Open Access SSO -- WordPress 插件

开发者	idgold
更新时间	2026年6月21日 10:25
捐献地址:	去捐款
PHP版本:	8.1 及以上
WordPress版本:	7.0
版权:	GPLv2 or later
版权网址:	版权信息

Let your team sign in to WordPress with the company login they already use — one click, no extra password to manage, reset, or chase down. Open Access SSO connects your WordPress site to the identity provider your organisation already runs, so people log in through your trusted corporate sign-in instead of juggling yet another WordPress password. It works with any standard SAML 2.0 identity provider — including Microsoft Entra ID (Azure AD), Okta, OneLogin, Keycloak, ADFS, Shibboleth, and NetIQ Access Manager (now OpenText) — and it's completely free and open-source, with no premium tier, no license key, and no upsell. Everything below is included. Nothing is locked, metered, or "Pro." Why site admins choose it

Free, forever. Every feature ships in the GPLv2-or-later codebase — full role mapping, multi-IdP, access control, and more, at no cost. No paid plan, no per-site license, no feature gates.
Privacy-first by design. No telemetry, no analytics, no "phone home," and no external CDN. Your configuration never leaves your site.
Works with the identity provider you already have. Point-and-click setup for any standards-compliant SAML 2.0 IdP — no developer required for normal use.
Emergency admin access. A built-in bypass lets an admin get back in even if SSO is misconfigured — through a constant in wp-config.php or a pre-set bypass key.
Open and original. A clean-room, from-scratch implementation you can read and audit.

Connect it to your identity provider

One-click sign-in via SSO — let users log in through your IdP instead of, or alongside, the WordPress login form, with optional single logout that signs them out of both at once.
Multi-IdP support — connect several identity providers and let users pick with a login button or a simple ?idp=slug link.
Encrypted logins handled out of the box — including the encryption that modern providers (such as NetIQ Access Manager) turn on by default and that stock PHP can't unwrap on its own, so encrypted sign-in just works.
Attribute mapping — map fields from your IdP (name, email, display name, and custom user data) straight onto WordPress profiles.

Control who gets in, and what they see

Powerful role mapping — automatically assign WordPress roles based on a user's groups or attributes, with exact, contains, or regex matching, per-IdP rules, a default-role fallback, and an option to deny anyone who doesn't match. A built-in safeguard means SSO won't hand out admin-level roles unless you explicitly allow it.
Account linking — connect a first SSO login to an existing WordPress account by email (administrators are never auto-linked, for safety).
Page and content access control — restrict pages, posts, and custom post types to chosen roles or to "logged in via SSO" users, with a per-page editor control, the handy [oasso_restrict] shortcode, and category/tag-level rules. The same protection also covers the REST API, feeds, and oEmbed, so restricted content doesn't leak through a side door.
Protected files and blocks — keep uploaded files behind a role check, and show or hide individual Gutenberg blocks by login status or role.
Email-domain and redirect rules — limit SSO sign-in to approved email domains and send users to the right place after login, per IdP.
WooCommerce integration (optional) — map attributes to billing and shipping details and auto-link customers by email; loads only when WooCommerce is active.

Stay in control after go-live

Certificate monitoring — track your IdP's signing-certificate expiry, get warned before it changes, detect rotation on a daily or weekly check, and optionally pin a certificate for change control, with manual, auto-trust, grace-period, or require-approval handling.
Searchable audit log — a database-backed, filterable record of who signed in and when, with CSV export and a retention period you set.
Force-SSO with a safety net — require SSO across the site while keeping an emergency way back in (a constant in wp-config.php or a pre-set bypass key), so a misconfiguration doesn't leave you stranded.
Import / export — back up or move your entire configuration as a single JSON file.

