.
  11. Click Download SAML Metadata. This will download and save the metadata file to your computer. It should have a filename like: onelogin_metadata_<number>.xml
  12. When you requested SSO be enabled by WP Engine you will have received an email in response. Reply to that email and provide this metadata file back to us so we can configure our end.
  13. Assign users to the SAML app:
    • Customers often set up a group for this.
    • Initially, at a minimum assign the app to the identified test user.
    • Prior to going live for all users in your SSO email domain(s), get a complete list of users by going to the Users > Account Users tab in all accounts, and assign the app to each user.
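The ACS (Consumer) URL Validator in the Configuration tab controls which assertion consumer URLs the IdP is willing to post signed assertions to, so the difference between ".*" and an escaped, anchored pattern is worth seeing concretely. The Python below is an added example, not OneLogin's or WP Engine's code: it builds the escaped validator from the page's placeholder ACS URL and compares how three validator styles treat a few constructed candidate URLs (it assumes the validator is applied as a regular-expression search).

```python
import re

# Placeholder ACS URL (the page's example); use the Assertion Consumer Service URL from WP Engine's email.
ACS_URL = "https://identity.wpengine.com/sso/saml2/restofacs"


def strict_validator(acs_url: str) -> str:
    """Escape every regex metacharacter, plus '/' as the page describes, and anchor both ends."""
    return "^" + re.escape(acs_url).replace("/", r"\/") + "$"


def accepts(validator: str, candidate: str) -> bool:
    """Assumption: the validator is applied as a regular-expression search over the requested ACS URL."""
    return re.search(validator, candidate) is not None


def compare(acs_url: str, candidates: list) -> dict:
    """For each validator style, the list of accept/reject decisions for the candidates."""
    validators = {
        "open (.*)": ".*",
        "raw URL (unescaped)": acs_url,
        "strict (escaped, anchored)": strict_validator(acs_url),
    }
    return {name: [accepts(v, c) for c in candidates] for name, v in validators.items()}


# Constructed candidates: the real ACS URL, then three that differ from it.
CANDIDATES = [
    ACS_URL,
    ACS_URL.replace("https://", "http://"),                     # scheme downgraded
    ACS_URL.replace("identity.wpengine", "identityXwpengine"),  # an unescaped '.' matches any character
    ACS_URL + "/extra",                                         # trailing path appended
]

if __name__ == "__main__":
    print("validator:", strict_validator(ACS_URL))
    for name, decisions in compare(ACS_URL, CANDIDATES).items():
        print(f"{name:28} {decisions}")
```

Only the strict pattern accepts the real ACS URL alone; the unescaped URL already lets the altered-host candidate through because its dots act as wildcards.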

Okta SSO

For official documentation, see Okta’s guide here: https://developer.okta.com/docs/guides/build-sso-integration/saml2/create-your-app/#create-a-saml-integration

  1. Navigate to Okta > Admin > Classic UI > Applications
  2. Click Add Application
  3. Click Create New App
  4. For Platform, leave Web selected
  5. For Sign on method, select SAML 2.0
  6. Click Create
  7. Under General settings:
    • App Name: WP Engine User Portal
    • App Logo: Download and save the WPEngine-SSO-Okta-Logo.png file here. Then upload this file as the app logo.
    • App visibility: Leave both unchecked
    • Click Next
  8. In the Configure SAML tab, fill in the following. The information used here will be in an email from WP Engine that you received after requesting the SSO feature be enabled.
    • Single Sign on URL: Fill in with the Assertion Consumer Service URL from the email
    • Use this for Recipient URL and Destination URL: Leave default checked
    • Allow this app to request other SSO URLs: Leave default unchecked
    • Audience URI: Fill in with the Audience URI from the email
    • Default Relay State: Fill in with the Relay State / App Embed link from the email
    • Name ID format: Email Address
    • Application username: Okta username
    • Update application username on: Create and Update
    • Attribute Statements:
      1. FirstName / user.firstName
      2. LastName / user.lastName
      3. Email / user.email
    • Group attribute statements: none
    • Click Next
  9. On the Feedback page, you don't have to select anything.
  10. Click Finish.
  11. Select the Assignments tab and assign your WP Engine users.
  12. Under the application, click Sign On, then under Settings select View Setup Instructions.
  13. When you requested SSO be enabled by WP Engine you will have received an email in response. Reply to that email and provide the requested fields back to us so we can configure our identity system to talk to your SAML app.
    • Either: Copy the metadata from the Optional section, paste it into a file and attach it to the email.
    • Or: Copy the “Identity Provider Single Sign-On URL” and “Identity Provider Issuer” and paste them into the email, then download and attach the certificate.

Google Single Sign-on

For Google’s official documentation, see their guide here: https://support.google.com/a/answer/60224

  1. From your Google Apps menu, launch the Admin app
  2. Click the Apps icon
  3. Select Web and mobile apps
  4. Click Add App then select Add custom SAML app
  5. Fill in the following App details:
    • App Name: WP Engine User Portal
    • Description: The WordPress Digital Experience Platform. Bring your vision to life in breakthrough experiences, built on the best platform for developing and hosting fast, reliable, and secure WordPress sites.
    • App Icon: Download and save the WPEngine-SSO-Google-Logo.png file here. Then upload this file as the app icon.
  6. Under Google Identity Provider Details, click Download Metadata. Save this XML file to your computer, you’ll need it later.
  7. Under Service Provider Details, fill in the following information. The information used here will be in an email from WP Engine that you received after requesting the SSO feature be enabled.
    • ACS URL: Paste the “Assertion Consumer Service URL” provided
    • Entity ID: Paste the “Audience URI / Entity ID” provided
    • Start URL: Paste the “RelayState / Start URL” provided
    • Check the Signed Response checkbox
    • Name ID Format: EMAIL
    • Name ID: Basic Information > Primary email
  8. Set up the needed attribute mapping. The values need to match exactly on both sides. EX:
  9. Click Finish.
  10. After requesting the feature be enabled initially, you will have received an email from WP Engine. Please reply to this email and attach the metadata file from step 6.

Once we have completed the SSO setup on the WP Engine side, we can begin testing. For the “Test launching User Portal from your system” step, you will need to pick this app from your Google Apps menu:


NEXT STEP: Enable seamless login to WordPress
