Media Realm’s Radio Websites platform has a number of security features. Users on our Premium Plans have access to Single Sign-On (SSO) – allowing seamless login via Microsoft or Google Accounts. This article shows you how to enable Single Sign-On for Microsoft and Google, as well as how to configure advanced Single Sign-On connections to your Azure AD or Google Cloud accounts.
Once configured, your login screen will have additional “Sign in with Microsoft” or “Sign in with Google” buttons:
Enabling Basic SSO
The easiest way to get started with SSO is to enable Basic mode.
Login to WordPress, and go to WP Admin > Users > Single Sign-On.
Under “SSO Mode”, select “Basic”.
Then, check the boxes to enable Microsoft and/or Google login.
In Basic Mode, only users who already have an account in WordPress will be able to login to your site. Unregistered users will not be able to login.
Ensure your users know to login with the same email address as their profile in WordPress.
Deny Local Login
Some station may wish to force users to login via SSO exclusively. Under the heading “Deny Local Login” you can select which user roles will be required to login via SSO.
This option is often used as a security measure, to ensure all logins are controlled via your directory such as Azure AD.
Advanced SSO Connections
Some stations may wish to authenticate against their Azure AD tenants or Google Cloud accounts using advanced settings.
Under “SSO Mode”, select “Advanced”.
In this mode, you can add specific SSO providers (the default providers will not be available). Click “Add New Provider” to add a login method.
Configuring these providers is an advanced topic. It requires high-level IT Administration access to your Azure or Google accounts. It also requires some knowledge about how OAuth works.
Azure AD
In the Azure Portal, go to Azure AD > App Registrations.
Microsoft has a detailed guide on this procedure – please follow this procedure.
You will need to select the access level (often you’ll want to select the first choice – single tenant):
- Accounts in this organizational directory only (Single tenant)
- Accounts in any organizational directory (Any Azure AD directory – Multitenant)
- Accounts in any organizational directory (Any Azure AD directory – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
- Personal Microsoft accounts only
The Web Redirect URI is shown in WordPress on the SSO screen, and is in this format:
https://www.example.com/mrwp-sso/Once you have finished setup, take the ‘Application (client) ID’ from Azure AD and paste it into the ‘Client ID’ field in WordPress. Generate a Client Secret in Azure AD, and paste it into the Client Secret field in WordPress.
Important: Ensure you set a reminder to rotate the Client Secret on a periodic basis. Microsoft forces these secrets to expire after a maximum period of 2 years.
Google Cloud
Create a OAuth consent screen within your Google Cloud account.
The Web Redirect URI is shown in WordPress on the SSO screen, and is in this format:
https://www.example.com/mrwp-sso/Once you have finished setup, take the ‘Application ID’ from Google Cloud and paste it into the ‘Client ID’ field in WordPress. Generate a Client Secret in Google Cloud, and paste it into the Client Secret field in WordPress.
Additional Advanced Settings
Advanced identity providers have two additional settings available.
Allow Creating New Users – this setting allows new users to be created the first time they attempt to login via Google or Microsoft. They will be created with the ‘Subscriber’ user level.
Restrict to Certain Domains – this setting can ensure users have an email address with a specific domain. You may wish to use this setting if you have enable multi-tenant logins but still wish to ensure only company-issued accounts can login.