Usage
The WPO365 plugin offers two premium authentication scenarios that allow administrators to configure their WordPress website so that visitors are required to sign in with Microsoft but are not automatically signed in as WordPress users. These two scenarios are:
- Intranet (auth. only)
- Internet (auth. only)
These scenarios are unlocked by the WPO365 | LOGIN+, WPO365 | PREMIUM and WPO365 | INTRANET extensions / bundles (see our website for details and pricing). They work in most respects like their non-premium counterparts (see this article), with one important exception: website visitors are required to sign in with Microsoft but are not automatically signed in as WordPress users.
Server side cache and WPO365 auth.-only cookie based authentication
Many WordPress hosters offer advanced server-side website caching mechanisms. These reduce the load on the server by removing the need to process each page individually; instead, a processed page is served from cache. This means that cookies, which both auth.-only scenarios rely on, are not processed, and it is not possible to secure your WordPress posts and pages with cookie-based authentication. However, when you have selected one of the auth.-only scenarios, the plugin tries to work around this by checking whether any cookies are present, in an attempt to detect whether the page is served from cache or not. If you select one of the two WPO365 auth.-only scenarios, the plugin will process each request as outlined below.
- Intention: The user wants to navigate to https://www.your-site.com/your-page/.
- Validate cookie - Step 1: The plugin will try to validate the WPO365 auth.-only cookie. If this cookie is found, it will be validated by checking its secret token and its expiration date. If the cookie is OK, the user will be allowed to view the post or page. If the cookie is not OK, the user will be redirected to the site's login page, where an error will be shown. If no cookies are found, the plugin will continue with step 2.
- Validate cookie - Step 2: The plugin cannot detect any cookies. Therefore the plugin redirects the user to the login page, adding a redirect_to parameter to indicate the page that the user intended to navigate to, and a wpo_redirect parameter to indicate that the user was redirected by the plugin and that the WPO365 auth.-only cookie validation should be repeated. If the WPO365 auth.-only cookie is not found, the user can now click the Sign in with Microsoft button. If you want to automatically sign in the user with Microsoft, you can click to Enable SSO for the default / custom login page on the plugin's Login / logout configuration page. If, however, a WPO365 auth.-only cookie was found, the plugin will generate a new WPO365 auth.-only cookie-like secret and redirect the user to the post or page they intended to navigate to, adding the cookie-like string as a parameter. The user then requests that post or page again; this time the plugin is able to detect the secret token, validates it, and finally allows the user to view the post or page.
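The two-step flow above, modelled as an added example (not the plugin's own code). The cookie name, URL parameter name, token format (expiry plus HMAC), 60-second token lifetime, wpo_redirect value and the local-path check on redirect_to are all assumptions made for illustration.

```python
import hashlib, hmac, time
from urllib.parse import urlencode

SECRET = b"constructed-demo-key"  # assumption: secret known only to the server
COOKIE = "demo_auth_only"         # hypothetical cookie name
TOKEN_PARAM = "demo_token"        # hypothetical URL parameter name
LOGIN = "/wp-login.php"

def _mac(exp):
    return hmac.new(SECRET, exp.encode(), hashlib.sha256).hexdigest()

def mint(ttl, now=None):
    """Build '<expiry>.<hmac>': a secret token that carries its expiration date."""
    exp = str(int((now or time.time()) + ttl))
    return f"{exp}.{_mac(exp)}"

def valid(value, now=None):
    """Check the secret token first (constant time), then the expiration date."""
    exp, _, mac = (value or "").partition(".")
    if not hmac.compare_digest(mac.encode(), _mac(exp).encode()):
        return False
    return int(exp) > (now or time.time())

def handle_page(path, cookies, query, now=None):
    """Step 1 on a protected page; hands over to step 2 if nothing is visible."""
    if COOKIE in cookies:
        if valid(cookies[COOKIE], now):
            return ("allow", path)
        return ("login_error", LOGIN)  # cookie present but not OK
    if TOKEN_PARAM in query:           # second request, carrying the URL secret
        ok = valid(query[TOKEN_PARAM], now)
        return ("allow", path) if ok else ("login_error", LOGIN)
    # No cookie visible (possibly a cached path): redirect with both hints.
    hints = {"redirect_to": path, "wpo_redirect": "1"}  # value "1" is constructed
    return ("redirect", LOGIN + "?" + urlencode(hints))

def handle_login(cookies, query, now=None):
    """Step 2 on the login page: repeat the cookie check if wpo_redirect is set."""
    target = query.get("redirect_to", "/")
    # Added hardening (assumption, not described on the page): local paths only.
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        target = "/"
    if "wpo_redirect" in query and valid(cookies.get(COOKIE), now):
        # The secret travels in the URL, so it is kept short-lived (60 s assumed).
        return ("redirect", target + "?" + urlencode({TOKEN_PARAM: mint(60, now)}))
    return ("show_login", LOGIN)  # user clicks "Sign in with Microsoft"
```

Because the secret in the second request is part of the URL, it can end up in access logs and browser history, which is why this model gives it a much shorter lifetime than the cookie.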
WP-Admin and WPO365 auth.-only cookie based authentication
Obviously, access to WP-Admin still requires a user to sign in to WordPress. Therefore the plugin will ignore the configured authentication scenario when a user tries to access WP-Admin and will instead fall back to its default behavior. This means that it will try to sign in the Azure AD / Microsoft user as a WordPress user by matching the Azure AD user's username with a WordPress user's username; if that fails, by matching the Azure AD user's email address with a WordPress user's email address; and if that fails, it will try to create a new WordPress user for you. Please note that if you do not want the plugin to automatically create new WordPress users for you, you can uncheck the option to Create new users on the plugin's User registration configuration page.