SSO & SAML Login — Azure AD / Entra ID

开发者	karolismerit meritstory
更新时间	2026年4月29日 17:23
PHP版本:	8.0 及以上
WordPress版本:	6.9
版权:	GPLv2 or later
版权网址:	版权信息

下载

1.0.3

详情介绍:

Microsoft Login for WordPress lets your users sign in to WordPress using their Microsoft Azure AD / Entra ID credentials - no separate password needed. Choose between SAML 2.0 and OpenID Connect (OIDC) to match your organization's configuration. Why this plugin?

Microsoft-focused. Built specifically for Azure AD / Entra ID.
Simple setup. Import SAML metadata or use OIDC discovery to auto-fill endpoints.
Clean admin UX. One settings area with guided setup and test tools.
Security-first. SAML uses onelogin/php-saml; OIDC validates RS256 tokens against JWKS.

Free Features

SAML 2.0 SP login flow (Azure AD / Entra ID as IdP)
OpenID Connect Authorization Code + PKCE login flow
Auto-create WordPress users on first login (JIT provisioning)
Configurable default role for new users
SP metadata download and SAML metadata URL import
OIDC tenant discovery and endpoint validation tools
Emergency admin bypass URL for lockout recovery
WP-CLI commands (wp saml status, wp saml import-metadata, wp saml regen-cert, wp saml test)

Pro Features (separate plugin)

Role mapping (map Azure AD roles/groups to WordPress roles)
SSO enforcement by WordPress role, with per-user bypass exceptions
Attribute sync on login (first name, last name, display name)
Audit log (login success/failure, user creation, role mapping, SSO enforcement, logout)
Audit log CSV export and retention settings
Microsoft Graph user sync and import tools:
App-only Graph connection test
Group member preview/import
Daily background sync via WP-Cron
Optional deprovisioning (remove role when user is disabled/removed)

Requirements

PHP 8.0 or higher
PHP extensions: openssl, dom, zlib
WordPress 6.3 or higher
A Microsoft Azure AD / Entra ID tenant

Setup Overview SAML:

Install and activate the plugin.
Go to Settings -> SSO & SAML Login.
Copy the SP Entity ID and ACS URL from the SP Information tab.
Create a new Enterprise Application in Azure AD (non-gallery app, enable SAML SSO).
Paste your App Federation Metadata URL into the plugin and click Import Metadata.
Save settings. Your Microsoft login button appears on wp-login.php.

OIDC:

Create an App Registration in Azure and add your site's /saml/oidc-callback as Redirect URI.
In plugin settings, select OpenID Connect, enter Tenant ID, click Fetch Discovery.
Enter Client ID and Client Secret, then save.

Privacy This plugin does not send data to third parties except as described in the External services section below. SSO and audit data are stored in your own WordPress database.

安装:

Automatic Installation

In WordPress admin, go to Plugins -> Add New.
Search for Microsoft Login for WordPress.
Click Install Now, then Activate.

Manual Installation

Download the plugin ZIP.
Go to Plugins -> Add New -> Upload Plugin.
Upload the ZIP and activate.
Go to Settings -> SSO & SAML Login.

屏幕截图:

升级注意事项:

1.0.1 Readme and compliance updates. No manual migration steps required.

常见问题:

Does this work with Microsoft Entra ID (formerly Azure Active Directory)?

Yes. Azure AD was renamed to Entra ID. This plugin supports both naming conventions.

Do I need external software?

No. SAML parsing is handled by bundled onelogin/php-saml. OIDC validation uses built-in PHP OpenSSL.

SAML or OIDC - which should I choose?

For most teams, OIDC is simpler to configure. Choose SAML if your organization already standardizes on SAML or requires SAML-specific controls.

Can users still log in with WordPress passwords?

Yes by default. If Pro SSO enforcement is enabled for selected roles, password login is blocked for those roles.

What happens on first login?

If auto-create is enabled, a new WordPress account is created from IdP identity data and assigned your configured default role.

I am locked out. How do I recover?

Use the emergency bypass URL shown in Settings -> SSO & SAML Login -> Misc / Reset.

What is the difference between Free and Pro?

Free includes core SAML/OIDC login and provisioning for unlimited users. Pro (a separate plugin) adds role mapping, SSO enforcement, attribute sync, audit log (with CSV export/retention), and Microsoft Graph import/sync/deprovision features.

How do I upgrade from Free to Pro?

Use the Upgrade to Pro links inside plugin settings or the account/upgrade entry in the plugin UI.

What developer hooks are available?

Available in all plans ssosamlentra_login_success Fires after a successful SSO login. ssosamlentra_login_failed Fires when an SSO login attempt fails. ssosamlentra_after_provision_user Fires after JIT provisioning completes. Pro-only hooks (active with valid Pro license) ssosamlentra_user_attributes (filter) Filter normalized attributes before provisioning. ssosamlentra_pre_role_mapping (filter) Filter resolved WordPress role before applying role mapping. ssosamlentra_role_mapped Fires after mapped role is applied. ssosamlentra_sso_enforced Fires when password login is blocked due to SSO enforcement. ssosamlentra_graph_sync_user (filter) Filter whether an individual Graph user should be synced.

更新日志:

1.0.1

Documentation and compliance updates.

1.0.0

Initial release.
SAML 2.0 SP flow using onelogin/php-saml.
OIDC + PKCE flow with RS256 JWT validation.
JIT user provisioning and default role assignment.
Metadata import/discovery tools.
Pro features (separate plugin): role mapping, SSO enforcement, attribute sync, audit log, and Graph user sync.
WP-CLI commands and emergency bypass URL.