The Museum has many projects, planned and in production, that rely on WordPress as a content management system. A Shibboleth SSO (Single Sign On) plugin for WordPress already exists that enables WordPress to authenticate via Shibboleth. However, the existing plugin is limited to mapping one key-value pair from a Shibboleth attribute to a WordPress role.

This means that if you wish to assign access to a role provided at the SSO level, you are set. However, the Shibboleth plugin does not allow you to assign access to a custom group that is not vended by Shibboleth.

The Museum needed a way to easily manage many users and groups of users with varying levels of access to WordPress without introducing another username and password for everyone to remember. So, the UGRM plugin was born.

Shibboleth With LDAP Authorization is a WordPress plugin that extends the existing Shibboleth plugin via the shibboleth_user_role filter hook. We chose this approach as it does not create a Shibboleth plugin fork and is upgrade safe.

The plugin enables WordPress to use Shibboleth for authentication and LDAP for authorization, which is the University of Florida SSO best practice established by the UF Identity Office.

Once activated, the UGRM plugin provides an options page where you map an Active Directory group to each WordPress role. Thus, you can manage WordPress access by group membership in AD, or in any directory service that supports LDAP.
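The group-to-role resolution that such a mapping implies, as an added example (not the UGRM plugin's code): the function returns the role a shibboleth_user_role callback would hand back, given the group DNs already read from the directory. The function names, the example.edu DNs, the privilege ordering and the empty-string "no role" fallback are all assumptions of this sketch.

```php
<?php
// Added example: resolve a WordPress role from directory group membership.
// All names and DNs below are constructed; none come from the UGRM plugin.

// Role => group DN, ordered from most to least privileged (assumed policy).
const EXAMPLE_ROLE_MAP = [
    'administrator' => 'CN=wp-admins,OU=Groups,DC=example,DC=edu',
    'editor'        => 'CN=wp-editors,OU=Groups,DC=example,DC=edu',
    'subscriber'    => 'CN=wp-readers,OU=Groups,DC=example,DC=edu',
];

// Directory servers may return DNs in a different case than the one typed
// into the options page, so compare them case-insensitively.
function example_normalize_dn(string $dn): string
{
    return strtolower(trim($dn));
}

// Return the first (most privileged) role whose mapped group the user is in.
// Whole-DN equality is used, never substring matching, so a group such as
// "wp-admins-archive" cannot satisfy the "wp-admins" mapping.
// With no match the fallback is returned; the default grants no role at all.
function example_resolve_role(array $memberOf, array $roleMap, string $fallback = ''): string
{
    $groups = array_flip(array_map('example_normalize_dn', $memberOf));
    foreach ($roleMap as $role => $groupDn) {
        if (isset($groups[example_normalize_dn($groupDn)])) {
            return $role;
        }
    }
    return $fallback;
}

if (PHP_SAPI === 'cli') {
    // Constructed memberOf values for one user.
    $memberOf = [
        'cn=WP-Editors,ou=Groups,dc=example,dc=edu',        // editor group, different case
        'CN=wp-admins-archive,OU=Groups,DC=example,DC=edu', // similar name, not the admin group
    ];
    var_dump(example_resolve_role($memberOf, EXAMPLE_ROLE_MAP));

    // A user in none of the mapped groups falls through to the fallback.
    var_dump(example_resolve_role(['CN=staff,OU=Groups,DC=example,DC=edu'], EXAMPLE_ROLE_MAP));
}
```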

The plugin works with WordPress running single site or multisite.

Check out these nifty screenshots:

[Screenshots: LDAP plugin listing; LDAP plugin options screen]

The plugin is available on the WordPress plugin directory at http://wordpress.org/extend/plugins/ugrm/.