{"id":294515,"date":"2026-05-12T21:16:40","date_gmt":"2026-05-12T21:16:40","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/securepie-sso-saml\/"},"modified":"2026-05-20T18:11:20","modified_gmt":"2026-05-20T18:11:20","slug":"securepie-sso-saml","status":"publish","type":"plugin","link":"https:\/\/ar.wordpress.org\/plugins\/securepie-sso-saml\/","author":23499802,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.11","stable_tag":"1.0.11","tested":"7.0","requires":"5.8","requires_php":"7.4","requires_plugins":null,"header_name":"SecurePie SSO SAML \u2014 Single Sign-On, SAML Login & Enterprise SSO for WordPress","header_author":"SecurePie","header_description":"SAML 2.0 Single Sign-On (SSO) plugin for WordPress. Configure your site as a SAML Service Provider to enable SSO with any SAML 2.0 compliant Identity Provider.","assets_banners_color":"e8e9ea","last_updated":"2026-05-20 18:11:20","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/securepie.com\/wordpress\/sso","header_author_uri":"https:\/\/securepie.com","rating":0,"author_block_rating":0,"active_installs":0,"downloads":287,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.1":{"tag":"1.0.1","author":"secureparrot","date":"2026-05-13 17:05:08"},"1.0.10":{"tag":"1.0.10","author":"secureparrot","date":"2026-05-18 12:51:14"},"1.0.11":{"tag":"1.0.11","author":"secureparrot","date":"2026-05-20 18:11:20"},"1.0.2":{"tag":"1.0.2","author":"secureparrot","date":"2026-05-14 13:08:40"},"1.0.3":{"tag":"1.0.3","author":"secureparrot","date":"2026-05-14 20:50:04"},"1.0.4":{"tag":"1.0.4","author":"secureparrot","date":"2026-05-15 14:25:45"},"1.0.5":{"tag":"1.0.5","author":"secureparrot","date":"2026-05-15 19:52:03"},"1.0.6":{"tag":"1.0.6","author":"secureparrot","date":"2026-05-15 
20:30:53"},"1.0.7":{"tag":"1.0.7","author":"secureparrot","date":"2026-05-16 07:33:48"},"1.0.8":{"tag":"1.0.8","author":"secureparrot","date":"2026-05-16 10:21:27"},"1.0.9":{"tag":"1.0.9","author":"secureparrot","date":"2026-05-16 22:39:16"}},"upgrade_notice":{"1.0.0":"<p>Initial release of SecurePie SSO SAML.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3530386,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3530386,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3530386,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3530386,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.1","1.0.10","1.0.11","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Service Provider Setup - Copy metadata to configure your IdP","2":"Identity Provider Setup - Enter your IdP's SAML details or import metadata","3":"Attribute &amp; Role Mapping - Map SAML attributes to WordPress fields","4":"Test Configuration - Verify your SSO setup and view returned attributes","5":"Redirection &amp; SSO Links - Configure login behavior and SSO button","6":"Test SSO Configuration - Results page showing NameID and the full SAML attribute table","7":"Help &amp; Support - In-plugin contact form with 24\/7 
response"}},"plugin_section":[],"plugin_tags":[138854,160675,9213,5136,2469],"plugin_category":[38],"plugin_contributors":[262831],"plugin_business_model":[],"class_list":["post-294515","plugin","type-plugin","status-publish","hentry","plugin_tags-azure-ad","plugin_tags-okta","plugin_tags-saml","plugin_tags-single-sign-on","plugin_tags-sso","plugin_category-authentication","plugin_contributors-secureparrot","plugin_committers-akashrathi","plugin_committers-secureparrot"],"banners":{"banner":"https:\/\/ps.w.org\/securepie-sso-saml\/assets\/banner-772x250.png?rev=3530386","banner_2x":"https:\/\/ps.w.org\/securepie-sso-saml\/assets\/banner-1544x500.png?rev=3530386","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/securepie-sso-saml\/assets\/icon-128x128.png?rev=3530386","icon_2x":"https:\/\/ps.w.org\/securepie-sso-saml\/assets\/icon-256x256.png?rev=3530386","generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p><strong>SecurePie