# Background

We have a WordPress instance running in Docker on port 8081 (http://{your_WordPress_url}:8081). Its docker-compose.yml looks like this:

```yaml
version: '3.1'
services:
  wordpress:
    image: wordpress
    depends_on:
      - mysql
    ports:
      # WordPress is published directly on host port 8081
      - 8081:80
    environment:
      WORDPRESS_DB_PASSWORD: password

  mysql:
    image: mysql:5.7
    environment:
      MYSQL_ROOT_PASSWORD: password
```

Now we want to deploy Datawiza Access-Broker (DAB) for WordPress.

# Deploy

  1. Configure in Datawiza Cloud Management Console (DCMC):

First, we need to create a deployment for WordPress in DCMC. You can follow the instructions on how to configure it in DCMC. In this tutorial, we use Okta as the IdP.

  2. Deploy on the host:

After creating the deployment in DCMC, we can use a docker-compose file to deploy DAB. We can set Upstream Servers to either http://wordpress:80 or http://{your_WordPress_url}:8081.

If we set Upstream Servers to http://wordpress:80, the docker-compose.yml file looks like this:

```yaml
version: '3.1'
services:
  datawiza-access-broker:
    image: registry.gitlab.com/datawiza/access-broker
    container_name: datawiza-access-broker
    restart: always
    ports:
      - "8081:8081"
    environment:
      PROVISIONING_KEY: replace-it-with-your-provisioning-key
      PROVISIONING_SECRET: replace-it-with-your-provisioning-secret

  wordpress:
    image: wordpress
    depends_on:
      - mysql
    environment:
      WORDPRESS_DB_PASSWORD: password

  mysql:
    image: mysql:5.7
    environment:
      MYSQL_ROOT_PASSWORD: password
```

We need to recreate the WordPress container so that port 8081 is assigned to DAB. In this layout the wordpress service publishes no host port, so it is reachable only through DAB.

Use `docker-compose -f docker-compose.yml up -d` to start the services. Then we can visit http://{your_WordPress_url}:8081 and will be redirected to the Okta login page.

If we set Upstream Servers to http://{your_WordPress_url}:8081, the docker-compose.yml file looks like this:

```yaml
version: '3.1'
services:
  datawiza-access-broker:
    image: registry.gitlab.com/datawiza/access-broker
    container_name: datawiza-access-broker
    restart: always
    ports:
      - "9772:9772"
    environment:
      PROVISIONING_KEY: replace-it-with-your-provisioning-key
      PROVISIONING_SECRET: replace-it-with-your-provisioning-secret
```

Use `docker-compose -f docker-compose.yml up -d` to start the service.

Meanwhile, we need to change the WordPress configuration: the WordPress Address (URL) and Site Address (URL) need to be changed to http://localhost:9772.

Now we can visit http://{your_WordPress_url}:9772 and will be redirected to the Okta login page. Because WordPress keeps publishing port 8081 in this setup, requests sent directly to that port do not pass through DAB.

  3. Delegate the Authentication to DAB (Optional):

After logging in with Okta, the WordPress page is shown.
If you go to http://{your_WordPress_url}:{port}/wp-admin/, you will be redirected to the WordPress login page.
With the WordPress plugin Datawiza Proxy Auth Plugin - SSO, authentication can be delegated to DAB as follows.

Add New Attribute:

There are four basic attributes in the Profile tab. We need to add role, since the plugin retrieves email and role from the JWT.

Add Mapping:

The Mappings tab shows the default mappings. We also need to add a mapping for role.

Add New Attribute Pass:

We need to add email and role in Attribute Pass for the plugin. email is required; role is optional.
If the attributes are not configured correctly, an error notification will be shown:

Proxy Auth Plugin expects email attribute to identify user, but it does not exist in JWT token. Please check your reverse proxy configuration

Install Plugin in WordPress:

Search for datawiza and click Install Now, then activate the plugin.
In Settings > Datawiza Proxy Auth, input your private secret and save changes.
If you use the plugin with DAB, the private secret should be the PROVISIONING_SECRET in your docker-compose file.
If the secret is wrong, you may see the error notification:

Proxy Auth Plugin cannot verify JWT token. Please double check your JWT token's private secret is configured correctly

Then click logout and you will be redirected to the Okta login page.
Log in again with Okta and the headline will be shown.
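
The two error notifications above correspond to two separate checks on the token the plugin receives: signature verification with the shared secret, then a lookup of the email attribute. The sketch below is an added example, not the plugin's own code; it assumes an HS256-signed JWT with `email` and `role` claims, and the function names and sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: str) -> str:
    """Build a constructed test token standing in for the one the proxy sends."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{b64url_encode(mac.digest())}"

def identify_user(token: str, secret: str) -> dict:
    """Return email and role, or raise ValueError for either failure case."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("cannot verify JWT token") from None
    # Pin the algorithm; never let the token pick it (rejects alg "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("cannot verify JWT token")
    mac = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256)
    # Constant-time comparison; a wrong shared secret fails here.
    if not hmac.compare_digest(sig, mac.digest()):
        raise ValueError("cannot verify JWT token")
    # Claims are read only after the signature has been verified.
    claims = json.loads(b64url_decode(body_b64))
    email = claims.get("email")
    if not email:
        raise ValueError("email attribute does not exist in JWT token")
    # A missing role falls back to the default described in the notes.
    return {"email": email, "role": claims.get("role") or "subscriber"}

if __name__ == "__main__":
    secret = "constructed-provisioning-secret"  # constructed sample value
    token = sign_hs256({"email": "alice@example.com"}, secret)
    print(identify_user(token, secret))
```

A production verifier would also enforce the token's expiry claim, which this sketch leaves out.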

Assign role to the user in Okta (Optional):

Add attribute role:
In Users > Profile Editor, select the profile, then use Add Attribute to add role.

Assign role to the user:
In User > People, select the person.
In the Profile tab, edit role.

NOTES:

  • If the admin doesn’t assign a role to the user, the user’s role will be subscriber by default.
  • If the user’s role has been updated in Okta, the plugin will update the role in WordPress accordingly.