
② In the WordPress admin, search for “SecurePie SSO SAML — Single Sign-On, SAML Login & Enterprise SSO for WordPress” → install directly (recommended)
Original plugin description
SecurePie SSO SAML is a SAML 2.0 Single Sign-On (SSO) plugin for WordPress that provides enterprise SSO login, SAML login, and federated login via any SAML 2.0 Identity Provider — including Azure AD (Entra ID), Okta, Google Workspace, OneLogin, ADFS, Auth0, PingFederate, and Keycloak.
Whether you need SAML SSO for an intranet, an enterprise SSO portal for customers, or federated authentication for your team, this plugin turns your WordPress site into a SAML Service Provider with zero external dependencies.
SecurePie SSO SAML allows you to configure your WordPress site as a SAML 2.0 Service Provider (SP), enabling Single Sign-On with any SAML 2.0 compliant Identity Provider (IdP) such as Azure AD, Okta, Google Workspace, OneLogin, ADFS, and more.
This is a zero-dependency plugin — it uses only PHP’s built-in dom, openssl, and zlib extensions. No Composer, no external libraries, no conflicts with other plugins.
Features
Full SAML 2.0 SSO — AuthnRequest generation, Response validation, user provisioning
SP Metadata Endpoint — Auto-generated metadata XML for easy IdP configuration
IdP Metadata Parsing — Import IdP settings from a metadata URL or XML file
XML Digital Signature Verification — RSA-SHA256 and RSA-SHA1 support
Security Hardened — XXE prevention, signature wrapping attack protection, replay prevention, audience validation
Attribute Mapping — Map SAML attributes to WordPress user fields (username, email, first name, last name, display name)
Role Mapping — Assign WordPress roles based on IdP group/role attributes
Auto User Provisioning — Automatically create WordPress users on first SSO login
SSO Login Button — Customizable SSO button on the WordPress login page
Force SAML Login — Optionally redirect all login attempts through the IdP
Single Logout (SLO) — Send LogoutRequest to the IdP when users log out of WordPress
Test Configuration — Validate your SSO setup and see returned attributes before going live
HTTP-Redirect and HTTP-POST Bindings — Support for both SAML binding types
Clean Admin Interface — Professional tabbed settings page with copy-to-clipboard functionality
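The “Security Hardened” entry above lists four checks (XXE prevention, signature wrapping protection, replay prevention, audience validation) that a SAML Service Provider must apply to every Response, and the “Attribute Mapping” and “Role Mapping” entries describe what happens once a Response is accepted. The following is an added example written for this page, not code from the SecurePie plugin (which is PHP; this is Python standard library only). It assumes hypothetical SP/IdP entity IDs, a constructed sample Response and a hypothetical `groups` claim name for role mapping, and it assumes the XML signature has already been cryptographically verified elsewhere: what it shows is the structural and semantic validation that has to follow a good signature, plus the attribute-to-user and group-to-role mapping.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Hypothetical configuration (constructed for this example, not values from the plugin).
SP_ENTITY_ID = "https://wordpress.example.com/saml/metadata"
IDP_ENTITY_ID = "https://idp.example.org/saml"
ATTRIBUTE_MAP = {CLAIMS + "emailaddress": "email",
                 CLAIMS + "givenname": "first_name",
                 CLAIMS + "surname": "last_name"}
GROUP_ATTRIBUTE = CLAIMS + "groups"              # hypothetical group claim name
ROLE_MAP = [("wp-admins", "administrator"), ("wp-editors", "editor")]  # first match wins
DEFAULT_ROLE = "subscriber"

# Constructed sample Response (unsigned; signature verification is assumed to have passed).
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://wordpress.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups"><saml:AttributeValue>wp-editors</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlValidationError(Exception):
    pass


def parse_saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_bytes, outstanding_ids, now):
    """Structural/semantic checks on a SAML Response; returns the accepted Assertion element."""
    # XXE / entity-expansion guard: a SAML message never legitimately carries a DTD.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise SamlValidationError("DTD in SAML response rejected")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("root element is not samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise SamlValidationError("IdP reported non-success status")
    # Signature-wrapping guard: take the Assertion only as a direct child of Response, require
    # exactly one, and require any enveloped signature Reference to point at that Assertion's ID.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one saml:Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is not None and ref.get("URI") != "#" + (assertion.get("ID") or ""):
        raise SamlValidationError("signature Reference does not cover this assertion")
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != IDP_ENTITY_ID:
            raise SamlValidationError("unexpected Issuer")
    # Replay prevention: InResponseTo must match an AuthnRequest we issued, consumed exactly once.
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_ids:
        raise SamlValidationError("InResponseTo does not match an outstanding AuthnRequest")
    outstanding_ids.discard(in_response_to)
    # Conditions: validity window and audience restriction.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    audiences = [(a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("audience does not include this SP")
    return assertion


def map_user(assertion):
    """Map SAML attributes to WordPress user fields and pick a role from group membership."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    user = {field: attrs.get(name, [None])[0] for name, field in ATTRIBUTE_MAP.items()}
    groups = set(attrs.get(GROUP_ATTRIBUTE, []))
    user["role"] = next((role for group, role in ROLE_MAP if group in groups), DEFAULT_ROLE)
    return user


if __name__ == "__main__":
    outstanding = {"_req1"}  # IDs of AuthnRequests this SP has issued and not yet seen answered
    accepted = validate_response(SAMPLE_RESPONSE, outstanding, parse_saml_time("2024-01-01T00:01:00Z"))
    print(map_user(accepted))
```

The `outstanding_ids` set stands in for whatever persistent store the SP keeps of issued request IDs; discarding the ID on first use is what makes a replayed Response fail. The DOCTYPE check is deliberately a coarse byte-level reject rather than a parser option, because it does not depend on which XML library is in use.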
Use Cases
Enterprise SSO — Centralize WordPress login through your corporate Identity Provider so employees use one set of credentials.
SAML Login for Customer Portals — Let B2B customers sign in to your WordPress site using their own SAML SSO identity.
Federated Login Across Sites — Use a single SAML IdP to federate authentication across multiple WordPress installs.
SSO Authentication for Membership Sites — Replace WordPress’s default sign-in flow with SAML SSO login from Azure AD, Okta, or Google Workspace.
Intranet Single Sign-On — Add WordPress to your existing SSO ecosystem alongside other SAML 2.0 enabled apps.
Supported Identity Providers
Microsoft Azure Active Directory (Entra ID)
Okta
Google Workspace
OneLogin
Salesforce
Auth0
PingFederate
Shibboleth
ADFS (Active Directory Federation Services)
Keycloak
Any SAML 2.0 compliant IdP
Setting up SAML SSO with Azure AD (Entra ID)
Connecting WordPress to Azure AD / Entra ID for SAML SSO with SecurePie takes about ten minutes:
In the WordPress admin, open SecurePie SSO → Service Provider and copy the SP Entity ID and ACS URL.
In Azure, create a new Enterprise Application of type “Non-gallery application” and open its Single sign-on → SAML blade.
Paste the SP Entity ID into Azure’s Identifier (Entity ID) field and the ACS URL into the Reply URL (Assertion Consumer Service URL) field.
Under “SAML Signing Certificate”, download the Federation Metadata XML (or copy the Login URL and certificate).
Back in WordPress, open Identity Provider → Quick Setup and either upload the metadata XML or paste the metadata URL. SecurePie auto-fills Entity ID, Login URL and X.509 Certificate.
Assign your Azure users / groups to the Enterprise Application, then run Test Configuration in WordPress to confirm attributes flow through correctly before enabling the SSO button on the login page.
Setting up SAML SSO with Okta
Okta-to-WordPress SAML SSO with SecurePie follows the same pattern:
In the WordPress admin, open SecurePie SSO → Service Provider and copy the SP Entity ID, ACS URL and Single Logout URL.
In the Okta admin, go to Applications → Create App Integration → SAML 2.0, give the app a name, and continue to step 2 of Okta’s wizard.
Paste the SP Entity ID into Okta’s Audience URI (SP Entity ID) field and the ACS URL into the Single Sign-on URL field.
Configure Okta’s attribute statements to send email, firstName, lastName, and optionally a groups claim for role mapping.
After saving, open the Okta Sign On tab, click View SAML setup instructions, and copy the Identity Provider Single Sign-On URL, Identity Provider Issuer and the X.509 Certificate.
Back in WordPress, paste these into Identity Provider Setup (or use Okta’s metadata URL). Run Test Configuration to verify the SAML assertion before going live.
Requirements
PHP 7.4 or higher
PHP extensions: dom, openssl, zlib (enabled by default on most hosts)
WordPress 5.8 or higher
External Services
This plugin implements the SAML 2.0 protocol, which requires communication with an external Identity Provider (IdP) that is configured by the site administrator. No data is sent to any external service without the administrator explicitly configuring the connection.
Identity Provider Communication
When a user initiates SSO login, the plugin redirects the user’s browser to the Identity Provider’s SAML Login URL (configured by the administrator). The following data is sent as part of the standard SAML 2.0 AuthnRequest:
The Service Provider Entity ID (your site’s identifier)
The Assertion Consumer Service URL (your site’s callback URL)
A unique request ID for replay prevention
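The three items above are exactly what an HTTP-Redirect-bound AuthnRequest carries, and the binding itself (raw DEFLATE, base64, URL-encode into a `SAMLRequest` query parameter) is what makes the redirect URL look opaque. The following is an added example written for this page, not the plugin’s own code (the plugin is PHP; this uses the Python standard library). It assumes hypothetical SP Entity ID and ACS URL values, builds the request, encodes it for the redirect, and decodes it again the way an IdP would, bounding the inflated size so a small compressed payload cannot exhaust memory.

```python
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical SP settings (constructed for this example, not values from the plugin).
SP_ENTITY_ID = "https://wordpress.example.com/saml/metadata"
ACS_URL = "https://wordpress.example.com/saml/acs"


def build_authn_request(sp_entity_id, acs_url, request_id=None, issue_instant=None):
    """Return (request_id, xml_string) for a minimal SAML 2.0 AuthnRequest."""
    # SAML IDs must be XML NCNames, so prefix the random part with an underscore.
    # The SP stores this ID so the Response's InResponseTo can be matched (replay prevention).
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    root = ET.Element("{%s}AuthnRequest" % NS_SAMLP, {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, "{%s}Issuer" % NS_SAML).text = sp_entity_id
    return request_id, ET.tostring(root, encoding="unicode")


def encode_redirect_binding(xml_string, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as query parameters."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_string.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect_binding(query_string, max_inflated=1_000_000):
    """Reverse of encode_redirect_binding; returns the fields the IdP reads from the request."""
    params = urllib.parse.parse_qs(query_string)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    # Cap the inflated size: a few hundred compressed bytes can otherwise expand enormously.
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(deflated, max_inflated)
    if inflater.unconsumed_tail:
        raise ValueError("inflated AuthnRequest exceeds %d bytes" % max_inflated)
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % NS_SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("{%s}Issuer" % NS_SAML)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issue_instant": root.get("IssueInstant"),
        "relay_state": params.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    rid, xml = build_authn_request(SP_ENTITY_ID, ACS_URL)
    query = encode_redirect_binding(xml, relay_state="/wp-admin/")
    print("https://idp.example.org/sso?" + query)  # hypothetical IdP Login URL
    print(decode_redirect_binding(query))
```

The Issuer is the SP Entity ID and `AssertionConsumerServiceURL` is the ACS URL from the SP settings; the IdP compares both against what was registered for the application (the Identifier and Reply URL fields in the Azure AD and Okta steps above), which is why the values must be copied exactly.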
The Identity Provider then authenticates the user and sends a SAML Response back to your site containing the user’s identity attributes (such as email, name, and group membership).
This communication is entirely between your WordPress site and the IdP that you configure. No data is sent to SecurePie or any other third party.
The terms of service and privacy policy for the Identity Provider depend on which provider you choose to configure (e.g., Microsoft Azure AD, Okta, Google Workspace). Please consult your Identity Provider’s documentation for their specific terms.
IdP Metadata Import (Optional)
The plugin can optionally fetch Identity Provider metadata from a URL provided by the administrator. This is a one-time server-to-server request to retrieve the IdP’s public configuration (Entity ID, Login URL, X.509 Certificate). No user data is sent during this request.
SAML Attribute Namespace URIs
The plugin references standard SAML attribute namespace URIs (e.g., http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) as identifiers within SAML assertions. These are XML namespace strings used for attribute identification and are not HTTP requests to external services.
