Open Access SSO

By idgold

Open Access SSO is a SAML 2.0 Service Provider for WordPress. It lets users sign in to your site through any standard SAML identity provider (Microsoft Entra ID, Okta, OneLogin, Keycloak, ADFS, Shibboleth, NetIQ Access Manager, etc.) instead of (or alongside) the built-in WordPress login form.

Built from scratch as a clean-room implementation. Fully open-source under GPLv2+. No paid tier, no telemetry, no external dependencies beyond xmlseclibs (MIT) for XML signature handling.

What it does

  • SAML 2.0 SP with HTTP-Redirect and HTTP-POST bindings, signed AuthnRequests, signed/encrypted assertion handling, SP-initiated and IdP-initiated Single Logout.
  • Multi-IdP — configure multiple identity providers, let users choose via a button or URL parameter (?idp=slug).
  • Attribute mapping — map SAML attributes to WordPress user fields (first name, last name, email, display name, plus arbitrary user_meta).
  • Role mapping — assign WordPress roles based on SAML attribute values, with exact / contains / regex match types, per-IdP rule sets, deny-unmapped option, default-role fallback.
  • Page access control — restrict pages, posts, and custom post types to specific roles or to “logged in via SSO” users; per-page meta box; [oasso_restrict] shortcode.
  • WooCommerce integration (optional) — map SAML attributes to WooCommerce customer fields; auto-link SSO users to existing customers.
  • Audit log with configurable retention.
  • Force-SSO mode with emergency bypass via OASSO_BYPASS constant in wp-config.php.
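
As an added illustration (not code from the Open Access SSO plugin), the following PHP models the role-mapping rules listed above: exact, contains and regex match types evaluated over multi-valued SAML attributes, a deny-unmapped switch, and a default-role fallback. The function name, rule-array layout, attribute names and sample values are all assumptions.

```php
<?php
// Added model of the role-mapping rules described above; not code from the
// Open Access SSO plugin. Function name, rule layout and sample data are assumed.

/**
 * Evaluate one IdP's rule set against the attributes released in the assertion.
 * SAML attributes are multi-valued, so every value of the named attribute is tried.
 * Returns the WordPress roles to assign, or null when the login must be denied.
 */
function oasso_demo_map_roles(array $rules, array $attrs, bool $denyUnmapped, ?string $defaultRole): ?array
{
    $roles = [];
    foreach ($rules as $rule) {
        foreach ($attrs[$rule['attribute']] ?? [] as $value) {
            $hit = match ($rule['match']) {
                'exact'    => $value === $rule['value'],
                'contains' => str_contains($value, $rule['value']),
                // This model anchors the pattern so a rule like "admin" cannot
                // match "not-admin"; an invalid pattern simply fails to match.
                'regex'    => @preg_match('~^(?:' . $rule['value'] . ')$~', $value) === 1,
                default    => false,
            };
            if ($hit) {
                $roles[$rule['role']] = true;
                break; // one matching value per rule is enough
            }
        }
    }
    if ($roles === []) {
        // No rule matched: deny-unmapped wins, otherwise fall back to the default role.
        return ($denyUnmapped || $defaultRole === null) ? null : [$defaultRole];
    }
    return array_keys($roles);
}

// Constructed sample rule set and released attributes (not from any real IdP).
$rules = [
    ['attribute' => 'groups', 'match' => 'exact',    'value' => 'wp-admins',       'role' => 'administrator'],
    ['attribute' => 'groups', 'match' => 'contains', 'value' => 'editorial',       'role' => 'editor'],
    ['attribute' => 'mail',   'match' => 'regex',    'value' => '.+@example\.org', 'role' => 'subscriber'],
];
$attrs = ['groups' => ['editorial-staff'], 'mail' => ['alice@example.org']];

print_r(oasso_demo_map_roles($rules, $attrs, true, null));                                   // rules matched
print_r(oasso_demo_map_roles($rules, ['mail' => ['bob@example.com']], true, null));          // deny-unmapped on
print_r(oasso_demo_map_roles($rules, ['mail' => ['bob@example.com']], false, 'subscriber')); // default-role fallback
```

Each rule grants at most one role, and a user who matches nothing is either denied outright or given only the configured default role, which is the behaviour a reviewer should expect from a deny-unmapped setting.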

Privacy

This plugin’s only outbound HTTP requests go to the IdP metadata URL you enter: once when an administrator clicks “Fetch IdP Metadata from URL”, and — only if you turn on the optional certificate-rotation check for an IdP — on a recurring WP-Cron schedule that re-fetches that same URL. Certificate-rotation checks are disabled by default. No telemetry, no analytics, no calls to any third-party service. All configuration is stored in wp_options on your own site.

Requirements

  • WordPress 6.0+
  • PHP 8.1+
  • A SAML 2.0 identity provider you control or have access to.

External Services

This plugin is a SAML 2.0 Service Provider (SP). It sends no telemetry or analytics and never connects to any service operated by the plugin author. Its only external interactions are with the SAML Identity Provider (IdP) that you, the site administrator, configure — for example Microsoft Entra ID, Okta, OneLogin, Keycloak, ADFS, Shibboleth, or NetIQ Access Manager. There is no built-in or default IdP; the IdP is chosen and operated by you or your organisation.

Identity Provider metadata fetch

When an administrator clicks “Fetch IdP Metadata from URL” in the plugin’s admin screens, the plugin makes a single server-side HTTP GET request to the metadata URL the administrator entered. No site or user data is sent beyond a standard HTTP request; the response (SAML metadata XML) is parsed and stored in your site’s database. This never happens on the front end.

Optionally, you can enable a certificate-rotation check for an IdP (off by default). When enabled, WP-Cron re-fetches that same administrator-entered metadata URL on a schedule (for example daily) so the plugin can warn you before the IdP’s signing certificate expires or changes. This is the only automatic outbound request the plugin makes, it is opt-in per IdP, and it contacts only the metadata URL you configured.

SAML single sign-on flow

When a visitor signs in through SSO, their browser is redirected to your configured IdP (carrying a standard SAML AuthnRequest). After the visitor authenticates, the IdP returns a signed SAML assertion to your site, which the plugin validates and uses to create or update the corresponding WordPress user. The data exchanged is the SAML authentication request and response — which includes the user identifier and whatever attributes your IdP is configured to release. This exchange happens only when a visitor initiates an SSO login.

Because the IdP is a service you select and operate (or that your organisation operates), its terms of service and privacy policy are defined by that provider. Consult your chosen identity provider’s own documentation for those terms (for example, the privacy and terms pages of Microsoft Entra ID, Okta, OneLogin, etc.).

Details

  • Plugin code: open-access-sso
  • Plugin version: 2.1.2
  • Outdated: No
  • WP version: 6.0 or higher
  • PHP version: 8.1 or higher
  • Tested up to WP version: 7.0
  • Total installations: 0
  • Last updated: 2026-06-17
  • Times rated: 0

Tags: access-control, authentication, saml, single-sign-on, sso