Easy setup, no coding Add your identity provider three ways — upload its metadata XML, paste a metadata URL, or type the details in by hand — then register your site with the IdP using the SP metadata it generates for you. It's all in the WordPress admin. (Developers also get a documented, stable hook API when they want it.) Privacy you can verify The plugin keeps to itself. The only time it reaches out to the network is when you ask it to fetch your IdP's metadata from a URL, plus an optional, off-by-default certificate-rotation check that re-fetches that same address you entered. It never contacts the author or any third party, and every setting stays in your own site's database. The two bundled libraries it relies on (both MIT-licensed) make no network calls at all. Security without the homework Incoming logins are fully validated before anyone is signed in — the plugin checks the digital signature, the sender, the intended audience, expiry, and replay protection, and accepts only strong, modern cryptography by default. Your SP private keys are encrypted at rest, and the public endpoints are guarded against common abuse. Sensible, secure defaults are on out of the box; the deeper knobs are documented for the rare cases you need them. Free and open-source Open Access SSO is licensed GPLv2 or later, with the full source available on Codeberg. There is no premium edition and nothing to buy — what you install is the complete plugin. Its only third-party libraries (xmlseclibs and phpseclib, both MIT-licensed) are bundled and make no network calls. Requirements

WordPress 6.0 or newer
PHP 8.1 or newer
A SAML 2.0 identity provider you control or have access to

2.2.0

Security (Force SSO): when Force SSO is enabled it is now enforced at the authentication layer, not just on the login page. Native username/password sign-in (including over XML-RPC) is rejected, and Application Passwords and XML-RPC are disabled, so a leftover local password, an XML-RPC client, or an Application Password can no longer bypass single sign-on and the central deprovisioning and MFA it provides (CWE-287). The emergency bypass still restores local access (the OASSO_BYPASS wp-config constant or the bypass secret key), and sign-in is never enforced while no Identity Provider is enabled, so a misconfiguration cannot lock you out.
New: two opt-in settings under General Settings, both off by default — "Allow Application Passwords" and "Allow XML-RPC" — re-enable those API surfaces while Force SSO is on, for a site that relies on a trusted integration. Re-enabling XML-RPC also restores its username/password (basic) authentication, the classic brute-force surface, so leave it off unless a legacy integration needs it.
Hardening: the SSO error message shown on the login screen after a failed sign-in is now carried by a short-lived signed token, so an arbitrary ?oasso_error= value can no longer suppress the Force-SSO redirect or render chosen text on the login page.
Note: this does not change a site that does not use Force SSO. Real SSO sign-in, the bypass paths, and existing logged-in sessions are unaffected.

2.1.5

Security (access control): restricted media and posts no longer leak through secondary read paths. The REST media endpoint now hides a restricted attachment's metadata and real file URL, including when the restriction is inherited from the attachment's parent post (CWE-639); and restricted posts are excluded from REST search results and the XML sitemap (wp-sitemap.xml) for visitors who are not allowed to see them (CWE-200).
Security (media): new optional "Require SSO for the protected directory" setting under Access Control (off by default). When enabled, files in the protected uploads directory may be downloaded only by users who signed in through SSO — enforced on both the oasso-protected/ and oasso-file/ delivery routes (CWE-276).
Security (SAML replay): the replay-protection record for a consumed assertion now lives at least as long as the assertion's own validity window, closing a small window in which a captured response could otherwise be replayed after the record expired (CWE-294). The record lifetime is capped to a safe maximum.
Hardening: SSO attribute mapping can no longer write to WordPress privilege or session storage keys (wp_capabilities, wp_user_level, session_tokens, and their multisite variants), even if such a mapping is configured — refused at both the settings save and the login write.
Fix (multi-IdP): when more than one Identity Provider is configured, an SSO response is now matched to the correct IdP by its Issuer before signature verification, instead of assuming the first enabled IdP. This restores sign-in for a non-first IdP whose response would otherwise be verified against the wrong certificate.
Change: SSO now auto-creates a WordPress account only when an email address can be resolved from the Identity Provider's attribute mapping. It no longer guesses the email from the NameID or from loose attribute keys, because what a new account's email should be is the administrator's mapping decision. The default SAML email-claim mapping still applies, so conventional IdPs are unaffected; if accounts stop being created after upgrading, map an email attribute to the email field in that IdP's Attribute Mapping.
Fix (diagnostics): when a user cannot be created because no email address could be resolved from the assertion (for example, the IdP's email attribute is not mapped to a WordPress field), the debug log now records an actionable reason that names the attributes the IdP sent and points to the Attribute Mapping, instead of a generic "could not create user" message.
The new access-control setting is off by default; the bundle also refreshes the plugin documentation and listing.

