<div class="wp-block-smartcloud-ai-kit-feature"></div>
Sign In

Solution · SSO

WordPress SSO with AWS Cognito

A Cognito-centered SSO pattern for WordPress sites that need more than a local WordPress username and password.

Short answer: WordPress SSO with AWS Cognito uses Cognito as the identity broker between WordPress, social providers and enterprise identity systems. WP Suite Gatey brings that SSO layer into WordPress pages through Gutenberg blocks, frontend UI, conditional layouts and authenticated API patterns.

Explore Gatey
Compare SSO approaches

Why this matters

SSO is rarely only a login screen. It affects account lifecycle, MFA, social login, enterprise federation, authorization and audit expectations.

Many WordPress SSO plugins focus on connecting WordPress to an IdP while WordPress remains the runtime center. For AWS-native projects, Cognito often belongs at the center instead.

A Cognito-centered approach is especially useful when the same identity must protect static pages, APIs, forms, workflows and external AWS services.

Architecture and data flow

User / browser
        ↓
Gatey Authenticator in WordPress
        ↓
Amazon Cognito User Pool / Hosted UI / federation
        ↓
Social provider or enterprise IdP
        ↓
Tokens returned to browser
        ↓
WordPress UI + authenticated API calls

Capability map

Cognito User Pool and App Client

Use Cognito as the identity hub, with an app client configured for frontend/static-friendly authorization-code flows and no client secret in WordPress.

Deployment wizard for Cognito

Use a guided wizard to collect the few required stack decisions and generate a prefilled CloudFormation Create stack review link for the Cognito infrastructure.

Hosted UI and callback domains

Configure the Cognito Hosted UI domain, callback URLs, sign-out URLs and scopes so social and enterprise logins return cleanly to the WordPress sign-in route.

Social provider federation

Connect Google, Apple, Facebook, Amazon and other supported providers through Cognito, then expose the resulting buttons through Gatey on WordPress pages.

Enterprise OIDC and SAML

Use Cognito as the broker for Azure AD, Okta, Auth0, Keycloak, Ping or other OIDC/SAML identity providers instead of hard-coding each IdP into WordPress.

Attribute and group mapping

Plan email, given_name, family_name and stable identifier mapping, then use groups and claims for role mapping, visibility rules and API authorization.

Static-friendly frontend SSO

Gatey talks to Cognito from the browser, so the public site can be exported and served statically when the configured endpoints and redirect URLs remain reachable.

Identity Pool and secure API access

For AWS-backed runtime features, combine Cognito tokens with Identity Pools or JWT validation so signed-in visitors can call API Gateway/Lambda or protected services safely.

Guided SSO deployment and WordPress wiring

The Cognito side of WordPress SSO has many parameters, but most sites only need a guided path: choose the login model, deploy the Cognito stack, copy the outputs, and then configure Gatey in WordPress. This keeps deployment repeatable across client sites without hiding the AWS ownership model.

Gatey / Cognito deployment wizard
        ↓
Choose login model: local users, social login, enterprise SSO, MFA/email mode
        ↓
Prefilled CloudFormation Create stack review URL
        ↓
Customer-owned AWS account deploys Cognito infrastructure
        ↓
Stack outputs: User Pool ID, App Client ID, Region, Hosted UI domain
        ↓
WordPress → SmartCloud → Gatey Settings → User Pools / General / Providers

Decision table

Mode / dimensionBest forData path / approachTrade-off
Social loginConsumer or community sign-inCognito federation → providerProvider setup and callback domains must be correct
Enterprise SSOClient portals and B2B sitesCognito → SAML/OIDC IdPRequires identity-provider coordination
Static SSOStatic WordPress with loginBrowser → CognitoNo WordPress PHP session needed for the frontend flow
API authorizationAuthenticated app featuresToken/IAM → API backendAPI must validate identity claims

How this differs from the usual approach

Dashboard-only SSO

Good for admin access, but does not necessarily solve frontend portals.

