Single Sign on for multiple domains on MU

Cross domain single sign on has been a nightmare for us—we’ve had dozens of highly experienced WordPress programmers try to do it for us with no success.

Your own support forum highlights the difficulty:

We would like to know if your domain mapping plugin has recently solved this problem, or if you mean something different by “cross domain cookie syncing.”

We have 500+ domains (not subdomains)....,, etc. All using a single multisite installation. Our requirement is to allow users to go from one domain to another, and only have to log in once in the beginning. We've been successful with SSO only with subdomains of a single domain, but not multiple domains.

We explored this with you 2 years ago rather intensely, and ultimately concluded there was a serious scaling problem, and had to use the WordPress domain mapping plugin instead.

Many thanks!

  • alberti


    In one of your forums, one of your users writes:

    Network single sign on does not work with the WPMU DEV domain mapping plugin. Cookie syncing is only for that one subsite to ensure that the user is logged into both the mapped and non-mapped domain for that subsite only.

    This is a very important issue for us, we really would appreciate if you can check with the creator of the plugin. We spent a great deal of money developing using the WPMU dev plugin but had to abandon it 2 years ago.


  • Timothy Bowers

    Hey Alberti.

    Within the network admin there is an option:

    Cross-domain autologin

    Would you like for your members to be logged into all sites within your network regardless of domain name

    Screenshot attached.

    When you log in from the mapped domain, you're logged into all network sites using sub domains.

    But whilst testing, if I logged into the main site, I'm not also logged into the mapped domains.

    I'm going to flag our developer on this to get his input, and to see if there is anything we can do here, or if we need to fix that wording.


  • Eugene Manuilov

    Hi guys!

    I have been thinking about it today for a while and invented one *VERY* clever approach to implement CDSSO without any kind of scaling problems and with a low level of resource spending.

    I am going to implement it tomorrow. If I am lucky enough to do it, then I will replace the current SSO implementation, which is not perfect btw.

    So fingers crossed, you will have something special on Monday :smiley:


  • Eugene Manuilov

    Ok, let me explain how it works right now and where our bottleneck is.

    Let's assume we have a network user who owns 10 sites and has mapped 10 domains (1 site - 1 domain). Currently, if SSO is enabled, we add 10 links to each page which this user visits. It looks similar to this:

    <link href="" rel="stylesheet" type="text/css" media="all">
    <link href="" rel="stylesheet" type="text/css" media="all">
    <link href="" rel="stylesheet" type="text/css" media="all">
    <link href="" rel="stylesheet" type="text/css" media="all">
    <link href="" rel="stylesheet" type="text/css" media="all">

    This http://.../some/special/path/ is processed by the domain mapping plugin. The plugin sets auth cookies and returns an empty stylesheet response. By doing this we achieve single sign on for all mapped domains. But at the same time we have to add all these links again for each request a user makes.

    Where is the bottleneck? As you can see, when a user makes one request, the plugin makes 10 additional requests to the server. It means that if your server has 1000 page views a day, then your server in fact processes ~10,000 requests. What will happen if we have 1,000,000 page views a month? Yeah...

    To be continued...

  • Eugene Manuilov

    Today I have developed another approach for CDSSO. This approach looks similar to OpenID but adjusted to WordPress realities.

    Assume we have the same situation. We have a network user who has 10 sites with a unique domain mapped to each site. This user hasn't logged in yet and visits the first site. Obviously he views this site as a guest, but when he logs into this site we add a special link to the page he is redirected to after a successful login. This special link will log this user in at the root site of the network. Note that we won't add this link each time this user views a page, only after a successful login and only to log him in at the root site of the network.

    Ok, at this step we have a user who has logged into the first site and been auto logged in at the root site. No more extra requests, no more extra links will be added.

    After that, if this user opens another site owned by him, he will be auto redirected to the root site and then redirected back to the site he entered with proper credentials. So this user won't even see any redirects, he will just be logged in automatically. Once again, no extra requests, no extra links, no extra bull...

    In the case when a user comes to his site and he is not logged in at the root site, a special cookie will be set to not redirect him to the root for the permissions check. This cookie will live until that session is finished.

    If this user logs out from one site, he will be logged out from the root site as well, and won't be auto logged in when he visits the next site.


    So this is the approach which I have implemented today in the domain mapping plugin. The RC1 version is attached to this message. So you can download it and test it on your network. Let me know if you have any questions or issues.

    P.S.: my explanation looks a bit muddled, but hope you can understand the idea behind it.
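
The redirect flow described in the post above, modelled as an added example (not the Domain Mapping plugin's code and not part of the thread): the root site hands a signed, short-lived, single-use token back to a mapped site, which checks it before logging the visitor in. The HMAC token format, the 60-second lifetime, the host names and all function names are assumptions made for illustration; only the `disable_cdsso` cookie name comes from the thread.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"                # assumption: key shared by all sites of the network
MAPPED = {"site-a.example", "site-b.example"}   # constructed mapped domains
TTL = 60                                        # assumption: token lifetime in seconds

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())

def root_handle(root_user, return_host, now):
    """Root site: answer the redirect a mapped site sends for a visitor it does not know."""
    if return_host not in MAPPED:
        return {"action": "reject"}             # never bounce credentials to an unmapped host
    if root_user is None:
        # Guest at root: send the visitor back and let the site set disable_cdsso
        # so it stops redirecting (how the flag travels back is an assumption).
        return {"action": "redirect", "host": return_host, "set_cookie": "disable_cdsso"}
    claims = {"uid": root_user, "aud": return_host,
              "exp": now + TTL, "jti": secrets.token_hex(8)}
    payload = _b64(json.dumps(claims).encode())
    return {"action": "redirect", "host": return_host, "token": payload + "." + _sign(payload)}

def site_accept(token, this_host, now, used_jti):
    """Mapped site: return the user id to log in, or None if the token must be refused."""
    payload, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None                             # forged or altered token
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["aud"] != this_host or claims["exp"] < now or claims["jti"] in used_jti:
        return None                             # issued for another site, expired, or replayed
    used_jti.add(claims["jti"])                 # remember the token id: single use only
    return claims["uid"]

def demo():
    now, used = 1_000, set()                    # constructed clock value and replay store
    token = root_handle(42, "site-b.example", now)["token"]
    return {
        "login": site_accept(token, "site-b.example", now, used),
        "replay": site_accept(token, "site-b.example", now, used),
        "other_site": site_accept(token, "site-a.example", now, set()),
        "expired": site_accept(token, "site-b.example", now + TTL + 1, set()),
        "guest": root_handle(None, "site-a.example", now).get("set_cookie"),
        "unmapped": root_handle(42, "unmapped.example", now)["action"],
    }
```

Binding the token to one host and one use keeps a token captured on one mapped domain from being replayed on another, which matters more as the number of mapped domains grows.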


  • alberti

    Thanks for the progress Eugenius!

    I see the scaling problem there. But we have a different configuration, perhaps you can explain how your solution applies to our situation.

    We don't have any users who "own" sites. We have 700+ sites, that we put together all on a single Multisite install. These are NOT sub-sites, they are fully grown sites, e.g.,, etc. All users share all sites. It's like a public park where anyone who is a member can create content at any site.

    Does this mean that each user gets mapped to 700 sites? And does this create an even larger bottleneck?

  • alberti

    Hi Eugene,

    I'm not a coder but an idea / question came to me. The only solutions we know of are SimpleSAMLphp or OpenAM. They need some sort of reverse proxy setup. But this is all WordPress, I'm wondering if you can model these other 2 solutions and offload some of the requirements to the WordPress configuration files outside of the plugin. In other words, not expect your plugin alone to do all the work. We'd certainly be willing to make some changes to wpconfig or other files on our server, or install additional files, if this would help.

    Just a thought,

  • alberti

    Hi Eugene,

    1 multisite install, 1 server, 1 database.

    All users have access to all domains, as editors or contributors. We might consider your Pro Sites or Membership plugin later.

    A combination of domains and subdomains.,,,..,,,...

    We currently have installed 35 domains for testing purposes but plan to scale quickly to 700. This 700 is NOT counting subdomains. We use the WP domain mapping plugin because it is highly scalable and robust. The only downside is it does not do SSO.


  • alberti

    If it helps any to conceptualize, these domains are not live, but here's what we have:

    All connected on one multisite install. Depending on the mood of the user, he can go to the domain he wants to create content and get support, while staying logged in.

    This would be an awesome testimonial for WPMUDEV if we can get it up and running!

  • alberti

    Plugin does not work in 3 ways.

    First, the subdomains do not resolve for visitors. You must be logged in to see the subdomains.

    Second, subdomains can be created only from the root domain, not from other fully grown domains. We can create, but we can't create

    Third, the mapping of fully grown domains, e.g.,, does not resolve. We can't do any cross domain mapping.

  • Eugene Manuilov

    Hi @alberti

    Plugin does not work in 3 ways.

    First, the subdomains do not resolve for visitors. You must be logged in to see the subdomains.

    Second, subdomains can be created only from the root domain, not from other fully grown domains. We can create, but we can't create

    Third, the mapping of fully grown domains, e.g.,, does not resolve. We can't do any cross domain mapping.

    Can you give me a real example of what you are trying to do? I got confused with all this and the other stuff.

    Our root domain for the multisite install is When we map, it made disappear.

    Currently it redirects users to mapped domains at the front end. I can add an option to the settings which will disable this behavior and let users see the domain which they enter.

    Then, per attached, we only saw option to map one domain. There did not appear to be an option to map multiple domains.

    If you want to allow the ability to map multiple domains to one site, then add the following line to your wp-config.php file:

    define( 'DOMAINMAPPING_ALLOWMULTI', true );

    Finally, could you send me credentials to your test network admin dashboard + FTP access? Send it on *contact[at]wpmudev[dot]org* with subject "ATTN: Eugene". I will pick it up and take a look at it.


  • alberti

    I sent you the credentials via email, thanks.

    We have a multisite install as follows (these are the real domain names):


    Then we use multisite to add these domains:,, .... [scaling to 700 domains]

    All users have access to all domains. So user1 logs in and creates content at Then he goes to and creates content there. Then he goes to and creates content there. This is a single, shared public platform.

    A user does not "own" a domain with us. A user does not create his own domain or subdomain. Users do not "map" their own domains. Only the Superadmin does domain mapping, and this domain mapping applies to all users, who are treated equally.

    Is all this clear?

  • alberti

    I created a new VPS account with

    Unfortunately this has turned into a nightmare here... The plugin is not at all functional and causes the site to crash, and I get 3 errors in succession:

    Warning: Cannot modify header information - headers already sent by (output started at /home/compassi/public_html/wp-admin/includes/template.php:1706) in /home/compassi/public_html/wp-content/plugins/domain-mapping/classes/Domainmap/Module/Cdsso.php on line 158

    then line 159, then line 160

  • alberti

    Thanks to Eugene's extraordinary efforts, we now have a working prototype of CDSSO. I have seen the promised land and am ready to ascend now to heaven. This is a technical problem that has irked many WordPress users for many years and a solution appears on the horizon.

    However, we remain cautious because we have only done a brief test and now must put it into a real, working environment, with real users. So we will keep you all posted. But thanks for the progress and joining us in this journey!


  • alberti

    Not working yet.

    We gathered a bunch of people to do a demo and mysteriously it didn't work. We had not done anything between the time it worked and the time of our demo. I'm wondering Eugene, there was a slight change you made at the end of our session that might have disrupted our success -- you wrote:

    "i will make disable_cdsso cookie living not whole session, but just a couple of minutes"

    I'm wondering if this caused the breakdown? Because after you made this change we didn't test.

    We created a new install on a new server for our demo, so I am sending you the credentials.

    Thank you.

  • Tore

    I'm having the same problem, but I found a workaround.

    I was about to download the beta plugin from this thread when I thought to cycle the checkbox where you tell domain mapping to keep folks logged in across all domains in the multisite network, and save the changes. I then re-checked that checkbox and saved the settings again.

    I tested all the domains and sub/folder sites and they are keeping me logged in, once I log in.

    I am guessing that the setting will need to be reset each time new domains are mapped because until the domain name is mapped, my experience was that the matching sub/folder site was keeping me logged into those same matching sites until I mapped the new domain to point to it, and then something broke and I could no longer hit the sub/folder site because it instantly redirects to the mapped domain, nor could I remain logged in when going to the domain pointing to that sub/folder site. Going through that reset is a non-issue for smaller networks, but by the time you have 700 sites sharing the login and you add one new mapped domain, then go through that reset, I figure that it is going to have the effect of logging out everybody online on all of the previously mapped domains and force them all to log in again.

    If that happens, I'm not sure what happens to their MarketPress shopping carts or if they are in the process of checking out when the reset occurs.

    This could be a pointer as to where the problem is, but this is a workaround for now I think, at least for smaller, test networks.