How to deploy Datawiza Access-Broker for WordPress

# Background

We have a WordPress running in docker on port 8081: http://{your_WordPress_url}:8081. And the docker-compose.yml is like:

version: '3.1'
  wordpress:
    image: wordpress
    depends_on:
      - mysql
    ports:
      - 8081:80
    environment:
      WORDPRESS_DB_PASSWORD: password

  mysql:
    image: mysql:5.7
    environment:
      MYSQL_ROOT_PASSWORD: password

Now we want to deploy Datawiza Access-Broker (DAB) for WordPress.

# Deploy

# 1. Config in Datawiza Cloud Management Console (DCMC):

Firstly, we need to create a deployment for WordPress in DCMC. You can follow the instruction on how to config in DCMC. In this tutorial, we use Okta as IdP.

# 2. Deploy in host:

After creating the deployment in DCMC, we can use docker-compose file to deploy DAB. We can set Upstream Servers to http://wordpress:80 or http://{your_WordPress_url}:8081:

If we set Upstream Servers to http://wordpress:80, the docker-compose.yml file will be like:

version: '3.1'
services:
  datawiza-access-broker:
    image: registry.gitlab.com/datawiza/access-broker
    container_name: datawiza-access-broker
    restart: always
    ports:
      - "8081:8081"
    environment:
      PROVISIONING_KEY: replace-it-with-your-provisioning-key
      PROVISIONING_SECRET: replace-it-with-your-provisioning-secret

  wordpress:
    image: wordpress
    depends_on:
      - mysql
    environment:
      WORDPRESS_DB_PASSWORD: password

  mysql:
    image: mysql:5.7
    environment:
      MYSQL_ROOT_PASSWORD: password

We need to recreate WordPress to assign 8081 port to DAB.

Use docker-compose -f docker-compose.yml up -d to start service. Then we can visit http://{your_WordPress_url}:8081 and will be redirected to Okta login page.

If we set Upstream Servers to http://{your_WordPress_url}:8081, the docker-compose.yml file will be like:

version: '3.1'
services:
  datawiza-access-broker:
    image: registry.gitlab.com/datawiza/access-broker
    container_name: datawiza-access-broker
    restart: always
    ports:
      - "9772:9772"
    environment:
      PROVISIONING_KEY: replace-it-with-your-provisioning-key
      PROVISIONING_SECRET: replace-it-with-your-provisioning-secret

Use docker-compose -f docker-compose.yml up -d to start service.
Meanwhile, we need to change WordPress configuration:
The WordPress Address (URL) and Site Address (URL) need to be changed to http://localhost:9772.
Now we can visit http://{your_WordPress_url}:9772 and will be redirected to Okta login page.

Delegate the Authentication to DAB (Optional):

After login Okta, the follow page will be shown: wordpress page
If you go to http://{your_WordPress_url}:{port}/wp-admin/, you will be redirected to WordPress login page.
With WordPress plugin Datawiza Proxy Auth Plugin - SSO, here is a way to delegate the authentication to DAB:

Add New Attribute:

We will see four basic attributes in tab Profile. We need to add role since the plugin retrieves email and role from JWT:

Add Mapping:
In tab Mappings, you will see the default mappings. Also, we need to add mapping for role:
DCMC mappings

Add New Attribute Pass:
We need to add email and role in Attribute Pass for the plugin. And email is necessary, role is optional. DCMC attribute pass
If we didn't config the attributes correctly, error notification will be shown:
Proxy Auth Plugin expects email attribute to identify user, but it does not exist in JWT token. Please check your reverse proxy configuration wordpress error notification

Install Plugin in WordPress:
wordpress plugin configuration
Search for datawiza and click Install Now:
Activate it:
In Settings → Datawiza Proxy Auth, input your private secret and save changes:
If you use the plugin with DAB, the private secret should be the PROVISIONING_SECRET in your docker-compose file.
If the secret is wrong, you may see the error notification:
Proxy Auth Plugin cannot verify JWT token. Please double check your JWT token's private secret is configured correctly
wordpress error notification

Then, click logout and you will be redirected to Okta login page: wordpress configuration
Re-login with Okta and the headline will be shown.

Assign role to the user in Okta (Optional): Add attribute role:
In Users → Profile Editor, select the profile:

Add Attribute:
Assign role to the user:
okta add attr
In User → People, select the people:
okta select people
In Profile tab, edit role:
okta edit profile

NOTES:

If admin doesn’t assign role to the user, user’s role will be subscriber by default.
If user’s role has been updated in Okta, the plugin will update the role in WordPress accordingly.

# 4. Secure your WordPress with HTTPS (Optional)

If you need DAB to decrypt HTTPS traffic, you can refer to here to configure DAB.

Otherwise, if you already have a Loadbalancer in front of your WordPress to decrypt HTTPS traffic, and the DAB sits between your Loadbalancer and WordPress, you need to:

Set Public Domain to https://your-domain.
Set Listen Port to the port forwarded by your Loadbalancer after decrypting HTTPS traffic. In the example below, the Loadbalancer will decrypt the HTTPS traffic which access to https://localhost. Then forward the decrypted traffic to DAB on port 80. Finally, DAB will forward the traffic to Upstream Server http://host.docker.internal.
Keep the SSL button to off.

← Datawiza Cloud Management Console Rules Configuration Guide