SSO SAML<\/strong> is a SAML 2.0 Single Sign-On (SSO) plugin for WordPress that provides enterprise SSO login, SAML login, and federated login via any SAML 2.0 Identity Provider \u2014 including Azure AD (Entra ID), Okta, Google Workspace, OneLogin, ADFS, Auth0, PingFederate, and Keycloak.<\/p>\n\n<p>Whether you need SAML SSO for an intranet, an enterprise SSO portal for customers, or federated authentication for your team, this plugin turns your WordPress site into a SAML Service Provider with zero external dependencies.<\/p>\n\n<p>SecurePie SSO SAML allows you to configure your WordPress site as a SAML 2.0 Service Provider (SP), enabling Single Sign-On with any SAML 2.0 compliant Identity Provider (IdP) such as Azure AD, Okta, Google Workspace, OneLogin, ADFS, and more.<\/p>\n\n<p>This is a <strong>zero-dependency<\/strong> plugin \u2014 it uses only PHP's built-in <code>dom<\/code>, <code>openssl<\/code>, and <code>zlib<\/code> extensions. 
No Composer, no external libraries, no conflicts with other plugins.<\/p>\n\n<h4>Features<\/h4>\n\n<ul>\n<li><strong>Full SAML 2.0 SSO<\/strong> \u2014 AuthnRequest generation, Response validation, user provisioning<\/li>\n<li><strong>SP Metadata Endpoint<\/strong> \u2014 Auto-generated metadata XML for easy IdP configuration<\/li>\n<li><strong>IdP Metadata Parsing<\/strong> \u2014 Import IdP settings from a metadata URL or XML file<\/li>\n<li><strong>XML Digital Signature Verification<\/strong> \u2014 RSA-SHA256 and RSA-SHA1 support (per the changelog, SHA-1 is opt-in since 1.0.7 and rejected in the free tier since 1.0.9)<\/li>\n<li><strong>Security Hardened<\/strong> \u2014 XXE prevention, signature wrapping attack protection, replay prevention, audience validation<\/li>\n<li><strong>Attribute Mapping<\/strong> \u2014 Map SAML attributes to WordPress user fields (username, email, first name, last name, display name)<\/li>\n<li><strong>Role Mapping<\/strong> \u2014 Assign WordPress roles based on IdP group\/role attributes<\/li>\n<li><strong>Auto User Provisioning<\/strong> \u2014 Automatically create WordPress users on first SSO login<\/li>\n<li><strong>SSO Login Button<\/strong> \u2014 Customizable SSO button on the WordPress login page<\/li>\n<li><strong>Force SAML Login<\/strong> \u2014 Optionally redirect all login attempts through the IdP<\/li>\n<li><strong>Single Logout (SLO)<\/strong> \u2014 Send LogoutRequest to the IdP when users log out of WordPress<\/li>\n<li><strong>Test Configuration<\/strong> \u2014 Validate your SSO setup and see returned attributes before going live<\/li>\n<li><strong>HTTP-Redirect and HTTP-POST Bindings<\/strong> \u2014 Support for both SAML binding types<\/li>\n<li><strong>Clean Admin Interface<\/strong> \u2014 Professional tabbed settings page with copy-to-clipboard functionality<\/li>\n<\/ul>\n\n<h4>Use Cases<\/h4>\n\n<ul>\n<li><strong>Enterprise SSO<\/strong> \u2014 Centralize WordPress login through your corporate Identity Provider so employees use one set of credentials.<\/li>\n<li><strong>SAML Login for Customer 
