
SSO & SAML Login — Azure AD / Entra ID

Author: meritstory
Log in to WordPress with Microsoft Azure AD / Entra ID using SAML 2.0 or OpenID Connect (OIDC). Simple setup, enterprise-grade security.
Version: 1.0.3
Last updated: Apr 29, 2026

Microsoft Login for WordPress lets your users sign in to WordPress using their Microsoft Azure AD / Entra ID credentials – no separate password needed. Choose between SAML 2.0 and OpenID Connect (OIDC) to match your organization’s configuration.

Why this plugin?

  • Microsoft-focused. Built specifically for Azure AD / Entra ID.
  • Simple setup. Import SAML metadata or use OIDC discovery to auto-fill endpoints.
  • Clean admin UX. One settings area with guided setup and test tools.
  • Security-first. SAML uses onelogin/php-saml; OIDC validates RS256 tokens against JWKS.

Free Features

  • SAML 2.0 SP login flow (Azure AD / Entra ID as IdP)
  • OpenID Connect Authorization Code + PKCE login flow
  • Auto-create WordPress users on first login (JIT provisioning)
  • Configurable default role for new users
  • SP metadata download and SAML metadata URL import
  • OIDC tenant discovery and endpoint validation tools
  • Emergency admin bypass URL for lockout recovery
  • WP-CLI commands (wp saml status, wp saml import-metadata, wp saml regen-cert, wp saml test)

Pro Features (separate plugin)

  • Role mapping (map Azure AD roles/groups to WordPress roles)
  • SSO enforcement by WordPress role, with per-user bypass exceptions
  • Attribute sync on login (first name, last name, display name)
  • Audit log (login success/failure, user creation, role mapping, SSO enforcement, logout)
  • Audit log CSV export and retention settings
  • Microsoft Graph user sync and import tools:
      ◦ App-only Graph connection test
      ◦ Group member preview/import
      ◦ Daily background sync via WP-Cron
      ◦ Optional deprovisioning (remove role when user is disabled/removed)

Requirements

  • PHP 8.0 or higher
  • PHP extensions: openssl, dom, zlib
  • WordPress 6.3 or higher
  • A Microsoft Azure AD / Entra ID tenant

Setup Overview

SAML:

  1. Install and activate the plugin.
  2. Go to Settings -> SSO & SAML Login.
  3. Copy the SP Entity ID and ACS URL from the SP Information tab.
  4. Create a new Enterprise Application in Azure AD (non-gallery app, enable SAML SSO).
  5. Paste your App Federation Metadata URL into the plugin and click Import Metadata.
  6. Save settings. Your Microsoft login button appears on wp-login.php.

OIDC:

  1. Create an App Registration in Azure and add your site’s /saml/oidc-callback URL as the Redirect URI.
  2. In plugin settings, select OpenID Connect, enter Tenant ID, click Fetch Discovery.
  3. Enter Client ID and Client Secret, then save.

Privacy

This plugin does not send data to third parties except as described in the External services section below. SSO and audit data are stored in your own WordPress database.

External services

This plugin connects to external services to provide authentication and optional paid features. No data is sent to any external service except as described below.

1) Microsoft Azure AD / Entra ID (required for SSO login)

Used for SAML 2.0 and OpenID Connect authentication.

Data sent and when:

  • On SSO login start, the browser is redirected to Microsoft with Azure app/protocol parameters (tenant endpoint, app/client ID, redirect URI, state, scopes, SAML request/relay state as applicable).
  • On OIDC callback, the site sends the one-time authorization code (and PKCE verifier) to Microsoft’s token endpoint.
  • On SAML setup import/test actions, the site fetches your tenant’s federation metadata URL.
  • On logout (if SLO/end-session is enabled), the browser is redirected to Microsoft’s logout endpoint.

Returned identity claims (email, name, subject/object ID, roles/groups) are used to authenticate/provision users and stored in your WordPress database.
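The OIDC steps in the Setup Overview and the callback exchange described above (redirect to Microsoft with PKCE, then the one-time code plus the PKCE verifier sent to the token endpoint), as an added WordPress PHP example that is not the plugin's own code. It assumes the Entra ID v2.0 endpoints under login.microsoftonline.com and a transient-based store for state and verifier; tenant, client ID, secret and redirect URI are caller-supplied placeholders.

```php
<?php
// Added example, not the plugin's own code: the Authorization Code + PKCE steps
// the page describes, against the Entra ID v2.0 endpoints. Tenant, client id,
// secret and redirect URI are caller-supplied placeholders.
const ENTRA_HOST = 'https://login.microsoftonline.com/';

function b64url(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// RFC 7636: keep the verifier server-side, send only its S256 challenge to Microsoft.
function pkce_pair(): array {
    $verifier = b64url(random_bytes(32));                 // 43 chars, within 43..128
    return [$verifier, b64url(hash('sha256', $verifier, true))];
}

// Login start: state and verifier live in a short-lived transient keyed by state.
function start_login(string $tenant, string $clientId, string $redirectUri): string {
    [$verifier, $challenge] = pkce_pair();
    $state = b64url(random_bytes(16));                    // 22 chars
    set_transient('oidc_' . $state, ['verifier' => $verifier], 5 * MINUTE_IN_SECONDS);
    $params = [
        'client_id' => $clientId, 'response_type' => 'code', 'redirect_uri' => $redirectUri,
        'response_mode' => 'query', 'scope' => 'openid profile email', 'state' => $state,
        'code_challenge' => $challenge, 'code_challenge_method' => 'S256',
    ];
    return ENTRA_HOST . rawurlencode($tenant) . '/oauth2/v2.0/authorize?' . http_build_query($params);
}

// Callback (/saml/oidc-callback): reject unknown or replayed state, then send the
// one-time code plus the stored verifier to the token endpoint, as the page describes.
function handle_callback(string $tenant, string $clientId, string $clientSecret,
                         string $redirectUri, array $query) {
    $state = $query['state'] ?? '';
    $saved = preg_match('/^[A-Za-z0-9_-]{22}$/', $state) ? get_transient('oidc_' . $state) : false;
    delete_transient('oidc_' . $state);                   // single use, matched or not
    if ($saved === false || empty($query['code'])) {
        return new WP_Error('oidc_state', 'Unknown or expired state; login aborted.');
    }
    $resp = wp_remote_post(ENTRA_HOST . rawurlencode($tenant) . '/oauth2/v2.0/token', [
        'body' => [
            'grant_type' => 'authorization_code', 'client_id' => $clientId,
            'client_secret' => $clientSecret, 'code' => $query['code'],
            'redirect_uri' => $redirectUri, 'code_verifier' => $saved['verifier'],
        ],
    ]);
    if (is_wp_error($resp) || wp_remote_retrieve_response_code($resp) !== 200) {
        return new WP_Error('oidc_token', 'Token endpoint rejected the exchange.');
    }
    return json_decode(wp_remote_retrieve_body($resp), true); // id_token still needs JWKS/RS256 checks
}
```

The returned id_token is not yet trusted at this point: its RS256 signature, issuer, audience and expiry must still be checked against the tenant's JWKS before any user is created or signed in.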

  • Service: https://login.microsoftonline.com/
  • Privacy Policy: https://privacy.microsoft.com/en-us/privacystatement
  • Terms of Service: https://www.microsoft.com/en-us/servicesagreement

2) Microsoft Graph API (Pro only; when configured by the site admin)

Used to sync users and groups from Microsoft Entra ID into WordPress.

Data sent and when:

  • When an admin runs a Graph test, import, or sync (manual or scheduled), the site sends requests to Microsoft Graph using app-only access tokens.
  • Requests include query parameters for the configured sync operations (group/member lookups, account status checks, etc.).

Returned directory fields (user principal name, email, display name, object IDs, group membership, account status) are used to create, update, or deprovision WordPress users per plugin settings.

  • Service: https://graph.microsoft.com/
  • Privacy Policy: https://privacy.microsoft.com/en-us/privacystatement
  • Terms of Service: https://www.microsoft.com/en-us/servicesagreement

3) Freemius (optional; only when admin opts in or activates a paid license)

Used for licensing, upgrade flow, and optional analytics.

Data sent and when:

  • On activation, an opt-in prompt is shown; no data is sent unless the admin consents.
  • On license activation/validation, the site exchanges license, account, and site information with Freemius servers.
  • If telemetry opt-in is accepted, usage and diagnostic events may be sent per Freemius configuration.

  • Service: https://freemius.com/
  • Privacy Policy: https://freemius.com/privacy/
  • Terms of Service: https://freemius.com/terms/
Plans: Free / Paid
Tested up to: WordPress 6.9.4