Integrating Enterprise Authentication on WordPress for Texas sites hosted on Pantheon

Article Number : KB0014812
Published on : 2023-11-29
Last modified : 2023-11-29 16:56:18
Knowledge Base : IT Public Self Help

This article explains how to enable EID authentication on a Pantheon-hosted WordPress site that uses the WordPress for Texas custom upstream. If you are NOT using the WordPress for Texas upstream, see: https://ut.service-now.com/sp?id=kb_article&number=KB0019336

IMPORTANT: Pantheon and WordPress do not natively support restriction of content based on EIDs, roles, or affiliations.

Required Plugins

There are a few plugins included in the WordPress for Texas bundle that are required for EID authentication on Pantheon-hosted WordPress sites. These plugins are:

  • UTexas EID Authentication (SAML)
  • WP SAML Auth
  • Force SSL Admin (listed under "must-use" plugins)

These plugins MUST remain activated for EID authentication to work. The codebase also includes the SimpleSAMLphp library in the document root's /private directory, which MUST remain in place as well.

Module Options and Configuration

Configurations and settings come bundled with the WordPress for Texas upstream and no changes are required once integration is complete.

Modification to Upstream Code

Customization of the upstream SAML Authentication code is highly discouraged. In addition to merge conflicts that might cause problems for downstream repos, the plugin could begin to malfunction, causing WordPress accounts to authenticate locally in the application rather than through UT Login. Please consult the service stewards with further questions.

Quarterly User Reviews 

It is the site owner's responsibility to review, on a quarterly basis, the users who have access to the WordPress site and, when necessary, to remove or adjust the privileges of any users who should no longer have access to the site.

Users and their assigned roles can be reviewed through the Site Administrator Dashboard (under Users). Roles can be reassigned by clicking "edit" next to the user's EID and finding the "Role" dropdown. User accounts can be removed in a similar process. Please note that user account de-provisioning must be performed manually, and the user's account must be deleted from WordPress.

Additionally, users and their capabilities can be exported out of the site database using the following query for automated processing:

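-- meta_value holds the PHP-serialized role array; wp_ is the default table prefix
SELECT user.ID, user.user_login, user.user_email, meta.meta_value AS capabilities
FROM wp_users user
INNER JOIN wp_usermeta meta ON meta.user_id = user.ID
WHERE meta.meta_key = 'wp_capabilities';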
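
One way to process that export for the quarterly review, as an added example that is not part of the original article or the WordPress for Texas codebase. It assumes the query output also carries meta.meta_value as a "capabilities" column and was saved as CSV; the sample rows, EIDs and the approved roster are constructed.

```python
import csv
import io
import re

# Constructed sample export (CSV) of the user query with meta.meta_value
# included as a "capabilities" column; EIDs and addresses are made up.
SAMPLE_EXPORT = '''ID,user_login,user_email,capabilities
1,abc123,abc123@example.edu,"a:1:{s:13:""administrator"";b:1;}"
2,def456,def456@example.edu,"a:1:{s:6:""editor"";b:1;}"
3,ghi789,ghi789@example.edu,"a:2:{s:6:""author"";b:1;s:13:""administrator"";b:0;}"
4,jkl012,jkl012@example.edu,"a:0:{}"
5,mno345,mno345@example.edu,"a:1:{s:10:""subscriber"";b:1;}"
'''

# Hypothetical roster kept by the site owner: EID -> role approved this quarter.
APPROVED = {"abc123": "administrator", "def456": "author",
            "ghi789": "author", "jkl012": "subscriber"}

# wp_capabilities is a PHP-serialized array of role/capability => bool entries.
ROLE_ENTRY = re.compile(r's:\d+:"([^"]+)";b:([01]);')

def granted_roles(serialized):
    """Return the names whose flag is true in a wp_capabilities value."""
    return {name for name, flag in ROLE_ENTRY.findall(serialized) if flag == "1"}

def review(export_csv, approved):
    """Compare exported accounts with the approved roster; return findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        eid, roles = row["user_login"], granted_roles(row["capabilities"])
        expected = approved.get(eid)
        if expected is None:
            findings.append((eid, "not on roster: remove account"))
        elif not roles:
            findings.append((eid, "no role assigned: confirm or remove"))
        elif roles != {expected}:
            findings.append((eid, f"has {sorted(roles)}, approved {expected}"))
    return findings

if __name__ == "__main__":
    for eid, issue in review(SAMPLE_EXPORT, APPROVED):
        print(f"{eid}: {issue}")
```

Every finding still has to be acted on by hand in the dashboard, since de-provisioning is manual.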

 

Other considerations

WordPress makes no distinction between local and EID-based user accounts.

Both are identical in the database; when the WP SAML Auth plugin is activated, they are handled by UT Login instead.

Accounts are otherwise functional as local WordPress accounts and will behave as such when WP SAML Auth is deactivated.

Maintaining User Accounts Over Time

Updating First and Last Name

A Site Administrator or the EID owner themselves can log into the WordPress site and view the profile page. The profile page offers the ability to update this information.

Handling EID Changes

In the unusual circumstance that a user's EID changes, the owner will need to contact the Site Administrator. The Site Administrator will create a new account using the new EID, reassign all of the original EID's content to the new account, and delete the user account with the original EID from WordPress.

 

 

 
