Native SAML 2.0 and OpenID Connect for WordPress. Bridge your Enterprise IdP to your user table with zero-latency role mapping.
Full implementation of SAML 2.0 and OIDC. Connect to Okta, Azure AD, Google Workspace, or Ping Identity in minutes.
Automatically create and update WordPress users on the fly. Sync metadata attributes and custom fields from your IdP.
Every login attempt, attribute sync, and configuration change is logged with actor metadata and SHA-256 integrity checks.
The README flow is explicit about what happens on every login: protect break-glass accounts first, bind identities by immutable IDs, clean up legacy credentials on first link, and only then issue access.
The domain router returns local for users without an SSO binding even when their email domain maps to an IdP, which preserves password or passkey access for intentionally local accounts.
After first link, accounts are matched by OIDC sub or SAML NameID rather than email alone. A mismatched UID blocks login instead of silently relinking the account.
When a local user becomes IdP-managed, the plugin revokes local passwords, application passwords, and active sessions before finishing the binding.
On Multisite, an existing network user can be attached to the current site instead of duplicated. If no user exists, Enterprise IAM creates one, applies role mapping, and then completes login.
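The login order described above, modelled as an added PHP example; it is not the plugin's own code. Function names, array shapes, action labels and sample accounts are constructed, and the handling of break-glass accounts after an assertion and of unknown users in the router is an assumption.

```php
<?php
// Added illustration of the decision order; names, array shapes and accounts are constructed.

// Pre-login routing. $domainMap maps an email domain to an IdP id.
function route_login(string $email, array $users, array $domainMap): string
{
    $email = strtolower($email);
    $user  = $users[$email] ?? null;
    if ($user !== null) {
        // Break-glass and unbound accounts stay local even if the domain maps to an IdP.
        if (!empty($user['break_glass']) || empty($user['binding'])) {
            return 'local';
        }
        return $user['binding']['idp'];
    }
    $domain = substr(strrchr($email, '@') ?: '@', 1);
    return $domainMap[$domain] ?? 'local'; // assumption: unknown users route by domain
}

// Runs after the IdP response is validated. $a['uid'] is the OIDC sub or SAML NameID.
function resolve_assertion(array $users, array $a): array
{
    // Bound accounts are located by (idp, uid), never by email alone.
    foreach ($users as $email => $u) {
        $b = $u['binding'] ?? null;
        if ($b && $b['idp'] === $a['idp'] && hash_equals($b['uid'], $a['uid'])) {
            return ['allow', $email, []];
        }
    }
    $email = strtolower($a['email']);
    $u = $users[$email] ?? null;
    if ($u === null) {
        return ['provision', $email, ['create_user', 'apply_role_mapping', 'bind']];
    }
    if (!empty($u['break_glass']) || !empty($u['binding'])) {
        // Assumption: break-glass is never bound. A bound UID that did not match is blocked, not relinked.
        return ['deny', $email, []];
    }
    // First link: legacy credentials are revoked before the binding is written.
    return ['link', $email, ['revoke_password', 'revoke_app_passwords', 'destroy_sessions', 'bind']];
}

$users = [ // constructed sample accounts
    'root@corp.example'  => ['break_glass' => true],
    'alice@corp.example' => ['binding' => ['idp' => 'okta', 'uid' => '00u-alice']],
    'bob@corp.example'   => [],
];
echo route_login('bob@corp.example', $users, ['corp.example' => 'okta']), "\n";
echo resolve_assertion($users, ['idp' => 'okta', 'uid' => '00u-other', 'email' => 'alice@corp.example'])[0], "\n";
```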
* mapping can act as a default role when no explicit group match exists.
editor, preventing IdP configuration mistakes from escalating privileges.
Enterprise IAM does more than start a session. The governance layer in the README keeps SSO-managed users aligned with upstream identity policy while exempting break-glass administrators.
Password login and password reset are blocked for SSO-managed users, which closes off a local bypass path around MFA and other upstream IdP controls.
SSO-bound users cannot change their email from the profile screen or REST API, keeping account identity anchored to the provider-managed address.
Last-used IdP cookies are stored per site so expired sessions can send users straight back to the correct IdP instead of dropping them on the WordPress login form.
Per-IdP re-authentication can bypass cached IdP sessions with SAML ForceAuthn or OIDC prompt=login when a stricter sign-in posture is required.
The plugin exposes SCIM 2.0 endpoints for lifecycle management and layers in Multisite-safe tenant isolation so identity state does not bleed across shared networks.
List or create users, with Multisite-aware attach behavior when a matching network user already exists.
Replace or partially update users, including active: false suspension flows that remove roles and block login.
Deprovision locally or with ?scope=network on Multisite after reassignment and protection checks pass.
Expose WordPress roles as SCIM groups and reuse the same role mapping engine that powers SAML and OIDC provisioning.
The SCIM admin UI shows the plaintext token once, stores only a bcrypt hash in WordPress options, and never exposes the original token again.
Deletes require a valid content steward or eligible fallback administrator. If authored content cannot be reassigned safely, the request fails with HTTP 409.
Identity bindings, cookies, and transient state are blog-scoped, and existing network users can be attached to a site rather than recreated globally.
ea_identity_event fires on successful SSO login and SCIM lifecycle actions so downstream SIEM, logging, or compliance pipelines can ingest the trail.
Protocol-native authentication, deterministic role mapping, and traceable access events so WordPress stays in sync with your IdP without adding a middleware tier.
Resolve WordPress roles from incoming claims and attributes at login so access stays aligned with upstream identity policy.
Support SAML 2.0 and OpenID Connect flows without forcing identity traffic through an external cloud broker.
Track login attempts, attribute sync activity, and configuration changes with enough context to investigate access behavior.
Repository docs cover installation, IdP configuration, release notes, and the current plugin package.