Need help in understanding SSO implementation.


Hey everyone,

I'm trying to understand the best possible way to implement a cost-effective SSO that supports the following structure.

We have a set of WordPress based websites, where each user (i.e. the client) has a unique login, and then there is a set of third-party services (like newsletter, support system etc.) that these clients will also have access to.

At this moment, the users need to maintain separate login credentials to access all the services (i.e. WordPress website, newsletter, support system). We are looking to implement a single sign-on option which will allow the users to use single login details across these services.

I'm going through various resources but I'm still somewhat confused (esp. with all the different terms being used on different service providers) about choosing the correct path. The list of options that I'm looking at for now is Auth0, OneLogin, Firebase/GIP, Clerk, Supertokens etc.

Let's say there are 50 unique WordPress websites, is it possible to have a single IdP database, while still allowing a specific user to only access their own WordPress website and the shared third-party services? I'm struggling to understand this part specifically.

I have created a rough diagram of the structure we are looking to achieve. There is no public sign-up option, all the users are created manually.

Global users (our team) will have access to everything. App (i.e. WordPress website) users will only have access to that specific app/website **and** a **selective** list of those users (usually just one per site) will also have access to the third-party services.

https://preview.redd.it/4x2x5q4zhchd1.jpg?width=1142&format=pjpg&auto=webp&s=64c5653c68de75228fc33a93b0c2d606fe26d00f

For WordPress there are a couple of OAuth or SAML plugins that are able to connect to Auth0 (or other providers). The third-party services do allow us to configure a SAML based login. Is there a need to host our own login page? Or can providers like Auth0, OneLogin etc. handle that as well?

Can anyone please recommend which provider will work best for our case? Or if you have any other suggestions please share.

Side note: When testing WordPress plugins, miniOrange came up, and I'm trying to understand what additional value its paid service brings in on top of using an IdP like Auth0, i.e. is there any benefit of paying them instead of using Auth0 (or any other provider) directly with WordPress?

Thanks.

1 Comment
  1. Implementing Single Sign-On (SSO) for your WordPress-based websites and third-party services can be a bit challenging, especially with so many options available. Let’s break down your requirements and explore how to achieve them effectively.

    ### Key Requirements:
    1. **Single Login for Multiple Services**: Users should be able to use one set of credentials to access all services (WordPress websites, newsletter, support system).
    2. **Access Control**: Each user should only have access to their specific WordPress website and a select few third-party services.
    3. **Global Admin Access**: A group of global users (your team) should have access to everything.
    4. **No Public Sign-Up**: Users are created manually.

    ### Providers:
    You mentioned several providers (Auth0, OneLogin, Firebase/GIP, Clerk, Supertokens). Here’s a breakdown of what they offer and how they might fit your needs:

    1. **Auth0**:
    – Supports OAuth2, OpenID Connect, and SAML.
    – Provides customizable login pages.
    – Good integration with WordPress via plugins.
    – Robust user management and roles.
    – Can act as an Identity Provider (IdP) for third-party services.

    2. **OneLogin**:
    – Similar to Auth0 in terms of features.
    – Strong focus on enterprise solutions.
    – Provides SAML-based SSO which can integrate with WordPress and other services.
    – Customizable login experience.

    3. **Firebase Authentication**:
    – Simple to use and integrate.
    – Supports OAuth providers.
    – Not as feature-rich as Auth0 or OneLogin for SSO purposes.
    – More developer-centric, requiring more custom development.

    4. **Clerk**:
    – Focuses on modern web apps.
    – Provides user management and authentication.
    – Less mature ecosystem compared to Auth0 or OneLogin.

    5. **Supertokens**:
    – Open-source and cost-effective.
    – Provides SSO capabilities.
    – Requires more custom implementation.

    ### Implementation Steps:
    1. **Choose an IdP**:
    – Based on the features and ease of integration, Auth0 or OneLogin are strong candidates.

    2. **Configure IdP**:
    – Set up your IdP (e.g., Auth0) with user roles and access controls.
    – Create roles for “Global Admin” and “App Users”.
    – Configure the IdP to allow manual user creation.

    3. **Integrate with WordPress**:
    – Use SSO plugins for WordPress (like miniOrange or others) to connect with your IdP.
    – Configure the plugins to use OAuth2 or SAML with your chosen IdP.
    – Ensure each WordPress site can authenticate users via the IdP.

    4. **Integrate Third-Party Services**:
    – Configure third-party services (newsletter, support system) to authenticate using the IdP via SAML or OAuth2.
    – Ensure access controls in these services are in place to restrict access based on roles defined in the IdP.

    5. **Custom Login Page**:
    – Providers like Auth0 and OneLogin offer customizable login pages that can be hosted by them.
    – You don’t need to host your own login page unless you require specific customizations.

    ### Additional Considerations:
    – **Role-Based Access Control (RBAC)**: Ensure your IdP supports RBAC to define what resources each user role can access.
    – **User Provisioning**: Automate user provisioning and deprovisioning to sync users between your IdP and services.
    – **Security**: Implement strong security measures, including multi-factor authentication (MFA) for sensitive access.

    ### miniOrange vs Direct IdP Integration:
    – **miniOrange**: Provides a layer of abstraction and additional features like more straightforward configuration, better support, and potentially more advanced SSO features specific to WordPress.
    – **Direct IdP Integration**: More control and potentially lower cost if you configure everything directly with an IdP like Auth0 or OneLogin.

    For your specific needs, **Auth0** seems to be the most suitable option due to its flexibility, robust feature set, and extensive documentation and support for integrating with WordPress and other third-party services. It simplifies managing SSO and user roles across multiple services and websites.
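The part the original poster is stuck on (one IdP database, 50 sites, each user admitted only to their own site, global staff admitted everywhere) comes down to two checks performed by each relying party on the token the IdP issues. The example below is added here to illustrate that; it is not code from the post, from WordPress, or from any of the providers named. It assumes an HS256 shared secret only to stay self-contained (a real IdP would sign with its private key), and the custom claim names `role` and `apps` plus the site ids such as `wp-site-07` are assumptions, not any vendor's schema.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed sample key, HS256 only for brevity

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(sub: str, aud: str, role: str, apps: list, ttl: int = 300) -> str:
    """IdP side: mint a compact JWS for ONE relying party ("aud" = that app's id).
    "role" and "apps" are assumed custom claims, not any vendor's schema."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "aud": aud, "role": role, "apps": apps,
                               "exp": int(time.time()) + ttl}).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_b64(_sign(signing_input))}"

def authorize(token: str, this_app: str, now: float = None) -> dict:
    """Relying-party side (one WordPress site or a shared service): decide
    whether the bearer may log in HERE. Returns {"ok", "reason", "sub"}."""
    def verdict(ok, reason, sub=None):
        return {"ok": ok, "reason": reason, "sub": sub}
    try:
        header, payload, sig = token.split(".")
        # Verify the signature before trusting anything inside the token.
        if not hmac.compare_digest(_sign(f"{header}.{payload}"), _unb64(sig)):
            return verdict(False, "bad signature")
        claims = json.loads(_unb64(payload))
    except ValueError:  # covers wrong segment count, bad base64, bad JSON
        return verdict(False, "malformed")
    sub = claims.get("sub")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return verdict(False, "expired", sub)
    # Gate 1: a token minted for site A must never log anyone into site B,
    # even though the same IdP signed it with the same key.
    if claims.get("aud") != this_app:
        return verdict(False, "audience mismatch", sub)
    # Gate 2: per-app allow-list, enforced again at the app (defence in depth
    # in case the IdP is misconfigured to issue tokens for every app).
    if claims.get("role") == "global" or this_app in claims.get("apps", []):
        return verdict(True, "allowed", sub)
    return verdict(False, "not assigned to this app", sub)
```

In practice the IdP should also refuse to mint a token for an app the user is not assigned to (application assignment in OneLogin, roles or Actions in Auth0), so gate 2 normally never fires; keeping it in the site is what stops a misconfiguration at the IdP from silently opening all 50 sites.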
