By default, user accounts on WordPress sites use a local username/password combination for authentication. Sites may switch to EID authentication using the university's Enterprise Authentication system as detailed below.

Table of Contents

• Steps for setting up EID authentication
  • 1. Request Enterprise Authentication Integration from ITS
  • 2. Ensure all WordPress user accounts are using EIDs as usernames
  • 3. Ensure that the site is running PHP 8
  • 4. Add required code to WordPress site codebase using Composer
  • 5. Enable and test EID authentication
• Updating the packages installed by the Pantheon SAML Integration plugin
• Quarterly user review

This article explains how to enable EID authentication on a Pantheon-hosted WordPress site that is NOT using the WordPress for Texas custom upstream. If you are using the WordPress for Texas upstream, see: https://ut.service-now.com/sp?id=kb_article&number=KB0014812

IMPORTANT: Pantheon and WordPress do not natively support restriction of content based on EIDs, roles, or affiliations.

Steps for setting up EID authentication

1. Request Enterprise Authentication Integration from ITS

ITS must add metadata about your Pantheon site for it to leverage Enterprise Authentication. To complete this process, fill out the Pantheon SAML Integration request form, which will create a support ticket in ServiceNow. Turnaround time for Enterprise Authentication integration requests is 2-3 business days.

After ITS staff respond that the integration process has been initiated, it may take up to 12 hours for all of the required automated processes to complete. Please wait to proceed with the following steps until then.

2. Ensure all WordPress user accounts are using EIDs as usernames

Once the plugin has been enabled, any account which is not using a valid UT EID as the username will not be able to login. Make certain that all user accounts are using the user's UT EID as the username.

WordPress does not natively support updating usernames after they are created, so owners of sites with existing users whose usernames do not match their UT EID may need to create new accounts and transfer existing content to the new username.

3. Ensure that the WordPress site is running PHP 8

The required libraries and plugins for EID authentication all require PHP 8. For documentation on updating a Pantheon site's PHP version, see Upgrade PHP versions

4. Add required code to WordPress site codebase using Composer

UT EID authentication for WordPress requires specific versions of multiple WordPress plugins and a third-party PHP library, so ITS has created a single Composer plugin which can install all of them at once in the correct locations, and will facilitate future updates.

• WP SAML Auth - A WordPress plugin maintained by Pantheon
• SimpleSAMLphp - A PHP library required by the WP SAML Auth plugin
• WordPress Native PHP Sessions - A WordPress plugin maintained by Pantheon
• UTexas EID Authentication - A custom WordPress plugin maintained by ITS

IMPORTANT: If the WordPress site was migrated from another platform using the "Pantheon Migrations" plugin, there may already be another copy of the "WordPress Native PHP Sessions" plugin in the site's wp-content/mu-plugins directory. This copy should be DELETED before proceeding, to avoid a conflict with the copy of the plugin that will be installed by Composer.

While Composer is not currently used in the management of WordPress codebases on Pantheon, it can be used to manage non-core dependencies in a WordPress site. For more background on this approach, please see the Pantheon documentation article "Manage Some Dependencies with Composer."

To install the Pantheon SAML Integration plugin, clone your Pantheon site's Git repository to a local workstation and run the following series of commands from a terminal prompt in the root of the repository:

if [ ! -f composer.json ]; then echo "{}" > composer.json; fi &&
  composer config extra.enable-patching true &&
  composer config extra.composer-exit-on-patch-failure true &&
  composer config allow-plugins.cweagans/composer-patches true &&
  composer config allow-plugins.composer/installers true &&
  composer config allow-plugins.simplesamlphp/composer-module-installer true &&
  composer config allow-plugins.utexas/pantheon_saml_integration_wp true &&
  composer --no-interaction require utexas/pantheon_saml_integration_wp:"^2"

After the Composer process completes, commit all of the added files to the site's Git repository and push the changes to the Pantheon repository. After pushing the changes to the Pantheon repository, everything will be automatically deployed to the site's DEV environment.

5. Enable and test EID authentication

Once you have your changes deployed, go to https://your.pantheonsite.io/wp-admin/plugins.php and activate the "UTexas EID Authentication (SAML)" plugin. This will automatically enable the other required plugins.

To test authentication, go to https://your.pantheonsite.io/wp-login.php. If everything is working correctly, you should be redirected to the UT EID login screen, where you can login with the EID of an active WordPress user account on the site. After successful login, you should be redirected to the site.

This configuration does not support auto-provisioning of user accounts, so all users must have their WordPress accounts created with the UT EID as the username by an administrator on the site before attempting to login.

Updating the packages installed by the Pantheon SAML Integration plugin

More information coming soon.

Quarterly User Review

It is the site owner's responsibility to periodically review the users who have access to the site, and when necessary, remove or adjust the privileges of any users who should no longer have access to the site. This review should be performed at least once every 3 months.

To begin this process, a user with the "Administrator" role should navigate to the "Users" page (https://your.pantheonsite.io/wp-admin/users.php) from the site dashboard, and review all users for their currently authorized roles.

If a user no longer needs access to your site, we recommend deleting the account.