Portals<\/strong> \u2014 Let B2B customers sign in to your WordPress site using their own SAML SSO identity.<\/li>\n<li><strong>Federated Login Across Sites<\/strong> \u2014 Use a single SAML IdP to federate authentication across multiple WordPress installs.<\/li>\n<li><strong>SSO Authentication for Membership Sites<\/strong> \u2014 Replace WordPress's default signin flow with SAML SSO login from Azure AD, Okta, or Google Workspace.<\/li>\n<li><strong>Intranet Single Sign-On<\/strong> \u2014 Add WordPress to your existing SSO ecosystem alongside other SAML 2.0 enabled apps.<\/li>\n<\/ul>\n\n<h4>Supported Identity Providers<\/h4>\n\n<ul>\n<li>Microsoft Azure Active Directory (Entra ID)<\/li>\n<li>Okta<\/li>\n<li>Google Workspace<\/li>\n<li>OneLogin<\/li>\n<li>Salesforce<\/li>\n<li>Auth0<\/li>\n<li>PingFederate<\/li>\n<li>Shibboleth<\/li>\n<li>ADFS (Active Directory Federation Services)<\/li>\n<li>Keycloak<\/li>\n<li>Any SAML 2.0 compliant IdP<\/li>\n<\/ul>\n\n<h4>Setting up SAML SSO with Azure AD (Entra ID)<\/h4>\n\n<p>Connecting WordPress to Azure AD \/ Entra ID for SAML SSO with SecurePie takes about ten minutes:<\/p>\n\n<ol>\n<li>In the WordPress admin, open <strong>SecurePie SSO \u2192 Service Provider<\/strong> and copy the <strong>SP Entity ID<\/strong> and <strong>ACS URL<\/strong>.<\/li>\n<li>In Azure, create a new <strong>Enterprise Application<\/strong> of type \"Non-gallery application\" and open its <strong>Single sign-on \u2192 SAML<\/strong> blade.<\/li>\n<li>Paste the SP Entity ID into Azure's <strong>Identifier (Entity ID)<\/strong> field and the ACS URL into the <strong>Reply URL (Assertion Consumer Service URL)<\/strong> field.<\/li>\n<li>Under \"SAML Signing Certificate\", download the <strong>Federation Metadata XML<\/strong> (or copy the Login URL and certificate).<\/li>\n<li>Back in WordPress, open <strong>Identity Provider \u2192 Quick Setup<\/strong> and either upload the metadata XML or paste the metadata URL. 
SecurePie auto-fills Entity ID, Login URL and X.509 Certificate.<\/li>\n<li>Assign your Azure users \/ groups to the Enterprise Application, then run <strong>Test Configuration<\/strong> in WordPress to confirm attributes flow through correctly before enabling the SSO button on the login page.<\/li>\n<\/ol>\n\n<h4>Setting up SAML SSO with Okta<\/h4>\n\n<p>Okta-to-WordPress SAML SSO with SecurePie follows the same pattern:<\/p>\n\n<ol>\n<li>In the WordPress admin, open <strong>SecurePie SSO \u2192 Service Provider<\/strong> and copy the <strong>SP Entity ID<\/strong>, <strong>ACS URL<\/strong> and <strong>Single Logout URL<\/strong>.<\/li>\n<li>In the Okta admin, go to <strong>Applications \u2192 Create App Integration \u2192 SAML 2.0<\/strong>, give the app a name, and continue to step 2 of Okta's wizard.<\/li>\n<li>Paste the SP Entity ID into Okta's <strong>Audience URI (SP Entity ID)<\/strong> field and the ACS URL into the <strong>Single Sign-on URL<\/strong> field.<\/li>\n<li>Configure Okta's attribute statements to send <code>email<\/code>, <code>firstName<\/code>, <code>lastName<\/code>, and optionally a <code>groups<\/code> claim for role mapping.<\/li>\n<li>After saving, open the Okta <strong>Sign On<\/strong> tab, click <strong>View SAML setup instructions<\/strong>, and copy the <strong>Identity Provider Single Sign-On URL<\/strong>, <strong>Identity Provider Issuer<\/strong> and the <strong>X.509 Certificate<\/strong>.<\/li>\n<li>Back in WordPress, paste these into <strong>Identity Provider Setup<\/strong> (or use Okta's metadata URL). 
