[WordPress] Plugin Share: Twelve Legs Marketing SSO

Last updated: 172 days ago
WordPress 5.8+ PHP 8.0+ v1.0.2 Listed: 2025-10-20

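Summary

Overview: TWL SSO is a secure single sign-on plugin for WordPress that enables seamless authentication using RS256 JWT tokens from an external SSO application. The plugin provides login security features and is designed to give Twelve Legs Marketing centralized authentication management.

Questions and answers:
1. What is TWL SSO?
- TWL SSO is a secure single sign-on plugin for WordPress that authenticates users with RS256 JWT tokens from an external SSO application.

2. What are the main features of TWL SSO?
- Single sign-in, just-in-time user provisioning, JWT validation, key rotation, role management, referrer validation, audience validation, token expiration, email validation, and caching.

3. What are the use cases for TWL SSO?
- WordPress installations managed centrally by an agency, and organizations using Google as an external identity provider.

4. What does the authentication flow with TWL SSO look like?
- After the user clicks the login link in the SSO application sso.twelvelegsmarketing.com, the SSO application redirects to WordPress with a JWT token. The plugin validates the JWT signature and claims, extracts the user information, creates or retrieves the WordPress user, assigns the appropriate role based on the JWT claims, and logs the user into WordPress.

5. Which JWT claims does TWL SSO expect?
- email or sub (the user's email address), iss (issuer), aud (audience), exp (expiration time), and others.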


Original plugin description

TWL SSO is a secure single sign-on plugin for WordPress that enables seamless authentication using RS256 JWT tokens from an external SSO application.
This plugin provides login security features and is designed to give Twelve Legs Marketing centralized authentication management.
Key Features

Single Sign In: Agency employees can log into websites they manage from a central dashboard.
Just-in-Time User Provisioning: Automatic user creation and role assignment
JWT Validation: Full RS256 signature verification with JWKS endpoint integration
Key Rotation: Supports key rotation through the JWKS endpoint
Role Management: Flexible role assignment from JWT claims
Referrer Validation: Enhanced security through referrer validation
Audience Validation: Ensures tokens are valid for the specific WordPress site
Token Expiration: Built-in token expiration and clock skew tolerance
Email Validation: Comprehensive email validation with optional allowlist
Caching: JWKS caching for improved performance

Security Features

Referrer validation to prevent unauthorized access
JWT signature verification using public key cryptography
Issuer validation to ensure tokens come from trusted sources
Audience validation to prevent token reuse across sites
Token expiration validation with configurable leeway
Email format validation and filtering via hook

Use Cases

WordPress installations managed centrally by an agency
Organizations using Google as an external identity provider

Usage
Authentication Flow

1. User clicks login link from SSO application sso.twelvelegsmarketing.com
2. SSO application redirects to WordPress with JWT token: /wp-login.php?action=twl_sso&token=JWT_TOKEN
3. Plugin validates the JWT token signature and claims
4. Plugin extracts user information from JWT claims
5. Plugin creates or retrieves WordPress user
6. Plugin assigns appropriate role based on JWT claims
7. User is logged into WordPress

JWT Claims
The plugin expects the following JWT claims:

email or sub: User’s email address
iss: Issuer (must match allowed issuers)
aud: Audience (must match WordPress site URL)
exp: Expiration time
nbf: Not before time (optional)
wp_role: WordPress role to assign (optional)
name: User’s display name (optional)
given_name: User’s first name (optional)
family_name: User’s last name (optional)
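
The claim checks listed above, written out as an added PHP example (not the plugin's own code) so the order and strictness of each check can be reviewed. It assumes the RS256 signature has already been verified against the issuer's JWKS. The function name, sample site URL, email address, default role and the reject-on-disallowed-role behaviour are assumptions; the issuer URL is the production issuer named under Configuration on this page.

```php
<?php
// Added example, not the plugin's code. Assumes the RS256 signature was already
// verified against the issuer's JWKS; only the claim checks are shown.
function example_check_claims(array $c, string $site, array $issuers,
                              array $roles, int $now, int $leeway = 60): array
{
    $fail = fn(string $why) => ['ok' => false, 'error' => $why];
    $num  = fn($v) => is_int($v) || is_float($v);
    // iss: exact, type-strict match against the issuer allowlist.
    if (!isset($c['iss']) || !in_array($c['iss'], $issuers, true)) {
        return $fail('untrusted issuer');
    }
    // aud: may be a string or an array (RFC 7519); this site must be listed.
    $aud = array_map(fn($a) => is_string($a) ? rtrim($a, '/') : null,
                     (array) ($c['aud'] ?? []));
    if (!in_array(rtrim($site, '/'), $aud, true)) {
        return $fail('token issued for another site');
    }
    // exp is required, nbf optional; leeway absorbs small clock skew.
    if (!$num($c['exp'] ?? null) || $now > $c['exp'] + $leeway) {
        return $fail('expired or missing exp');
    }
    if (isset($c['nbf']) && (!$num($c['nbf']) || $now + $leeway < $c['nbf'])) {
        return $fail('not yet valid');
    }
    // The address comes from email, falling back to sub.
    $email = $c['email'] ?? $c['sub'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return $fail('invalid email');
    }
    // wp_role optional. Assumed: default 'subscriber'; unlisted role rejects login.
    $role = $c['wp_role'] ?? 'subscriber';
    if (!in_array($role, $roles, true)) {
        return $fail('role not allowed');
    }
    return ['ok' => true, 'email' => $email, 'role' => $role];
}
// Constructed sample data; only the issuer URL is taken from the page.
$now = 1760918400; $site = 'https://client-site.example';
$iss = ['https://sso.twelvelegsmarketing.com']; $roles = ['subscriber', 'editor'];
$good = ['iss' => $iss[0], 'aud' => "$site/", 'exp' => $now + 300,
         'email' => 'staff@agency.example', 'wp_role' => 'editor'];
$cases = ['valid' => $good, 'other site' => ['aud' => 'https://other.example'] + $good,
          'expired' => ['exp' => $now - 3600] + $good,
          'bad role' => ['wp_role' => 'administrator'] + $good];
foreach ($cases as $k => $c) {
    $r = example_check_claims($c, $site, $iss, $roles, $now);
    echo str_pad($k, 12), $r['ok'] ? "accept as {$r['role']}" : "reject: {$r['error']}", "\n";
}
```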

Configuration
The plugin automatically configures itself based on the WordPress environment:

Production: Only allows https://sso.twelvelegsmarketing.com as issuer
Development/Staging: Also allows https://localhost:8443 as issuer

Customization
You can customize the plugin behavior using WordPress filters:

twl_sso_allow_email: Filter to control which email addresses are allowed
twl_sso_allowed_roles: Filter to control which roles can be assigned
twl_sso_allowed_issuers: Filter to control which issuers are allowed

Support
For support, please contact Twelve Legs Marketing at https://twelvelegsmarketing.com
Privacy Policy
This plugin does not collect, store, or transmit any personal data. All authentication is handled through secure JWT tokens from your configured SSO provider.
