I want to use WordPress Auth0 as SSO. What's next?

  1. I have WordPress auth0 login with SSO enabled: Log in | Mollyverse | metaverse talks | molly.com | m.ly
    I want this page to be the centralized login page for all of my other sites:

  2. I have a forum that also wants to use the same SSO login: http://minecraftly.com
    I try to set up SSO login so that it checks the WordPress login page’s cookie. It doesn’t work.

Can you guys please help guide me through how to do it properly?

Sharing a session cookie for authentication implies that the web applications are within the same parent domain and would also imply that all the web applications are able to understand the format/contents of said cookie.

Trying to reuse a WordPress-specific login artifact in another application is probably not the best approach.

I noticed that you’re using login with Google, Facebook and Microsoft so this implies that the user is already being redirected to Auth0 and then to the identity provider he chose. Given the user is redirected to Auth0 an authenticated session can be established during this redirect and that same session can be reused by other applications.

It should be something like this:

  • You individually configure WordPress and your other client applications in Auth0. In the client settings you enable the Use Auth0 instead of the IdP to do Single Sign On toggle.
  • The user logs into one of the applications using Google, Facebook or Microsoft; during the redirect process a session is established at Auth0.
  • The user accesses another application; since he already has a session in Auth0, that application can leverage it to automatically log the user in.

The way each client application implements this may slightly vary depending on the exact characteristics of the client application as each may use different libraries, but the typical custom web application could make use of silent authentication to detect and reuse that existing session and as such achieve SSO. The important point is that each client application is independent and they don’t try to check anything specific to another client application; they only reuse when available an authenticated session.

Given you’re using social authentication be sure to also read this section of the docs: