The fusionSpan Blog

Single Sign On with Fonteva and WordPress For Members

By Jason Cookman | July 24, 2020
Integrations

Salesforce solutions and WordPress are two of the most widely used platforms globally, and that is certainly true for membership-based organizations. The ability to create a seamless, personalized experience across both platforms requires a type of integration commonly referred to as Single Sign-On (SSO).

For fusionSpan and our customers, this process can take one of several forms, but the basic tenets of each are rooted in two principles:

1) Expertise in the platforms involved (including Salesforce’s Fonteva platform and WordPress), and

2) Best practices for integration

While there are “out of the box” plugins available for SSO, the complexity of some digital spaces and desired experiences sometimes requires a specialized solution. The following highlights our method for a custom SSO solution that leverages standard capabilities.

Single Sign On with Fonteva and WordPress for your Members

As we know, SSO is an authentication scheme that allows a user to log in with a single set of ID and password credentials to access any of several related, yet independent, software systems. As we have mentioned in previous blogs, SSO can take the form of a “Sign up with Google” or “Log in with Facebook” action button on your browser page.

Security Assertion Markup Language (SAML), the technique used here, is an open standard for exchanging authentication and authorization data between parties: in particular, between an identity provider (a trusted provider that lets you use single sign-on to access other websites) and a service provider (in this case, one that needs the authentication from the identity provider to grant authorization to the user).


In the following steps we will explore the process of setting up an SSO connection between Fonteva and WordPress, where Fonteva acts as the identity provider (IdP) and WordPress acts as the service provider (SP).

Setup Fonteva as an Identity Provider

  • Log in to Salesforce and navigate to Setup.
  • From the left menu, navigate to Security Controls » Identity Provider, under the Administer menu option.
  • Click on the Enable Identity Provider button. After enabling the Identity Provider, you should be able to see Salesforce metadata endpoints and certificate details. Click Download Metadata to get the information used in the WordPress settings for the Identity Provider setup.
  • Under the Service Providers section, click the link in the notice “Service Providers are now created via Connected Apps. Click here.”
  • Enter Connected App Name, API Name, and Contact Email.
  • Under Web App Settings, check the Enable SAML checkbox and enter the following values:
    • Entity ID: SP-EntityID from Service Provider Metadata tab of the plugin (urn:)
    • ACS URL: ACS (AssertionConsumerService) URL from Service Provider Settings tab of the plugin
    • Subject Type: Username
    • Name ID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • Click Save.
  • Now from the left menu, under Administer, select Manage Apps » Connected Apps. Click on the app you just created.
  • Under the Profiles section, click on the Manage Profiles button and select the profiles you want to allow to log in through this app.

Configuring WordPress as a Service Provider

  • Set up the SP entity identifier
  • Set up the URL where the response from the IdP should be returned (usually the login URL)
  • Set up the IdP entity identifier
  • Set up the URL of the IdP where the SP will send the authentication request
  • Set up the URL of the IdP where the SP will send the logout request
  • Path to the x509 certificate file, used for verifying the request
  • If not using the x509 certificate, then use the certificate fingerprint
  • Specify fingerprint algorithm
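
The IdP values in the list above can be read straight from the metadata file downloaded in the Salesforce step rather than copied by hand. The following Python is an added example, not code from fusionSpan or the plugin; the function names, the sample metadata and the idp.example.test host are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Constructed sample (placeholder host and certificate bytes), not real Salesforce metadata.
FAKE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test"><md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="{BINDINGS}HTTP-Redirect" Location="https://idp.example.test/slo"/>
  <md:SingleSignOnService Binding="{BINDINGS}HTTP-POST" Location="https://idp.example.test/sso/post"/>
  <md:SingleSignOnService Binding="{BINDINGS}HTTP-Redirect" Location="https://idp.example.test/sso"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""

def endpoint(idp, tag, binding="HTTP-Redirect"):
    # Pick the Location published for one binding and insist on https.
    for el in idp.findall(f"md:{tag}", NS):
        if el.get("Binding") == BINDINGS + binding:
            url = el.get("Location", "")
            if not url.startswith("https://"):
                raise ValueError(f"{tag} endpoint is not https: {url!r}")
            return url
    raise ValueError(f"no {tag} endpoint with binding {binding}")

def idp_settings(metadata_xml, algorithm="sha256"):
    # SHA-1 is refused here because of its known collision weakness.
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"refusing fingerprint algorithm {algorithm!r}")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # A KeyDescriptor without a "use" attribute also applies to signing.
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if len(certs) != 1:  # several certs usually mean a key rollover: review by hand
        raise ValueError(f"expected 1 signing certificate, found {len(certs)}")
    der = base64.b64decode("".join(certs[0].text.split()), validate=True)
    return {"idp_entity_id": root.get("entityID"),
            "sso_url": endpoint(idp, "SingleSignOnService"),
            "slo_url": endpoint(idp, "SingleLogoutService"),
            "x509cert_b64": base64.b64encode(der).decode(),
            "fingerprint": hashlib.new(algorithm, der).hexdigest(),
            "fingerprint_algorithm": algorithm}
```

Calling `idp_settings()` on the downloaded metadata gives the entity identifier, the two endpoint URLs, the certificate and its fingerprint in one pass, so the SP is pinned to the same signing key the IdP actually publishes.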

If we need to get any custom information about the user (i.e. the member status), then we would need to customize the WordPress SAML Auth plugin (to include the custom information from Fonteva), and then map it to a user role in WordPress. Any custom information required needs to be set as a custom attribute under the Connected App that will be used on the WordPress site.


Leverage fusionSpan for your Salesforce Org today!

After going through these steps, SSO should be enabled for your Salesforce org. However, as mentioned earlier, the complexity of some digital spaces and desired experiences sometimes requires a specialized solution. If your platforms require extra attention, do not hesitate to reach out to fusionSpan for further assistance!


Jason Cookman

Jason is a Senior Salesforce Architect and has been with fusionSpan since June 2014. He has multiple Salesforce Certifications and has led the solution architecture on dozens of Salesforce implementations. In addition, he has created apps on a variety of platforms and frameworks including MuleSoft, Spring Boot, AngularJs, and Drupal. He has been coding in Java, PHP, and JavaScript for more than eight years and has over six years of experience developing on the Salesforce Platform in Apex, Visualforce, and Lightning. He is a graduate of the University of Maryland with a double bachelor’s degree in Computer Science and Accounting. Jason’s favorite foods are ramen, ramen, and more ramen.
