Setup HarvardKey on a Self-Hosted Pantheon Site

SPH uses the wp-saml-auth WordPress plugin to enable HarvardKey authentication. We use an mu-plugin to define configuration options that should work out of the box for your site. Follow the instructions below to setup HarvardKey on a Pantheon self-hosted site.

Prerequisites

1. Work with a member of the Application Development Team to register the each of the site environments in the HarvardKey Application Registry (i.e. live, dev, multidev1).
   1. This can take a few days, so this should be done first.
2. wp-saml-auth is installed and activated
   1. https://wordpress.org/plugins/wp-saml-auth/
3. SPH's mu-plugin is installed
4. Install the Chrome SAML-tracer extension (or similar tool for viewing SAML requests and responses)
   1. https://chromewebstore.google.com/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch?pli=1
   2. Enable it to be used in Incognito mode: https://www.howtogeek.com/702123/how-to-enable-an-extension-in-chromes-incognito-mode/

*Future improvement: add wp-saml-auth and the mu-plugin to the self-hosted-upstream so they're added to new sites automatically.

Dependencies

Always use a person's Harvard Official Email when setting up their WordPress user account. In our default configuration of wp-saml-auth, WordPress authentication will fail if the user_email does not equal their official email.

Use https://directory.harvard.edu to lookup a person's official email.

Setup and Testing Instructions

Assuming the above perquisites and dependencies are followed, the site should be ready to test.

1. In an incognito window, open SAML-tracer
2. In the incognito window enter the admin URL of your site and hit enter
3. Use your HarvardKey to authenticate
4. In the SAML-tracer window, you should see two orange "SAML" badges. One for the request and one for the response. Click on the second one (the SAML response) and click on the "Summary" tab. You should see an attribute statement similar to the one below.