SSO & SAML Login — Azure AD / Entra ID

Description

Microsoft Login for WordPress lets your users sign in to WordPress using their Microsoft Azure AD / Entra ID credentials – no separate password needed. Choose between SAML 2.0 and OpenID Connect (OIDC) to match your organization’s configuration.

Why this plugin?

  • Microsoft-focused. Built specifically for Azure AD / Entra ID.
  • Simple setup. Import SAML metadata or use OIDC discovery to auto-fill endpoints.
  • Clean admin UX. One settings area with guided setup and test tools.
  • Security-first. SAML uses onelogin/php-saml; OIDC validates RS256 tokens against JWKS.

Free Features

  • SAML 2.0 SP login flow (Azure AD / Entra ID as IdP)
  • OpenID Connect Authorization Code + PKCE login flow
  • Auto-create WordPress users on first login (JIT provisioning)
  • Configurable default role for new users
  • SP metadata download and SAML metadata URL import
  • OIDC tenant discovery and endpoint validation tools
  • Emergency admin bypass URL for lockout recovery
  • WP-CLI commands (wp saml status, wp saml import-metadata, wp saml regen-cert, wp saml test)

Pro Features (separate plugin)

  • Role mapping (map Azure AD roles/groups to WordPress roles)
  • SSO enforcement by WordPress role, with per-user bypass exceptions
  • Attribute sync on login (first name, last name, display name)
  • Audit log (login success/failure, user creation, role mapping, SSO enforcement, logout)
  • Audit log CSV export and retention settings
  • Microsoft Graph user sync and import tools:
      • App-only Graph connection test
      • Group member preview/import
      • Daily background sync via WP-Cron
      • Optional deprovisioning (remove role when user is disabled/removed)

Requirements

  • PHP 8.0 or higher
  • PHP extensions: openssl, dom, zlib
  • WordPress 6.3 or higher
  • A Microsoft Azure AD / Entra ID tenant

Setup Overview

SAML:

  1. Install and activate the plugin.
  2. Go to Settings -> SSO & SAML Login.
  3. Copy the SP Entity ID and ACS URL from the SP Information tab.
  4. Create a new Enterprise Application in Azure AD (non-gallery app, enable SAML SSO).
  5. Paste your App Federation Metadata URL into the plugin and click Import Metadata.
  6. Save settings. Your Microsoft login button appears on wp-login.php.

OIDC:

  1. Create an App Registration in Azure and add your site’s /saml/oidc-callback as the Redirect URI.
  2. In plugin settings, select OpenID Connect, enter Tenant ID, click Fetch Discovery.
  3. Enter Client ID and Client Secret, then save.

Privacy

This plugin does not send data to third parties except as described in the External services section below. SSO and audit data are stored in your own WordPress database.

External services

This plugin connects to external services to provide authentication and optional paid features. No data is sent to any external service except as described below.

1) Microsoft Azure AD / Entra ID (required for SSO login)

Used for SAML 2.0 and OpenID Connect authentication.

Data sent and when:

  • On SSO login start, the browser is redirected to Microsoft with Azure app/protocol parameters (tenant endpoint, app/client ID, redirect URI, state, scopes, SAML request/relay state as applicable).
  • On OIDC callback, the site sends the one-time authorization code (and PKCE verifier) to Microsoft’s token endpoint.
  • On SAML setup import/test actions, the site fetches your tenant’s federation metadata URL.
  • On logout (if SLO/end-session is enabled), the browser is redirected to Microsoft’s logout endpoint.

Returned identity claims (email, name, subject/object ID, roles/groups) are used to authenticate/provision users and stored in your WordPress database.

  • Service: https://login.microsoftonline.com/
  • Privacy Policy: https://privacy.microsoft.com/en-us/privacystatement
  • Terms of Service: https://www.microsoft.com/en-us/servicesagreement

2) Microsoft Graph API (Pro only; when configured by the site admin)

Used to sync users and groups from Microsoft Entra ID into WordPress.

Data sent and when:

  • When an admin runs a Graph test, import, or sync (manual or scheduled), the site sends requests to Microsoft Graph using app-only access tokens.
  • Requests include query parameters for the configured sync operations (group/member lookups, account status checks, etc.).

Returned directory fields (user principal name, email, display name, object IDs, group membership, account status) are used to create, update, or deprovision WordPress users per plugin settings.

  • Service: https://graph.microsoft.com/
  • Privacy Policy: https://privacy.microsoft.com/en-us/privacystatement
  • Terms of Service: https://www.microsoft.com/en-us/servicesagreement

3) Freemius (optional; only when admin opts in or activates a paid license)

Used for licensing, upgrade flow, and optional analytics.

Data sent and when:

  • On activation, an opt-in prompt is shown; no data is sent unless the admin consents.
  • On license activation/validation, the site exchanges license, account, and site information with Freemius servers.
  • If telemetry opt-in is accepted, usage and diagnostic events may be sent per Freemius configuration.

  • Service: https://freemius.com/
  • Privacy Policy: https://freemius.com/privacy/
  • Terms of Service: https://freemius.com/terms/

Screenshots

  • SP Information tab with Entity ID, ACS URL, and metadata/certificate data.
  • Configuration tab for SAML or OIDC setup and connection tests.
  • WordPress login page with Microsoft sign-in button.

Installation

Automatic Installation

  1. In WordPress admin, go to Plugins -> Add New.
  2. Search for Microsoft Login for WordPress.
  3. Click Install Now, then Activate.

Manual Installation

  1. Download the plugin ZIP.
  2. Go to Plugins -> Add New -> Upload Plugin.
  3. Upload the ZIP and activate.
  4. Go to Settings -> SSO & SAML Login.

FAQ

Does this work with Microsoft Entra ID (formerly Azure Active Directory)?

Yes. Azure AD was renamed to Entra ID. This plugin supports both naming conventions.

Do I need external software?

No. SAML parsing is handled by bundled onelogin/php-saml. OIDC validation uses built-in PHP OpenSSL.

SAML or OIDC – which should I choose?

For most teams, OIDC is simpler to configure. Choose SAML if your organization already standardizes on SAML or requires SAML-specific controls.

Can users still log in with WordPress passwords?

Yes, by default. If Pro SSO enforcement is enabled for selected roles, password login is blocked for those roles.

What happens on first login?

If auto-create is enabled, a new WordPress account is created from IdP identity data and assigned your configured default role.

I am locked out. How do I recover?

Use the emergency bypass URL shown in Settings -> SSO & SAML Login -> Misc / Reset.

What is the difference between Free and Pro?

Free includes core SAML/OIDC login and provisioning for unlimited users.

Pro (a separate plugin) adds role mapping, SSO enforcement, attribute sync, audit log (with CSV export/retention), and Microsoft Graph import/sync/deprovision features.

How do I upgrade from Free to Pro?

Use the Upgrade to Pro links inside plugin settings or the account/upgrade entry in the plugin UI.

What developer hooks are available?

Available in all plans

ssosamlentra_login_success

Fires after a successful SSO login.

ssosamlentra_login_failed

Fires when an SSO login attempt fails.

ssosamlentra_after_provision_user

Fires after JIT provisioning completes.

Pro-only hooks (active with valid Pro license)

ssosamlentra_user_attributes *(filter)*

Filter normalized attributes before provisioning.

ssosamlentra_pre_role_mapping *(filter)*

Filter resolved WordPress role before applying role mapping.

ssosamlentra_role_mapped

Fires after mapped role is applied.

ssosamlentra_sso_enforced

Fires when password login is blocked due to SSO enforcement.

ssosamlentra_graph_sync_user *(filter)*

Filter whether an individual Graph user should be synced.
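
As an added example (not code from the plugin itself), a small mu-plugin that attaches to the free hooks listed above to write SSO outcomes to the WordPress debug log and alert the site admin on a burst of failed SSO logins from one address. The callback arguments (a WP_User for the success and provisioning hooks, a reason string for the failure hook) are assumptions, since this page does not document them.

```php
<?php
/**
 * Added example, not part of the plugin: a small mu-plugin that uses the
 * free hooks for security logging and burst-failure alerting.
 * The callback arguments are ASSUMPTIONS (this page does not document them);
 * check the plugin source before relying on them.
 */

// Assumption: the success hook passes the authenticated WP_User.
add_action( 'ssosamlentra_login_success', function ( $user ) {
    if ( $user instanceof WP_User ) {
        error_log( sprintf( '[sso] login success user_id=%d login=%s',
            $user->ID, $user->user_login ) );
    }
}, 10, 1 );

// Assumption: the failure hook passes a short reason string.
add_action( 'ssosamlentra_login_failed', function ( $reason = '' ) {
    $ip  = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    $key = 'sso_fail_' . md5( $ip );            // one transient per source address
    $n   = (int) get_transient( $key ) + 1;      // failures seen in the last 15 minutes
    set_transient( $key, $n, 15 * MINUTE_IN_SECONDS );
    error_log( sprintf( '[sso] login failed ip=%s reason=%s count=%d',
        $ip, (string) $reason, $n ) );
    if ( 5 === $n ) {
        // Notify the site admin once per burst of repeated SSO failures.
        wp_mail( get_option( 'admin_email' ), 'SSO login failure burst',
            "{$n} failed SSO logins from {$ip} within 15 minutes." );
    }
}, 10, 1 );

// Assumption: the provisioning hook passes the newly created WP_User.
add_action( 'ssosamlentra_after_provision_user', function ( $user ) {
    if ( $user instanceof WP_User ) {
        error_log( sprintf( '[sso] JIT provisioned user_id=%d email=%s',
            $user->ID, $user->user_email ) );
    }
}, 10, 1 );
```

Drop the file into wp-content/mu-plugins/ so it loads before regular plugins; in production, forward the log lines to your SIEM rather than relying on error_log alone.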

Changelog

1.0.1

  • Documentation and compliance updates.

1.0.0

  • Initial release.
  • SAML 2.0 SP flow using onelogin/php-saml.
  • OIDC + PKCE flow with RS256 JWT validation.
  • JIT user provisioning and default role assignment.
  • Metadata import/discovery tools.
  • Pro features (separate plugin): role mapping, SSO enforcement, attribute sync, audit log, and Graph user sync.
  • WP-CLI commands and emergency bypass URL.