Are you considering setting up Single Sign-On (SSO) login on multiple WordPress sites? If you still have some doubts, keep reading. We’ll answer the most basic questions about the process.
What is Single Sign On (SSO)?
Single sign-on (SSO) is an authentication scheme that enables users to log into multiple websites or software applications using a single ID and password. In this architecture, one site is designated as primary and others as the client. The primary site is where the user sessions are managed as well as cookie information that is required by the browser.
How does Single Sign-On (SSO) Work on multiple WordPress sites?
Before we jump into the details, it is important to understand how the WordPress login process works.
When a user logins to WordPress, a session for the logged-in user is created on the server, allowing the user to move freely on the site, and visit pages without having to log in again.
A session will usually last until the user logs out, closes all related browser tabs or if the session has been idle for a set amount of time. The session information is contained in three cookies. Cookies are small data files stored on computers by web browsers. The browser can read, update and delete cookies using the JavaScript language. When a user initially logs in, the cookie wordpress_[hash] is set to store your login credentials. This cookie allows access to everything in the /wp-admin/ folder. So in short cookies store the logged-in user’s session information.
In SSO architecture the primary site is the one that manages user sessions, including cookie information that the browsers need. If a user tries to log in to a client site, that client will need to pass that information to the primary site for authentication and wait to receive back authenticated user session data allowing the user to log in. So in order for the SSO to work login and session data must be passed and processed between the different sites. This all needs to work securely and seamlessly.
There are three industry-standard techniques for transferring authentication data between a client and a server for enabling Single Sign-On in WordPress.
- SAML
- OAuth
- OpenID
Below we’ll look into all three of them.
Security Assertion Markup Language or SAML
SAML is an open XML-based standard that enables the communication between identity providers (IdP) and service providers (SP). An identity provider “Identity Provider (IdP).” is the one that authenticates a user after he enters his credentials, The XML data structure is used by SAML to exchange information. SAML’s XML language allows for a superior definition of data.
OAuth
OAuth grants clients “secure delegated access” to server resources. It’s a newer standard that Google and Twitter collaborated on to make online logins easier. You’ve most likely utilized OAuth without even realizing it. OAuth is used in the background when a website asks you to log in with your Google or Facebook ID.OAuth works best for client apps when the authorizing person isn’t always present.
OpenID
OpenID is a framework for installing Single Sign-On for multiple WordPress sites that makes use of OAuth2. The current version is called “OpenID Connect.”
Relying Party: The service that necessitates an ID check
It lets you select an identity provider (such as Google) to serve as your OpenID identity provider. If a site supports OpenID, you can now log in with your nominated identity provider’s credentials, which means you just have to remember one set of security credentials. You only disclose your password to your OpenID provider, who then verifies that you are who you say you are to the websites you visit.
SSO For Multiple WordPress Sites
There are a number of plugins available that will allow the users to create Single Sign On on multiple sites, but here we will focus on the “WP Remote Users Sync”
WP Remote Users Sync allows for safely syncing users across various sites. This plugin supports the OAuth2 protocol. The plugin “listens” for changes affecting WordPress users and sends outbound “User Actions” to remote sites that have been registered. The registered remote sites with WP Remote Users Sync installed subsequently catch and respond to incoming Actions. These Actions include (Login, Logout, Create, Update, Delete, Password, Role, and Metadata).
In a simple sense, if the user logs in to the site installed with WP Remote Users Sync, they will be also logged in to other sites. One of the main features of the plugin is that there is no central authority or “Master Website”: each site operates autonomously, firing and receiving actions based on its setting.
Security and SSO
Security is one of the major aspects of SSO setup which the site owner cannot and should not overlook. WP Remote Users Sync is the only plugin available that allows users to be synchronized with strong layers of security in place. All communications are OpenSSL AES-256-CBC encrypted, HMAC SHA256 signed, token-validated, and IP-validated.
Advantages and Disadvantages of SSO
Now that we have a basic understanding of what single sign-on is and how we can set it up for multiple WordPress sites, the next biggest question is whether it is really worth it. Are the advantages of the SSO far more than its drawbacks? Let’s have a look at some of the main Pros and Cons of the Single Sign On.
Pros of Single Sign-On
1. SSO streamlines the management of credentials. When a user deactivates his/her account or cancels a membership on one site, the membership or account deactivates on all other sites as well unless the admin disallows it.
2. With SSO, site admins have more control over their sites. They can implement strong password requirements on one site and have them implemented on all the rest. They can also remove or update users on all their sites from a single place, drastically saving time.
3. Most of the users use the same password for different site logins. Imagine users need to update their passwords on a different website within the same organizational umbrella. In this case, SSO reduces the fatigue of changing or updating the password on multiple sites, allowing the user to edit their data a single time and have their information updated across the board.
4. Single Sign-On eliminates the need for multiple passwords, meaning fewer attacks. This means less risk for your affiliates (partners and customers). Plus, admins can easily view and change the access levels of all the users from one single dashboard.
Cons Of Single Sign-On
1. You will require very strong passwords. If one set of SSO credentials leaks, it potentially leads to a number of other site breaches under that user’s name.
2. If SSO goes down, access to all connected services halts. It is one of the most important reasons for choosing a good and reliable SSO solution.
Single Sign On for WordPress
Single Sign-on between multiple WordPress sites is becoming common practice for websites such as memberships and online learning portals. For membership setups and online learning portals, OAuth is a good starting pathway for implementing SSO. In case organizations are looking for bespoken functionality and security features then SAML method for SSO is the one organization should be investing in.
Need help setting up a single sing-on? Our WordPress ninjas have helped several of our clients set this feature up with minimal stress and maximum security. Reach out and tell us about your project.
