Plugins DatabasePlugins Database logo
Back to plugins
WordPress

Actions

DownloadAuthor pageSee on WordPress

Plugin info

Total downloads: 91
Active installs: 0
Total reviews: 0
Average rating: 0
Support threads opened: 0
Support threads resolved: 0 (0%)
Available in: 1 language(s)
Contributors: 1
Last updated: 10/22/2025 (71 days ago)
Added to WordPress: 10/21/2025 (0 years old)
Minimum WordPress version: 5.8
Tested up to WordPress version: 6.8.4
Minimum PHP version: 8.0

Maintenance & Compatibility

Maintenance score

Actively maintained • Last updated 71 days ago

59/100

Is Twelve Legs Marketing SSO abandoned?

Likely maintained (last update 71 days ago).

Compatibility

Requires WordPress: 5.8
Tested up to: 6.8.4
Requires PHP: 8.0

Ratings

0
0
0
0
0See all reviews

Developers

jeremyjsimmons1

Languages

Similar & Alternatives

Explore plugins with similar tags, and compare key metrics like downloads, ratings, updates, support, and WP/PHP compatibility.

JWT Single Sign On
Rating 4.0/5 (1 reviews)Active installs 20
Compare
TokenLink SSO Login for Zendesk
Rating 0.0/5 (0 reviews)Active installs 0
Compare
WP Login and Register using JWT
Rating 5.0/5 (4 reviews)Active installs 200
Compare
JWT Authentication for WP REST API
Rating 4.4/5 (51 reviews)Active installs 60,000
Compare
REST API Authentication for WP – JWT Auth and more
Rating 4.4/5 (71 reviews)Active installs 20,000
Compare
JWT Auth – WordPress JSON Web Token Authentication
Rating 5.0/5 (22 reviews)Active installs 6,000
Compare
See more alternatives to Twelve Legs Marketing SSO

Description

TWL SSO is a secure single sign-on plugin for WordPress that enables seamless authentication using RS256 JWT tokens from an external SSO application.
This plugin provides login security features and is designed for allowing Twelve Legs Marketing centralized authentication management.

Key Features

  • Single Sign In: Agency employees can log into websites they manage from a central dashboard.
  • Just-in-Time User Provisioning: Automatic user creation and role assignment
  • JWT Validation: Full RS256 signature verification with JWKS endpoint integration
  • Key Rotation: Support key rotation through JWKS endpoint
  • Role Management: Flexible role assignment from JWT claims
  • Referrer Validation: Enhanced security through referrer validation
  • Audience Validation: Ensures tokens are valid for the specific WordPress site
  • Token Expiration: Built-in token expiration and clock skew tolerance
  • Email Validation: Comprehensive email validation with optional allowlist
  • Caching: JWKS caching for improved performance

Security Features

  • Referrer validation to prevent unauthorized access
  • JWT signature verification using public key cryptography
  • Issuer validation to ensure tokens come from trusted sources
  • Audience validation to prevent token reuse across sites
  • Token expiration validation with configurable leeway
  • Email format validation and filtering via hook

Use Cases

  • WordPress installations managed centrally by agency
  • Organization using Google for external identity provider

Usage

Authentication Flow

  1. User clicks login link from SSO application sso.twelvelegsmarketing.com
  2. SSO application redirects to WordPress with JWT token: /wp-login.php?action=twl_sso&token=JWT_TOKEN
  3. Plugin validates the JWT token signature and claims
  4. Plugin extracts user information from JWT claims
  5. Plugin creates or retrieves WordPress user
  6. Plugin assigns appropriate role based on JWT claims
  7. User is logged into WordPress

JWT Claims

The plugin expects the following JWT claims:

  • email or sub: User’s email address
  • iss: Issuer (must match allowed issuers)
  • aud: Audience (must match WordPress site URL)
  • exp: Expiration time
  • nbf: Not before time (optional)
  • wp_role: WordPress role to assign (optional)
  • name: User’s display name (optional)
  • given_name: User’s first name (optional)
  • family_name: User’s last name (optional)

Configuration

The plugin automatically configures itself based on the WordPress environment:

  • Production: Only allows https://sso.twelvelegsmarketing.com as issuer
  • Development/Staging: Also allows https://localhost:8443 as issuer

Customization

You can customize the plugin behavior using WordPress filters:

  • twl_sso_allow_email: Filter to control which email addresses are allowed
  • twl_sso_allowed_roles: Filter to control which roles can be assigned
  • twl_sso_allowed_issuers: Filter to control which issuers are allowed

Support

For support, please contact Twelve Legs Marketing at https://twelvelegsmarketing.com

Privacy Policy

This plugin does not collect, store, or transmit any personal data. All authentication is handled through secure JWT tokens from your configured SSO provider.

Installation

  1. Upload the plugin files to the /wp-content/plugins/twelve-legs-marketing-sso/ directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the ‘Plugins’ screen in WordPress

Manual Installation

  1. Download the plugin files
  2. Extract the files to your /wp-content/plugins/twelve-legs-marketing-sso/ directory

Frequently Asked Questions

How does this plugin work?

The plugin intercepts login requests with a special action parameter and JWT token. It validates the JWT signature using public keys from a JWKS endpoint, extracts user information from the token claims, and creates or updates the WordPress user accordingly.

What JWT algorithm does this plugin support?

This plugin supports RS256 (RSA with SHA-256) JWT signatures only. This provides strong security through public key cryptography.

Can I use this with any SSO provider?

The plugin is designed to work with any SSO provider that can issue RS256 JWTs and provide a JWKS endpoint. You’ll need to configure your SSO provider to issue tokens with the correct audience and claims.

How do I configure the allowed issuers?

The plugin automatically configures allowed issuers based on the WordPress environment. In production, only https://sso.twelvelegsmarketing.com is allowed. In development/staging, https://localhost:8443 is also allowed.

What happens if a user doesn’t exist?

The plugin will automatically create a new WordPress user with the information from the JWT claims. The username is generated from the email address, and a random password is assigned.

How are user roles assigned?

User roles can be assigned in two ways:
1. Through the wp_role claim in the JWT token
2. Using the WordPress default role if no role is specified in the token

Is this plugin secure?

Yes, the plugin implements multiple security layers including JWT signature verification, referrer validation, issuer validation, audience validation, and token expiration checking.

Review feed

No reviews available

Screenshots

No screenshots available

Changelog

1.0.2

  • Version bump to sync plugin file with readme.txt

1.0.1

  • Update install instructions
  • Updated Required versions

1.0

  • Initial release
  • JWT validation with RS256 signature verification
  • JWKS endpoint integration
  • Environment-based issuer validation
  • Just-in-time user provisioning
  • Role assignment from JWT claims
  • Referrer validation for security
  • Comprehensive test suite with 39 tests
Back to plugins