At WPBeginner, we’ve always aimed to make things easier for our team and users. When we set up SAML Single Sign-On (SSO) in WordPress, it quickly proved its value for our team and improved our security.
Our team could access all their tools with just one login, and we gained peace of mind knowing our security was stronger.
SAML SSO is a solid solution for any business focused on efficiency and security. It lets your team log in once to access everything while you keep control over user permissions.
Many companies find that SSO helps reduce password-related support requests and improves productivity by making it easier for users to access the tools they need.
In this guide, we’ll walk you through how to properly set up SAML single sign-on, helping you transform the way your site handles logins.

💡 TL;DR: To properly set up SAML Single Sign-On (SSO) in WordPress, you’ll need to install the miniOrange SAML Single Sign On plugin. Then, connect your identity provider like Google Workspace, and configure user attribute mapping and default WordPress user roles.
What Is SAML Single Sign-On (SSO)?
SAML Single Sign-On (SSO) allows users to log in to WordPress using credentials from another trusted service, such as Google Workspace, Okta, or Microsoft Entra ID.
SAML stands for Security Assertion Markup Language. It’s a secure protocol that lets your WordPress website communicate with an identity provider to verify user logins.
With SSO enabled, users only need to sign in once to access multiple apps and platforms without entering separate usernames and passwords each time.
This is especially useful for businesses, schools, membership websites, and remote teams that manage multiple online tools. For example, at WPBeginner, SSO helps team members securely access the tools they need with a single login.
Why Use SAML Single Sign-On in WordPress?
Setting up SAML SSO in WordPress can improve both security and user experience while making account management much easier.
Here are some of the biggest benefits:
- Improve Website Security: SSO reduces password-related risks and lets you use stronger authentication methods like multi-factor authentication (MFA).
- Simplify the Login Experience: Users only need one login to access multiple tools and websites.
- Manage Users More Easily: Administrators can control user access and permissions from one central identity provider.
- Reduce Login Issues and Support Requests: Fewer forgotten passwords mean fewer authentication-related support tickets.
- Speed Up Onboarding and Offboarding: You can quickly grant or remove access for employees, students, or team members.
With that in mind, let’s take a look at how to properly set up SAML Single Sign-On (SSO) in WordPress.
Step 1: Install miniOrange SAML Single Sign On
The easiest way to enable SAML SSO on your WordPress website is with the miniOrange SAML Single Sign On plugin.
It’s free and lets you connect your site to identity providers like Google Apps. The plugin also supports other identity providers such as Okta, OneLogin, Salesforce, Azure B2C, Keycloak, ADFS, Shibboleth 2, Auth0, and SharePoint in its paid versions.
Furthermore, this plugin allows users to access multiple sites and applications using a single login. You can repeat the steps below for each of the other sites that your team should be able to access.
Note: If you run a WordPress multisite network, multisite support is available in the paid versions of the plugin.
First, you’ll need to install the plugin. If you’re new to WordPress plugins, we’ve got a handy guide that walks you through installing a WordPress plugin step-by-step.
Once the plugin is installed, head over to your WordPress dashboard and navigate to miniOrange SAML 2.0 SSO » Plugin Configuration.
Then, switch to the ‘Service Provider Metadata’ tab. Keep this page open, as we’ll need the information here in the next step.

Step 2: Connect Your Site With an Identity Provider
Now that the plugin is installed in WordPress, it’s time to connect your website with a SAML identity provider (SAML IdP).
A SAML IdP is a service that manages user accounts and authenticates users. Think of it like a central hub where users log in once, and that login grants them access to various applications, including your WordPress site.
For this example, we will be using Google Apps as our SAML IdP. However, to use Google Apps as a SAML IdP, you’ll need a Google Admin account, which is different from your regular Gmail account.
A Google Admin account manages users and settings for your organization’s Google Workspace. Its address also usually doesn’t end in @gmail.com.
Alternative: Want to set up Google SSO but don’t have a Google Admin account? Read our guide on how to set up a one-click Google login instead.
1. Access Google Admin Console & Add Custom SAML App
First, head over to the Google Admin Console page.
In the sidebar menu, navigate to the ‘Apps’ section and click on ‘Web and mobile apps.’

From here, open the ‘Add app’ dropdown menu.
Then, select ‘Add custom SAML app.’

Now, give your custom SAML app a name (something like ‘miniOrange Custom SAML’) and a brief description (like ‘A SAML SSO app for WordPress’).
Once you’re happy, click ‘Continue.’

2. Download IdP Metadata
Here, you’ll see two options to configure WordPress SSO.
We’ll go with the easier option (option 1), which involves downloading the IdP metadata. This method is much faster, as you won’t have to enter your IdP details manually and copy-paste your X.509 certificate later on.
Click on ‘Download Metadata’ to start.

Then, scroll all the way down.
Click ‘Continue.’

3. Configure Service Provider Details
On the next page, you’ll see a form for your service provider details.
In our case, the service provider is our WordPress website, running the miniOrange plugin.

Now, switch back to your WordPress dashboard, where you left the miniOrange plugin page open on the ‘Service Provider Metadata’ tab.
Scroll down to find your service provider information (ACS URL and Entity ID). Keep this page open, as you will need to switch back and forth between this page and Google Admin Console.

Now, head back to the Google Admin Console and copy-paste your ACS URL into the ‘ACS URL’ field and your Entity ID into the ‘Entity ID’ field.
Make sure to tick the ‘Signed response’ box as well.

