Title: Twelve Legs Marketing SSO
Author: websitetwelvelegsmarketing
Published: October 21, 2025
Last modified: October 22, 2025

---


![](https://ps.w.org/twelve-legs-marketing-sso/assets/icon-256x256.png?rev=3382681)

# Twelve Legs Marketing SSO

 By [websitetwelvelegsmarketing](https://profiles.wordpress.org/websitetwelvelegsmarketing/)

[Download](https://downloads.wordpress.org/plugin/twelve-legs-marketing-sso.1.0.2.zip)


## Description

TWL SSO is a secure single sign-on plugin for WordPress that enables seamless authentication
using RS256 JWT tokens from an external SSO application. It provides login security
features and is designed to give Twelve Legs Marketing centralized authentication
management.

#### Key Features

 * **Single Sign In**: Agency employees can log into websites they manage from a
   central dashboard.
 * **Just-in-Time User Provisioning**: Automatic user creation and role assignment
 * **JWT Validation**: Full RS256 signature verification with JWKS endpoint integration
 * **Key Rotation**: Support key rotation through JWKS endpoint
 * **Role Management**: Flexible role assignment from JWT claims
 * **Referrer Validation**: Enhanced security through referrer validation
 * **Audience Validation**: Ensures tokens are valid for the specific WordPress 
   site
 * **Token Expiration**: Built-in token expiration and clock skew tolerance
 * **Email Validation**: Comprehensive email validation with optional allowlist
 * **Caching**: JWKS caching for improved performance

#### Security Features

 * Referrer validation to prevent unauthorized access
 * JWT signature verification using public key cryptography
 * Issuer validation to ensure tokens come from trusted sources
 * Audience validation to prevent token reuse across sites
 * Token expiration validation with configurable leeway
 * Email format validation and filtering via hook

#### Use Cases

 * WordPress installations managed centrally by an agency
 * Organizations using Google as an external identity provider

### Usage

#### Authentication Flow

 1. User clicks a login link in the SSO application (sso.twelvelegsmarketing.com)
 2. SSO application redirects to WordPress with JWT token: `/wp-login.php?action=twl_sso&token=JWT_TOKEN`
 3. Plugin validates the JWT token signature and claims
 4. Plugin extracts user information from JWT claims
 5. Plugin creates or retrieves WordPress user
 6. Plugin assigns appropriate role based on JWT claims
 7. User is logged into WordPress

#### JWT Claims

The plugin expects the following JWT claims:

 * `email` or `sub`: User’s email address
 * `iss`: Issuer (must match allowed issuers)
 * `aud`: Audience (must match WordPress site URL)
 * `exp`: Expiration time
 * `nbf`: Not before time (optional)
 * `wp_role`: WordPress role to assign (optional)
 * `name`: User’s display name (optional)
 * `given_name`: User’s first name (optional)
 * `family_name`: User’s last name (optional)

#### Configuration

The plugin automatically configures itself based on the WordPress environment:

 * **Production**: Only allows `https://sso.twelvelegsmarketing.com` as issuer
 * **Development/Staging**: Also allows `https://localhost:8443` as issuer

#### Customization

You can customize the plugin behavior using WordPress filters:

 * `twl_sso_allow_email`: Filter to control which email addresses are allowed
 * `twl_sso_allowed_roles`: Filter to control which roles can be assigned
 * `twl_sso_allowed_issuers`: Filter to control which issuers are allowed
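
The claim checks listed under JWT Claims and Configuration, sketched as an added Python example (not the plugin's own PHP code). It assumes the RS256 signature has already been verified against the JWKS key; the leeway value, role allowlist, default role, sample site URL, and the choice to reject a disallowed `wp_role` outright are assumptions.

```python
import base64
import json
import time

ALLOWED_ISSUERS = {"https://sso.twelvelegsmarketing.com"}  # production issuer from the page
ALLOWED_ROLES = {"subscriber", "editor", "administrator"}  # assumed allowlist
DEFAULT_ROLE = "subscriber"                                # assumed site default role
LEEWAY = 60                                                # assumed clock-skew tolerance (s)

# Constructed sample: RS256 header segment with placeholder payload and signature.
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.c2ln"
SAMPLE_CLAIMS = {"iss": "https://sso.twelvelegsmarketing.com", "aud": "https://client.example",
                 "exp": 1_700_000_300, "sub": "dev@agency.example", "wp_role": "editor"}


def header_alg(token):
    """Return the alg named in the JWT header, or None if the header is not an object."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped base64url padding
    header = json.loads(base64.urlsafe_b64decode(padded))
    return header.get("alg") if isinstance(header, dict) else None


def check_claims(token, claims, site_url, now=None):
    """Check claims of a signature-verified token; return (email, role) or raise ValueError."""
    now = time.time() if now is None else now
    if header_alg(token) != "RS256":
        raise ValueError("unsupported alg")  # rejects 'none' and HS256 tokens
    if claims.get("iss") not in ALLOWED_ISSUERS:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if site_url.rstrip("/") not in [str(a).rstrip("/") for a in audiences]:
        raise ValueError("wrong audience")  # token was minted for another site
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + LEEWAY:
        raise ValueError("expired or missing exp")
    nbf = claims.get("nbf")  # optional claim
    if nbf is not None and (not isinstance(nbf, (int, float)) or now < nbf - LEEWAY):
        raise ValueError("not yet valid")
    email = claims.get("email") or claims.get("sub")
    if not isinstance(email, str) or email.count("@") != 1:
        raise ValueError("no usable email")
    role = claims.get("wp_role", DEFAULT_ROLE)
    if role not in ALLOWED_ROLES:
        raise ValueError("role not allowed")  # assumed policy: reject, do not downgrade
    return email, role
```

Calling `check_claims(SAMPLE_TOKEN, SAMPLE_CLAIMS, "https://client.example/", now=1_700_000_000)` returns the email and role that just-in-time provisioning would then use.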

### Support

For support, please contact Twelve Legs Marketing at https://twelvelegsmarketing.com

### Privacy Policy

This plugin does not collect, store, or transmit any personal data. All authentication
is handled through secure JWT tokens from your configured SSO provider.

## Installation

 1. Upload the plugin files to the `/wp-content/plugins/twelve-legs-marketing-sso/`
    directory, or install the plugin through the WordPress plugins screen directly.
 2. Activate the plugin through the ‘Plugins’ screen in WordPress

#### Manual Installation

 1. Download the plugin files
 2. Extract the files to your `/wp-content/plugins/twelve-legs-marketing-sso/` directory

## FAQ

### How does this plugin work?

The plugin intercepts login requests with a special action parameter and JWT token.
It validates the JWT signature using public keys from a JWKS endpoint, extracts 
user information from the token claims, and creates or updates the WordPress user
accordingly.

### What JWT algorithm does this plugin support?

This plugin supports RS256 (RSA with SHA-256) JWT signatures only. This provides
strong security through public key cryptography.

### Can I use this with any SSO provider?

The plugin is designed to work with any SSO provider that can issue RS256 JWTs and
provide a JWKS endpoint. You’ll need to configure your SSO provider to issue tokens
with the correct audience and claims.

### How do I configure the allowed issuers?

The plugin automatically configures allowed issuers based on the WordPress environment.
In production, only `https://sso.twelvelegsmarketing.com` is allowed. In development/staging,
`https://localhost:8443` is also allowed.

### What happens if a user doesn’t exist?

The plugin will automatically create a new WordPress user with the information from
the JWT claims. The username is generated from the email address, and a random password
is assigned.

### How are user roles assigned?

User roles can be assigned in two ways:

 1. Through the `wp_role` claim in the JWT token
 2. Using the WordPress default role if no role is specified in the token

### Is this plugin secure?

Yes, the plugin implements multiple security layers including JWT signature verification,
referrer validation, issuer validation, audience validation, and token expiration
checking.


## Contributors & Developers

“Twelve Legs Marketing SSO” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ websitetwelvelegsmarketing ](https://profiles.wordpress.org/websitetwelvelegsmarketing/)
 *   [ jeremyjsimmons ](https://profiles.wordpress.org/jeremyjsimmons/)


### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/twelve-legs-marketing-sso/),
check out the [SVN repository](https://plugins.svn.wordpress.org/twelve-legs-marketing-sso/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/twelve-legs-marketing-sso/)
by [RSS](https://plugins.trac.wordpress.org/log/twelve-legs-marketing-sso/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.2

 * Version bump to sync plugin file with readme.txt

#### 1.0.1

 * Update install instructions
 * Updated Required versions

#### 1.0

 * Initial release
 * JWT validation with RS256 signature verification
 * JWKS endpoint integration
 * Environment-based issuer validation
 * Just-in-time user provisioning
 * Role assignment from JWT claims
 * Referrer validation for security
 * Comprehensive test suite with 39 tests

## Meta

 * Version **1.0.2**
 * Last updated **8 months ago**
 * Active installations **10+**
 * WordPress version **5.8 or higher**
 * Tested up to **6.8.5**
 * PHP version **8.0 or higher**
 * Tags: [authentication](https://wordpress.org/plugins/tags/authentication/), [jwt](https://wordpress.org/plugins/tags/jwt/),
   [login](https://wordpress.org/plugins/tags/login/), [Single Sign-on](https://wordpress.org/plugins/tags/single-sign-on/),
   [sso](https://wordpress.org/plugins/tags/sso/)
