=== SSO & SAML Login — Azure AD / Entra ID ===
Contributors: karolismerit, meritstory
Tags: saml, sso, microsoft, azure-ad, openid-connect
Requires at least: 6.3
Tested up to: 6.9
Requires PHP: 8.0
Stable tag: 1.0.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Log in to WordPress with Microsoft Azure AD / Entra ID using SAML 2.0 or OpenID Connect (OIDC). Simple setup, enterprise-grade security.

== Description ==

**Microsoft Login for WordPress** lets your users sign in to WordPress using their Microsoft Azure AD / Entra ID credentials - no separate password needed. Choose between SAML 2.0 and OpenID Connect (OIDC) to match your organization's configuration.

= Why this plugin? =

* **Microsoft-focused.** Built specifically for Azure AD / Entra ID.
* **Simple setup.** Import SAML metadata or use OIDC discovery to auto-fill endpoints.
* **Clean admin UX.** One settings area with guided setup and test tools.
* **Security-first.** SAML uses `onelogin/php-saml`; OIDC validates RS256 tokens against JWKS.

= Free Features =

* SAML 2.0 SP login flow (Azure AD / Entra ID as IdP)
* OpenID Connect Authorization Code + PKCE login flow
* Auto-create WordPress users on first login (JIT provisioning)
* Configurable default role for new users
* SP metadata download and SAML metadata URL import
* OIDC tenant discovery and endpoint validation tools
* Emergency admin bypass URL for lockout recovery
* WP-CLI commands (`wp saml status`, `wp saml import-metadata`, `wp saml regen-cert`, `wp saml test`)

= Pro Features (separate plugin) =

* Role mapping (map Azure AD roles/groups to WordPress roles)
* SSO enforcement by WordPress role, with per-user bypass exceptions
* Attribute sync on login (first name, last name, display name)
* Audit log (login success/failure, user creation, role mapping, SSO enforcement, logout)
* Audit log CSV export and retention settings
* Microsoft Graph user sync and import tools:
* App-only Graph connection test
* Group member preview/import
* Daily background sync via WP-Cron
* Optional deprovisioning (remove role when user is disabled/removed)

= Requirements =

* PHP 8.0 or higher
* PHP extensions: `openssl`, `dom`, `zlib`
* WordPress 6.3 or higher
* A Microsoft Azure AD / Entra ID tenant

= Setup Overview =

**SAML:**

1. Install and activate the plugin.
2. Go to **Settings -> SSO & SAML Login**.
3. Copy the **SP Entity ID** and **ACS URL** from the SP Information tab.
4. Create a new Enterprise Application in Azure AD (non-gallery app, enable SAML SSO).
5. Paste your **App Federation Metadata URL** into the plugin and click **Import Metadata**.
6. Save settings. Your Microsoft login button appears on `wp-login.php`.

**OIDC:**

1. Create an App Registration in Azure and add your site's `/saml/oidc-callback` as Redirect URI.
2. In plugin settings, select **OpenID Connect**, enter Tenant ID, click **Fetch Discovery**.
3. Enter **Client ID** and **Client Secret**, then save.

= Privacy =

This plugin does not send data to third parties except as described in the External services section below. SSO and audit data are stored in your own WordPress database.

== External services ==

This plugin connects to external services to provide authentication and optional paid features. No data is sent to any external service except as described below.

**1) Microsoft Azure AD / Entra ID (required for SSO login)**

Used for SAML 2.0 and OpenID Connect authentication.

Data sent and when:

* On SSO login start, the browser is redirected to Microsoft with Azure app/protocol parameters (tenant endpoint, app/client ID, redirect URI, state, scopes, SAML request/relay state as applicable).
* On OIDC callback, the site sends the one-time authorization code (and PKCE verifier) to Microsoft's token endpoint.
* On SAML setup import/test actions, the site fetches your tenant's federation metadata URL.
* On logout (if SLO/end-session is enabled), the browser is redirected to Microsoft's logout endpoint.

Returned identity claims (email, name, subject/object ID, roles/groups) are used to authenticate/provision users and stored in your WordPress database.

* Service: https://login.microsoftonline.com/
* Privacy Policy: https://privacy.microsoft.com/en-us/privacystatement
* Terms of Service: https://www.microsoft.com/en-us/servicesagreement

**2) Microsoft Graph API (Pro only; when configured by the site admin)**

Used to sync users and groups from Microsoft Entra ID into WordPress.

