Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
WPB Cup
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts

How to Properly Setup SAML Single Sign-On (SSO) in WordPress

We at WPBeginner have a pretty large team working on various projects, so we use WordPress single sign-on (SSO) to simplify access management and improve security. If you want to do the same, you’re in the right place.

SAML single sign-on lets users log in to your site using their existing credentials from another service, like Google Apps. This saves them time and hassle and makes it easier for you to manage user access, especially if you have a team that uses multiple logins.

In this article, we will show you how to set up SAML single sign-on in WordPress, step by step.

How to Properly Setup SAML Single Sign-On (SSO) in WordPress

What Is SAML Single Sign-On?

SAML stands for Security Assertion Markup Language. It’s a secure way for your WordPress site to talk to other services, like Google and Office 365.

By contrast, SSO means single sign-on. This means that users can use one password for multiple services.

With SAML SSO, users can log in to your site using their existing credentials from those services. This means no more remembering extra usernames and passwords – just a single login for everything.

It’s especially handy for organizations and enterprises where people use a lot of different online platforms. For example, at WPBeginner, we use SSO to let our team members easily access their tools with just a single login.

With all that in mind, let’s see how you can easily set up SAML SSO in WordPress. You can use these quick links to navigate through the tutorial:

Step 1: Install miniOrange SAML Single Sign On

The easiest way to enable SAML SSO on your WordPress website is with the miniOrange SAML Single Sign On plugin.

It’s free and lets you connect your site to various identity providers, such as Google Apps, Okta, OneLogin, Salesforce, Azure B2C, Keycloak, ADFS, Shibboleth 2, Auth0, and Sharepoint.

Furthermore, this plugin allows users to access multiple sites and applications using a single login. That being said, you can repeat the same steps below with the rest of the sites that your team should be able to access.

That said, if you run a WordPress multisite network, you only need to do the steps once on your main network site, and the SSO will automatically work on all of your sites.

First, you’ll need to install the plugin. If you’re new to WordPress plugins, we’ve got a handy guide that walks you through installing a WordPress plugin step-by-step.

Once the plugin is installed, head over to your WordPress dashboard and navigate to miniOrange SAML 2.0 SSO » Plugin Configuration.

Then, switch to the ‘Service Provider Metadata’ tab. Keep this page open, as we’ll need the information here in the next step.

Opening the Service Provider Metadata tab in miniOrange

Step 2: Connect Your Site With an Identity Provider

Now that the plugin is installed in WordPress, it’s time to connect your website with a SAML identity provider (SAML IdP).

A SAML IdP is a service that manages user accounts and authenticates users. Think of it like a central hub where users log in once, and that login grants them access to various applications, including your WordPress site.

For this example, we will be using Google Apps as our SAML IdP. However, to use Google Apps as an SAML IdP, you’ll need a Google Admin account, which is different from your regular Gmail account.

A Google Admin account manages users and settings for your organization’s Google Workspace. It also usually doesn’t end in a @gmail.com extension.

Alternative: Want to set up Google SSO but don’t have a Google Admin account? Read our guide on how to set up a one-click Google login instead.

First, head over to the Google Admin Console page.

In the sidebar menu, navigate to the ‘Apps’ section and click on ‘Web and mobile apps.’

Choosing Web and mobile apps menu in Google Admin Console

From here, open the ‘Add app’ dropdown menu.

Then, select ‘Add custom SAML app.’

Adding a new custom SAML app in Google Admin Console

Now, give your custom SAML app a name (something like ‘miniOrange Custom SAML’) and a brief description (like ‘A SAML SSO app for WordPress’).

Once you’re happy, click ‘Continue.’

Setting up a new custom SAML app in Google Admin Console

Here, you’ll see two options to configure WordPress SSO.

We’ll go with the easier option (option 1) which involves downloading IdP metadata. This method is much faster, as you won’t have to enter your IdP metadata manually and copy-paste your x509 certificate later on.

Click on ‘Download Metadata’ to start.

Downloading metadata from Google Admin Console

Then, scroll all the way down.

Click ‘Continue.’

Continuing with the next step in Google Admin Console

On the next page, you’ll see a form for your service provider details.

In our case, that is our WordPress website with the help of miniOrange.

Inserting service provider details in Google Admin Console

Now, switch back to your WordPress dashboard, where you left the miniOrange plugin page open on the ‘Service Provider Metadata’ tab.

Scroll down to find your service provider information (ACS URL and Entity ID). Keep this page open, as you will need to switch back and forth between this page and Google Admin Console.

Copying miniOrange Service Provider Metadata

Now, head back to the Google Admin Console and copy-paste this information into the corresponding fields.

Make sure to tick the ‘Signed response’ box as well.

Pasting miniOrange Service Provider Metadata in Google Admin Console

Moving down the page, select ‘EMAIL’ for the Name ID format and choose ‘Basic Information > Primary email’ for the Name ID.

