You have a website or web application, and let’s assume you’d like to manage your users through a separate user list. There could be many reasons for this need.
Security can be considered the most critical among these reasons. So, what should we do? The answer is quite simple: two-factor authentication (2FA) will be the solution we need at this stage.
As we know, WordPress user information is stored in the database table created during the installation process. However, when working with multiple websites or web applications, we end up having to manage separate user accounts for each one. What we need instead is to synchronize these user accounts, right? Wouldn’t it be great if we could manage all users from a single place and access all websites and web applications using the same user information? So, how?
Secure Authentication with OKTA
I’ll be publishing a detailed article about OKTA. For now, briefly: OKTA is an API service that lets you create and manage user accounts and their associated data, stores that data securely, and lets you link it to one or more applications when needed. In addition, it provides a custom login form for each application and a sign-in widget (login widget) that can be positioned to fit your application’s design.
Your OKTA account users—whether existing or newly created—can log in to all defined web pages and web applications. Once approved, user accounts are created automatically for them within these web pages and web applications. Additionally, if you enable multi-factor authentication (MFA), a user who attempts to start a session is prompted to approve that session, and the login proceeds only after that approval. So, what is required to set this up?
WordPress and OKTA Integration Procedures
As mentioned in the heading, for now I will focus on integrating with WordPress. However, the initial steps below are the same for any website installation, so you can follow the same procedure up to a certain point. Let’s begin. First and foremost, you must sign up for the OKTA service. You can visit the okta/developer page to complete the signup process. After successfully completing the signup, a custom OktaDomain such as dev-123456-admin.okta.com will be created for you, and you will perform all console operations via that URL. Note that the "-admin" part of this URL belongs to the admin console only; your OktaDomain proper is dev-123456.okta.com, and that is the form you will need during the setup phase. Now we can proceed to the Application configuration step for our web pages. By clicking the Applications tab on the OKTA console page, you can view your existing applications or define new ones. Since this is the first time we are defining an application, we will proceed by clicking the Add Application button.
We are selecting the Web option since we will be using this setup on our WordPress website. After selecting this option, the application settings will appear, and we will be prompted to enter certain details, including our website’s URL, among others.
The fields that are important for us and require configuration are: Base URIs, Login redirect URIs, and Logout redirect URIs. The Base URIs field defines the web pages accessible through OKTA. We can either leave this field blank or specify the relevant domain names to restrict access. The Login redirect URIs field should contain the URL to which users will be redirected after successful login. For a WordPress installation, this URL should be in the format alanadi.com/wp-login.php. This URL is also specified as the Org URL in the console. The Logout redirect URIs field should contain the URL to which users will be redirected after logging out. For a WordPress installation, we can fill this field with alanadi.com/wp-login.php?action=logout. Of course, you must replace the alanadi.com portion with your own URL. After filling in these details as described above and clicking the Done button to save, our Client Credentials will be provided. The Client ID and Client secret values provided here will be used to establish a relationship between our web pages via OKTA. We can now proceed with the required steps for the WordPress OKTA plugin.
We can easily set up OKTA integration via the WordPress plugin developed by OKTA. To do so, download the relevant plugin (okta-wordpress-sign-in-widget) from OKTA’s GitHub account. After uploading the plugin to the WordPress plugins directory, rename the env.example.php file to env.php.
Then, fill in the OKTA_BASE_URL, OKTA_CLIENT_ID, and OKTA_CLIENT_SECRET fields in the env.php file. OKTA_BASE_URL is our Okta org URL, that is, the OktaDomain created at signup with the "-admin" part removed, for example dev-123456.okta.com. OKTA_CLIENT_ID and OKTA_CLIENT_SECRET are the values shared with us when we created the application. After entering these details, we should end up with something like the following:
<?php
// env.php: Okta settings read by the okta-wordpress-sign-in-widget plugin.
// The values below are illustrative; use the ones from your own Okta application.
define('OKTA_BASE_URL', 'https://dev-123456.okta.com');
define('OKTA_CLIENT_ID', '1ab23defghjiK45lLM6n7');
define('OKTA_CLIENT_SECRET', 'Ab1CdE_2FghIJK3Lm4noPrSTuUvyzXQ5ABCD67Ef');
# If you're using API Access Management, define the auth server ID below.
# Otherwise leave it commented out.
# define('OKTA_AUTH_SERVER_ID', 'default');
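As an added example (my own code, not part of the Okta plugin or this post), a small PHP script that loads env.php and flags the configuration mistakes the steps above warn about: a non-https or "-admin" base URL, empty or still-example credentials, and a Login redirect URI that does not point at wp-login.php. The function names, the second command-line argument (the Login redirect URI registered in Okta) and the alanadi.com placeholder default are assumptions; run it as php check-okta-env.php /path/to/env.php https://alanadi.com/wp-login.php.

```php
<?php
// Added example: sanity checks for the OKTA_* constants in env.php (function names assumed).

function okta_env_problems(string $base_url, string $client_id, string $client_secret, string $login_redirect): array
{
    $problems = [];
    $host = (string) parse_url($base_url, PHP_URL_HOST);

    // Credentials and tokens travel over this URL, so it must be https.
    if (parse_url($base_url, PHP_URL_SCHEME) !== 'https') {
        $problems[] = 'OKTA_BASE_URL must start with https://';
    }
    // The console lives at dev-123456-admin.okta.com; the plugin needs the org URL
    // without "-admin", e.g. https://dev-123456.okta.com.
    if (preg_match('/-admin\./', $host)) {
        $problems[] = 'OKTA_BASE_URL points at the admin console; remove the "-admin" part';
    }
    if ($client_id === '' || $client_secret === '') {
        $problems[] = 'OKTA_CLIENT_ID and OKTA_CLIENT_SECRET must both be set';
    }
    // The illustrative secret shown in the post must never reach a live site.
    if ($client_secret === 'Ab1CdE_2FghIJK3Lm4noPrSTuUvyzXQ5ABCD67Ef') {
        $problems[] = 'OKTA_CLIENT_SECRET is still the example value from the tutorial';
    }
    // Okta only redirects to URIs registered for the app; for WordPress that is
    // https://<your-site>/wp-login.php, exactly as entered under Login redirect URIs.
    $path = (string) parse_url($login_redirect, PHP_URL_PATH);
    if (parse_url($login_redirect, PHP_URL_SCHEME) !== 'https' || !preg_match('#/wp-login\.php$#', $path)) {
        $problems[] = 'Login redirect URI should be https://<your-site>/wp-login.php';
    }
    return $problems;
}

// Issuer the plugin talks to: the org authorization server is the base URL itself;
// a custom authorization server (API Access Management) lives under /oauth2/<id>.
function okta_issuer(string $base_url, ?string $auth_server_id): string
{
    $base = rtrim($base_url, '/');
    return $auth_server_id ? $base . '/oauth2/' . $auth_server_id : $base;
}

$env = $argv[1] ?? 'env.php';
require $env;   // defines the OKTA_* constants shown above
$problems = okta_env_problems(OKTA_BASE_URL, OKTA_CLIENT_ID, OKTA_CLIENT_SECRET,
    $argv[2] ?? 'https://alanadi.com/wp-login.php');   // alanadi.com is the post's placeholder
echo 'Issuer: ', okta_issuer(OKTA_BASE_URL, defined('OKTA_AUTH_SERVER_ID') ? OKTA_AUTH_SERVER_ID : null), PHP_EOL;
foreach ($problems as $p) { echo 'PROBLEM: ', $p, PHP_EOL; }
exit($problems ? 1 : 0);
```

A non-zero exit status means at least one check failed, so the script can be run from a deploy step before the plugin is enabled.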
Yes, now we can associate all of our WordPress websites with the defined plugin using the same client ID, and we can also link the websites and applications that are integrated with OKTA by other means (not through the plugin), so that our users can access all of these websites and applications using the same user credentials. Don’t forget that you can customize all page and form settings—including login—through the Customization page. So, what should we do if we want to enhance WordPress security further and implement multi-factor authentication?
Multi-Factor Authentication for WordPress
First, we need to enable the multi-factor authentication (MFA) feature. Begin by navigating to the application we created under Applications, and then click on the application name to view its corresponding settings. Next, click on the Sign On tab in the settings page to view the relevant details.
Under the Sign On section, click the Sign On Policy > Add Rule button to initiate the multi-factor authentication process. However, during the initial setup, this option will be inactive by default. Therefore, we must first activate the multi-factor authentication feature by clicking on the Multifactor Authentication link and completing the activation. Additionally, from this page, we can also implement SMS authentication, Google Authenticator, Symantec VIP, On-Prem MFA, and RSA SecurID.
Multifactor Authentication becomes available after the activation process. When we return to the App Sign On Rule section, we will notice that the options Prompt for re-authentication and Prompt for factor: Multifactor Settings have become selectable.
After setting up and saving these configurations as needed, multi-factor authentication will be fully active across the entire website and web applications. When a user attempts to log in, after correctly entering and confirming their user credentials, they will receive a push notification from the mobile application. Only after approving this notification will the login process be completed.
Additionally, we can configure this process to apply only to specific user groups. Furthermore, at any time, we can deactivate and/or modify this Rule definition.