Data sent and when:

* When an admin runs a Graph test, import, or sync (manual or scheduled), the site sends requests to Microsoft Graph using app-only access tokens.
* Requests include query parameters for the configured sync operations (group/member lookups, account status checks, etc.).

Returned directory fields (user principal name, email, display name, object IDs, group membership, account status) are used to create, update, or deprovision WordPress users per plugin settings.

* Service: https://graph.microsoft.com/
* Privacy Policy: https://privacy.microsoft.com/en-us/privacystatement
* Terms of Service: https://www.microsoft.com/en-us/servicesagreement

**3) Freemius (optional; only when admin opts in or activates a paid license)**

Used for licensing, upgrade flow, and optional analytics.

Data sent and when:

* On activation, an opt-in prompt is shown; no data is sent unless the admin consents.
* On license activation/validation, the site exchanges license, account, and site information with Freemius servers.
* If telemetry opt-in is accepted, usage and diagnostic events may be sent per Freemius configuration.

* Service: https://freemius.com/
* Privacy Policy: https://freemius.com/privacy/
* Terms of Service: https://freemius.com/terms/

== Installation ==

= Automatic Installation =

1. In WordPress admin, go to **Plugins -> Add New**.
2. Search for **Microsoft Login for WordPress**.
3. Click **Install Now**, then **Activate**.

= Manual Installation =

1. Download the plugin ZIP.
2. Go to **Plugins -> Add New -> Upload Plugin**.
3. Upload the ZIP and activate.
4. Go to **Settings -> SSO & SAML Login**.

== Frequently Asked Questions ==

= Does this work with Microsoft Entra ID (formerly Azure Active Directory)? =

Yes. Azure AD was renamed to Entra ID. This plugin supports both naming conventions.

= Do I need external software? =

No. SAML parsing is handled by bundled `onelogin/php-saml`. OIDC validation uses built-in PHP OpenSSL.

= SAML or OIDC - which should I choose? =

For most teams, OIDC is simpler to configure. Choose SAML if your organization already standardizes on SAML or requires SAML-specific controls.

= Can users still log in with WordPress passwords? =

Yes by default. If Pro SSO enforcement is enabled for selected roles, password login is blocked for those roles.

= What happens on first login? =

If auto-create is enabled, a new WordPress account is created from IdP identity data and assigned your configured default role.

= I am locked out. How do I recover? =

Use the emergency bypass URL shown in **Settings -> SSO & SAML Login -> Misc / Reset**.

= What is the difference between Free and Pro? =

**Free** includes core SAML/OIDC login and provisioning for unlimited users.

**Pro** (a separate plugin) adds role mapping, SSO enforcement, attribute sync, audit log (with CSV export/retention), and Microsoft Graph import/sync/deprovision features.

= How do I upgrade from Free to Pro? =

Use the **Upgrade to Pro** links inside plugin settings or the account/upgrade entry in the plugin UI.

= What developer hooks are available? =

**Available in all plans**

`ssosamlentra_login_success`
Fires after a successful SSO login.

`ssosamlentra_login_failed`
Fires when an SSO login attempt fails.

`ssosamlentra_after_provision_user`
Fires after JIT provisioning completes.

**Pro-only hooks (active with valid Pro license)**

`ssosamlentra_user_attributes` *(filter)*
Filter normalized attributes before provisioning.

`ssosamlentra_pre_role_mapping` *(filter)*
Filter resolved WordPress role before applying role mapping.

`ssosamlentra_role_mapped`
Fires after mapped role is applied.

`ssosamlentra_sso_enforced`
Fires when password login is blocked due to SSO enforcement.

`ssosamlentra_graph_sync_user` *(filter)*
Filter whether an individual Graph user should be synced.

== Screenshots ==

1. SP Information tab with Entity ID, ACS URL, and metadata/certificate data.
2. Configuration tab for SAML or OIDC setup and connection tests.
3. WordPress login page with Microsoft sign-in button.

== Changelog ==

= 1.0.1 =
* Documentation and compliance updates.

= 1.0.0 =
* Initial release.
* SAML 2.0 SP flow using `onelogin/php-saml`.
* OIDC + PKCE flow with RS256 JWT validation.
* JIT user provisioning and default role assignment.
* Metadata import/discovery tools.
* Pro features (separate plugin): role mapping, SSO enforcement, attribute sync, audit log, and Graph user sync.
* WP-CLI commands and emergency bypass URL.

== Upgrade Notice ==

= 1.0.1 =
Readme and compliance updates. No manual migration steps required.
