Single Sign-On
ClubMS supports bidirectional single sign-on with WordPress: a member who signs in on one platform is signed into the other without entering their credentials a second time.
Direction 1: WordPress → ClubMS
Users can log into ClubMS from your WordPress site:
- User clicks Login with ClubMS on the WordPress site.
- The WordPress plugin collects the user’s email and password.
- The plugin sends the sign-in request to ClubMS, signed with your license key.
- ClubMS checks that the request comes from your registered WordPress site and that the signature is valid, then authenticates the user against the submitted credentials.
- ClubMS returns a session token to the plugin.
- The user is now signed into both platforms.
Direction 2: ClubMS → WordPress
Users can sign in on ClubMS and be redirected to WordPress already signed in:
- The user starts the WordPress sign-in from the ClubMS dashboard.
- ClubMS generates a one-time signed callback URL.
- The user is redirected to the WordPress callback endpoint.
- The plugin verifies the signature and that the one-time link has not already been used, then signs the user into WordPress, creating a WordPress account for them on first login.
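Both directions rest on the same primitive: a message signed with the license key that the other side can verify. The example below is added here to make the two exchanges concrete; it is not ClubMS or plugin code. The license key, site URL, callback path, field names and the 300-second freshness window are assumptions for illustration. Direction 1 builds and checks the signed login request (site URL lookup, signature check, timestamp freshness); Direction 2 builds and checks the one-time callback URL (host and path check, signature check, expiry, single use via a nonce store).

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values (hypothetical; real ones come from your ClubMS registration).
LICENSE_KEY = "lic_0123456789abcdef"
REGISTERED_SITE = "https://club.example.org"
CALLBACK_PATH = "/clubms-callback"   # hypothetical plugin endpoint
MAX_SKEW = 300                       # seconds a signed message stays acceptable


def _sign(secret: str, message: bytes) -> str:
    """HMAC-SHA256 over the exact bytes that are transmitted (hex digest)."""
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


# ---- Direction 1: WordPress -> ClubMS ---------------------------------------

def build_login_request(email: str, password: str, now: int) -> Tuple[bytes, str]:
    """Plugin side: canonical JSON body plus a signature made with the license key."""
    body = {"email": email, "password": password, "site_url": REGISTERED_SITE, "ts": now}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return raw, _sign(LICENSE_KEY, raw)


# ClubMS side: the license key registered for each site URL.
REGISTRY = {REGISTERED_SITE: LICENSE_KEY}


def verify_login_request(raw: bytes, signature: str, now: int) -> bool:
    """ClubMS side: site URL must be registered, signature must match, timestamp must be fresh."""
    try:
        body = json.loads(raw)
    except ValueError:
        return False
    secret = REGISTRY.get(body.get("site_url"))
    if secret is None:                                   # unknown site -> reject
        return False
    if not hmac.compare_digest(_sign(secret, raw), signature):
        return False                                     # tampered or wrong key
    return abs(now - int(body.get("ts", 0))) <= MAX_SKEW  # limits replay of a captured request


# ---- Direction 2: ClubMS -> WordPress ---------------------------------------

def make_callback_url(email: str, now: int) -> str:
    """ClubMS side: one-time callback URL, signed with the site's license key."""
    params = {"email": email, "nonce": secrets.token_urlsafe(16), "exp": now + MAX_SKEW}
    query = urlencode(sorted(params.items()))            # canonical order before signing
    return f"{REGISTERED_SITE}{CALLBACK_PATH}?{query}&sig={_sign(LICENSE_KEY, query.encode())}"


def verify_callback(url: str, now: int, used_nonces: Set[str]) -> Optional[str]:
    """Plugin side: returns the email to sign in, or None if any check fails."""
    parsed = urlparse(url)
    if f"{parsed.scheme}://{parsed.netloc}" != REGISTERED_SITE or parsed.path != CALLBACK_PATH:
        return None                                      # not our registered site/endpoint
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    sig = params.pop("sig", "")
    query = urlencode(sorted(params.items()))
    if not hmac.compare_digest(_sign(LICENSE_KEY, query.encode()), sig):
        return None                                      # forged or altered link
    if now > int(params.get("exp", 0)):
        return None                                      # link expired
    nonce = params.get("nonce")
    if not nonce or nonce in used_nonces:
        return None                                      # link already consumed
    used_nonces.add(nonce)                               # consume before signing the user in
    return params.get("email")
```

The signature is checked before expiry and nonce so that unsigned input never reaches the nonce store, and the nonce is recorded before the user is signed in so a second request with the same link fails even if it races the first.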
Security
The integration is protected by multiple independent layers, including:
- License key validated on every request
- Site URL check — requests must originate from your registered WordPress site
- Signed requests to prevent tampering in transit (a signature protects integrity, not secrecy, so requests that carry credentials must still travel over HTTPS)
- Rate limiting on sign-in endpoints
- Cloudflare Turnstile bot protection on login forms
- Email OTP verification for new SSO users
- WordPress nonce CSRF protection on plugin AJAX calls
- Account lockout after repeated failed attempts
- Audit logging of all sign-in events
- Short-lived session tokens issued by ClubMS
Embed Mode
The plugin supports an embed mode where ClubMS pages are displayed inside an iframe on your WordPress site. The user’s session is shared between the two so they don’t need to sign in again inside the embed.