2.1.4

New: support for IdPs that encrypt the assertion session key with RSA-OAEP using a SHA-256 (or SHA-384/512) digest, via the bundled phpseclib library. PHP's OpenSSL only unwraps RSA-OAEP with SHA-1; the plugin now honours the exact OAEP digest declared in the encrypted assertion, so encrypted-assertion SSO works with NetIQ Access Manager and other IdPs that default to OAEP-SHA-256. AES-CBC/GCM data decryption is unchanged.
Security (DoS): all SAML XML parsers now reject documents carrying a DOCTYPE / inline DTD, closing an unauthenticated XML internal-entity-expansion denial-of-service reachable at the ACS/SLO endpoints before signature verification (CWE-776). Inbound SAML messages are size-capped before decoding and DEFLATE-compressed redirect-binding messages are inflated with a bounded buffer, closing a decompression-bomb DoS (CWE-409). The cap is filterable via oasso_max_saml_message_bytes.
Security (encryption): encrypted-assertion and EncryptedID decryption now checks the key-transport and data-encryption algorithms against an allowlist before any decryption runs — RSA-OAEP for key transport (RSA-1.5 refused) and AES-CBC/GCM for data (TripleDES refused), mirroring the signature-algorithm allowlist (CWE-780/327). Legacy RSA-1.5 / TripleDES can be re-enabled only via the import-only allow_legacy_decryption_algorithms setting (off by default), and any such acceptance is audit-logged.
Security (assertions): an assertion must now carry an enforceable expiry boundary (a Conditions or bearer SubjectConfirmationData NotOnOrAfter); one with none is rejected (CWE-613). The new "Require assertion expiry" Service Provider setting (on by default) lets you relax this for a non-conforming IdP.
Security (admin): IdP-supplied SAML attribute names shown in the redirect-rule editor are now HTML-escaped at the rendering sink and hex-encoded in the inline configuration, closing a stored DOM cross-site-scripting issue a malicious or compromised IdP could trigger in an administrator's browser (CWE-79).
Security (audit export): audit-log CSV export now neutralises spreadsheet formula triggers (a leading =, +, -, @, tab or carriage return, plus their full-width Unicode variants) in IdP-controlled fields, preventing CSV / formula injection when an exported log is opened in a spreadsheet (CWE-1236).
Maintenance: non-Success SAML responses now surface the nested StatusCode and StatusMessage for clearer diagnostics, and the SP metadata advertises the supported assertion-encryption algorithms (RSA-OAEP key transport, AES-GCM/CBC data) for IdPs that consume them.

2.1.2

Security: SSO no longer assigns administrator-level roles (any role carrying capabilities such as manage_options or edit_users) unless you explicitly enable the new "Allow Administrator-Level Roles via SSO" setting in General Settings (off by default). This prevents a role-mapping rule from silently elevating an auto-provisioned SSO user to a role that can take over the site. Users who would have received such a role get the default role instead. If you deliberately map an IdP identity or group to an administrator-level role, enable this setting; the configuration importer enables it automatically when an imported config already maps to such a role.
Fix: term (category/tag/custom taxonomy) restriction fields now authorise against each taxonomy's own editing capability via the edit_term meta capability, instead of a hardcoded manage_categories. Custom taxonomies that use their own capabilities now save restriction settings correctly.

