rieskaniemi.com

yet another it blog

Microsoft Entra ID (Azure AD) Single Sign-On (SSO) to WordPress


Organizations using WordPress as their content management system (CMS) can take advantage of the security features implemented in Azure AD, such as Conditional Access, when logging into WordPress. This way access to WordPress can be limited to trusted devices only.

Implementing SSO is easy, as there are various OpenID Connect plugins available. I am using a plugin called “OpenID Connect Generic client”, which is both open source and free for commercial use.

First, install the plugin on your WordPress site.

Go to the plugin settings and copy the Redirect URI. You will need it during app registration in Azure AD.

Next, create a new application registration in Entra ID/Azure AD. Open Azure Active Directory through portal.azure.com.

Navigate to App registrations -> New registration.

Give the application a name. Select Web as the redirect URI type and paste the URL you copied from the plugin settings.

Copy the Application (Client) ID, the Directory (Tenant) ID and the v1 authorization and token endpoints into the plugin settings.

All settings needed for Azure AD OpenID Connect (replace {tenant-id} and the other placeholders with the values you copied):

Client ID: Application (Client) ID copied from Azure Application
Client Secret Key: Secret created for Azure Application
OpenID Scope: email profile openid
Login Endpoint: https://login.microsoftonline.com/{tenant-id}/oauth2/authorize
Userinfo Endpoint: https://login.microsoftonline.com/{tenant-id}/openid/userinfo
Token Validation Endpoint URL: https://login.microsoftonline.com/{tenant-id}/oauth2/token
End Session Endpoint URL: https://login.microsoftonline.com/{tenant-id}/oauth2/logout
Identity Key: unique_name
Nickname Key: name
Email Formatting: {unique_name}
Display Name Formatting: {name}

After testing, change:

Login Type: Auto Login – SSO
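As an added example (not code from the post or from the plugin), this shows how the claim mapping configured above turns a v1 ID token into a WordPress identity, together with the issuer, audience and expiry checks that must come first. The client id, tenant id and sample claims are constructed placeholders, and signature verification is assumed to be done by the plugin.

```python
import base64, json, time

PLUGIN_SETTINGS = {  # constructed; the client and tenant ids are placeholders
    "client_id": "00000000-0000-0000-0000-000000000000",
    "tenant_id": "11111111-1111-1111-1111-111111111111",
    "identity_key": "unique_name", "nickname_key": "name",
    "email_format": "{unique_name}", "display_name_format": "{name}",
}

def b64url(obj) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

SAMPLE_CLAIMS = {  # constructed claims as the v1 endpoint issues them for a user
    "iss": f"https://sts.windows.net/{PLUGIN_SETTINGS['tenant_id']}/",
    "aud": PLUGIN_SETTINGS["client_id"], "exp": 2_000_000_000,
    "unique_name": "alice@example.com", "name": "Alice Example",
}
# Placeholder signature segment: signature checking is left to the plugin
SAMPLE_ID_TOKEN = f"{b64url({'alg': 'RS256', 'typ': 'JWT'})}.{b64url(SAMPLE_CLAIMS)}.sig"

def decode_claims(id_token: str) -> dict:
    """Return the payload of a compact JWT (header.payload.signature)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def map_identity(claims: dict, settings: dict = PLUGIN_SETTINGS, now=None) -> dict:
    """Check issuer, audience and expiry, then apply the plugin's mapping templates."""
    now = time.time() if now is None else now
    if claims.get("iss") != f"https://sts.windows.net/{settings['tenant_id']}/":
        raise ValueError("issuer mismatch: v1 tokens carry the sts.windows.net issuer")
    if claims.get("aud") != settings["client_id"]:
        raise ValueError("audience mismatch: token was not issued to this client id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not claims.get(settings["identity_key"]):
        # Refuse rather than map to an empty key (all such logins would collide)
        raise ValueError(f"identity claim {settings['identity_key']!r} missing")
    try:
        return {
            "identity": claims[settings["identity_key"]],
            "nickname": claims.get(settings["nickname_key"], ""),
            "email": settings["email_format"].format_map(claims),
            "display_name": settings["display_name_format"].format_map(claims),
        }
    except KeyError as missing:
        raise ValueError(f"claim {missing} used by a template is absent from the token")
```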

Go to Certificates & secrets under the app registration and add a new client secret. When created through the UI, the lifetime is at most 2 years. To generate secrets with a longer expiration date, use PowerShell. A longer-lived secret stays valid for longer if it leaks, so plan its rotation accordingly.

Go to Permissions under Enterprise applications and grant admin consent for the application.

Go to Properties and set Assignment required to Yes, unless you want everyone in your Azure AD to be able to log in.

Assign users or groups to the application under Users and groups.

Test the SSO settings and, once they work, set Login Type: Auto Login – SSO in the plugin settings. Remember to assign the administrator role to at least one Azure SSO user within WordPress before enforcing SSO.
