For our new friends:

Logto is an Auth0 alternative designed for modern apps and SaaS products. It offers both Cloud and Open-source services to help you quickly launch your identity and management (IAM) system. Enjoy authentication, authorization, and multi-tenant management all in one.

We recommend starting with a free development tenant on Logto Cloud. This allows you to explore all the features easily.

In this article, we will go through the steps to quickly build the Okta enterprise SSO sign-in experience (user authentication) with the WordPress plugin and Logto.

Prerequisites

Create an application in Logto

Logto is based on OpenID Connect (OIDC) authentication and OAuth 2.0 authorization. It supports federated identity management across multiple applications, commonly called Single Sign-On (SSO).

To create your Traditional web application, simply follow these steps:

  1. Open the Logto Console. In the "Get started" section, click the "View all" link to open the application frameworks list. Alternatively, you can navigate to Logto Console > Applications, and click the "Create application" button.
  2. In the opening modal, click the "Traditional web" section or filter all the available "Traditional web" frameworks using the quick filter checkboxes on the left. Click the "WordPress" framework card to start creating your application.
  3. Enter the application name, e.g., "Bookstore," and click "Create application".

🎉 Ta-da! You just created your first application in Logto. You'll see a congrats page which includes a detailed integration guide. Follow the guide to see what the experience will be in your application.

Integrate WordPress with Logto

Install the plugin

info:

At the moment, our plugin is still under review and not available in the WordPress plugin directory. We'll update this page once it's available.

  1. Download the Logto WordPress plugin from one of the following links:
    • Latest release: download the file whose name has the format logto-plugin-<version>.zip.
  2. Download the plugin ZIP file.
  3. Go to Plugins > Add New in your WordPress admin panel.
  4. Click Upload Plugin.
  5. Select the downloaded ZIP file and click Install Now.
  6. Click Activate.

Configure the plugin

Now you should be able to see the Logto menu in your WordPress admin panel sidebar. Click Logto > Settings to configure the plugin.

note:

You should have a traditional web application created in Logto Console before configuring the plugin. If you haven't created one, please refer to Integrate Logto into your application for more information.

The minimum configuration to get started for the plugin is:

  • Logto endpoint: The endpoint of your Logto tenant.
  • App ID: The app ID of your Logto application.
  • App secret: One of the valid app secrets of your Logto application.

All values can be found on the application details page in Logto Console.

After filling in the values, click Save Changes (scroll down to the bottom of the page if you can't find the button).

Configure redirect URI

The redirect URI is the URL to which Logto will redirect users after they have authenticated, and the post sign-out redirect URI is the URL to which Logto will redirect users after they have logged out.

Here's a non-normative sequence diagram to illustrate the sign-in flow:

Here's how the sign-out flow looks in a non-normative sequence diagram:

To learn more about why redirect is needed, see Sign-in experience explained.

In our case, we need to configure both redirect URIs in your Logto Console. To find the redirect URI, go to the Logto > Settings page in your WordPress admin panel. You'll see the Redirect URI and Post sign-out redirect URI fields.

  1. Copy the Redirect URI and Post sign-out redirect URI values and paste them into the Redirect URIs and Post sign-out redirect URIs fields in your Logto Console.
  2. Click Save changes in Logto Console.
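The two flows above boil down to a standard OIDC authorization code exchange. The following Python sketch is an added example written for this guide, not code from the Logto WordPress plugin or from Logto; the tenant endpoint, app ID, redirect URIs and the `/oidc/auth` and `/oidc/session/end` paths are assumed placeholders (a real client takes the endpoint paths from the tenant's discovery document). It shows why the redirect URI you paste into Logto Console has to match the plugin's value exactly, and how the `state` value issued at sign-in is checked when the browser comes back.

```python
import secrets
from typing import Optional
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders: not a real tenant, app ID or site.
LOGTO_ENDPOINT = "https://your-tenant.logto.app"   # "Logto endpoint" setting
APP_ID = "your-app-id"                              # "App ID" setting
# Assumed OIDC endpoint paths; a real client reads them from the tenant's
# discovery document instead of hard-coding them.
AUTHORIZE_ENDPOINT = f"{LOGTO_ENDPOINT}/oidc/auth"
END_SESSION_ENDPOINT = f"{LOGTO_ENDPOINT}/oidc/session/end"
# Hypothetical values of the plugin's "Redirect URI" and "Post sign-out
# redirect URI" fields, i.e. what gets pasted into Logto Console.
REDIRECT_URI = "https://example.com/wp-login.php?logto=callback"
POST_SIGN_OUT_REDIRECT_URI = "https://example.com/"


def query_params(url: str) -> dict:
    """Single-valued view of a URL's query string."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def is_registered(uri: str, registered: set) -> bool:
    """Registered redirect URIs are compared as exact strings: no prefix,
    wildcard or case folding. That is why the console value must be copied
    verbatim from the plugin's settings page."""
    return uri in registered


def build_sign_in_url(session: dict, registered: set) -> str:
    """Step 1 of the sign-in flow: mint a one-time state (binds the callback to
    this browser session) and nonce (binds the ID token to this request), keep
    both server-side, and send the browser to Logto's authorization endpoint."""
    if not is_registered(REDIRECT_URI, registered):
        raise ValueError("redirect URI is not registered for this application")
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    params = {
        "client_id": APP_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 2: Logto redirects back to REDIRECT_URI with ?code=...&state=....
    Accept the code only when state matches the one this session issued, and
    consume the state so a replayed callback is rejected."""
    query = query_params(callback_url)
    expected = session.pop("oidc_state", None)
    received = query.get("state")
    if not expected or not received or not secrets.compare_digest(expected, received):
        raise ValueError("state mismatch: stale, replayed or forged callback")
    if "error" in query:
        raise ValueError(f"authorization error: {query['error']}")
    code = query.get("code")
    if not code:
        raise ValueError("callback carries no authorization code")
    return code  # next step (not shown): exchange it at the token endpoint


def build_sign_out_url(id_token: Optional[str] = None) -> str:
    """Sign-out flow: send the browser to Logto's end-session endpoint, which
    then redirects to the registered post sign-out redirect URI."""
    params = {"post_logout_redirect_uri": POST_SIGN_OUT_REDIRECT_URI}
    if id_token:
        params["id_token_hint"] = id_token
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}"
```

The `session` dict stands in for the server-side session the plugin keeps for the browser; the important property is that `state` is generated per sign-in attempt, stored where the browser cannot forge it, compared in constant time, and removed once used.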

Checkpoint: Test your WordPress website

Now you can test your Logto integration in your WordPress website:

  1. Open an incognito browser window if needed.
  2. Visit your WordPress website and click the Log in link if applicable; or directly visit the login page (e.g., https://example.com/wp-login.php).
  3. The page should redirect you to the Logto sign-in page.
  4. Complete the sign-in or sign-up process.
  5. After successful authentication, you should be redirected back to your WordPress website and logged in automatically.
  6. Click the Log out link to log out of your WordPress website.
  7. You should be redirected to the Logto sign-out page, then back to your WordPress website.
  8. You should be logged out of your WordPress website.

To learn more about the WordPress plugin settings, see WordPress quick start.

Add Okta enterprise SSO connector

To simplify access management and gain enterprise-level safeguards for your big clients, connect with WordPress as a federated identity provider. The Logto enterprise SSO connector helps you establish this connection in minutes by allowing several parameter inputs.

To add an enterprise SSO connector, simply follow these steps:

  1. Navigate to Logto console > Enterprise SSO.
SSO page
  1. Click "Add enterprise connector" button and choose your SSO provider type. Choose from prebuilt connectors for Microsoft Entra ID (Azure AD), Google Workspace, and Okta, or create a custom SSO connection using the standard OpenID Connect (OIDC) or SAML protocol.
  2. Provide a unique name (e.g., SSO sign-in for Acme Company).
Select your SSO provider
  1. Configure the connection with your IdP in the "Connection" tab. Check the guides above for each connector types.
SSO connection
  1. Customize the SSO experience and enterprise’s email domain in the "Experience" tab. Users sign in with the SSO-enabled email domain will be redirected to SSO authentication.
SSO experience
  1. Save changes.

Set up OIDC application on Okta admin portal

Step 1: Create an OIDC application on Okta admin portal

  • Visit the Okta admin portal and sign in as an administrator.
  • Navigate to the Applications/Applications page using the side menu.
  • Click the Create App Integration button to create a new OIDC application.
  • Select the OIDC - OpenID Connect option as the Sign-in method.
  • Select the Web Application option as the Application type.

Click the Next button to continue.

Step 2: Configure the application settings

  1. Provide an App integration name. It will be used as the identifier of your OIDC application.
  2. Add a new Sign-in redirect URI using the Logto SSO connector's callback URL.

This is the URI to which Okta will redirect the user's browser after successful authentication. After a user successfully authenticates with the IdP, the IdP redirects the user's browser back to this designated URI along with an authorization code. Logto will complete the authentication process based on the authorization code received at this URI.

  3. Assign users to the application.

Based on the Assignments settings, you can choose to assign the application to all users or specific users/groups.


Click the Save button to save the application settings.

Step 3: Set up Logto connector with the client credentials

After successfully creating the OIDC application, you will be redirected to the application details page.


Copy the client ID and client secret and fill in the corresponding fields on the Logto SSO connector Connection tab.

Use your Okta domain as the issuer. Example: https://dev-12345678.okta.com. Once you have filled in all the fields, click the Save button to save the connector settings.

If the issuer link you provided is valid, you will see a parsed full list of Okta IdP configurations shown below the issuer field.
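What Logto does behind that "parsed full list" is OIDC Discovery: it fetches `<issuer>/.well-known/openid-configuration` and reads the endpoints from it. The check below is an added example written for this guide in Python, not Logto's own code; the discovery document is constructed to look like the metadata of Okta's org authorization server for the placeholder domain from this page. The point a practitioner should take from it is that the `issuer` claim inside the document must equal the issuer you configured, and that every advertised endpoint must be `https`, before any of those URLs are trusted.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document shaped like Okta's org authorization server
# metadata for the placeholder issuer used in this guide.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://dev-12345678.okta.com",
    "authorization_endpoint": "https://dev-12345678.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://dev-12345678.okta.com/oauth2/v1/token",
    "userinfo_endpoint": "https://dev-12345678.okta.com/oauth2/v1/userinfo",
    "jwks_uri": "https://dev-12345678.okta.com/oauth2/v1/keys",
    "end_session_endpoint": "https://dev-12345678.okta.com/oauth2/v1/logout",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
})

# Endpoints the authorization code flow cannot work without.
REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")
OPTIONAL = ("userinfo_endpoint", "end_session_endpoint")


def discovery_url(issuer: str) -> str:
    """Where the metadata is fetched from (OpenID Connect Discovery 1.0)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer: str, document: str) -> dict:
    """Parse a discovery document and return its endpoints, but only if the
    document belongs to the configured issuer and advertises what the
    authorization code flow needs."""
    if urlsplit(issuer).scheme != "https":
        raise ValueError("issuer must use https")
    meta = json.loads(document)
    # The issuer inside the document must be identical to the configured one
    # (a single trailing slash on the configured value is tolerated). Anything
    # else means the metadata was served for a different authority.
    if meta.get("issuer") != issuer.rstrip("/"):
        raise ValueError(f"issuer mismatch: {meta.get('issuer')!r} != {issuer!r}")
    missing = [k for k in REQUIRED if k not in meta]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    if "code" not in meta.get("response_types_supported", []):
        raise ValueError("authorization code flow is not supported by this issuer")
    for key in REQUIRED + OPTIONAL:
        url = meta.get(key)
        if url and urlsplit(url).scheme != "https":
            raise ValueError(f"{key} is not https: {url}")
    return {k: meta[k] for k in REQUIRED + OPTIONAL if k in meta}
```

Feed `validate_discovery` the issuer exactly as entered in the connector's issuer field; a document that names a different issuer is rejected even when every endpoint in it looks plausible.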

Step 4: Additional Scopes (Optional)

Use the Scope field to add additional scopes to your OAuth request. This will allow you to request more information from the Okta OAuth server. Please refer to the Okta documentation for more details about the available scopes.

Regardless of the custom scope settings, Logto will always send the openid, profile, and email scopes to the IdP. This is to ensure that Logto can retrieve the user's identity information and email address properly.

Step 5: Set email domains and enable the SSO connector

Provide the email domains of your organization on Logto’s connector SSO experience tab. This will enable the SSO connector as an authentication method for those users.

Users with email addresses in the specified domains will be redirected to use your SSO connector as their only authentication method.
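Steps 4 and 5 together decide two things at sign-in time: which connector (if any) a user is routed to, based on the domain of the email they typed, and which scopes that connector sends to Okta. The Python below is an added example written for this guide, not Logto's routing code; the connector table and its domains are constructed. It shows the two properties worth checking in any such routing: domain matching is case-insensitive but exact (so `acme.com` never matches `notacme.com` or `acme.com.evil.example`), and `openid`, `profile` and `email` are always present in the scope list regardless of what was typed into the Scope field.

```python
from typing import Optional

# Constructed connector table mirroring the "Experience" tab settings:
# connector name -> enabled email domains and custom scopes (Step 4).
CONNECTORS = {
    "okta-acme": {"domains": {"acme.com", "Acme.co.uk"}, "scopes": ["groups"]},
    "entra-globex": {"domains": {"globex.example"}, "scopes": []},
}

# Always sent to the IdP, whatever the custom scope settings are.
ALWAYS_SCOPES = ("openid", "profile", "email")


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain of a single local@domain address, or None
    for anything that does not have exactly that shape."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def resolve_sso_connector(email: str, connectors=CONNECTORS) -> Optional[str]:
    """Return the connector that owns this email's domain, or None when the
    user should see the regular sign-in methods. Matching is exact after case
    folding; it is never a suffix or substring match."""
    domain = email_domain(email.strip())
    if domain is None:
        return None
    for name, cfg in connectors.items():
        if domain in {d.lower() for d in cfg["domains"]}:
            return name
    return None


def effective_scopes(custom_scopes) -> list:
    """openid, profile and email first, then custom scopes without duplicates."""
    scopes = list(ALWAYS_SCOPES)
    for scope in custom_scopes:
        if scope not in scopes:
            scopes.append(scope)
    return scopes


def scope_parameter(connector: str, connectors=CONNECTORS) -> str:
    """The space-separated value that goes into the authorization request."""
    return " ".join(effective_scopes(connectors[connector]["scopes"]))
```

In the page's terms, a user whose `resolve_sso_connector` result is not `None` is an SSO-enabled user and is sent to that connector as their only authentication method; everyone else falls through to the ordinary sign-in methods.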

For more details about creating OIDC integration with Okta, please check Create OIDC App Integrations.

Save your configuration

Double-check that you have filled in all the necessary values in the Logto connector configuration area. Click "Save and Done" (or "Save changes"), and the Okta enterprise SSO connector should now be available.

Enable Okta enterprise SSO connector in Sign-in Experience

You don't need to configure enterprise connectors individually; Logto simplifies SSO integration into your applications with just one click.

  1. Navigate to: Console > Sign-in experience > Sign-up and sign-in.
  2. Enable the "Enterprise SSO" toggle.
  3. Save changes.

Once enabled, a "Single Sign-On" button will appear on your sign-in page. Enterprise users with SSO-enabled email domains can access your services using their enterprise identity providers (IdPs).

(Screenshots: auto-detected SSO sign-in via email domain; navigating to SSO sign-in by clicking the button manually.)

To learn more about the SSO user experience, including SP-initiated SSO and IdP-initiated SSO, refer to User flows: Enterprise SSO.

Testing and Validation

Return to your WordPress plugin app. You should now be able to sign in with Okta enterprise SSO. Enjoy!

Further readings

End-user flows: Logto provides out-of-the-box authentication flows including MFA and enterprise SSO, along with powerful APIs for flexible implementation of account settings, security verification, and multi-tenant experience.

Authorization: Authorization defines the actions a user can do or resources they can access after being authenticated. Explore how to protect your API for native and single-page applications and implement Role-based Access Control (RBAC).

Organizations: Particularly effective in multi-tenant SaaS and B2B apps, the organization feature enables tenant creation, member management, organization-level RBAC, and just-in-time provisioning.

Customer IAM series: Our series of blog posts about Customer (or Consumer) Identity and Access Management, from 101 to advanced topics and beyond.