
SAML authentication for WordPress, using SimpleSAMLphp.
SAML authentication for WordPress, using the bundled OneLogin SAML library or optionally installed SimpleSAMLphp. OneLogin provides a SAML authentication bridge; SimpleSAMLphp provides SAML plus a variety of other authentication mechanisms. This plugin acts as a bridge between WordPress and the authentication library.
If your organization uses Google Apps, integrating Google Apps with WP SAML Auth takes just a few steps.
The standard user flow looks like this:
- User can log in via SAML using a button added to the standard WordPress login view.
- When the button is clicked, the user is handed off to the authentication library. With OneLogin, the user is redirected to the SAML identity provider. With SimpleSAMLphp, the user is redirected to the SimpleSAMLphp install.
- Once the user is authenticated with the identity provider, they’re redirected back to WordPress and signed in to their account. A new WordPress user will be created if none exists (although this behavior can be disabled).
- When the user logs out of WordPress, they are also logged out of the identity provider.
A set of configuration options allows you to change the plugin’s default behavior. For instance, permit_wp_login=>false will force all authentication to go through the SAML identity provider, bypassing wp-login.php. Similarly, auto_provision=>false will disable automatic creation of new WordPress users.
See installation instructions for full configuration details.
Installing SimpleSAMLphp
The plugin supports both SimpleSAMLphp v1.x and v2.x. The autoloader is automatically detected:
* SimpleSAMLphp v2.x uses vendor/autoload.php
* SimpleSAMLphp v1.x uses lib/_autoload.php
Default Search Paths
The plugin automatically searches for SimpleSAMLphp in these locations:
* ABSPATH . 'simplesaml'
* ABSPATH . 'private/simplesamlphp'
* ABSPATH . 'simplesamlphp'
* ABSPATH . 'vendor/simplesamlphp/simplesamlphp' (Composer installation)
* plugin_dir_path . 'simplesamlphp'
For each path, the plugin checks for both vendor/autoload.php (v2.x) and lib/_autoload.php (v1.x).
This means Composer installations work automatically! If you run composer require simplesamlphp/simplesamlphp in your site root, the plugin will find it without any additional configuration.
Composer Installation (Advanced)
If you install SimpleSAMLphp via Composer to a custom location (not the standard vendor/simplesamlphp/simplesamlphp), you can specify the autoloader path:
add_filter( 'wp_saml_auth_option', function( $value, $option_name ) {
    if ( 'simplesamlphp_autoload' === $option_name ) {
        // Point to your custom Composer vendor autoloader
        return '/custom/path/vendor/autoload.php';
    }
    return $value;
}, 10, 2 );
Custom Installation Paths
If SimpleSAMLphp is installed in a non-default location, you can set custom search paths with the wp_saml_auth_simplesamlphp_path_array filter:
add_filter( 'wp_saml_auth_simplesamlphp_path_array', function( $simplesamlphp_path_array ) {
    // Override default paths with custom paths
    return [ '/custom/path/to/simplesamlphp' ];
} );
Or define an explicit autoloader path with the wp_saml_auth_ssp_autoloader filter:
add_filter( 'wp_saml_auth_ssp_autoloader', function( $ssp_autoloader ) {
    return ABSPATH . 'path/to/simplesamlphp/vendor/autoload.php';
} );
WP-CLI Commands
This plugin implements a variety of WP-CLI commands. All commands are grouped into the wp saml-auth namespace.
$ wp help saml-auth
NAME
  wp saml-auth
DESCRIPTION
  Configure and manage the WP SAML Auth plugin.
SYNOPSIS
  wp saml-auth <command>
SUBCOMMANDS
  scaffold-config    Scaffold a configuration filter to customize WP SAML Auth usage.
Use wp help saml-auth <command> to learn more about each command.
Note: The scaffold-config command generates a configuration function with default values. The simplesamlphp_autoload option is not included in the scaffolded output because the plugin auto-detects SimpleSAMLphp installations. Only add this option manually if SimpleSAMLphp is in a non-standard location.
Contributing
See CONTRIBUTING.md for information on contributing.
FAQ
Can I update an existing WordPress user’s data when they log back in?
If you’d like to make sure the user’s display name, first name, and last name are updated in WordPress when they log back in, you can use the following code snippet:
/**
 * Update user attributes after a user has logged in via SAML.
 */
add_action( 'wp_saml_auth_existing_user_authenticated', function( $existing_user, $attributes ) {
    $user_args = array(
        'ID' => $existing_user->ID,
    );
    foreach ( array( 'display_name', 'first_name', 'last_name' ) as $type ) {
        $attribute = \WP_SAML_Auth::get_option( "{$type}_attribute" );
        $user_args[ $type ] = ! empty( $attributes[ $attribute ][0] ) ? $attributes[ $attribute ][0] : '';
    }
    wp_update_user( $user_args );
}, 10, 2 );
The wp_saml_auth_existing_user_authenticated action fires after the user has successfully authenticated with the SAML IdP. The code snippet then uses a pattern similar to WP SAML Auth to fetch display name, first name, and last name from the SAML response. Lastly, the code snippet updates the existing WordPress user object.
How do I use SimpleSAMLphp and WP SAML Auth on a multi web node environment?
Because SimpleSAMLphp uses PHP sessions to manage user authentication, it will work unreliably or not at all on a server configuration with multiple web nodes. This is because PHP’s default session handler uses the filesystem, and each web node has a different filesystem. Fortunately, there’s a way around this.
First, install and activate the WP Native PHP Sessions plugin, which registers a database-based PHP session handler for WordPress to use.
Next, modify SimpleSAMLphp’s www/_include.php file to require wp-load.php. If you installed SimpleSAMLphp within the wp-saml-auth directory, you’d edit wp-saml-auth/simplesamlphp/www/_include.php to include:
<?php
require_once dirname( dirname( dirname( dirname( dirname( dirname( __FILE__ ) ) ) ) ) ) . '/wp-load.php';
Note: the declaration does need to be at the top of _include.php, to ensure WordPress (and thus the session handling) is loaded before SimpleSAMLphp.
There is no third step. Because SimpleSAMLphp loads WordPress, which has WP Native PHP Sessions active, SimpleSAMLphp and WP SAML Auth will be able to communicate with one another on a multi web node environment.
Where do I report security bugs found in this plugin?
Please report security bugs found in the source code of the WP SAML Auth plugin through the Patchstack Vulnerability Disclosure Program. The Patchstack team will assist you with verification and CVE assignment, and will notify the developers of this plugin.
What are the security requirements for SimpleSAMLphp?
If you’re using the SimpleSAMLphp connection type:
* Critical Security Requirement: Version 2.0.0 or later is required to fix CVE-2023-26881 (XML signature validation bypass vulnerability).
* Recommended Security Requirement: Version 2.3.7 or later is recommended for additional security fixes.
* Authentication will be blocked for versions below 2.0.0 when “Enforce Security Requirements” is enabled.
* It’s always recommended to use the latest stable version of SimpleSAMLphp for security and compatibility.
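The version rules above expressed as a check, as an added example that is not the plugin's own code. Function and constant names are hypothetical, and reading the installed version assumes a Composer 2 install whose autoloader is already loaded; how to treat an unparseable version is left to the caller.

```php
<?php
// Added example, not the plugin's code. Function and constant names are
// hypothetical; the two thresholds are the versions listed above.
const SSP_MIN_REQUIRED    = '2.0.0'; // below this, CVE-2023-26881 applies
const SSP_MIN_RECOMMENDED = '2.3.7';

/** Version Composer recorded for SimpleSAMLphp, or null if it cannot tell. */
function ssp_installed_version(): ?string {
    $package = 'simplesamlphp/simplesamlphp';
    if ( class_exists( 'Composer\\InstalledVersions' )
        && \Composer\InstalledVersions::isInstalled( $package ) ) {
        return \Composer\InstalledVersions::getPrettyVersion( $package );
    }
    return null;
}

/** Returns 'block', 'critical', 'warn', 'ok' or 'unknown'. */
function ssp_version_status( ?string $raw, bool $enforce ): string {
    $version = ltrim( trim( (string) $raw ), 'vV' );
    // Only x.y or x.y.z with an optional -suffix is comparable; branch names
    // such as dev-master are reported as unknown rather than guessed at.
    if ( ! preg_match( '/^\d+(\.\d+){1,2}(-[0-9A-Za-z.]+)?$/', $version ) ) {
        return 'unknown';
    }
    // version_compare() orders 2.0.0-rc1 before 2.0.0, so a pre-release of
    // 2.0.0 is treated as below the requirement.
    if ( version_compare( $version, SSP_MIN_REQUIRED, '<' ) ) {
        return $enforce ? 'block' : 'critical';
    }
    if ( version_compare( $version, SSP_MIN_RECOMMENDED, '<' ) ) {
        return 'warn';
    }
    return 'ok';
}

// Constructed sample versions, followed by whatever Composer reports here.
$samples = array( '1.19.8', 'v2.0.0-rc1', '2.0.0', '2.3.6', 'v2.3.7', 'dev-master' );
foreach ( $samples as $sample ) {
    printf( "%-12s enforce=on: %-8s enforce=off: %s\n", $sample,
        ssp_version_status( $sample, true ), ssp_version_status( $sample, false ) );
}
printf( "installed    %s\n", ssp_version_status( ssp_installed_version(), true ) );
```

Run from the command line without Composer loaded, the last line reports unknown; the $enforce argument stands in for the “Enforce Security Requirements” setting.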
ChangeLog
2.3.1 (March 6, 2026)
- Adds wp_saml_auth_auto_add_to_blog filter to control whether auto-provisioned users are added to sites in multisite environments [#465].
- When wp_saml_auth_auto_add_to_blog returns false, the wp_saml_auth_new_user_authenticated action will receive a user with no role on the current site. Hooks relying on $user->roles being non-empty should account for this [#465].
2.3.0 (January 8, 2026)
- Adds PHP 8.4 compatibility [#410].
- Increases minimum supported PHP version to 7.4.
- Compatible with WordPress 6.9
- Fix warning message on the plugin’s settings page for users who aren’t using SimpleSAML [#445][#451].
- Skip SimpleSAMLphp autoloader discovery when the SimpleSAML\Auth\Simple class is already loaded [#444].
- Adds wp_saml_auth_internal_config filter to allow customization of the OneLogin SAML configuration [#497].
- Fix autoloader detection logic for Composer-installed SimpleSAMLphp. [#452]
- Fix incorrect warning display when SimpleSAMLphp version detection succeeds. [#455]
2.2.0 (9 June 2024)
- Add a hook to modify returned attributes. [#379]
- Updates onelogin/php-saml to 4.2.0. [#402]
- Adds warnings and the option to disable SAML when using a vulnerable version of simplesamlphp [#402]
2.1.4 (November 27, 2023)
- Fix typo in the label for the certificate path [#352]
- Updates Pantheon WP Coding Standards to 2.0 [#357]
- Fix logged-out auth issue [#359] (props Snicco)
2.1.3 (April 8, 2023)
- Fixes missing vendor/ directory in previous release [#336]
2.1.2 (April 7, 2023)
- Bump yoast/phpunit-polyfills from 1.0.4 to 1.0.5 [#334].
- Updates tested up to version
- Removes unused NPM dependencies
2.1.1 (March 15, 2023)
2.1.0 (November 29, 2022)
- Adds Github Actions for building tag and deploying to wp.org. Add CONTRIBUTING.md. [#311]
2.0.1 (January 24, 2022)
- Rebuilds platform dependencies to accommodate PHP 7.3 [#278].
2.0.0 (January 6, 2022)
- BREAKING: Updates onelogin/php-saml to v4.0.0, which requires PHP 7.3 or higher [#275].
1.2.7 (December 9, 2021)
- Adds a wp_saml_auth_pre_logout action that fires before logout [#274].
1.2.6 (October 12, 2021)
- Adds a wp_saml_auth_login_parameters filter to allow login parameters to be filtered [#262].
1.2.5 (August 18, 2021)
- Fixes undefined index notice introduced in 1.2.4 [#257].
1.2.4 (August 18, 2021)
- Adds a wp_saml_auth_internal_logout_args filter to allow the internal logout args to be filterable [#255].
1.2.3 (May 25, 2021)
- Adds a wp_saml_auth_force_authn filter to allow forceAuthn="true" to be enabled [#248].
1.2.2 (Apr 26, 2021)
- Ensures SAML button and explanations are only added to the login screen [#242].
1.2.1 (Mar 2, 2021)
- Updates onelogin/php-saml to v3.6.1 [#236].
1.2.0 (Feb 22, 2021)
- Updates onelogin/php-saml to v3.6.0 [#233].
1.1.1 (Feb 3, 2021)
- Updates French localization and ensures localizations are loaded [#230].
1.1.0 (Dec 1, 2020)
- Updates onelogin/php-saml to v3.5.0 [#218].
1.0.2 (May 27, 2020)
- Avoid undesired session_start() when using SimpleSAMLphp [#196].
1.0.1 (May 26, 2020)
- Allows redirecting back to wp-login.php while avoiding redirect loop [#192].
1.0.0 (March 2, 2020)
0.8.3 (February 3, 2020)
- Removes unused placeholder value that’s causing PHP notices [#178].
0.8.2 (January 22, 2020)
- Fixes method declaration for methods used statically [#176].
0.8.1 (November 25, 2019)
- Updates onelogin/php-saml to v3.4.1 [#174].
0.8.0 (November 20, 2019)
- Updates onelogin/php-saml to v3.4.0 [#173].
0.7.3 (November 7, 2019)
- Updates onelogin/php-saml to v3.3.1 [#172].
0.7.2 (October 30, 2019)
- Fixes issue where an empty required settings field would throw load Exception [#170].
0.7.1 (September 26, 2019)
- Fixes typo on the settings page [#163].
0.7.0 (September 16, 2019)
- Updates onelogin/php-saml to v3.3.0 [#160].
0.6.0 (May 14, 2019)
- Adds a settings page for configuring WP SAML Auth [#151].
- Fixes issue when processing SimpleSAMLphp response [#145].
0.5.2 (April 8, 2019)
- Updates onelogin/php-saml to v3.1.1 for PHP 7.3 support [#139].
0.5.1 (November 15, 2018)
- Introduces a wp_saml_auth_attributes filter to permit modifying SAML response attributes before they’re processed by WordPress [#136].
0.5.0 (November 7, 2018)
- Updates onelogin/php-saml to v3.0.0 for PHP 7.2 support [#133].
0.4.0 (September 5, 2018)
- Updates onelogin/php-saml from v2.13.0 to v2.14.0 [#127].
0.3.11 (July 18, 2018)
- Provides an error message explicitly for when SAML response attributes are missing [#125].
0.3.10 (June 28, 2018)
- Ensures redirect_to URLs don’t lose query parameters by encoding with rawurlencode() [#124].
- Adds French localization.
0.3.9 (March 29, 2018)
- Fixes PHP notice by using namespaced SimpleSAMLphp class if available [#118].
- Updates onelogin/php-saml from v2.12.0 to v2.13.0
0.3.8 (February 26, 2018)
- Redirects to action=wp-saml-auth when redirect_to is persisted, to ensure authentication is handled [#115].
0.3.7 (February 13, 2018)
- Persists redirect_to value in a more accurate manner, as a follow up to the change in v0.3.6 [#113].
0.3.6 (February 7, 2018)
- Prevents WordPress from dropping authentication cookie when user is redirected to login from /wp-admin/ URLs [#112].
0.3.5 (January 19, 2018)
- Substitutes wp-login.php string with parse_url( wp_login_url(), PHP_URL_PATH ) for compatibility with plugins and functions that alter the standard login url [#109].
0.3.4 (December 22, 2017)
- Permits internal connection type to be used without signout URL, for integration with Google Apps [#106].
0.3.3 (November 28, 2017)
- Forwards ‘redirect_to’ parameter to SAML Authentication to enable deep links [#103].
0.3.2 (November 9, 2017)
- Updates onelogin/php-saml dependency from v2.10.7 to v2.12.0 [#90, #99].
0.3.1 (July 12, 2017)
- Passes $attributes to wp_saml_auth_insert_user filter, so user creation behavior can be modified based on SAML response.
0.3.0 (June 29, 2017)
- Includes OneLogin’s PHP SAML library for SAML auth without SimpleSAMLphp. See “Installation” for configuration instructions.
- Fixes handling of SAMLResponse when permit_wp_login=true.
0.2.2 (May 24, 2017)
- Introduces a wp_saml_auth_login_strings filter to permit login text strings to be filterable.
- Introduces a wp_saml_auth_pre_authentication filter to allow authentication behavior to be adapted based on SAML response.
- Improves error message when required SAML response attribute is missing.
- Corrects project name in composer.json.
0.2.1 (March 22, 2017)
- Introduces wp_saml_auth_new_user_authenticated and wp_saml_auth_existing_user_authenticated actions to permit themes / plugins to run a callback post-authentication.
- Runs Behat test suite against latest stable SimpleSAMLphp, instead of a pinned version.
0.2.0 (March 7, 2017)
- Introduces wp saml-auth scaffold-config, a WP-CLI command to scaffold a configuration filter to customize WP SAML Auth usage.
- Redirects back to WordPress after SimpleSAMLphp authentication.
- Variety of test suite improvements.
0.1.0 (April 18, 2016)