How to Properly Setup SAML Single Sign-On (SSO) in WordPress

Are you interested in learning how to set up SAML single sign-on (SSO) in WordPress?

By enabling single sign-on in WordPress, your users will be able to log in to your site quickly and securely without having to remember a username and password.

They can instead use Google, Okta, or one of the many other SSO services.

We’ll show you how to set up SAML single sign-on in WordPress step by step in this article.

How to set up SAML Single Sign-On (SSO) in WordPress correctly

Why should you use SAML for single sign-on in WordPress?

SAML SSO is an open protocol that allows users to use the same credentials to log in to multiple websites. For example, you can use your Google account to log in to WordPress using single sign-on.

Users will be happier because they will not have to go through the password reset process and can instead use an existing login.

From the perspective of a website owner, it allows you to verify your users’ identities during login via a trusted provider, thereby improving WordPress security.

For internal company websites, single sign-on is extremely useful. It’s popular with company admin and HR teams because it makes onboarding new team members to multiple websites simple.

At Awesome Motive, we use single sign-on for our internal company websites so that our employees can use their company Gmail account to log in to multiple sites without having to remember multiple passwords.

Option for a Google sign-in screen

As a result, we’re going to show you how to set up SAML SSO in WordPress using two different WordPress plugins.

Method 1: Integrate Google Apps Login with SAML SSO

To easily set up SAML single sign-on in WordPress, we recommend using the Google Apps Login plugin. It’s what we use at WPBeginner so that our team members can use their Google accounts to log into WordPress.

The plugin is simple to set up and allows you to provide your users, employees, or students with the option of signing in quickly with a secure Google account.

The first step is to install and activate the plugin. See our step-by-step guide to installing a WordPress plugin for more information.

After you’ve installed the plugin, you’ll need to go to the Google Cloud Platform Console and create a new API to connect your Google account to WordPress.

To make a new API, go to the top of the screen and click the ‘Select a project’ drop-down menu.

If you’ve already created a Google developer project, your screen may look slightly different, but you can still create a new project by clicking the same drop-down arrow.

Choose a brand-new Google project.

A popup window will appear as a result of this.

Then, in the right-hand corner, click the ‘New Project’ button.

Select "New Project" from the drop-down menu.

In the ‘Project name’ box on the next screen, give your project a name. This will help you remember the project’s purpose, but it will not be visible to your visitors.

You should also double-check that the ‘Organization’ and ‘Location’ fields match the domain name of your website.

Create a new project and give it a name.

Click the ‘Create’ button after that.

Following the creation of the project, a drop-down notifications menu will appear, displaying your new project.

To open the project, click the ‘Select Project’ button.

Open a new project from the Notifications menu.

Then, in the left-hand menu, select ‘OAuth consent screen.’

There are two options available to you here. If you have a membership site or sell online courses and want to allow your users to log in with Google, the ‘External’ option makes sense.

Users within your company can only use the Google login if you select the ‘Internal’ option. You’ll need a premium Google Workspace account and your users must be added as team members to use this option.

Regardless of whether you choose Internal or External, every user who needs to log in must already have a WordPress account linked to their Gmail address. They won’t be able to log in otherwise.

See our guide on how to add new users to WordPress for more information.

With that in mind, we’ll go with the ‘External’ option because it gives us more control over who can log in.

Select External on the OAuth consent screen.

Click the ‘Create’ button after that.

This will take you to a screen where you can enter your app’s information. To begin, type your ‘App name’ and choose ‘User support email’ from the drop-down menu.

Enter the app's name and the user's email address for support.

Then, fill in the information for your ‘App domain.’ You must complete all three fields.

This information is required by Google to ensure that your website complies with online privacy laws and user consent.

Fill in the app's domain information.

Scroll down to the ‘Authorized domains’ section after that.

Then click the ‘Add Domain’ button and enter your domain name in the box that appears.

Add a domain name that is authorized.

Make sure you don’t include the http:// or https:// in your domain name.

Then, in the ‘Developer contact information’ box, enter your email address so Google can contact you if there’s a problem with your project.

Fill in the contact information for the developer.

Then click the ‘Save and Continue’ button.

Then, in the navigation menu on the left-hand side of the page, select ‘Credentials’, and then ‘Create Credentials.’

Make your credentials.

This activates a drop-down menu.

The ‘OAuth client ID’ option must be chosen.

Choose an OAuth client ID.

On the next screen, select ‘Application type’ from the drop-down menu.

Then choose ‘Web application’ from the drop-down menu.

From the drop-down menu, select web application.

This will take you to a form where you can name your web app.

The name is only for your own use; it will not be visible to your visitors.

Name of the web application

Scroll down to the section titled “Authorized JavaScript origins.”

Then click the ‘Add URL’ button and type in the address of your website.

Enter the URL for the authorized JavaScript origin.

Then, in the ‘Authorized redirect URLs’ section, click the ‘Add URL’ button and enter your login redirect URL.

This is the web address for your login page. This will be ‘yoursite.com/wp-login.php’ for most WordPress websites.

Include a redirect URL.

Click the ‘Create’ button after that.

This displays your ‘Client ID’ and ‘Client Secret’ in a popup window. Both of these must be copied into your preferred text editor.

Copy the Client ID and Client Secret.

Return to your WordPress admin panel and select Settings » Google Apps Login from the drop-down menu.

On this screen, paste the ‘Client ID’ and ‘Client Secret’ strings from the previous screen.

Enter the Client ID and Client Secret.

Click ‘Save Changes’ after that.

After that, you’ll be able to use Google single sign-on. When you or a visitor opens the WordPress login page, you can now log in using a Google account in just a few clicks.

Option for a Google sign-in screen

Method 2: Use SAML Single Sign On to set up SAML SSO.

The SAML Single Sign On plugin is used in this method. This plugin adds SAML SSO to WordPress and supports a variety of login methods.

SSO can be used with Google, Salesforce, Microsoft Office 365, OneLogin, Azure, and other services. It’s better suited for businesses that want to restrict access to only team members because it supports a variety of business tools.

The first step is to install and activate the plugin. See our beginner’s guide to installing a WordPress plugin for more information.

To access the plugin settings screen, go to miniOrange SAML 2.0 SSO » Plugin Configuration after activation.

You must choose an identity provider here. This is the login service that your users will use (in SAML terms, your WordPress site is the service provider and the login service is the identity provider).

Choose an identity provider.

We’ll use ‘Google Apps’ for this tutorial, but you can choose the best provider for your website. The steps for integration will be similar.

You’ll need a Google Workspace account to set up SSO with Google Apps. Google Workspace is a suite of Google’s premium products and business tools.

You must also create a WordPress account for each user to whom you wish to grant login access. Each user’s email address must be a Gmail account or a Google Workspace team member email address.

See our guide on how to add new users and authors to WordPress for more information.

You can proceed with setting up SSO in WordPress once you have a premium Google Workspace account.

Then select ‘Service Provider Metadata’ from the menu.

Go to the metadata menu for the service provider.

Then scroll down the page until you see the table that lists your ‘SP-EntityID/Issuer’ and ‘ACS URL.’

Copy and paste both of these into your favorite text editor.

Copy the entity ID as well as the ACS URL.

After that, you’ll need to open a new tab in your Google Admin console.

Then, in the left-hand navigation menu, go to Apps » Web and mobile apps.

Web and mobile apps for the Google Admin console

Then select ‘Add App’ from the drop-down menu.

Then select the ‘Add custom SAML app’ option.

Add your own SAML app.

You’ll need to name your app on the next screen, and you can upload a custom logo if you want.

After that, press the ‘Continue’ button.

Continue by typing the app's name.

You have two options for the following step.

Option 1 is the most straightforward; all you have to do is click the ‘Download Metadata’ button. At a later time, you’ll need to upload this data to WordPress.

Metadata can be downloaded.

Then, at the bottom of the screen, click ‘Continue.’

This will take you to a screen where you can paste your previously copied ‘ACS URL’ and ‘Entity ID’.

Then select ‘Signed response’ from the drop-down menu.

Enter the ACS URL as well as the Entity ID.

Then, from the ‘Name ID format’ drop down, choose ‘EMAIL.’

Then, at the bottom of the screen, click ‘Continue.’

Select an email nameid.

On the following screen, click the ‘Add Mapping’ button.

The fields of your WordPress user profile will be mapped to Google directory attributes.

Add a mapping by clicking the button.

Then, in the ‘Basic information’ section, select the ‘First name’ field and type ‘firstname’ into the ‘App attributes’ box.

Then click the ‘Add Mapping’ button again, select the ‘Last name’ field, and type ‘lastname’ into the ‘App attributes’ box.

Set the attributes of the Google directory

Click the ‘Finish’ button when you’re finished.

You’ll now be returned to the SAML app you just created. After that, go to the ‘User access’ section and select your app.

Click the ‘User access’ link.

Then select the ‘ON for everyone’ radio button in the ‘Service status’ box.

Then press the ‘Save’ button.

Switch it on for everyone.

Your SAML SSO app has now been successfully created and enabled.

Return to your WordPress admin panel and select miniOrange SAML 2.0 SSO » Plugin Configuration from the drop-down menu.

Make sure ‘Google Apps’ is selected on this screen, then scroll down to the ‘Configure Service Provider’ section and select the ‘Upload IDP Metadata File/XML’ button.

Section for configuring service providers

Now, in the ‘Identity Provider Name’ box, type ‘Google’ and click the ‘Choose File’ button.

Select the XML file you downloaded earlier, then click the ‘Upload’ button.

Metadata file to be uploaded

Then select ‘Attribute/Role Mapping’ from the menu.

You must use the default attribute options with the free version of the plugin.

Section on attribute and role mapping

Then scroll down to the section titled “Role Mapping.”

You can change the default role that all non-admin users will be assigned when they log in with SSO.

Select ‘Subscriber’ from the drop down list if it isn’t already selected, and then click the ‘Save’ button at the bottom of the screen.

Map the default role to Subscriber.
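The attribute and role mapping steps only make sense once you see what the service provider does with an incoming SAML response. The following is an added illustration written for this article; it is not the miniOrange plugin’s code and makes no claim about its internals. It takes a constructed response carrying an email NameID plus the ‘firstname’ and ‘lastname’ attributes mapped above, runs the checks a service provider must perform before trusting it (a signature is present, the destination and audience are this site’s ACS URL and SP entity ID, the validity window has not lapsed, the NameID is in email format, and a WordPress account with that email already exists), and produces the WordPress user record with the configured default role. Signature verification itself is left out because it needs an XML-DSig library; the code only refuses a response that carries no signature element at all, which is why the ‘Signed response’ option matters. The SP entity ID, ACS URL, IdP entity ID and user are placeholders.

```python
"""Service-provider side checks on a SAML Response, then mapping to a WordPress user.

Added example; not the plugin's code. Signature presence is checked, signature
validity is NOT (a real SP verifies it against the IdP metadata certificate
before trusting anything else). All values are constructed placeholders.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What the plugin's 'Service Provider Metadata' tab would show (placeholders).
SP_ENTITY_ID = "https://example-blog.test/sp-entity-id-placeholder"
ACS_URL = "https://example-blog.test/acs-placeholder"
IDP_ENTITY_ID = "https://idp.example.com/saml2?idpid=PLACEHOLDER"
KNOWN_USERS = {"jane.doe@example.com"}  # WordPress accounts created beforehand

SIGNATURE_PLACEHOLDER = "<ds:Signature><!-- a real response carries a full XML-DSig block --></ds:Signature>"
SAMPLE_NOW = datetime(2024, 1, 15, 10, 0, 30, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2024, 1, 15, 11, 0, 0, tzinfo=timezone.utc)

# Constructed response, shaped like what an IdP posts to the ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z"
    Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  {SIGNATURE_PLACEHOLDER}
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">Jane.Doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:55:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_response(xml_text, expected_issuer, now, existing_emails, default_role="subscriber"):
    """Validate the response and return the WordPress user it maps to, or raise ValueError."""
    resp = ET.fromstring(xml_text)
    if resp.find("ds:Signature", NS) is None and resp.find("saml:Assertion/ds:Signature", NS) is None:
        raise ValueError("response is unsigned; enable 'Signed response' at the IdP")
    if resp.get("Destination") not in (None, ACS_URL):
        raise ValueError("response was addressed to a different ACS URL")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-success status")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("assertion missing or issued by an unexpected IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("audience does not match this site's SP entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID is not in emailAddress format; set 'Name ID format' to EMAIL")
    email = name_id.text.strip().lower()
    # The article's rule: the WordPress account must already exist for this email.
    if email not in existing_emails:
        raise ValueError("no WordPress account with this email; create the user first")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    # Role comes from the SP's own configuration, never from anything the IdP sent.
    return {"user_email": email, "first_name": attrs.get("firstname", ""),
            "last_name": attrs.get("lastname", ""), "role": default_role}


def try_consume(xml_text, now=SAMPLE_NOW, existing=KNOWN_USERS):
    """Return ('ok', user) or ('rejected', reason) for easy inspection."""
    try:
        return "ok", consume_response(xml_text, IDP_ENTITY_ID, now, existing)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(try_consume(SAMPLE_RESPONSE))
    print(try_consume(SAMPLE_RESPONSE.replace(SP_ENTITY_ID, "https://other-site.test/sp")))
```

Two details carry the security weight here: the audience check ties an assertion to this site’s SP entity ID so a response meant for another application cannot be replayed against your blog, and the role is taken from the plugin’s ‘Role Mapping’ default rather than from any attribute in the assertion, so the identity provider cannot hand out administrator rights.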

Now you must add a straightforward login link to your WordPress blog.

To do so, go to Appearance » Widgets and find the widget area where you want to add your login link. We’ll add our login widget to the Right Sidebar widget area in this tutorial.

To add a new block, click the ‘+’ icon in the widget area.

Create a new widget block.

Then, in the search bar, type ‘Login’ to locate and select the ‘Login with Google’ widget.

A ‘Login with Google’ link will be added to the widget area as a result of this.

Using the Google Login Widget

If you want, you can also give the login block a title.

Before you leave the page, make sure to click the ‘Update’ button.

Make changes to the widget block.

When your users visit your website, they can now log in using their Google accounts.

They’ll be taken to the Google login screen to select their account after clicking the link.

Log in with your Google account.

We hope you found this article useful in learning how to set up SAML single sign-on in WordPress.