Run <strong>Test Configuration<\/strong> to verify the SAML assertion before going live.<\/li>\n<\/ol>\n\n<h4>Requirements<\/h4>\n\n<ul>\n<li>PHP 7.4 or higher<\/li>\n<li>PHP extensions: <code>dom<\/code>, <code>openssl<\/code>, <code>zlib<\/code> (enabled by default on most hosts)<\/li>\n<li>WordPress 5.8 or higher<\/li>\n<\/ul>\n\n<h3>External Services<\/h3>\n\n<p>This plugin implements the SAML 2.0 protocol, which requires communication with an external Identity Provider (IdP) that is configured by the site administrator. No data is sent to any external service without the administrator explicitly configuring the connection.<\/p>\n\n<h4>Identity Provider Communication<\/h4>\n\n<p>When a user initiates SSO login, the plugin redirects the user's browser to the Identity Provider's SAML Login URL (configured by the administrator). The following data is sent as part of the standard SAML 2.0 AuthnRequest:<\/p>\n\n<ul>\n<li>The Service Provider Entity ID (your site's identifier)<\/li>\n<li>The Assertion Consumer Service URL (your site's callback URL)<\/li>\n<li>A unique request ID for replay prevention<\/li>\n<\/ul>\n\n<p>The Identity Provider then authenticates the user and sends a SAML Response back to your site containing the user's identity attributes (such as email, name, and group membership).<\/p>\n\n<p>This SAML communication is entirely between your WordPress site and the IdP that you configure. No SAML data is sent to SecurePie or any other third party. The in-plugin support form is a separate channel: per the 1.0.2 changelog, its submissions are routed via the SecurePie support API together with diagnostic context (site URL, plugin\/WP\/PHP versions).<\/p>\n\n<p>The terms of service and privacy policy for the Identity Provider depend on which provider you choose to configure (e.g., Microsoft Azure AD, Okta, Google Workspace). Please consult your Identity Provider's documentation for their specific terms.<\/p>\n\n<h4>IdP Metadata Import (Optional)<\/h4>\n\n<p>The plugin can optionally fetch Identity Provider metadata from a URL provided by the administrator. 
This is a one-time server-to-server request to retrieve the IdP's public configuration (Entity ID, Login URL, X.509 Certificate). No user data is sent during this request.<\/p>\n\n<h4>SAML Attribute Namespace URIs<\/h4>\n\n<p>The plugin references standard SAML attribute namespace URIs (e.g., <code>http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress<\/code>) as identifiers within SAML assertions. These are XML namespace strings used for attribute identification and are not HTTP requests to external services.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>securepie-sso-saml<\/code> folder to the <code>\/wp-content\/plugins\/<\/code> directory, or install the plugin through the WordPress plugins screen.<\/li>\n<li>Activate the plugin through the 'Plugins' screen in WordPress.<\/li>\n<li>Navigate to <strong>SecurePie SSO<\/strong> in the admin menu.<\/li>\n<li>Copy the SP metadata URL from the <strong>Service Provider<\/strong> tab and register it with your Identity Provider.<\/li>\n<li>Enter your IdP's SAML details in the <strong>Identity Provider Setup<\/strong> tab (or use the metadata import feature).<\/li>\n<li>Configure <strong>Attribute Mapping<\/strong> to match your IdP's attribute names.<\/li>\n<li>Use the <strong>Test Configuration<\/strong> tab to verify your SSO setup.<\/li>\n<li>Enable the SSO button on the login page from the <strong>Redirection &amp; SSO<\/strong> tab.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"what%20is%20saml%20sso%3F\"><h3>What is SAML SSO?<\/h3><\/dt>\n<dd><p>SAML (Security Assertion Markup Language) Single Sign-On allows users to log in to WordPress using their existing organizational credentials from an Identity Provider like Azure AD, Okta, or Google Workspace.<\/p><\/dd>\n<dt id=\"which%20identity%20providers%20are%20supported%3F\"><h3>Which Identity Providers are supported?<\/h3><\/dt>\n<dd><p>SecurePie SSO SAML works with any SAML 2.0 compliant Identity 
Provider.<\/p><\/dd>\n<dt id=\"where%20do%20i%20find%20my%20idp%27s%20saml%20settings%3F\"><h3>Where do I find my IdP's SAML settings?<\/h3><\/dt>\n<dd><p>Your Identity Provider's admin console will provide the Entity ID, Login URL, Logout URL, and X.509 Certificate needed for configuration. You can also import these from the IdP's metadata URL.<\/p><\/dd>\n<dt id=\"can%20i%20still%20log%20in%20with%20wordpress%20credentials%3F\"><h3>Can I still log in with WordPress credentials?<\/h3><\/dt>\n<dd><p>Yes. Even with Force SAML Login enabled, you can access the standard WordPress login at <code>wp-login.php?normal=1<\/code>. Force SAML Login therefore redirects login attempts but does not disable password authentication, so local WordPress account passwords still need to be protected.<\/p><\/dd>\n<dt id=\"does%20this%20plugin%20create%20wordpress%20users%20automatically%3F\"><h3>Does this plugin create WordPress users automatically?<\/h3><\/dt>\n<dd><p>Yes. When a user authenticates via SAML for the first time, the plugin creates a WordPress user account with the configured default role and mapped attributes.<\/p><\/dd>\n<dt id=\"what%20security%20measures%20are%20in%20place%3F\"><h3>What security measures are in place?<\/h3><\/dt>\n<dd><p>The plugin validates XML digital signatures (RSA-SHA256\/SHA1), prevents XXE attacks, guards against signature wrapping attacks, validates audience restrictions, checks assertion timestamps with clock skew tolerance, and uses single-use transients for replay prevention. Per the changelog, SHA-1 signatures have been opt-in since 1.0.7 and are rejected in the free tier since 1.0.9.<\/p><\/dd>\n<dt id=\"does%20this%20plugin%20require%20composer%20or%20external%20libraries%3F\"><h3>Does this plugin require Composer or external libraries?<\/h3><\/dt>\n<dd><p>No. SecurePie SSO SAML is built entirely with PHP's built-in extensions (<code>dom<\/code>, <code>openssl<\/code>, <code>zlib<\/code>) and has zero external dependencies.<\/p><\/dd>\n<dt id=\"does%20this%20plugin%20support%20enterprise%20sso%20and%20federated%20login%3F\"><h3>Does this plugin support enterprise SSO and federated login?<\/h3><\/dt>\n<dd><p>Yes. SecurePie SSO SAML is built for enterprise SSO and federated login scenarios. 