2.1.1

Security hardening (SAML signature handling): the IdP's signature algorithm is now read before XML-DSig reference processing and checked against an explicit allowlist of RSA algorithms (RSA-SHA256/384/512; RSA-SHA1 only when the SHA-1 fallback is enabled). This makes the protection against signature-algorithm confusion explicit and robust, and lets IdPs that sign with RSA-SHA384/512 verify (previously only RSA-SHA256 was accepted). The same SHA-1 opt-in now also gates Redirect-binding signatures.
Security hardening: the assertion-level Issuer is now required and must match the configured IdP, and assertions must carry an AudienceRestriction naming this Service Provider. A new "Require audience restriction" Service Provider setting (on by default) lets you relax the audience check for an IdP that legitimately omits it.
Fix: the Service Provider screen showed outdated ?ossa=acs / ?ossa=slo URLs; it now shows the correct ?oasso_acs=1 / ?oasso_slo=1 endpoints. Removed a non-functional metadata "Download" button (copy the metadata from the field shown instead).
Maintenance: uninstall now also removes term-level restriction settings; the optional certificate-rotation cron is documented in the External Services section; assorted internal identifier and PHP-requirement cleanups.

2.1.0

WordPress.org review compliance: the plugin's internal prefix was renamed from the 3-character oas_ / OAS_ to oasso_ / OASSO_ across all options, hooks, transients, cron events, user/post meta, AJAX actions, nonces, asset handles, and custom tables. The PHP namespace (OpenAccessSSO) and plugin slug (open-access-sso) are unchanged.
The content-restriction shortcodes are renamed [oas_restrict] → [oasso_restrict] and [oas_login_button] → [oasso_login_button].
Security: the [oasso_restrict] shortcode now passes its returned content through wp_kses_post().
Security: the admin "Test Connection" link now carries and verifies a nonce.
Because the internal prefix changed, this is NOT a drop-in upgrade. Export your configuration first, then reinstall and re-import — see the Upgrade Notice below for the exact steps.

2.0.4

Maintenance release addressing WordPress.org plugin review feedback. All inline scripts and styles are now delivered through the WordPress enqueue APIs (wp_add_inline_script, wp_add_inline_style, wp_get_inline_script_tag) or a linked stylesheet, instead of raw <script>/<style> tags.
Removed obsolete pre-PHP-8.0 libxml_disable_entity_loader() calls. The plugin requires PHP 8.1+, where libxml ≥ 2.9 already disables external-entity loading by default and LIBXML_NONET blocks network access; the calls were dead code and deprecated in PHP 8.0.
Documented the SAML Identity Provider external-service interaction in a dedicated readme section.
No functional or behavioural change.

2.0.3

Added an optional "support development" link (Ko-fi) in the admin footer of the plugin's own pages, plus a Donate link in the readme. No functional change; the link opens externally and the plugin makes no network calls of its own.
Compatibility: declared tested up to WordPress 7.0.

2.0.2

PCP polish: WordPress Plugin Check now reports zero findings for the distributable zip. Two real sanitiser additions in the admin settings form; the rest are inline phpcs:ignore annotations with reason comments at intentional sites (cross-origin POST at the SAML ACS endpoint, PCRE limit hardening before user-supplied regex evaluation, table DROP on uninstall, internal-only DB query composition). No behaviour change.
Build: README.md (GitHub-only readme) is no longer shipped in the distributable zip; composer.json is now included so the bundled vendor/ directory is transparent to plugin reviewers.

2.0.1

Fix: Test Connection now populates results and attribute dropdowns reliably regardless of how long the admin has been logged in. The admin's identity is now recorded at initiate-time in a server-side transient keyed by the AuthnRequest ID, and looked up at the ACS callback via the response's InResponseTo. The previous flow depended on the WP auth cookie surviving the cross-origin POST from the IdP, which modern browsers block under SameSite=Lax outside a brief carveout window.

2.0.0

Initial release on WordPress.org. (Project formerly known internally as OpenSSO Access; renamed to Open Access SSO ahead of public release.)
Full SAML 2.0 SP with multi-IdP support.
Attribute mapping, role mapping, page access control, WooCommerce integration.
Audit log, force-SSO mode, emergency bypass via OAS_BYPASS.

Open Access SSO

标签

下载

详情介绍:

安装:

屏幕截图:

升级注意事项:

常见问题:

更新日志: