
Single Sign-On

ClubMS supports bidirectional SSO with WordPress.

Direction 1: WordPress → ClubMS

Users can log into ClubMS from a WordPress site:

  1. User clicks “Login with ClubMS” on WordPress
  2. WordPress plugin collects email + password
  3. Plugin sends credentials + license key + HMAC signature to ClubMS
  4. ClubMS verifies license key, site URL, and HMAC
  5. ClubMS authenticates user and returns session token
  6. WordPress stores session in user meta
  7. User is logged in on both platforms
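The request-signing half of steps 3 and 4 above, written as an added example in Python (it is not the ClubMS plugin's own code, and the field names, the license registry, the 300-second freshness window and the nonce replay set are assumptions made for this example). The WordPress side builds the body and signs it with the license secret; the ClubMS side looks up the license key, verifies the HMAC with a constant-time compare before trusting anything else in the body, then checks the registered site URL, the timestamp and the nonce:

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed stand-in for the ClubMS license table. Values are placeholders.
LICENSES = {
    "lic_demo_0001": {
        "secret": b"example-license-secret-do-not-reuse",
        "wp_site_url": "https://blog.example.org",
    },
}
MAX_SKEW_SECONDS = 300  # assumed freshness window for a signed request


def canonical_body(payload: dict) -> bytes:
    """Serialise deterministically so both sides sign exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_request(license_key: str, secret: bytes, site_url: str, email: str,
                 password: str, now: Optional[float] = None) -> dict:
    """WordPress plugin side: assemble the login request and attach an HMAC-SHA256 over the body."""
    payload = {
        "license_key": license_key,
        "site_url": site_url,
        "email": email,
        "password": password,
        "timestamp": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),  # one-time value so a captured request cannot be replayed
    }
    signature = hmac.new(secret, canonical_body(payload), hashlib.sha256).hexdigest()
    return {"body": payload, "signature": signature}


def verify_request(request: dict, origin: str, seen_nonces: set,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """ClubMS side: license key, then HMAC, then site URL, freshness and replay check."""
    body = request.get("body", {})
    license_rec = LICENSES.get(body.get("license_key"))
    if license_rec is None:
        return False, "unknown license key"
    # Verify the signature first so nothing else in the body is trusted before it is authenticated
    expected = hmac.new(license_rec["secret"], canonical_body(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request.get("signature", "")):
        return False, "bad signature"
    # Both the transport-level origin and the signed site_url must match the registered site
    if origin != license_rec["wp_site_url"] or body.get("site_url") != license_rec["wp_site_url"]:
        return False, "site url mismatch"
    current = now if now is not None else time.time()
    if abs(current - body.get("timestamp", 0)) > MAX_SKEW_SECONDS:
        return False, "stale request"
    if body["nonce"] in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(body["nonce"])
    return True, "ok"


if __name__ == "__main__":
    seen = set()
    req = sign_request("lic_demo_0001", LICENSES["lic_demo_0001"]["secret"],
                       "https://blog.example.org", "member@example.org", "hunter2")
    print(verify_request(req, "https://blog.example.org", seen))   # (True, 'ok')
    print(verify_request(req, "https://blog.example.org", seen))   # replay is refused
```

The signature is checked before the site URL, timestamp and nonce so that unsigned probes cannot be used to learn which checks fail or to fill the nonce set; the nonce set is only updated once a request has fully passed.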

Direction 2: ClubMS → WordPress

Users can log in from ClubMS and be redirected to WordPress:

  1. User initiates WP login from ClubMS dashboard
  2. ClubMS generates a signed callback URL with HMAC token
  3. User is redirected to WordPress callback endpoint
  4. WordPress plugin verifies the HMAC signature
  5. Plugin creates or updates the WordPress user
  6. User is logged into WordPress
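Steps 2 to 5 of this direction as an added Python example (not code from ClubMS or its plugin). The shared secret, the callback path `/wp-sso-callback`, the five-minute token lifetime and the query parameter names are assumptions; the `WordPressUsers` class is a toy stand-in for the plugin's create-or-update of a WordPress user. ClubMS signs the email, issue time, expiry and a nonce into the callback URL; the WordPress side verifies the signature before looking at expiry or replay, and only then touches the user table:

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

SHARED_SECRET = b"example-shared-secret-do-not-reuse"  # placeholder, assumed shared by both sides
CALLBACK_PATH = "/wp-sso-callback"                     # assumed plugin endpoint
TOKEN_TTL_SECONDS = 300                                # assumed lifetime of a callback token


def _signing_input(email: str, iat: int, exp: int, nonce: str) -> bytes:
    """Fixed field order joined by a separator that cannot appear in the values."""
    return "\n".join([email, str(iat), str(exp), nonce]).encode()


def build_callback_url(site_url: str, email: str, now: Optional[int] = None,
                       nonce: Optional[str] = None) -> str:
    """ClubMS side: produce the signed redirect URL for the WordPress callback endpoint."""
    iat = int(now) if now is not None else int(time.time())
    exp = iat + TOKEN_TTL_SECONDS
    nonce = nonce or secrets.token_hex(16)
    sig = hmac.new(SHARED_SECRET, _signing_input(email, iat, exp, nonce), hashlib.sha256).hexdigest()
    query = urlencode({"email": email, "iat": iat, "exp": exp, "nonce": nonce, "sig": sig})
    return f"{site_url.rstrip('/')}{CALLBACK_PATH}?{query}"


class WordPressUsers:
    """Toy stand-in for the plugin's user store: find-or-create keyed by email."""

    def __init__(self) -> None:
        self.users = {}
        self.consumed_nonces = set()

    def upsert(self, email: str) -> dict:
        user = self.users.setdefault(email, {"email": email, "logins": 0})
        user["logins"] += 1
        return user


def handle_callback(url: str, store: WordPressUsers,
                    now: Optional[int] = None) -> Tuple[Optional[dict], str]:
    """WordPress side: reject unsigned, tampered, expired or replayed tokens before any user write."""
    parts = urlsplit(url)
    if parts.path != CALLBACK_PATH:
        return None, "malformed callback"
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        email, nonce, sig = params["email"], params["nonce"], params["sig"]
        iat, exp = int(params["iat"]), int(params["exp"])
    except (KeyError, ValueError):
        return None, "malformed callback"
    expected = hmac.new(SHARED_SECRET, _signing_input(email, iat, exp, nonce), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    current = int(now) if now is not None else int(time.time())
    if current >= exp:
        return None, "expired token"
    if nonce in store.consumed_nonces:
        return None, "replayed token"
    store.consumed_nonces.add(nonce)  # a callback URL logs the user in exactly once
    return store.upsert(email), "ok"


if __name__ == "__main__":
    store = WordPressUsers()
    url = build_callback_url("https://blog.example.org", "member@example.org")
    print(handle_callback(url, store))  # ({'email': ..., 'logins': 1}, 'ok')
    print(handle_callback(url, store))  # (None, 'replayed token')
```

Because the expiry is part of the signed input, a recipient cannot extend a token's life by editing `exp`; the nonce set makes a leaked callback URL useless after its first use, and the short lifetime bounds how long an unused one stays valid.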

Security Layers

The SSO integration is protected by 10 independent security layers:

  1. License key — HMAC-SHA256 validated on every request
  2. Site URL check — Origin must match registered wp_site_url
  3. HMAC signature — Request body signed to prevent tampering
  4. Rate limiting — Per-IP throttling on SSO endpoints
  5. Turnstile — Bot protection on login forms
  6. OTP verification — Email verification for new SSO users
  7. WordPress nonce — CSRF protection on AJAX calls
  8. Account lockout — 5 failed attempts → 15 min lockout
  9. Audit logging — All SSO events logged
  10. JWT with short expiry — 15-minute access tokens
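Layers 4, 8 and 9 combined in one added Python example (illustrative, not ClubMS's own implementation). The lockout threshold of 5 failed attempts and the 15-minute lock come from the list above; the per-IP limit of 20 requests per 60-second window, the `SsoGuard` class and the audit event names are assumptions. Every decision is appended to an in-memory audit log so that rate-limit hits and lockouts are visible to whoever reviews SSO activity:

```python
from collections import defaultdict, deque
from typing import Dict, List

MAX_FAILED_ATTEMPTS = 5        # from the page: 5 failed attempts ...
LOCKOUT_SECONDS = 15 * 60      # ... lead to a 15 minute lockout
RATE_LIMIT_PER_IP = 20         # assumed requests per window per client IP
RATE_WINDOW_SECONDS = 60       # assumed window length


class SsoGuard:
    """Per-IP throttle plus per-account lockout, with every decision written to an audit log."""

    def __init__(self) -> None:
        self.failures: Dict[str, int] = defaultdict(int)   # account -> consecutive failures
        self.locked_until: Dict[str, int] = {}             # account -> unix time the lock expires
        self.requests = defaultdict(deque)                 # ip -> timestamps inside the window
        self.audit_log: List[dict] = []                    # layer 9: all SSO events

    def _log(self, event: str, **fields) -> None:
        self.audit_log.append({"event": event, **fields})

    def allow_request(self, ip: str, now: int) -> bool:
        """Layer 4: sliding-window throttle keyed by client IP."""
        window = self.requests[ip]
        while window and now - window[0] >= RATE_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RATE_LIMIT_PER_IP:
            self._log("rate_limited", ip=ip, at=now)
            return False
        window.append(now)
        return True

    def check_lock(self, account: str, now: int) -> bool:
        """Layer 8: refuse the attempt while the account is locked; clear an expired lock."""
        until = self.locked_until.get(account)
        if until is not None and now < until:
            self._log("locked_out", account=account, remaining=until - now)
            return False
        if until is not None:
            del self.locked_until[account]
            self.failures[account] = 0
        return True

    def record_result(self, account: str, success: bool, now: int) -> None:
        """Update the failure counter after the credential check and lock on the threshold."""
        if success:
            self.failures[account] = 0
            self._log("login_success", account=account, at=now)
            return
        self.failures[account] += 1
        self._log("login_failure", account=account, count=self.failures[account], at=now)
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self._log("account_locked", account=account, until=self.locked_until[account])


if __name__ == "__main__":
    guard, t = SsoGuard(), 1_700_000_000
    for i in range(MAX_FAILED_ATTEMPTS):
        if guard.check_lock("member@example.org", t + i):
            guard.record_result("member@example.org", False, t + i)
    print(guard.check_lock("member@example.org", t + 10))  # False: locked for 15 minutes
    for entry in guard.audit_log:
        print(entry)
```

The throttle and the lockout are independent on purpose: the rate limit bounds how fast any one client can hit the endpoint, while the lockout is keyed by account so that attempts spread across many IPs still trip it; the audit log records both so that a burst of `login_failure` events followed by `account_locked` is easy to spot.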

Embed Mode

The SSO plugin supports an embed mode where ClubMS pages are displayed within an iframe on the WordPress site. The session token is passed between frames securely.
