How WordPress Single Sign On Authentication Works
How WordPress Single Sign On Authentication Works. With WordPress Single Sign On (SSO) your website users are automatically logged into your WordPress site by the apps or online services they use every day. It’s one less username password combo they have to remember, and keeps them focused on their tasks.
Table of Contents
What is WordPress Single Sign On?
SSO attribute isn’t a new phenomenon. Even back in the 1990s developers were looking for ways to make things a little easier. Up until then applications exclusively relied on an internal user store to authenticate users and grant access to the application.
But this became a difficult task, as the number of applications increased. Developers had to maintain and secure multiple user stores and users had more credentials to memorize (or, let’s be honest, write down). Hence the birth of what we know today as SSO feature.
WordPress Single Sign-On is a function (read: feature) added to your WordPress website. It allows users to securely access their accounts without having to authenticate directly on your website. Authentication is instead managed by an online service they likely already have an account with, such as:
- Office 365.
- Google Apps / Workspaces.
- Azure AD.
- Azure B2C.
- Okta.
- ADFS.
- Keycloak.
- OneLogin.
- and many more…
Although SSO can be added with custom code, it is typically implemented with a plugin.
How WordPress Single Sign On Authentication Works
At the heart of WordPress SSO is Federated Identity Management (FIDM), which is a trust relationship between a service provider (SP), like your WordPress website, and an Identity Provider (IdP), like any of those listed above.
Driving interaction between the IdP and the SP is what is known as a federated identity protocol. Federated identity links a user’s electronic identities (accounts) across two or more identity management systems. The protocol refers to the rules that govern the exchange of information for authentication and authorization purposes.
WordPress SSO typically uses SAML as its federated identity protocol.
SAML (Security Authentication Markup Language)
In the early 2000s, the open standard SAML was created as a means to facilitate SSO – primarily between web-based applications. SAML provides authentication and authorization.
- Authentication: Verifies who a user claims to be.
- Authorisation: Determines which resources an authenticated user has access to.
How SAML works
In a nutshell, the SAML process flow works thus: authenticate unauthenticated users at the IdP, wherever they request access.
Let’s take a closer look:
Step 1: Authentication
The process starts with a user requesting access to resources provided by the service provider (SP). The SP responds by generating a SAML request for authentication, which is passed to the user agent (the user’s browser).
Step 2: Redirect to IdP
Note: Even if the user is already authenticated, the redirect to the IdP still happens, but the authentication process is skipped. In either case a SAML assertion is generated, encoded, and returned to the browser.
Step 3: Response verification
The user agent sends the SAML assertion to the SP for verification.
If the SP’s verification of the IdP’s SAML assertion is successful, the user is mapped to a local user store and granted access.
One unique feature of SAML is that the method of authentication is recorded in the assertion. In other words, did our user authenticate with a username password combination, multi factor authentication, or some other method?
If the SP (e.g. your WordPress website) requires a stronger method of authentication, the user agent redirects back to the IdP to complete the required authentication process.
SAML uses Extensible Markup Language (XML) for standardized communications between the identity provider and service providers.
Please follow on reading about how WordPress Single Sign On Authentication Works in the case of WP.
The Case for WordPress Single Sign-On
With SSO in place, users enjoy convenient access to the services they use. It also helps organizations cut down on expenses and maintain security.
Case in point: a colleague, Dale, who manages a few WordPress sites.
Among his collection of clients is a professional association. They run a membership multisite – the primary domain carrying the brochure site where visitors can view the usual gamut of information (About, Benefits, a Member Directory, and so on). The subdomain is the members’ area where existing members can log in, read related news, watch videos and perform membership related tasks.
Except, it doesn’t get used.
Members rarely, if ever, log in – they can’t remember their usernames and passwords – and so don’t use the features built into the site. Proof is during the association’s annual vote for new management, where all members have the opportunity to choose who they want in charge of finances, training, and so on. In one month Dale spends more time helping members recover forgotten credentials than in all other months of the year combined.
This has a knock on effect in other areas of the association’s activities. Even though the website supports all the functions members may need, the association’s management has to incur additional expenses on platforms that make those functions more easily accessible (and also less secure).
Benefits of WordPress Single Sign On
According to Gartner 20% – 50% of all support queries are related to password resets. If you take into account that a single password reset can take anything between 20 minutes and 1.5 hours, a cost ranging from $20 to $70 per credential-related support issue is realistic. Forrester research says that enterprises typically budget $1 million per annum for password-related support.
Single Sign-On can help you due to following features:
WordPress SSO Reduces password fatigue
Users have one less password to remember. And since they are already logged in with an IdP they frequently use, they’re automatically logged into your WordPress website.
WordPress SSO Reduces helpdesk workloads
Now that authentication is handled by the IdP, helpdesk staff have can respond faster to users who have queries more relevant to the purpose of your WordPress website.
WordPress SSO Increases security
At a bare minimum IdPs typically require strong passwords. Many of them also require multi factor authentication (MFA), such as a one time pin (OTP) delivered to a user’s handset via text message.
WordPress SSO Ensures current metadata
The federation between your WordPress website and the IdP can be configured to pass additional user data when authentication occurs. This can include title, occupation, and so on.
Introducing WP Cloud Single Sign-On
This part of article how WordPress Single Sign On Authentication Works is to introduce the WP plugin. WP Cloud SSO is developed by Cloud Security Experts and back by more than 20 years’ experience with Identity and Access Management (IAM), Active Directory, SAML, as well as WordPress and IT security.
With WP Cloud SSO your WordPress website (the service provider) can integrate with many different top tier IdPs.
In addition to the benefits listed above, WP Cloud SSO further enhances the SSO experience with these premium features:
Role Mapping
WP Cloud SSO can automatically assign WordPress roles to your users based on IdP user attributes or memberships. This enables centralized access management across multiple platforms.
Automatic User Creation
Automatically create and update users in WordPress from your IdP. Automating the user lifecycle management process by creating and updating user data in connected applications.
Single Login / Logout
WP Cloud SSO makes it easy to add a custom login and logout button. Logging out is as universal as logging in – the session is terminated at both your WordPress site and the IdP.
Profile Picture
WP Cloud SSO can map profile images from the IdP to their respective WordPress accounts. This makes it easy for your users to maintain a consistent presence across different platforms.
Great effort in reading about how WordPress Single Sign On Authentication Works. Let’s summarize.
WordPress Single Sign On Authentication Conclusion
WordPress Single Sign-On has benefits for both the organization and end users that extends beyond convenience. It alleviates password fatigue and can enhance security. When using a premium plugin you’ll also be able to simplify and automate user management, saving valuable time for site administrators and users alike.
