WP Shibboleth

For our implementation of WordPress Shibboleth we’ve made a couple of modifications to the stock plugin. These come in two flavors: a patch to the plugin itself, and a separate plugin that adds further functionality:

WP Shibboleth

The patch adds the features below; search the patched code for “XXX: UIUC” to find the places you will want to customize for your setup:

  • A login form message that lets people choose between Shibboleth and local WordPress authentication.
  • A “redirect_to” parameter added to the Shibboleth login process, so that WordPress can return to the original page properly after authentication.

UIUC Shibboleth

The UIUC Shibboleth plugin extends the stock Shibboleth plugin by auto-creating users from LDAP. When we configured our Shibboleth setup we chose to use the eduPersonPrincipalName as the username in WordPress. This does not mix well with how WordPress expects to add new users from the “site-new.php” and “user-new.php” pages. We therefore replace the “get_user_by” function so that, when a new user or site is added and the corresponding Shibboleth user does not already exist in WordPress, the user is created with the eduPersonPrincipalName as the username.

To use the UIUC Shibboleth plugin you will need an LDAP directory that contains all the users Shibboleth will authenticate. Each user entry in the directory needs these attributes:

  • LDAP Username: the unscoped username; we use “uid”. This could be “samaccountname” for Active Directory.
  • LDAP Email: most likely “mail”.
  • Shibboleth Username: what the WP Shibboleth plugin will consider the username, as retrieved from LDAP. Our directory has “edupersonprincipalname” (or eppn) as this attribute. What you place here will depend on how you’ve configured your WP Shibboleth plugin.
  • Shibboleth Email: what the WP Shibboleth plugin will consider the email address, as retrieved from LDAP. Our directory uses the same attribute in both cases: “mail”.

Note that all the attribute names are lowercased.
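The following is an added example, not the UIUC plugin’s own code, sketching the “get_user_by” replacement described above together with the LDAP attribute mapping: on a miss from the add-user admin screens it looks the local username up in LDAP and creates the WordPress account under the eppn. The LDAP server, base DN and anonymous bind are assumptions; the attribute names (“uid”, “mail”, “edupersonprincipalname”) are the ones given on this page.

```php
<?php
// Added example (not the UIUC plugin's code): replacement for WordPress's pluggable
// get_user_by(). On a miss from the add-user admin screens it looks the local
// username up in LDAP and creates the account under the eppn. Server/base DN assumed.
if ( ! function_exists( 'get_user_by' ) ) :
function get_user_by( $field, $value ) {
    $userdata = WP_User::get_data_by( $field, $value );
    if ( $userdata ) {
        $user = new WP_User();
        $user->init( $userdata );
        return $user;
    }
    // Only auto-create for an admin who may create users, never during login lookups.
    if ( 'login' !== $field || ! is_admin() || ! current_user_can( 'create_users' ) ) {
        return false;
    }
    $entry = uiuc_ldap_lookup( 'uid', $value ); // "uid" is the unscoped LDAP username
    if ( ! $entry ) {
        return false;
    }
    $user_id = wp_insert_user( array(
        'user_login' => $entry['edupersonprincipalname'],
        'user_email' => $entry['mail'],
        'user_pass'  => wp_generate_password( 32, true ), // random; user signs in via Shibboleth
    ) );
    return is_wp_error( $user_id ) ? false : new WP_User( $user_id );
}
endif;
// Return the eppn and mail of the single directory entry matching $attr=$value, else false.
function uiuc_ldap_lookup( $attr, $value ) {
    $ldap = ldap_connect( 'ldaps://ldap.example.edu' ); // assumed server
    ldap_set_option( $ldap, LDAP_OPT_PROTOCOL_VERSION, 3 );
    if ( ! $ldap || ! @ldap_bind( $ldap ) ) {            // anonymous bind assumed
        return false;
    }
    // Escape the admin-supplied value so it cannot alter the search filter (LDAP injection).
    $filter  = sprintf( '(%s=%s)', $attr, ldap_escape( $value, '', LDAP_ESCAPE_FILTER ) );
    $result  = ldap_search( $ldap, 'ou=people,dc=example,dc=edu', $filter, // assumed base DN
                            array( 'mail', 'edupersonprincipalname' ) );
    $entries = $result ? ldap_get_entries( $ldap, $result ) : false;
    ldap_unbind( $ldap );
    // ldap_get_entries() lowercases attribute names, hence the lowercase keys below.
    if ( ! $entries || 1 !== $entries['count']
         || empty( $entries[0]['edupersonprincipalname'][0] ) || empty( $entries[0]['mail'][0] ) ) {
        return false;
    }
    return array( 'edupersonprincipalname' => $entries[0]['edupersonprincipalname'][0], 'mail' => $entries[0]['mail'][0] );
}
```

Requiring exactly one directory match and restricting auto-creation to administrators on the admin screens keeps an ordinary login lookup from ever creating accounts.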