It implements the SAML 2.0 Web Browser SSO profile, which is the industry standard for federated authentication used by Azure AD, Okta, OneLogin, Google Workspace, and other enterprise Identity Providers.<\/p><\/dd>\n<dt id=\"how%20is%20this%20different%20from%20oauth%20or%20oidc%20login%20plugins%3F\"><h3>How is this different from OAuth or OIDC login plugins?<\/h3><\/dt>\n<dd><p>This plugin implements SAML 2.0 only \u2014 the protocol most enterprise Identity Providers use for SSO. If your IdP only supports OAuth 2.0 or OpenID Connect (OIDC), you will need a different plugin. SAML is the standard for enterprise federation; OAuth\/OIDC is more common for consumer login.<\/p><\/dd>\n<dt id=\"how%20do%20i%20set%20up%20saml%20sso%20with%20azure%20ad%20on%20wordpress%3F\"><h3>How do I set up SAML SSO with Azure AD on WordPress?<\/h3><\/dt>\n<dd><p>Copy the SP Entity ID and ACS URL from the <strong>Service Provider<\/strong> tab, paste them into a new Azure AD \/ Entra ID Enterprise Application (SAML), and download Azure's Federation Metadata XML. Upload the XML in <strong>Identity Provider \u2192 Quick Setup<\/strong> \u2014 SecurePie auto-fills the Entity ID, Login URL and X.509 Certificate. Run <strong>Test Configuration<\/strong> to confirm the attributes are flowing, then enable the SSO button on the WordPress login page.<\/p><\/dd>\n<dt id=\"how%20do%20i%20set%20up%20saml%20sso%20with%20okta%20on%20wordpress%3F\"><h3>How do I set up SAML SSO with Okta on WordPress?<\/h3><\/dt>\n<dd><p>In Okta, create a new <strong>SAML 2.0 App Integration<\/strong>, then paste the SP Entity ID into Okta's \"Audience URI\" field and the ACS URL into \"Single Sign-on URL\". Configure attribute statements for email, firstName, lastName, and groups. After saving, copy Okta's IdP Issuer, IdP Single Sign-On URL and X.509 Certificate (or use the metadata URL) into the <strong>Identity Provider Setup<\/strong> tab in WordPress. 
Verify with <strong>Test Configuration<\/strong>.<\/p><\/dd>\n<dt id=\"does%20securepie%20sso%20support%20wordpress%20multisite%3F\"><h3>Does SecurePie SSO support WordPress MultiSite?<\/h3><\/dt>\n<dd><p>Yes for per-site activation. Each subsite in a MultiSite install can be configured as its own SAML Service Provider with its own IdP. If you need a single SAML configuration shared across the network (network-level activation, cross-site SSO federation, or domain-based IdP routing), upgrade to SecurePie SSO Premium \u2014 those federation features are not included in the free plugin.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.11<\/h4>\n\n<ul>\n<li>Compat: Declared compatibility with WordPress 7.0 (no functional changes \u2014 verified against the WP 7.0 release notes: no block-editor \/ iframed-editor touchpoints, PHP 7.4 minimum already met, no deprecated function calls).<\/li>\n<\/ul>\n\n<h4>1.0.10<\/h4>\n\n<ul>\n<li>SEO: Optimised the 5 indexable tag slots toward high-intent brand-name searches (Okta, Azure AD).<\/li>\n<li>SEO: Expanded the short description to name OneLogin and ADFS alongside Azure AD, Okta and Google Workspace.<\/li>\n<li>Docs: Added Azure AD (Entra ID) and Okta SAML SSO setup walkthroughs to the Description.<\/li>\n<li>Docs: Three new FAQ entries \u2014 Azure AD setup, Okta setup, MultiSite support.<\/li>\n<li>Docs: Added two new captioned screenshot entries (Test SSO Configuration results, Help &amp; Support form).<\/li>\n<li>No functional or SAML-protocol changes.<\/li>\n<\/ul>\n\n<h4>1.0.9<\/h4>\n\n<ul>\n<li>New: Bundled \"Need Help?\" support panel with embedded contact form on the configuration page, accompanied by a custom headphones icon (replaces the dashicons SOS glyph).<\/li>\n<li>New: \"Try Live Demo\" button in the plugin header for one-click access to the live demo and pricing page.<\/li>\n<li>Change: Tightened free-tier scope. 
