v1.8.1 · STABLE RELEASE

Identity management
without the middleware.

Native SAML 2.0 and OpenID Connect for WordPress. Bridge your Enterprise IdP to your user table with zero-latency role mapping.

iam_manager / active_connections
System Healthy
Okta Enterprise SAML 2.0
Connected
Azure AD / Entra ID OIDC
Connected
SSO

Standard Protocol Support

Full implementation of SAML 2.0 and OIDC. Connect to Okta, Azure AD, Google Workspace, or Ping Identity in minutes.

JIT

Just-In-Time Provisioning

Automatically create and update WordPress users on the fly. Sync metadata attributes and custom fields from your IdP.

LOG

Immutable Audit Trails

Every login attempt, attribute sync, and configuration change is logged with actor metadata and SHA-256 integrity checks.

FIDO

Passkeys & WebAuthn

Passwordless login on wp-login.php with employee self-enrollment, attestation policy, and device-bound enforcement for legacy synced credentials.

NET

Multisite Network Defaults

Network-managed defaults with per-setting site override policy, tenant-isolated bindings, and blog-scoped re-auth cookies and transient state.

CLI

Operator WP-CLI Surface

Read-only wp enterprise-auth ... commands for providers, sites, users, routing, passkeys, settings, and SCIM posture.

Passkeys & WebAuthn

Phishing-resistant sign-in, governed end to end.

Passkeys are a first-class authenticator next to SAML and OIDC. Employees enroll themselves, administrators see provenance and compliance, and high-risk IAM mutations require a fresh assertion.

Employee self-enrollment

Logged-in users register passkeys from Profile → Passkeys. Admins keep a dedicated settings SPA for fleet management.

Attestation & device-bound policy

Optional strict device-bound mode with controlled migration and step-up for legacy synced credentials.

Fresh step-up for IAM actions

High-risk human IAM REST mutations require a recent passkey assertion via the step-up controller and retry middleware.

Credential inventory & audit

Read-only admin surface for compliance status, registration origin, last-used tracking, and masked provenance metadata.

Provisioning Behaviour

Route, bind, and provision without guesswork.

The README flow is explicit about what happens on every login: protect break-glass accounts first, bind identities by immutable IDs, clean up legacy credentials on first link, and only then issue access.

01

Keep local paths local

The domain router returns local for users without an SSO binding even when their email domain maps to an IdP, which preserves password or passkey access for intentionally local accounts.

02

Bind on immutable IdP UID

After first link, accounts are matched by OIDC sub or SAML NameID rather than email alone. A mismatched UID blocks login instead of silently relinking the account.

03

Clean first-link handoff

When a local user becomes IdP-managed, the plugin revokes local passwords, application passwords, and active sessions before finishing the binding.

04

Attach or create, then map

On Multisite, an existing network user can be attached to the current site instead of duplicated. If no user exists, Enterprise IAM creates one, applies role mapping, and then completes login.

Role mapping guardrails
Engineering -> editor Marketing -> author * -> subscriber
Case-insensitive exact matchingShared group-to-role mapping works across SAML and OIDC with predictable exact matches.
Wildcard fallbackThe * mapping can act as a default role when no explicit group match exists.
Role ceiling by policyThe maximum assignable role defaults to editor, preventing IdP configuration mistakes from escalating privileges.
Capability-aware blockingPrivileged custom roles are filtered by capability exposure, not just by role name.
Identity Governance

Controls for SSO-bound accounts after login succeeds.

Enterprise IAM does more than start a session. The governance layer in the README keeps SSO-managed users aligned with upstream identity policy while exempting break-glass administrators.

SSO-only account lockdown

Password login and password reset are blocked for SSO-managed users, which closes off a local bypass path around MFA and other upstream IdP controls.

Email change protection

SSO-bound users cannot change their email from the profile screen or REST API, keeping account identity anchored to the provider-managed address.

