SecurePie SSO SAML


SecurePie SSO SAML allows you to configure your WordPress site as a SAML 2.0 Service Provider (SP), enabling Single Sign-On with any SAML 2.0 compliant Identity Provider (IdP) such as Azure AD, Okta, Google Workspace, OneLogin, ADFS, and more.

This is a zero-dependency plugin — it uses only PHP’s built-in dom, openssl, and zlib extensions. No Composer, no external libraries, no conflicts with other plugins.

Features

  • Full SAML 2.0 SSO — AuthnRequest generation, Response validation, user provisioning
  • SP Metadata Endpoint — Auto-generated metadata XML for easy IdP configuration
  • IdP Metadata Parsing — Import IdP settings from a metadata URL or XML file
  • XML Digital Signature Verification — RSA-SHA256 and RSA-SHA1 support
  • Security Hardened — XXE prevention, signature wrapping attack protection, replay prevention, audience validation
  • Attribute Mapping — Map SAML attributes to WordPress user fields (username, email, first name, last name, display name)
  • Role Mapping — Assign WordPress roles based on IdP group/role attributes
  • Auto User Provisioning — Automatically create WordPress users on first SSO login
  • SSO Login Button — Customizable SSO button on the WordPress login page
  • Force SAML Login — Optionally redirect all login attempts through the IdP
  • Single Logout (SLO) — Send LogoutRequest to the IdP when users log out of WordPress
  • Test Configuration — Validate your SSO setup and see returned attributes before going live
  • HTTP-Redirect and HTTP-POST Bindings — Support for both SAML binding types
  • Clean Admin Interface — Professional tabbed settings page with copy-to-clipboard functionality

Supported Identity Providers

  • Microsoft Azure Active Directory (Entra ID)
  • Okta
  • Google Workspace
  • OneLogin
  • Salesforce
  • Auth0
  • PingFederate
  • Shibboleth
  • ADFS (Active Directory Federation Services)
  • Keycloak
  • Any SAML 2.0 compliant IdP

Requirements

  • PHP 7.4 or higher
  • PHP extensions: dom, openssl, zlib (enabled by default on most hosts)
  • WordPress 5.8 or higher

External Services

This plugin implements the SAML 2.0 protocol, which requires communication with an external Identity Provider (IdP) that is configured by the site administrator. No data is sent to any external service without the administrator explicitly configuring the connection.

Identity Provider Communication

When a user initiates SSO login, the plugin redirects the user’s browser to the Identity Provider’s SAML Login URL (configured by the administrator). The following data is sent as part of the standard SAML 2.0 AuthnRequest:

  • The Service Provider Entity ID (your site’s identifier)
  • The Assertion Consumer Service URL (your site’s callback URL)
  • A unique request ID for replay prevention

The Identity Provider then authenticates the user and sends a SAML Response back to your site containing the user’s identity attributes (such as email, name, and group membership).

This communication is entirely between your WordPress site and the IdP that you configure. No data is sent to SecurePie or any other third party.

The terms of service and privacy policy for the Identity Provider depend on which provider you choose to configure (e.g., Microsoft Azure AD, Okta, Google Workspace). Please consult your Identity Provider’s documentation for their specific terms.

IdP Metadata Import (Optional)

The plugin can optionally fetch Identity Provider metadata from a URL provided by the administrator. This is a one-time server-to-server request to retrieve the IdP’s public configuration (Entity ID, Login URL, X.509 Certificate). No user data is sent during this request.

SAML Attribute Namespace URIs

The plugin references standard SAML attribute namespace URIs (e.g., http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) as identifiers within SAML assertions. These are XML namespace strings used for attribute identification and are not HTTP requests to external services.

Details

Plugin code: securepie-sso-saml
Plugin version: 1.0.1
Author:
Outdated: No
WP version: 5.8 or higher
PHP version: 7.4 or higher
Test up to WP version: 6.9.4
Total installations: 0
Last updated: 2026-05-12
Rating:
Times rated: 0
Tags: authentication, login, saml, single-sign-on, sso