
Any way to put Azure AD email field into WordPress email field?

Open mmahoney812 opened this issue 7 years ago • 12 comments

Is there any way of taking the email stored in Active Directory and setting it as the email address in WordPress?

mmahoney812 avatar Nov 27 '17 05:11 mmahoney812

Do you mean in Windows Server AD (i.e. on-premises) or Azure AD? (Or both, since you're syncing AD to Azure AD?) Which attribute, specifically, do you mean?

psignoret avatar Nov 27 '17 06:11 psignoret

Well, I am syncing from Windows Server AD to Azure and I was wondering if I could use the email field in Server AD to go over to the email field of WordPress so I could have WordPress send people emails to their own emails. I just looked in Azure and I think it is filtering out that attribute so I'm not sure if it can be done. [screenshot: email ad snip]

mmahoney812 avatar Nov 27 '17 06:11 mmahoney812

@psignoret could we offer some hooks to allow other plugins to grab this information?

bradkovach avatar Nov 27 '17 15:11 bradkovach

@mmahoney812 Are you using automated provisioning? Or would you expect this to get updated if the on-premises mail attribute changes?

@bradkovach It's not about exposing it with a hook, it's about whether or not that information is even available in Azure AD to start with.

psignoret avatar Nov 27 '17 15:11 psignoret

@psignoret I am using Azure AD Connect with the password synchronization selected. I did confirm that it does sync that mail attribute because I put in an address that was already in Office 365 and I got an error saying it was already in the directory. [screenshot: dirsync error]

mmahoney812 avatar Nov 27 '17 15:11 mmahoney812

@mmahoney812 I meant how you've configured the plugin. Are you using the option to automatically create the user in WordPress if they haven't been created yet?

What would be your expected behaviour if the on-prem mail attribute changes? Would WordPress automatically update as well?

Are your users' UserPrincipalName different from their Mail?

psignoret avatar Nov 27 '17 15:11 psignoret

@psignoret Yes. I am sorry for not understanding the question. I am using the plugin to create the user in WordPress if they do not exist. I would like the mail attribute to change in WordPress if it's changed on-prem, but if it is not possible then I understand. That option would just be for convenience. The UPN is different from their mail. We do not assign the users that are pulled from on-prem a license to Office 365, therefore they do not have mailboxes. In the plugin, I created a test account on-prem and entered an email into the email field. Once it synced to Azure, I tested the login on the website. Once I logged in, the email and username were the full UPN (example: mmahoney@domain).

mmahoney812 avatar Nov 27 '17 16:11 mmahoney812

Hello @psignoret, another workaround that I was thinking of is if you could put in a setting like you did for the groups. Get the attribute ID and then tie it in with something in WordPress.

mmahoney812 avatar Nov 28 '17 20:11 mmahoney812

> It's not about exposing it with a hook, it's about whether or not that information is even available in Azure AD to start with.

Is it possible to just expose the entire Azure payload and the associated WP_User object to allow for this behavior to be bolted on with another plugin via hook?

bradkovach avatar Nov 29 '17 22:11 bradkovach

@mmahoney812 The only way to get the email for sure (without paid-for features like custom claims mapping) is with an extra call to the Azure AD Graph API, not unlike the call that gets made to retrieve the group membership. This can definitely be added, but it may have a performance impact if not done optimally. I can add it the easy, but possibly less performant way, quickly--if this will unblock you. If you're not blocked, I'd rather do it the slightly more complex (and thus will take me more time to get done), but more performant way. Let me know if this is blocking you at the moment.

@bradkovach In its current form, the only "payload" we have from Azure AD is the ID Token, which does not contain the contents of the Azure AD Mail attribute. I wanted to get clarity on what attribute we were talking about, because getting it implies an extra inline API call. As to how best to share it--definitely something I'm open to, as long as we're careful about how it's done.

psignoret avatar Nov 29 '17 23:11 psignoret
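The extra inline call described in the comment above, plus the hook bradkovach asked for, as an added example written for this thread (it is not code from the aad-sso-wordpress plugin). Assumptions: the hook name `aad_sso_user_signed_in` and its arguments (`$wp_user`, `$access_token`) are hypothetical; the plugin may expose the WP_User and token under a different hook, or not at all. The call goes to Microsoft Graph's `/v1.0/me` rather than the Azure AD Graph endpoint the comment names (Azure AD Graph has since been retired); the token must carry the `User.Read` scope and comes from the plugin's own OAuth flow. Because the WordPress email address is what password-reset links are sent to, the example refuses to apply a directory value that is malformed or already belongs to another WordPress account, and only writes when the value actually changed, which is the same thing that keeps the per-login cost low.

```php
<?php
/**
 * Added example, not part of aad-sso-wordpress.
 * After a successful Azure AD sign-in, fetch the user's `mail` attribute
 * with one extra Microsoft Graph call and copy it into the WordPress user.
 *
 * Hypothetical: the hook `aad_sso_user_signed_in` and its arguments, and
 * the hook `example_aad_mail_synced` fired afterwards for other plugins.
 */

// Fetch `mail` for the signed-in user from Microsoft Graph (real endpoint).
// Returns the mail string, or null when it is absent or the call failed.
function example_fetch_aad_mail( $access_token ) {
    $response = wp_remote_get(
        'https://graph.microsoft.com/v1.0/me?$select=mail,userPrincipalName',
        array(
            'timeout' => 5,
            'headers' => array( 'Authorization' => 'Bearer ' . $access_token ),
        )
    );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return null; // fail closed: leave the WordPress email untouched
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    // Users without a mailbox (no Office 365 licence) frequently have mail = null.
    return ( is_array( $data ) && ! empty( $data['mail'] ) ) ? $data['mail'] : null;
}

// Decide whether the directory value may be written to this WordPress user.
// The email drives password resets, so a bad mapping is an account-takeover path.
function example_mail_is_safe_to_apply( $mail, $user_id ) {
    $mail = sanitize_email( $mail );
    if ( ! is_email( $mail ) ) {
        return false;                       // malformed, or sanitised to nothing
    }
    $owner_id = email_exists( $mail );      // false, or the ID of the user holding it
    if ( $owner_id && (int) $owner_id !== (int) $user_id ) {
        return false;                       // belongs to another account: refuse
    }
    return true;
}

// Hook handler: runs once per login and writes only when the value changed.
function example_sync_aad_mail_on_login( WP_User $user, $access_token ) {
    $mail = example_fetch_aad_mail( $access_token );
    if ( null === $mail || ! example_mail_is_safe_to_apply( $mail, $user->ID ) ) {
        return;
    }
    $mail = sanitize_email( $mail );
    if ( 0 === strcasecmp( $user->user_email, $mail ) ) {
        return;                             // unchanged: skip the database write
    }
    $result = wp_update_user( array( 'ID' => $user->ID, 'user_email' => $mail ) );
    if ( ! is_wp_error( $result ) ) {
        // Hypothetical hook so other plugins can react to the synced value.
        do_action( 'example_aad_mail_synced', $user, $mail );
    }
}

add_action( 'aad_sso_user_signed_in', 'example_sync_aad_mail_on_login', 10, 2 );
```

`wp_update_user()` itself rejects an email already used by a different user, so the `email_exists()` check is a second line of defence that also lets the handler fail quietly instead of surfacing a WP_Error at login. If the plugin later exposes a custom extension attribute (as mmahoney812 asks below), only the `$select` and the array key in `example_fetch_aad_mail()` need to change; the validation and collision check stay the same.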

@psignoret Thank you for getting back to me. This is not at all blocking me; take all the time you need. I need to work out some issues with AD because some users use Office 365 groups and they are putting in guests' emails that are also in the email field of AD, so that is causing duplication errors. I am going to create a custom attribute and put it in there so it doesn't affect Office 365. If a custom attribute can be mapped to the email field, that would be amazing.

Again, take your time. Thank you, Mike

mmahoney812 avatar Nov 29 '17 23:11 mmahoney812

Hello, Any update on this?

Mike

mmahoney812 avatar Feb 18 '18 05:02 mmahoney812