Roadmap

What we're building next.

The features we've committed to, the ones we're planning, and the ones we're thinking about. No dates, because shipping dates are for liars. Email us if any of these would unblock you; it helps us prioritise.

Next

Committed and actively being built. Ships in the next one or two releases.

  • REST API auth via OAuth tokens

    Let headless WordPress apps validate incoming OAuth access tokens against the configured provider, so clients can hit the WP REST API with the same identity they use on the site.

  • Audit log export (CSV / JSON)

    Pro

    Download the full audit log or a filtered subset for compliance reviews, ticket evidence, and offline analysis. One-click from the Logs page.

  • Advanced role mapping

    Pro

    Regex matching, wildcard patterns, and array-membership rules for OAuth attribute values. Useful for complex group hierarchies where exact-match is too rigid.

  • Rate limiting per user, not just per IP

    Defends against distributed brute-force attacks where bot traffic is spread across many IPs. Configurable per-user, per-hour limit.

Planned

On the roadmap. Design work has started but the scope isn't locked.

  • Multiple OAuth providers per site

    Agency

    Configure several OAuth providers on a single install and let users pick at login time. The real use case: mixed-identity organisations where staff use Azure AD and students use Google Workspace. A v2.0 feature because the settings UI and callback handler need to be restructured around a list of configs.

  • WordPress multisite network support

    Agency

    Per-site and network-wide provider configuration, with licence activation across subsites. Targets networks where every subsite needs the same SSO.

  • SAML 2.0 support

    Pro

    Native SAML alongside OAuth / OIDC, without running a separate plugin. Doubles the enterprise addressable market. Same settings model, new protocol module.

  • Backchannel logout (OIDC)

    Pro

    When the identity provider revokes a session, WP force-logs the user out on the next page load. Implements the OpenID Connect Back-Channel Logout spec. Important for security-conscious buyers.

Exploring

Ideas we're considering. Tell us if any of these matter to you.

  • WooCommerce customer auto-create on OAuth login

    Auto-create a WooCommerce customer record the first time a user logs in via OAuth, so their order history starts from the right place. Opens the WooCommerce SSO use case.

  • Optional 2FA layer after OAuth

    A TOTP step required after the OAuth round-trip, for admins who want belt-and-braces auth even when the provider is trusted.

  • Webhook on user events

    POST a payload to a configured URL when a user logs in, is created, or fails auth. Unlocks external sync to CRMs, analytics, and audit systems without a custom plugin.

  • Custom claim transformations

    PHP filters or a simple expression language to remap OAuth userinfo responses before WP sees them. For providers that return unusual shapes that dot-notation can't express.

  • Admin dashboard login stats widget

    A small widget on the WP dashboard showing login attempts, successes, and failures over the last 7 days. Makes the plugin feel active to admins who otherwise forget it's there.

  • Bulk user pre-provisioning

    Agency

    Create WP accounts for an entire OAuth group before users first log in, so admins can assign capabilities and meta ahead of time.

Something missing?
We want to hear about it.

If one of these items would unblock a real project for you, or if there's something you need that isn't on the list at all, the best thing you can do is email us. Concrete use cases move things up the priority list faster than anything else.

Email us about a feature