
WordPress Single Sign-On using KeyCloak SSO Login as IDP

Enable Keycloak SSO for your WordPress website using our SAML Single Sign On WordPress plugin. Let your Keycloak users log in to your WordPress blog and map their user roles to WordPress.

Within the plugin, set Keycloak as your SAML identity provider and enable WordPress single sign-on with Keycloak as your trusted IDP. Map WordPress user roles based on Keycloak users / groups.

Keycloak WordPress SSO with WP Cloud SSO


Getting Started Setting up WordPress SSO using KeyCloak Logins


Install KeyCloak Server

Below are the steps to configure Keycloak Single Sign-On (SSO) login into WordPress (WP).

  • Start Server: Start the Keycloak server by running the _standalone.sh_ file.
  • Location: <Keycloak root directory>/bin/standalone.sh

1.) Setup Keycloak as IDP for WordPress

By following the steps below you will be able to configure Keycloak as your Identity Provider for WordPress Single Sign-On.

A) Configure Keycloak as WordPress Identity Provider:

  • In the WordPress WP Cloud SSO plugin, go to the SP (Service Provider) Metadata tab. Here you can find the SP metadata, such as the SP Entity ID and ACS (AssertionConsumerService) URL, which are required to configure Keycloak as the IdP (Identity Provider).
  • In your Keycloak Admin console, select the realm that you want to use.
  • Click on Clients from the menu on your left and then click on Create button to create a new client/application.
  • Input the following: SP-EntityID / Issuer as the Client ID from the “Service Provider Metadata” Tab and select SAML as the Client Protocol.
  • Click on Save.
  • Configure Keycloak by providing the required details:
      Client ID: The SP-EntityID / Issuer from the plugin’s Service Provider Metadata tab
      Name: Provide a name for this client
      Description: Provide a description
      Name ID Format: Email
      Root URL: Leave empty or provide the Base URL from the Service Provider Metadata tab
      Valid Redirect URIs: The ACS (Assertion Consumer Service) URL from the plugin’s Service Provider Metadata tab
  • In the section Fine Grain SAML Endpoint Configuration, enter the following details:
      Assertion Consumer Service POST Binding URL: The ACS (Assertion Consumer Service) URL from the plugin’s Service Provider Metadata tab
      Logout Service Redirect Binding URL (Optional): The Single Logout URL from the plugin’s Service Provider Metadata tab
  • Click on Save.

B) Add Mappers

  • Go to Mappers tab and click on Add Builtin button.
  • Select the checkboxes for the X500 email, X500 givenName and X500 surname attributes.
  • Click on Add Selected button. You will see the mappings that are added below.

C) Download Setup file

  • Navigate to Realm Settings and, in the General tab, click on SAML 2.0 Identity Provider Metadata, listed under Endpoints.
  • Note the URL and keep it handy. That will provide you with the Endpoints required to configure the plugin.


You have successfully configured Keycloak as the SAML IdP (Identity Provider) for Keycloak login / Keycloak Single Sign-On (SSO), ensuring secure login into your WordPress (WP) site.

2.) Configure WordPress as SP

In the WordPress WP Cloud SSO plugin, go to the Identity Provider Setup tab of the plugin.


There are 2 ways to configure the WordPress SSO plugin:

A) Uploading IDP Metadata XML

  • Click on Upload IDP metadata button.
  • Enter the Identity Provider Name.
  • You can either upload a metadata file and click on Upload button or use a metadata URL and click on Fetch Metadata.

B) Manual KeyCloak IDP Configuration

  • Input the required settings (i.e. Identity Provider Name, IdP Entity ID or Issuer, SAML Login URL, X.509 Certificate) as provided by your Identity Provider and click on the Save button.
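
The values the manual form above asks for (IdP Entity ID, SAML Login URL, X.509 Certificate) can all be read from the metadata URL noted in step 1C. The following Python function is an added example, not code from the plugin or from Keycloak: it extracts those fields from a SAML 2.0 IdP metadata document and computes a SHA-256 fingerprint of the signing certificate. The hostname, realm and certificate bytes in the sample are constructed placeholders, and the function name `idp_settings` is hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: host, realm and certificate bytes are placeholders.
SAMPLE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.test/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://idp.example.test/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_settings(metadata_xml: str) -> dict:
    """Extract the manual-configuration fields and a SHA-256 certificate fingerprint."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    root = ET.fromstring(metadata_xml)
    # The IdP entity may be the root or wrapped in an EntitiesDescriptor.
    entity = next((e for e in root.iter(f"{{{MD}}}EntityDescriptor")
                   if e.find(f"{{{MD}}}IDPSSODescriptor") is not None), None)
    if entity is None:
        raise ValueError("no IdP entity found in metadata")
    idp = entity.find(f"{{{MD}}}IDPSSODescriptor")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    login_url = sso.get(REDIRECT) or sso.get(POST)
    if not login_url or not login_url.startswith("https://"):
        raise ValueError("SAML login URL is missing or not HTTPS")
    # Accept a key marked for signing, or one with no 'use' (valid for both purposes).
    cert_b64 = next(("".join((k.findtext(f".//{{{DS}}}X509Certificate") or "").split())
                     for k in idp.findall(f"{{{MD}}}KeyDescriptor")
                     if k.get("use") in (None, "signing")), "")
    if not cert_b64:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode(cert_b64, validate=True)
    return {"entity_id": entity.get("entityID"), "login_url": login_url,
            "x509_certificate": cert_b64,
            "cert_sha256": hashlib.sha256(der).hexdigest()}
```

Compare `cert_sha256` with the fingerprint of the realm's signing certificate obtained directly from Keycloak before saving the configuration, since the plugin will trust assertions signed with whatever certificate is entered here.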

3.) Keycloak Attribute Mapping

  • The Attribute Mapping feature allows you to map the user attributes sent by the IDP during SSO to the user attributes at WordPress.
  • In the WordPress WP Cloud SSO plugin, navigate to the Attribute/Role Mapping tab and fill in the following fields in the Attribute Mapping section.
  • Custom Attribute Mapping: This feature allows you to map any attribute sent by the IDP to the usermeta table of WordPress.

4.) WordPress Role Mapping using Keycloak SSO

This feature lets you assign and manage users' WordPress roles when they perform SSO, together with the default WordPress role.


  • From the Attribute Mapping section of the plugin, provide a mapping for the field named Group. This attribute will contain the role related information sent by the IDP and will be used for Role Mapping.
  • Navigate to the Role Mapping section and provide the mappings for the highlighted roles.
  • For example, if you want a user whose Group/Role attribute value is wp-editor to be assigned as an Editor in WordPress, just provide the mapping as wp-editor in the Editor field of the Role Mapping section.