WordPress OpenAM Authentication plugin

WordPress is one of the most popular content management systems for creating websites and blogs. It is pluggable, and many of its plugins add functionality and beauty. OpenAM, on the other hand, is, amongst other things, a popular Access Management and Federation system that can be used to authenticate users who want to access a site powered by WordPress.

Until recently, the only option was to install a Policy Agent in the Apache Web Server that hosted WordPress. There were no up-to-date WordPress plugins to add the authentication capabilities of OpenAM directly, only some outdated versions that worked with its predecessor, OpenSSO.

Last month a new plugin was released, and today it was enhanced with support for older versions of OpenAM, like 10.x.

You can install the plugin directly from WordPress, just go to the plugins option, look for OpenAM Authentication, install, configure and voilà!

The key features of the plugin are:

  • Authenticates directly from the WordPress login screen without the need to redirect to OpenAM.
  • If the authentication module or Service Chain configured requires more than user and password, you can opt to redirect to OpenAM.
  • No OpenAM Policy Agent needed.
  • Implements SSO if there is already a valid session in OpenAM in the same domain as the WordPress installation.
  • Lightweight implementation using REST.
  • Easy to configure.

Here is the link to find more information about it: https://wordpress.org/plugins/openam-authentication/

Code on GitHub: https://github.com/ForgeRock/openam-authentication

A screenshot of the configuration page of the plugin:

[Screenshot: plugin configuration page, 2014-10-23]

If you have WordPress, go and give it a try!



  1. Chris Lee 8 years ago

    Is this plugin being used by this site for authentication?

  2. Marius @ForgeRock 8 years ago

    @chris-lee Indeed it is :)

    Although for the next week and a half we have a special OpenAM instance we are using it against. As soon as the summit in Dublin is over we will click off the “redirect to OpenAM for Login” box.

  3. Sarris Overbosch 8 years ago

    Thanks for this plugin!
    Currently trying to set it up and have one remark. Our site is hosted on websitename.nl and this makes the DOMAIN value .nl and thus the iPlanetDirectoryPro cookie is not set, which causes the SSO to fail. So the logic which decides the value of DOMAIN should be enhanced or maybe also an option with a proposal value.

  4. Marius @ForgeRock 8 years ago

    Thanks Sarris, glad you liked it. The code is located at https://github.com/forgerock1/openam-authentication btw, if you want to push something to it.

    @victor – perhaps you could have a look as well?

  5. Marius @ForgeRock 8 years ago

    @sarris-overboscheverett-nl we encountered the same issue here, so as a temp fix I edited line 80 to be

    define( 'DOMAIN', $_SERVER['HTTP_HOST']);

    And now the cookie is all good to go. I’m sure we will get an update to the plugin in the repo as well.

  6. Sarris Overbosch 8 years ago

    Yeah, my temp fix was a bit rougher, I just put the value I wanted in there for now ;-)

  7. Marius @ForgeRock 8 years ago

    Since parsing for a reliable domain to set the cookie on from php’s parse_url() or $_SERVER can be tricky it should probably be a user configurable variable?

  8. Sarris Overbosch 8 years ago

    I’ve configured the plugin, logged in to OpenAM as EndUser, and then when I navigate to http://site.nl/wp-login.php everything works like a charm (the EndUser is administrator in the WordPress site). But when I navigate to http://site.nl/wp-admin/index.php I get redirected to http://site.nl/wp-login.php?redirect_to=http%3A%2F%2Fsite.nl%2Fwp-admin%2Findex.php&reauth=1 which shows me the standard WordPress login screen. But if I change it to http://site.nl/wp-login.php?redirect_to=http%3A%2F%2Fsite.nl%2Fwp-admin%2Findex.php&reauth=0 I am logged in successfully :S
    So the reauth=1 seems to cause the problem, does anyone know how to change this behaviour?

  9. Marius @ForgeRock 8 years ago

    Are you on a multi-site installation?

    Surfing https://wordpress.org/tags/reauth1 gives a few hints but no straight solution.

    Do you get any errors with define('WP_DEBUG', true); in config?

  10. Author
    Victor Ake 8 years ago

    I have been overlooking these messages, for some reason I didn’t get them to my email. I see there are some things to do with the plugin regarding the domain. I will add, as Marius proposed, the line to define the domain.

  11. Author
    Victor Ake 8 years ago

    BTW, Quentin Castell has also contributed with some flexibility regarding the uid, email attributes that were “hardcoded” in the plugin. I will push that also and will test against WordPress 4.1

  12. Author
    Victor Ake 8 years ago

    OK. Version 1.2 has been committed into the WordPress SVN, so it is ready to download, or update from your WordPress installation. It includes an additional option to specify the domain name. By default the domain name is the last 2 components (if available) of the server name. But in your case Sarris and Marius, you can now override and specify whatever suits your deployment.
    Also, we moved the github repo, from “forgerock1” to “forgerock”.
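
The cookie-domain handling discussed in the comments above, as an added example that is not the plugin's code or any commenter's: it takes an administrator override first, otherwise the last two labels of a validated host name. The function name `example_sso_cookie_domain` and the sample host names are assumptions made for illustration.

```php
<?php
// Added example; not taken from the openam-authentication plugin.
// example_sso_cookie_domain() is a hypothetical name.

/**
 * Choose the Domain attribute for the OpenAM session cookie.
 *
 * @param string $host     Host name of the WordPress site, port allowed.
 * @param string $override Domain configured by the administrator, '' if unset.
 * @return string|null     Cookie domain, or null when none can be derived safely.
 */
function example_sso_cookie_domain(string $host, string $override = ''): ?string
{
    // An explicit setting always wins over guessing.
    if (trim($override) !== '') {
        return strtolower(trim($override));
    }

    // $_SERVER['HTTP_HOST'] is sent by the client: normalise and validate it
    // before it ends up in a Set-Cookie header.
    $name  = strtolower(preg_replace('/:\d+$/', '', trim($host)));
    $label = '[a-z0-9](?:[a-z0-9-]*[a-z0-9])?';
    if (!preg_match('/^' . $label . '(?:\.' . $label . ')*$/D', $name)) {
        return null;
    }

    // IP addresses and single-label names (localhost) have no parent domain.
    if (filter_var($name, FILTER_VALIDATE_IP) !== false || strpos($name, '.') === false) {
        return null;
    }

    // Default: the last two labels of the host name.
    return '.' . implode('.', array_slice(explode('.', $name), -2));
}

// Constructed sample hosts, including the two-label case from the comments.
$samples = [
    ['websitename.nl', ''],
    ['blog.example.com:8080', ''],
    ['blog.example.co.uk', ''],
    ['blog.example.co.uk', '.example.co.uk'],
    ['127.0.0.1', ''],
    ["example.com\r\nX-Test: 1", ''],
];
foreach ($samples as [$host, $override]) {
    $domain = example_sso_cookie_domain($host, $override);
    printf("%-28s => %s\n", json_encode($host), $domain ?? '(host-only cookie)');
}
```

For a name such as blog.example.co.uk the last-two-labels default yields a public suffix, which browsers refuse as a cookie domain; that is the case the override option covers.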

  13. Marius @ForgeRock 8 years ago

    Thanks @victor, I’ll give it a go on the stage server on Monday :)

  14. Marius @ForgeRock 8 years ago

    Updated to version 1.2 here and it works like a charm. Thanks!

  15. atandrea 7 years ago

    Hi, I am using version 1.2 of the OpenAM Authentication plugin and I have a question regarding the checkbox for the option “Redirect to OpenAM for Login”. When I check this off, it redirects me to OpenAM’s login page; however, after I successfully log in there, it then directs me to WordPress’s login page. If I log in to WordPress’s login page with an OpenAM ID, it seems to work OK, but I was hoping I could use just the OpenAM login page and for it to NOT need WordPress’s login page. Is there a way it could exclusively use OpenAM’s login page when that option is checked and, if that authentication succeeds, then log in the user without requiring WordPress’s login page? Is this possible?
    Can someone please advise?


  16. Marius @ForgeRock 7 years ago

    Hi atandrea,

    The SSO part of the plugin needs a fix to work as you described. Luckily Sarris Overbosch (https://github.com/soverbosch) has coded the SSO part in this commit:


    This will enable you to log in to WordPress using the OpenAM cookie only. Thus never seeing the WordPress login screen.

    Hope it helps,

  17. alantandrea 7 years ago

    Thanks Marius, when will this fix be available officially from ForgeRock? Also, I have modified the OpenAM plugin to read firstname and lastname from OpenAM (givenName, sn) and set them on WordPress, and I am happy to share that contribution if it helps anyone.

    If we could get the official fix from ForgeRock asap, that would be great as we have a client that needs to go into production with this on June 2.


  18. atandrea 7 years ago

    One thing to note: I tried the changes from Sarris Overbosch; however, on my version of WordPress (WordPress 4.2.2), every time I click edit profile I get an error with that plugin. Not sure if it's compatible with version 4.2.2?
    When I revert to the old version, edit profile works fine. Also, the redirect to OpenAM for login still results in going back to the WordPress login screen after it gets past OpenAM’s login page. Any suggestions?


  19. Marius @ForgeRock 7 years ago

    Hi Alan,

    We’re in the process of pushing the plugin code we use on this site to the official repository. The pull request is here: https://github.com/ForgeRock/openam-authentication/pull/3

    Still in review but perhaps you can test it out? It now also supports translations.

    It’s not an ‘official fix from ForgeRock’ since this is not a supported product, but it is what we use right here.

    We don’t use “redirect to OpenAM” on this site and we don’t touch that code in the pull request, but the SSO component is there and working well. We are also on the latest WordPress.