Traditional WordPress SSO plugin

Useful inside dynamic WordPress, but may be tightly coupled to PHP runtime assumptions.

Gatey + Cognito

Better when Cognito is the identity source for frontend pages, static delivery and AWS APIs.

When this is a good fit

  • Sites that already use AWS or Cognito.
  • Agencies serving clients with SSO requirements.
  • Static WordPress portals that need login and API calls.
  • Projects where identity must extend beyond WordPress itself.

When not to use this

  • A basic blog where local WordPress login is enough.
  • A project where the IdP must create local WordPress user records for every interaction.
  • Teams without access to configure Cognito, callbacks and IdP settings.

Implementation path

A credible SSO implementation should separate infrastructure deployment from identity-provider onboarding and WordPress UI wiring.

  1. Choose the SSO model: consumer social login, enterprise SAML/OIDC, internal Cognito users, or a mixed pool.
  2. Use the Gatey/Cognito deployment wizard or an existing Cognito environment to prepare the User Pool, app client, Hosted UI domain and email/MFA behavior.
  3. Confirm the app client has no client secret when the site relies on frontend/static-friendly browser flows.
  4. Configure callback URLs, sign-out URLs and scopes including openid, email and profile; add aws.cognito.signin.user.admin only when API/IAM use cases require it.
  5. Connect social providers and enterprise IdPs in Cognito, test via Hosted UI, and inspect token claims before configuring WordPress.
  6. Paste User Pool ID, App Client ID, region, OAuth domain and scopes into Gatey User Pool settings.
  7. Configure Gatey General settings, provider buttons, custom enterprise provider labels/icons, sign-in page and optional WordPress login replacement.
  8. For protected APIs, design token validation or Identity Pool/IAM roles before exposing API actions in the browser.
  9. Document lifecycle operations: signup, invite flow, MFA, password reset, group/role mapping, offboarding and static export tests.

Gatey

Cognito login, SSO, MFA and browser-side authentication

Cognito-Protected Static WordPress

protected static delivery architecture

Gatey vs WordPress SSO plugins

SSO decision support

Docs

shortcodes, blocks, CSS variables and JavaScript API

WordPress Cognito Login

login-focused companion page

FAQ

What is WordPress SSO with AWS Cognito?

WordPress SSO with AWS Cognito means using Cognito as the federation layer for social login, enterprise SAML/OIDC providers, MFA and account lifecycle flows, while WordPress remains the content and page experience layer. Gatey renders that frontend authentication experience inside WordPress and can keep working after static export.

Does this replace WordPress?

No. The recommended model keeps WordPress as the editorial and management layer. WP Suite adds cloud-native runtime capabilities around it rather than forcing a CMS migration.

Can this work with static WordPress?

Yes, when the required browser-side and API endpoints are reachable after export. Static publishing changes where the public HTML is served from; it does not prevent JavaScript components from calling configured APIs.

Is this only for large enterprise projects?

No, but it is most valuable when identity, security, AI, forms, workflows, protected APIs or repeatable AWS deployment patterns matter. For a simple brochure site, it may be unnecessary.

Can Cognito connect WordPress to Google or enterprise SSO?

Cognito supports social and enterprise federation patterns, and Gatey brings the resulting login flow to WordPress frontend pages.

Is Gatey only for the WordPress admin?

No. Gatey is aimed at frontend WordPress login and account-aware experiences, including static-site-friendly use cases.

Can one Cognito user pool protect APIs too?

Yes, if your API validates the Cognito tokens or IAM identity correctly. The page UI and backend authorization should be designed together.

Is this overkill for a small membership site?

Often yes. A simple WordPress membership plugin may be enough when AWS identity, SSO, static delivery or protected APIs are not required.

Connect WordPress to social and enterprise SSO through Cognito

Use Amazon Cognito as a WordPress SSO layer for social login, enterprise federation, MFA and static-friendly frontend authentication.

Explore Gatey
Compare SSO approaches