Then, click ‘Continue.’

Configuring the Name ID settings in Google Admin Console

The next step involves adding user fields and mapping them between Google Directory and your WordPress site (miniOrange plugin).

This is essentially like picking which information from Google accounts gets transferred to your WordPress site.

Click on ‘Add Mapping’ to star. Then, let’s add the ‘First Name’ field from Google and map it to the ‘firstname’ attribute.

Adding first name attributes in Google Admin Console

Once you’re done mapping the desired fields, scroll down.

Then, click ‘Finish.’

Finishing the custom SAML app setup in Google Admin Console

You’ll now land on the custom SAML app page in your Google Admin Console.

The last step is to activate the app for your users. So go ahead and click on ‘OFF for everyone.’

Clicking OFF for everyone in Google Admin Console

Now, just switch it to ‘ON for everyone.’

Finally, hit ‘Save’ to finalize the configuration.

Turning on the custom SAML app in Google Admin Console

Step 3: Configure WordPress SAML SSO Settings

Let’s head back to the miniOrange SSO plugin page in your WordPress admin area. We will now set up your WordPress SSO configuration.

Now, switch to the ‘Service Provider Setup’ tab and select ‘Google Apps.’

Choosing Google Apps IdP in miniOrange

Scroll down and navigate to the ‘Upload IDP Metadata’ tab.

Here, you’ll need to input the identity provider name (likely something like ‘GoogleApps’) and upload the XML file you downloaded earlier from the Google Admin Console.

Once everything is filled in, click ‘Upload.’

Setting up Google's IdP metadata in miniOrange

Congratulations! You’ve successfully connected your WordPress blog with your Google Apps SAML IdP. Now, let’s configure some additional settings.

First, switch to the ‘Attribute/Role Mapping’ tab.

Here, you can define how user information from Google Apps gets mapped to user accounts in WordPress.

Opening the Attribute/Role Mapping tab in miniOrange

Scroll down to the ‘Role Mapping’ section and select the default user role you want to assign to new users who sign in using the SAML SSO.

In this example, we’ve selected ‘Editor.’ Go ahead and click ‘Update’ once you’ve made your choice.

Choosing a default role for new users signing in using miniOrange SAML SSO

Next, switch to the ‘Redirection & SSO Links’ tab.

This is where you can add a handy single sign-on button to your WordPress login page for user convenience.

Just make sure the option titled ‘Add a Single Sign-On button on the WordPress login page’ is enabled.

Enabling the miniOrange SSO feature in Google Admin Console

This small change will add a ‘Login With [identity provider name’ button to your WordPress login screen, making it easier for users to log in with their existing Google Apps credentials.

Here’s what ours looks like:

SAML SSO login feature in WordPress login page

WordPress SAML Single Sign-On: Frequently Asked Questions

We’ve covered the steps to configure WordPress SAML SSO, but you might still have some questions. Let’s take a look at some common ones:

Are SAML and SSO the same?

No, SAML and SSO are not the same. SAML (Security Assertion Markup Language) is a specific protocol used to implement SSO.

There are other ways to achieve SSO besides using SAML. However, SAML is a popular and secure option for implementing SSO in a variety of applications, including WordPress.

What is the difference between SAML SSO and a one-click login with a plugin?

Yes, there are WordPress login plugins that offer one-click functionality, which is a much simpler option compared to SAML SSO.

The key difference lies in how they work. SAML SSO requires creating a custom app in your Google Admin console for secure communication. It requires more configuration but offers more security and centralized user management.

On the other hand, one-click login plugins use existing protocols like OAuth to connect with services like Google. You don’t need Google Admin privileges, but it might not offer the same level of security as SAML SSO.

Are SSO and social login the same?

Social login is a type of SSO that allows users to log in to your WordPress site using their existing social media credentials (like Facebook). SAML SSO, on the other hand, is a more secure and flexible option that can be used with a wider range of identity providers, not just social media platforms.

For more information on adding social login options to your WordPress site, you can refer to our guide on how to add social login in WordPress.

WordPress Security Tips to Make Login More Secure

While the SAML SSO login is pretty secure, here are some additional tips you can implement to further tighten your WordPress security:

We hope this article helped you learn how to set up SAML SSO in WordPress. You may also want to check out our guide on how to get a free SSL certificate for your website and our expert pick of the must-have WordPress plugins to grow your website.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

4 CommentsLeave a Reply

  1. Richard Krone

    Is it possible to use the Google saml SSO on a WordPress multi-site environment to lock down specific sites in the multi-site?

    • WPBeginner Support

      The second plugin in this article has the option to work with multisite, if you reach out to their support they can let you know how to set up what you are looking for :)

      Admin

  2. Alex Hanks

    Does your SSO work for admins / editors as well?

    • WPBeginner Support

      Yes, the SSO would work for those roles as well.

      Admin

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.