Session expiry auto re-auth

Last-used IdP cookies are stored per site so expired sessions can send users straight back to the correct IdP instead of dropping them on the WordPress login form.

Force Sign-In Mode

Per-IdP re-authentication can bypass cached IdP sessions with SAML ForceAuthn or OIDC prompt=login when a stricter sign-in posture is required.

SCIM 2.0 + Multisite

Provision the full identity lifecycle, not just first login.

The plugin exposes SCIM 2.0 endpoints for lifecycle management and layers in Multisite-safe tenant isolation so identity state does not bleed across shared networks.

Main SCIM endpoints
GET|POST
/scim/v2/Users

List or create users, with Multisite-aware attach behavior when a matching network user already exists.

PUT|PATCH
/scim/v2/Users/{id}

Replace or partially update users, including active: false suspension flows that remove roles and block login.

DELETE
/scim/v2/Users/{id}

Deprovision locally or with ?scope=network on Multisite after reassignment and protection checks pass.

GET|POST|PATCH
/scim/v2/Groups

Expose WordPress roles as SCIM groups and reuse the same role mapping engine that powers SAML and OIDC provisioning.

Bearer token auth, bcrypt-hashed token storage, 300 requests per minute rate limiting, and no plugin-managed PHP session dependency for callback verification.

One-time token issuance

The SCIM admin UI shows the plaintext token once, stores only a bcrypt hash in WordPress options, and never exposes the original token again.

Fail-closed deprovision

Deletes require a valid content steward or eligible fallback administrator. If authored content cannot be reassigned safely, the request fails with HTTP 409.

Tenant isolation on Multisite

Identity bindings, cookies, and transient state are blog-scoped, and existing network users can be attached to a site rather than recreated globally.

Audit-ready events

ea_identity_event fires on successful SSO login and SCIM lifecycle actions so downstream SIEM, logging, or compliance pipelines can ingest the trail.

Operations & Posture

Visibility, audit, and operator tooling out of the box.

A posture dashboard, durable audit log, REST hardening, and an operator CLI keep day-two identity work inside WordPress instead of a separate console.

IAM posture dashboard

Identity source mix, passkey coverage, settings posture, findings, and site rollups across the network — with an optional network scope view.

Durable audit log

{prefix}enterprise_auth_audit_events records SSO/SCIM lifecycle, passkey enrollment, step-up outcomes, and high-risk mutations with secret redaction.

OIDC Discovery & readiness

OIDC Discovery and readiness checks for safer provider setup, plus stored End Session Endpoint for logout-aware and re-authentication flows.

Federation flow hardening

Browser-bound, short-lived, single-use SAML/OIDC state, HTTPS transport enforcement, and SCIM pre-auth failed-attempt throttling.

REST cache-control hardening

All enterprise-auth/ REST responses return Cache-Control: no-store, no-cache, must-revalidate, private to defeat web cache deception and poisoning.

Private content login gate

Site-scoped login gating for private posts and pages that preserves redirect_to without forcing whole-site authentication.

Custom attribute mapping

Per-IdP attribute mapping with one-click presets for Azure AD / Entra ID, Okta, Shibboleth, and more.

User IAM visibility in wp-admin

Read-only identity source, provider binding, passkey posture, and suspension state surfaced on Users and Profile screens.

Security Controls

Enterprise sign-in with clear guardrails.

Protocol-native authentication, deterministic role mapping, and traceable access events so WordPress stays in sync with your IdP without adding a middleware tier.

Mapped access

Resolve WordPress roles from incoming claims and attributes at login so access stays aligned with upstream identity policy.

Protocol coverage

Support SAML 2.0 and OpenID Connect flows without forcing identity traffic through an external cloud broker.

Auditable events

Track login attempts, attribute sync activity, and configuration changes with enough context to investigate access behavior.

Documentation and setup

Repository docs cover installation, IdP configuration, release notes, and the current plugin package.

Open documentation

Ready to secure your stack?

Open source. GPLv2. Built for the modern enterprise.

View on GitHub