Attribute Mapping, Role Mapping, Group-to-Role Mapping and the Redirect &amp; SSO settings are now Premium features; the free tier renders these sections as locked teasers with an Upgrade-to-Premium call-to-action. The SSO login button on wp-login.php uses the fixed text \"SSO Login\" in the free tier.<\/li>\n<li>Change: Removed the \"Configured Identity Providers\" list and the \"Add More Identity Providers\" teaser from the free tier \u2014 the free plan supports a single Identity Provider only.<\/li>\n<li>Security: SHA-1 SAML signatures and digests are permanently rejected in the free tier. IdP-initiated SSO and email-based account linking are hard-disabled in the free tier (admin toggles removed; direct writes to wp_options have no effect).<\/li>\n<li>Fix: \"Test SSO Configuration\" button no longer falls through to a real login that would invalidate the admin's existing session. The test flow is now tracked via a server-side request-ID marker that survives the cross-site SameSite=Lax ACS POST returning from the IdP.<\/li>\n<li>UX: Right-side persistent help and contact panel on the configuration page. Service Provider tab values stay inside the card on narrower viewports (responsive flex-wrap + min-width fixes). Settings-saved notice renders with a light-green background and auto-dismisses after five seconds.<\/li>\n<li>Cleanup: Dropped register_setting() calls and sanitiser callbacks for the locked options so admin tweaks via the Settings API are not possible.<\/li>\n<\/ul>\n\n<h4>1.0.8<\/h4>\n\n<ul>\n<li>Free plan now includes 100 lifetime SAML SSO logins per install. Once consumed, further SAML logins are paused and the admin is directed to upgrade. 
WordPress password login continues to work normally \u2014 administrators are never locked out.<\/li>\n<li>Added a Free plan card to the pricing tab with live usage progress (green \/ yellow \/ red).<\/li>\n<li>Identity Provider tab shows a warning banner at 80% of the free allowance and a red banner once the cap is reached.<\/li>\n<li>Rewrote Standard \/ Premium \/ Enterprise feature descriptions and unified the call-to-action button to \"Upgrade Now\" linking to https:\/\/securepie.com\/wordpress\/sso\/pricing.<\/li>\n<li>Pricing aligned with the broader SAML SSO market: Standard $175 \/ Premium $225 \/ Enterprise $275 (per year).<\/li>\n<\/ul>\n\n<h4>1.0.7 \u2014 Security Release<\/h4>\n\n<p>This release addresses one critical and several high-severity findings from an independent security audit. All sites are strongly encouraged to update.<\/p>\n\n<ul>\n<li>(Critical) Hardened SAML Response parsing against XML Signature Wrapping (XSW) attacks. All NameID, attribute, and condition reads are now bound to the signature-verified Assertion node. Responses containing more than one Assertion element are rejected.<\/li>\n<li>(High) Email-based account linking is now opt-in (off by default). Admin accounts are never auto-linked by email \u2014 a previously-bound NameID is required.<\/li>\n<li>(High) The Default Role dropdown no longer offers Administrator or Super Admin, and the sanitize callback rejects these values defensively.<\/li>\n<li>(High) Assertions without a NotOnOrAfter are now rejected. Replay-cache TTL is keyed to the assertion's actual expiry plus a 5-minute skew, bounded to 24 hours.<\/li>\n<li>(High) IdP-initiated SSO (empty InResponseTo) is now opt-in (off by default).<\/li>\n<li>(High) Identity Provider metadata import now enforces https:\/\/, rejects loopback\/private\/link-local IP addresses, caps the response at 1 MiB, and verifies the Content-Type.<\/li>\n<li>(Medium) SHA-1 signatures are now opt-in (off by default). 