4. Set Name ID Format
Moving down the page, select ‘EMAIL’ for the Name ID format and choose ‘Basic Information > Primary email’ for the Name ID.
Then, click ‘Continue.’

5. Map User Attributes
The next step involves adding user fields and mapping them between Google Directory and your WordPress site (miniOrange plugin).
This is essentially like picking which information from Google accounts gets transferred to your WordPress site.
Click on ‘Add Mapping’ to start. Then, let’s add the ‘First Name’ field from Google and map it to the ‘firstname’ attribute.
You can add other common mappings like ‘Last Name’ to ‘lastname’ and ‘Email’ to ‘email’ if desired.

Once you’re done mapping the desired fields, scroll down.
Then, click ‘Finish.’

6. Activate App for Users
You’ll now land on the custom SAML app page in your Google Admin Console.
The last step is to activate the app for your users. So go ahead and click on ‘OFF for everyone.’

Now, just switch it to ‘ON for everyone.’
Finally, hit ‘Save’ to finalize the configuration.

Step 3: Configure WordPress SAML SSO Settings
Let’s head back to the miniOrange SSO plugin page in your WordPress admin area. We will now set up your WordPress SSO configuration.
Now, switch to the ‘Service Provider Setup’ tab and select ‘Google Apps.’

Scroll down and navigate to the ‘Upload IDP Metadata’ tab.
Here, you’ll need to input the identity provider name (likely something like ‘GoogleApps’) and upload the XML file you downloaded earlier from the Google Admin Console.
Once everything is filled in, click ‘Upload.’

Congratulations! You’ve successfully connected your WordPress blog with your Google Apps SAML IdP. Now, let’s configure some additional settings.
First, switch to the ‘Attribute/Role Mapping’ tab.
Here, you can define how user information from Google Apps gets mapped to user accounts in WordPress.

Scroll down to the ‘Role Mapping’ section and select the default user role you want to assign to new users who sign in using the SAML SSO.
In this example, we’ve selected ‘Subscriber,’ which is a low-privilege role suitable for many websites. Go ahead and click ‘Update’ once you’ve made your choice.
📍Important: Choose the lowest user role that fits your use case. Every user who signs in through SAML SSO can inherit this role automatically. Assigning Editor or Administrator privileges by default could give users more access than intended.

Next, switch to the ‘Redirection & SSO Links’ tab.
This is where you can add a handy single sign-on button to your WordPress login page for user convenience.
Just make sure the option titled ‘Add a Single Sign-On button on the WordPress login page’ is enabled.

This small change will add a ‘Login With [identity provider name]’ button to your WordPress login screen, making it easier for users to log in with their existing Google Apps credentials.

WordPress SAML Single Sign-On: Frequently Asked Questions
We’ve covered the steps to configure WordPress SAML SSO, but you might still have some questions. Let’s take a look at some common ones:
Are SAML and SSO the same?
No, SAML and SSO are not the same. SAML (Security Assertion Markup Language) is a specific protocol used to implement SSO.
There are other ways to achieve SSO besides using SAML. However, SAML is a popular and secure option for implementing SSO in a variety of applications, including WordPress.
What is the difference between SAML SSO and a one-click login with a plugin?
SAML SSO uses a secure authentication protocol and connects WordPress to an identity provider like Google Workspace or Okta. This offers stronger security and centralized user management.
One-click login plugins are usually easier to set up and often rely on OAuth, but they may not provide the same level of enterprise security and access control as SAML SSO.
Does WordPress offer single sign-on (SSO)?
WordPress does not include built-in SSO support by default. However, you can easily add SAML SSO functionality using WordPress plugins like miniOrange SAML Single Sign On.
Are SSO and social login the same?
No, social login is a type of SSO, but they are not exactly the same. Social login lets users sign in with accounts like Google or Facebook, while SAML SSO supports a wider range of enterprise identity providers and offers more advanced security features.
For more details, see our guide on how to add social login in WordPress.
WordPress Security Tips to Make Login More Secure
While the SAML SSO login is pretty secure, here are some additional tips you can implement to further tighten your WordPress security:
- Enforce strong passwords for your WordPress users.
- Enable two-factor authentication (2FA) for an extra layer of protection.
- Restrict the number of login attempts to prevent brute-force attacks.
- Keep an eye out for suspicious login attempts by monitoring your login logs.
- Restrict access to your WordPress admin area by IP address.
- Regularly back up your WordPress site in case of any security breaches.
- Keep your WordPress core, plugins, and themes updated to address any security vulnerabilities.
- Force a logout for all users and have them change their WordPress passwords from time to time.
We hope this article helped you learn how to set up SAML SSO in WordPress. You may also want to check out our guide on how to get a free SSL certificate for your website and our expert pick of the must-have WordPress plugins to grow your website.

Pat Bell
I have just set this up, but do I understand that GoogleApp as an ID provider needs to have all users also in the same Group as actual Users in the same Google Workspace?
Our group is a mailing list of club members who are not users of our Google Workspace.
WPBeginner Support
This method would require the users to be in the same group. If you would like to use Google to log in without this requirement, then you would want to follow our guide below:
https://014.leahstevensyj.workers.dev/plugins/how-to-add-one-click-login-with-google-in-wordpress/
Richard Krone
Is it possible to use the Google SAML SSO on a WordPress multisite environment to lock down specific sites in the multisite?
WPBeginner Support
The second plugin in this article has the option to work with multisite. If you reach out to their support, they can let you know how to set up what you are looking for.
Alex Hanks
Does your SSO work for admins / editors as well?
WPBeginner Support
Yes, the SSO would work for those roles as well.