SecurePie SSO SAML — Single Sign-On, SAML Login & Enterprise SSO for WordPress
SecurePie SSO SAML is a SAML 2.0 Single Sign-On (SSO) plugin for WordPress that provides enterprise SSO login, SAML login, and federated login via any SAML 2.0 Identity Provider — including Azure AD (Entra ID), Okta, Google Workspace, OneLogin, ADFS, Auth0, PingFederate, and Keycloak.
Whether you need SAML SSO for an intranet, an enterprise SSO portal for customers, or federated authentication for your team, this plugin turns your WordPress site into a SAML Service Provider with zero external dependencies.
SecurePie SSO SAML allows you to configure your WordPress site as a SAML 2.0 Service Provider (SP), enabling Single Sign-On with any SAML 2.0 compliant Identity Provider (IdP) such as Azure AD, Okta, Google Workspace, OneLogin, ADFS, and more.
This is a zero-dependency plugin — it uses only PHP’s built-in dom, openssl, and zlib extensions. No Composer, no external libraries, no conflicts with other plugins.
Features
- Full SAML 2.0 SSO — AuthnRequest generation, Response validation, user provisioning
- SP Metadata Endpoint — Auto-generated metadata XML for easy IdP configuration
- IdP Metadata Parsing — Import IdP settings from a metadata URL or XML file
- XML Digital Signature Verification — RSA-SHA256 and RSA-SHA1 support (prefer SHA-256; keep SHA-1 only for legacy IdPs that cannot sign with anything newer)
- Security Hardened — XXE prevention, signature wrapping attack protection, replay prevention, audience validation
- Attribute Mapping — Map SAML attributes to WordPress user fields (username, email, first name, last name, display name)
- Role Mapping — Assign WordPress roles based on IdP group/role attributes
- Auto User Provisioning — Automatically create WordPress users on first SSO login
- SSO Login Button — Customizable SSO button on the WordPress login page
- Force SAML Login — Optionally redirect all login attempts through the IdP
- Single Logout (SLO) — Send LogoutRequest to the IdP when users log out of WordPress
- Test Configuration — Validate your SSO setup and see returned attributes before going live
- HTTP-Redirect and HTTP-POST Bindings — Support for both SAML binding types
- Clean Admin Interface — Professional tabbed settings page with copy-to-clipboard functionality
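The "Security Hardened" and "XML Digital Signature Verification" bullets above describe checks that every SAML Service Provider has to get right in a specific order: parse without entity expansion, verify the signature over exactly the element you later trust, then check replay, validity window and audience before reading a single attribute. The following is an added example written for this page, not SecurePie's own code, using the same ext/dom and ext/openssl primitives the plugin relies on. The inputs are this example's assumptions: $idpCertPem is the IdP certificate from metadata wrapped as PEM, $spEntityId and $acsUrl are the SP's own values, and $issuedRequestIds is a server-side store of AuthnRequest IDs written when each request was sent (in WordPress this would be a transient with an expiry). EncryptedAssertion and SubjectConfirmationData handling are omitted for brevity.

```php
<?php
// Added example, not SecurePie's own code: the checks an SP makes on a POSTed SAML
// Response, using only ext/dom and ext/openssl. Assumed inputs: $idpCertPem is the
// PEM-wrapped IdP certificate from metadata, $spEntityId/$acsUrl the SP's own values,
// $issuedRequestIds the server-side store of AuthnRequest IDs written when each was sent.
// Omitted for brevity: EncryptedAssertion and SubjectConfirmationData checks.
const NS_P = 'urn:oasis:names:tc:SAML:2.0:protocol';
const NS_A = 'urn:oasis:names:tc:SAML:2.0:assertion';
const NS_DS = 'http://www.w3.org/2000/09/xmldsig#';
const EXC_C14N = 'http://www.w3.org/2001/10/xml-exc-c14n#';
const SIG_ALGS = ['http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => OPENSSL_ALGO_SHA256, 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' => OPENSSL_ALGO_SHA1];
const DIGEST_ALGS = ['http://www.w3.org/2001/04/xmlenc#sha256' => 'sha256', 'http://www.w3.org/2000/09/xmldsig#sha1' => 'sha1'];
const TRANSFORMS = ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', EXC_C14N, 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'];

function loadSamlXml(string $xml): DOMDocument
{
    // XXE prevention: refuse any DTD outright and forbid network access while parsing.
    // Never pass LIBXML_NOENT, which would expand entities.
    if ($xml === '' || preg_match('/<!(DOCTYPE|ENTITY)/i', $xml)) throw new RuntimeException('empty message or DTD present');
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = true;        // whitespace is part of what was signed
    $prev = libxml_use_internal_errors(true);
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if (!$ok) throw new RuntimeException('SAML message is not well-formed XML');
    return $doc;
}

// Verifies the enveloped XMLDSig on $el. The single Reference must point at $el itself:
// that is the signature-wrapping defence, since a signed assertion then cannot vouch
// for a different, unsigned assertion inserted beside it.
function verifyEnvelopedSignature(DOMXPath $xp, DOMElement $el, string $certPem): void
{
    $sigs = $xp->query('ds:Signature', $el);
    $refs = $xp->query('ds:Signature/ds:SignedInfo/ds:Reference', $el);
    if ($sigs->length !== 1 || $refs->length !== 1) throw new RuntimeException('need exactly one Signature with one Reference');
    $sig = $sigs->item(0);
    $ref = $refs->item(0);
    if ($ref->getAttribute('URI') !== '#' . $el->getAttribute('ID')) throw new RuntimeException('Reference does not cover the signed element');
    foreach ($xp->query('ds:Transforms/ds:Transform/@Algorithm', $ref) as $t) {
        if (!in_array($t->nodeValue, TRANSFORMS, true)) throw new RuntimeException('unsupported Transform');
    }
    $sigAlg = SIG_ALGS[$xp->evaluate('string(ds:SignedInfo/ds:SignatureMethod/@Algorithm)', $sig)] ?? null;
    $digAlg = DIGEST_ALGS[$xp->evaluate('string(ds:DigestMethod/@Algorithm)', $ref)] ?? null;
    if ($sigAlg === null || $digAlg === null) throw new RuntimeException('unsupported signature or digest algorithm');
    $exclusive = $xp->evaluate('string(ds:SignedInfo/ds:CanonicalizationMethod/@Algorithm)', $sig) === EXC_C14N;
    // Canonicalise SignedInfo while it is still in the tree and check the RSA signature over it.
    $signedInfo = $xp->query('ds:SignedInfo', $sig)->item(0)->C14N($exclusive, false);
    $sigValue = base64_decode(trim($xp->evaluate('string(ds:SignatureValue)', $sig)), true);
    $digest = base64_decode(trim($xp->evaluate('string(ds:DigestValue)', $ref)), true);
    $key = openssl_pkey_get_public($certPem);
    if ($key === false || $sigValue === false || $digest === false) throw new RuntimeException('bad certificate or base64');
    if (openssl_verify($signedInfo, $sigValue, $key, $sigAlg) !== 1) throw new RuntimeException('signature over SignedInfo is invalid');
    // Enveloped-signature transform: remove the Signature, canonicalise $el, compare the digest.
    $sig->parentNode->removeChild($sig);
    if (!hash_equals($digest, hash($digAlg, $el->C14N($exclusive, false), true))) throw new RuntimeException('Reference digest mismatch');
}

function validateSamlResponse(string $b64, string $idpCertPem, string $spEntityId, string $acsUrl, array &$issuedRequestIds, int $skew = 120): array
{
    $doc = loadSamlXml((string) base64_decode($b64, true));
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', NS_P);
    $xp->registerNamespace('saml', NS_A);
    $xp->registerNamespace('ds', NS_DS);
    $resp = $doc->documentElement;
    if ($resp->namespaceURI !== NS_P || $resp->localName !== 'Response') throw new RuntimeException('root is not samlp:Response');
    if ($xp->evaluate('string(samlp:Status/samlp:StatusCode/@Value)', $resp) !== 'urn:oasis:names:tc:SAML:2.0:status:Success') throw new RuntimeException('IdP reported failure');
    if ($resp->getAttribute('Destination') !== $acsUrl) throw new RuntimeException('Destination is not our ACS URL');
    // Exactly one Assertion anywhere in the document, and it must be a direct child of the Response.
    $assertion = $xp->query('saml:Assertion', $resp)->item(0);
    if ($assertion === null || (int) $xp->evaluate('count(//saml:Assertion)') !== 1) throw new RuntimeException('expected exactly one Assertion under Response');
    if ($xp->query('ds:Signature', $resp)->length === 1) verifyEnvelopedSignature($xp, $resp, $idpCertPem);
    elseif ($xp->query('ds:Signature', $assertion)->length === 1) verifyEnvelopedSignature($xp, $assertion, $idpCertPem);
    else throw new RuntimeException('neither Response nor Assertion is signed');
    // Replay prevention: InResponseTo must name an AuthnRequest we issued, and it is consumed here.
    $inResponseTo = $resp->getAttribute('InResponseTo');
    if ($inResponseTo === '' || !isset($issuedRequestIds[$inResponseTo])) throw new RuntimeException('unsolicited or replayed Response');
    unset($issuedRequestIds[$inResponseTo]);
    // Validity window (with clock skew) and audience restriction.
    $now = time();
    $nb = $xp->evaluate('string(saml:Conditions/@NotBefore)', $assertion);
    $noa = $xp->evaluate('string(saml:Conditions/@NotOnOrAfter)', $assertion);
    if ($nb !== '' && strtotime($nb) > $now + $skew) throw new RuntimeException('assertion not yet valid');
    if ($noa === '' || strtotime($noa) <= $now - $skew) throw new RuntimeException('assertion expired');
    $audiences = [];
    foreach ($xp->query('saml:Conditions/saml:AudienceRestriction/saml:Audience', $assertion) as $a) $audiences[] = trim($a->textContent);
    if (!in_array($spEntityId, $audiences, true)) throw new RuntimeException('assertion is not addressed to this SP');
    // Only now read identity data, and only from the assertion that was verified.
    $attrs = [];
    foreach ($xp->query('saml:AttributeStatement/saml:Attribute', $assertion) as $attr) {
        foreach ($xp->query('saml:AttributeValue', $attr) as $v) $attrs[$attr->getAttribute('Name')][] = trim($v->textContent);
    }
    return ['nameId' => trim($xp->evaluate('string(saml:Subject/saml:NameID)', $assertion)), 'attributes' => $attrs];
}
```

Two design points matter more than any individual check. First, the attributes are read only from the $assertion node whose signature (or whose enclosing Response's signature) was just verified, never from a fresh `//saml:Assertion` search; most signature-wrapping bugs come from verifying one node and reading another. Second, the returned `attributes` array is keyed by the SAML attribute Name exactly as sent, so the claim URIs listed later in this README (for example the `.../claims/emailaddress` URI) are the keys the role and attribute mapping would look up.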
Use Cases
- Enterprise SSO — Centralize WordPress login through your corporate Identity Provider so employees use one set of credentials.
- SAML Login for Customer Portals — Let B2B customers sign in to your WordPress site using their own SAML SSO identity.
- Federated Login Across Sites — Use a single SAML IdP to federate authentication across multiple WordPress installs.
- SSO Authentication for Membership Sites — Replace WordPress’s default signin flow with SAML SSO login from Azure AD, Okta, or Google Workspace.
- Intranet Single Sign-On — Add WordPress to your existing SSO ecosystem alongside other SAML 2.0 enabled apps.
Supported Identity Providers
- Microsoft Azure Active Directory (Entra ID)
- Okta
- Google Workspace
- OneLogin
- Salesforce
- Auth0
- PingFederate
- Shibboleth
- ADFS (Active Directory Federation Services)
- Keycloak
- Any SAML 2.0 compliant IdP
Setting up SAML SSO with Azure AD (Entra ID)
Connecting WordPress to Azure AD / Entra ID for SAML SSO with SecurePie takes about ten minutes:
- In the WordPress admin, open SecurePie SSO → Service Provider and copy the SP Entity ID and ACS URL.
- In Azure, create a new Enterprise Application of type “Non-gallery application” and open its Single sign-on → SAML blade.
- Paste the SP Entity ID into Azure’s Identifier (Entity ID) field and the ACS URL into the Reply URL (Assertion Consumer Service URL) field.
- Under “SAML Signing Certificate”, download the Federation Metadata XML (or copy the Login URL and certificate).
- Back in WordPress, open Identity Provider → Quick Setup and either upload the metadata XML or paste the metadata URL. SecurePie auto-fills Entity ID, Login URL and X.509 Certificate.
- Assign your Azure users / groups to the Enterprise Application, then run Test Configuration in WordPress to confirm attributes flow through correctly before enabling the SSO button on the login page.
Setting up SAML SSO with Okta
Okta-to-WordPress SAML SSO with SecurePie follows the same pattern:
- In the WordPress admin, open SecurePie SSO → Service Provider and copy the SP Entity ID, ACS URL and Single Logout URL.
- In the Okta admin, go to Applications → Create App Integration → SAML 2.0, give the app a name, and continue to step 2 of Okta’s wizard.
- Paste the SP Entity ID into Okta’s Audience URI (SP Entity ID) field and the ACS URL into the Single Sign-on URL field.
- Configure Okta’s attribute statements to send email, firstName, lastName, and optionally a groups claim for role mapping.
- After saving, open the Okta Sign On tab, click View SAML setup instructions, and copy the Identity Provider Single Sign-On URL, Identity Provider Issuer and the X.509 Certificate.
- Back in WordPress, paste these into Identity Provider Setup (or use Okta’s metadata URL). Run Test Configuration to verify the SAML assertion before going live.
Requirements
- PHP 7.4 or higher
- PHP extensions: dom, openssl, zlib (enabled by default on most hosts)
- WordPress 5.8 or higher
External Services
This plugin implements the SAML 2.0 protocol, which requires communication with an external Identity Provider (IdP) that is configured by the site administrator. No data is sent to any external service without the administrator explicitly configuring the connection.
Identity Provider Communication
When a user initiates SSO login, the plugin redirects the user’s browser to the Identity Provider’s SAML Login URL (configured by the administrator). The following data is sent as part of the standard SAML 2.0 AuthnRequest:
- The Service Provider Entity ID (your site’s identifier)
- The Assertion Consumer Service URL (your site’s callback URL)
- A unique request ID for replay prevention
The Identity Provider then authenticates the user and sends a SAML Response back to your site containing the user’s identity attributes (such as email, name, and group membership).
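As an added example that is not SecurePie's own code, here is what the exchange described above looks like on the SP side when the AuthnRequest is sent with the HTTP-Redirect binding listed under Features: the three fields named above (SP Entity ID, ACS URL, unique request ID) are placed in the request, the ID is remembered so the returned Response can be matched to it, and the XML is DEFLATE-compressed, base64-encoded and URL-encoded into the SAMLRequest query parameter. Only ext/dom and ext/zlib are used. The Entity ID, ACS URL, IdP Login URL and the $issuedRequestIds array are placeholders for the plugin's configured values and store; the request is unsigned.

```php
<?php
// Added example, not SecurePie's own code: building the AuthnRequest described above and
// sending it with the HTTP-Redirect binding, using only ext/dom and ext/zlib. The SP
// Entity ID, ACS URL and IdP Login URL below are placeholders for the plugin's configured
// values; $issuedRequestIds stands in for whatever server-side store the Response is
// later checked against.
function newSamlId(): string
{
    // IDs are xs:ID values, which may not start with a digit, hence the leading underscore.
    return '_' . bin2hex(random_bytes(20));
}

function buildAuthnRequest(string $id, string $spEntityId, string $acsUrl, string $idpLoginUrl): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $req = $doc->createElementNS('urn:oasis:names:tc:SAML:2.0:protocol', 'samlp:AuthnRequest');
    $doc->appendChild($req);
    $req->setAttribute('ID', $id);
    $req->setAttribute('Version', '2.0');
    $req->setAttribute('IssueInstant', gmdate('Y-m-d\TH:i:s\Z'));
    $req->setAttribute('Destination', $idpLoginUrl);          // the IdP checks this against its own URL
    $req->setAttribute('AssertionConsumerServiceURL', $acsUrl);
    $req->setAttribute('ProtocolBinding', 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST');
    $issuer = $doc->createElementNS('urn:oasis:names:tc:SAML:2.0:assertion', 'saml:Issuer');
    $issuer->appendChild($doc->createTextNode($spEntityId));   // text node, so the value is escaped
    $req->appendChild($issuer);
    return $doc->saveXML($req);                                 // element only, no XML declaration
}

// HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode into the query string.
function redirectBindingUrl(string $idpLoginUrl, string $authnRequestXml, ?string $relayState = null): string
{
    $params = ['SAMLRequest' => base64_encode(gzdeflate($authnRequestXml, 9))];
    if ($relayState !== null) $params['RelayState'] = $relayState;
    $sep = strpos($idpLoginUrl, '?') === false ? '?' : '&';
    return $idpLoginUrl . $sep . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// The inverse, i.e. what the IdP does on receipt; useful for checking that the encoding round-trips.
function decodeRedirectBinding(string $url): string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    $raw = base64_decode($q['SAMLRequest'] ?? '', true);
    $xml = $raw ? gzinflate($raw) : false;
    if ($xml === false) throw new RuntimeException('SAMLRequest is not deflated base64');
    return $xml;
}

$issuedRequestIds = [];
$id = newSamlId();
$issuedRequestIds[$id] = time() + 300;   // keep with a short TTL; a Response whose InResponseTo is unknown is rejected
$xml = buildAuthnRequest($id, 'https://wp.example.com/saml/metadata', 'https://wp.example.com/saml/acs', 'https://idp.example.com/sso/saml');
// RelayState is echoed back by the IdP untouched, so keep it a same-site path and revalidate it on return.
$url = redirectBindingUrl('https://idp.example.com/sso/saml', $xml, '/wp-admin/');
if (decodeRedirectBinding($url) !== $xml) throw new RuntimeException('encoding round-trip failed');
// header('Location: ' . $url, true, 302); exit;
```

The request ID is the only thing tying the later Response to this browser session, which is why it is generated from random_bytes and stored server-side before the redirect rather than derived from anything the client supplies. RelayState deserves the same suspicion on the way back: treat it as an untrusted path, not a URL, or an IdP-initiated redirect becomes an open redirect on the WordPress site.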
This communication is entirely between your WordPress site and the IdP that you configure. No data is sent to SecurePie or any other third party.
The terms of service and privacy policy for the Identity Provider depend on which provider you choose to configure (e.g., Microsoft Azure AD, Okta, Google Workspace). Please consult your Identity Provider’s documentation for their specific terms.
IdP Metadata Import (Optional)
The plugin can optionally fetch Identity Provider metadata from a URL provided by the administrator. This is a one-time server-to-server request to retrieve the IdP’s public configuration (Entity ID, Login URL, X.509 Certificate). No user data is sent during this request.
SAML Attribute Namespace URIs
The plugin references standard SAML attribute namespace URIs (e.g., http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) as identifiers within SAML assertions. These are XML namespace strings used for attribute identification and are not HTTP requests to external services.