The plugin defaults to SHA-256\/384\/512.<\/li>\n<li>(Medium) Signature verification now runs before any other validation, so unsigned XML content is never consulted before crypto verification.<\/li>\n<\/ul>\n\n<h4>1.0.6<\/h4>\n\n<ul>\n<li>Plugin admin UI is now fully responsive \u2014 pricing grid, Identity Provider grid, attribute mapping rows and Update Required modal adapt cleanly to tablet and phone widths<\/li>\n<li>Plugin admin now fills the full screen width on large monitors (removed the previous 1100px cap)<\/li>\n<li>Wide tables (Help page, multi-IdP listing) scroll horizontally on narrow screens instead of overflowing the layout<\/li>\n<li>No functional \/ SAML changes<\/li>\n<\/ul>\n\n<h4>1.0.5<\/h4>\n\n<ul>\n<li>Added an \"Update Required\" modal on the plugin's admin pages when a newer version is available on WordPress.org<\/li>\n<li>The modal locks the plugin settings UI (Service Provider, IdP, Attribute Mapping, etc.) until the user updates, with a one-click link to WordPress's standard plugin updater<\/li>\n<li>SAML SSO login continues to work normally while the admin UI is locked \u2014 no risk of locking users out of WordPress<\/li>\n<li>Uses WordPress's existing update-check transient (no external API calls, no new permissions)<\/li>\n<\/ul>\n\n<h4>1.0.4<\/h4>\n\n<ul>\n<li>Premium page: removed the Free tier and repriced \u2014 Single IdP ($199\/yr), Premium ($299\/yr), Enterprise ($399\/yr)<\/li>\n<li>Premium page: added \"Current Plan\" indicator driven by the <code>securepie_current_plan<\/code> WP option (empty by default, so unpaid users see buy\/upgrade buttons as before)<\/li>\n<\/ul>\n\n<h4>1.0.3<\/h4>\n\n<ul>\n<li>SEO metadata update: refreshed title, short description, tags, and use-case documentation<\/li>\n<li>Added \"Use Cases\" section covering enterprise SSO, SAML login, federated login, and intranet SSO scenarios<\/li>\n<li>Added FAQ entries on enterprise SSO \/ federated login and SAML vs OAuth\/OIDC differences<\/li>\n<li>No 
functional changes<\/li>\n<\/ul>\n\n<h4>1.0.2<\/h4>\n\n<ul>\n<li>Added \"Send us your query\" support form on both the plugin Help page and the main Configuration page<\/li>\n<li>Support form submissions are routed via the SecurePie support API, removing the dependency on the host's wp_mail() configuration<\/li>\n<li>Form sends diagnostic context (site URL, plugin\/WP\/PHP versions) to help SecurePie respond faster<\/li>\n<li>No new permissions, dependencies, or external libraries \u2014 uses WordPress's built-in HTTP API<\/li>\n<\/ul>\n\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Improved metadata file upload with auto-parse on file selection<\/li>\n<li>Added inline status messages for metadata parsing feedback<\/li>\n<li>Fixed double-escaped HTML entities in Identity Provider tab<\/li>\n<li>Added proper output escaping on all template ternary expressions<\/li>\n<li>Enhanced SAML Response validation security<\/li>\n<li>Fixed SSO button alignment on WordPress login page<\/li>\n<li>Removed duplicate settings saved notice<\/li>\n<li>Added HTTPS enforcement for Identity Provider URLs<\/li>\n<li>Improved role mapping validation against registered WordPress roles<\/li>\n<li>Better error handling for SLO response validation<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<li>Full SAML 2.0 Web Browser SSO Profile implementation<\/li>\n<li>AuthnRequest generation with HTTP-Redirect and HTTP-POST bindings<\/li>\n<li>SAML Response validation with XML digital signature verification<\/li>\n<li>SP metadata endpoint for IdP registration<\/li>\n<li>IdP metadata parsing from URL or XML file<\/li>\n<li>Automatic user provisioning and profile updates<\/li>\n<li>Attribute mapping for username, email, first name, last name, display name<\/li>\n<li>Role mapping based on IdP group attributes<\/li>\n<li>SSO button on WordPress login page<\/li>\n<li>Force SAML login option with emergency bypass<\/li>\n<li>Single Logout (SLO) support<\/li>\n<li>Test configuration tool with detailed 
results display<\/li>\n<li>Admin interface with 5 configuration tabs<\/li>\n<li>Copy-to-clipboard for SP metadata values<\/li>\n<\/ul>","raw_excerpt":"SAML 2.0 SSO for WordPress. Enterprise login with Azure AD, Okta, Google Workspace, OneLogin, ADFS &amp; any SAML 2.0 Identity Provider.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/294515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=294515"}],"author":[{"embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/secureparrot"}],"wp:attachment":[{"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=294515"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=294515"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=294515"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=294515"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=294515"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/ar.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=294515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}