diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index c3fa47f3..bbba4a79 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -183,6 +183,15 @@ jobs:
 
           echo "✅ All checkout tests passed!"
 
+      - name: Run SSO Redirect Loop Tests (After Setup)
+        id: sso-tests
+        run: |
+          echo "=== Starting SSO Redirect Loop Tests ==="
+          npx cypress run \
+            --config-file cypress.config.test.js \
+            --spec "tests/e2e/cypress/integration/065-sso-redirect-loop.spec.js" \
+            --browser ${{ matrix.browser }}
+
       - name: Run Stripe Tests (After Setup)
         id: stripe-tests
         env:
diff --git a/assets/js/sso.js b/assets/js/sso.js
index 16c1d599..492b0b64 100644
--- a/assets/js/sso.js
+++ b/assets/js/sso.js
@@ -1,46 +1,27 @@
-/* global wu_create_cookie, wu_sso_config, wu_read_cookie, detectIncognito */
+/* global wu_create_cookie, wu_sso_config, wu_read_cookie */
 (function(o) {
 
-  window.wu = window.wu || {};
+	window.wu = window.wu || {};
 
-  window.is_incognito = false;
+	window.wu.sso_denied = function() {
 
-  window.wu.sso_denied = function() {
+		wu_create_cookie('wu_sso_denied', 1, o.expiration_in_days);
 
-    wu_create_cookie('wu_sso_denied', 1, o.expiration_in_days);
+	};
 
-  };
+	const w = document.createElement('script');
 
-  window.wu.check_for_incognito_window = function() {
+	w.type = 'text/javascript';
 
-    try {
+	w.async = true;
 
-      detectIncognito(results => window.is_incognito = results.isPrivate);
+	w.defer = true;
 
-    } catch (e) {
+	w.src = o.server_url + '?_jsonp=1';
 
-      // If detectIncognito fails, assume not incognito
-      window.is_incognito = false;
+	const denied = wu_read_cookie('wu_sso_denied');
 
-    }
-
-  }
-
-  window.wu.check_for_incognito_window();
-
-  const w = document.createElement('script');
-
-  w.type = 'text/javascript';
-
-  w.async = true;
-
-  w.defer = true;
-
-  w.src = o.server_url + '?_jsonp=1';
-
-  const denied = wu_read_cookie('wu_sso_denied');
-
-  document.head.insertAdjacentHTML('beforeend', `
+	document.head.insertAdjacentHTML('beforeend', `
     <style>
       @keyframes fade_in {
         from { opacity: 0; }
@@ -78,83 +59,73 @@
     </style>
   `);
 
-  if (! o.is_user_logged_in && ! denied) {
+	if (! o.is_user_logged_in && ! denied) {
 
-    const s = document.getElementsByTagName('script')[0];
+		const s = document.getElementsByTagName('script')[ 0 ];
 
-    s.parentNode.insertBefore(w, s);
+		s.parentNode.insertBefore(w, s);
 
-    document.body.insertAdjacentHTML('beforeend', '<div class="sso-overlay">&nbsp;</div>');
+		document.body.insertAdjacentHTML('beforeend', '<div class="sso-overlay">&nbsp;</div>');
 
-  }
+	}
 
-  window.wu.sso = function(payload) {
+	window.wu.sso = function(payload) {
 
-    const encodedLocation = encodeURIComponent(window.location.href);
+		const encodedLocation = encodeURIComponent(window.location.href);
 
-    if (payload.code === 200) {
+		if (payload.code === 200) {
 
-      if (o.use_overlay) {
+			if (o.use_overlay) {
 
-        document.body.classList.add('sso-loading');
+				document.body.classList.add('sso-loading');
 
-      }
-
-      /**
-       * In case we're dealing with http (without ssl),
-       * we force a redirect to bypass browser cookie
-       * limitations.
-       *
-       * Otherwise, on the else block,
-       * we redirect with the verification code attached,
-       * to perform a regular SSO flow.
-       */
-      if (payload.verify === 'must-redirect') {
-
-        window.location.replace(`${ o.server_url }?return_url=${ encodedLocation }`);
-
-      } else {
-        window.location.replace(`${ o.server_url }?sso_verify=${ payload.verify }&return_url=${ encodedLocation }`);
-      }
-
-    } else {
+			}
 
-      /**
-       * If we are in a incognito window,
-       * we give it another try with a full redirect,
-       * as chrome settings might be blocking
-       * cookies from being sent anyways.
-       */
-      if (window.is_incognito) {
+			/**
+			 * In case we're dealing with http (without ssl),
+			 * we force a redirect to bypass browser cookie
+			 * limitations.
+			 *
+			 * Otherwise, on the else block,
+			 * we redirect with the verification code attached,
+			 * to perform a regular SSO flow.
+			 */
+			if (payload.verify === 'must-redirect') {
 
-        if (o.use_overlay) {
+				window.location.replace(`${ o.server_url }?return_url=${ encodedLocation }`);
 
-          document.body.classList.add('sso-loading');
+			} else {
+				window.location.replace(`${ o.server_url }?sso_verify=${ payload.verify }&return_url=${ encodedLocation }`);
+			}
 
-        }
-
-        window.location.replace(`${o.server_url}?return_url=${ encodedLocation }`);
-
-        return;
-
-      }
+		} else {
 
-      window.wu.sso_denied();
+			/**
+			 * SSO failed (user not logged in on main site).
+			 * Set the denied cookie so we don't try again for 5 minutes,
+			 * and remove the loading overlay.
+			 *
+			 * Previously, incognito windows would attempt a full redirect
+			 * as a fallback, but this caused an infinite redirect loop:
+			 * redirect -> sso_verify=invalid -> redirect -> repeat.
+			 * The denied cookie now prevents re-entry in all cases.
+			 */
+			window.wu.sso_denied();
 
-      document.body.classList.remove('sso-loading');
+			document.body.classList.remove('sso-loading');
 
-    }
+		}
 
-  };
+	};
 
-  (function clean_up_query_args() {
+	(function clean_up_query_args() {
 
-    if (window.history.replaceState) {
+		if (window.history.replaceState) {
 
-      window.history.replaceState(null, null, o.filtered_url + window.location.hash);
+			window.history.replaceState(null, null, o.filtered_url + window.location.hash);
 
-    }
+		}
 
-  }());
+	}());
 
 }(wu_sso_config));
diff --git a/assets/js/sso.min.js b/assets/js/sso.min.js
index f096812a..52070300 100644
--- a/assets/js/sso.min.js
+++ b/assets/js/sso.min.js
@@ -1,4 +1,4 @@
-(n=>{window.wu=window.wu||{},window.is_incognito=!1,window.wu.sso_denied=function(){wu_create_cookie("wu_sso_denied",1,n.expiration_in_days)},window.wu.check_for_incognito_window=function(){try{detectIncognito(o=>window.is_incognito=o.isPrivate)}catch(o){window.is_incognito=!1}},window.wu.check_for_incognito_window();var o=document.createElement("script"),e=(o.type="text/javascript",o.async=!0,o.defer=!0,o.src=n.server_url+"?_jsonp=1",wu_read_cookie("wu_sso_denied"));document.head.insertAdjacentHTML("beforeend",`
+(n=>{window.wu=window.wu||{},window.wu.sso_denied=function(){wu_create_cookie("wu_sso_denied",1,n.expiration_in_days)};var e=document.createElement("script"),o=(e.type="text/javascript",e.async=!0,e.defer=!0,e.src=n.server_url+"?_jsonp=1",wu_read_cookie("wu_sso_denied"));document.head.insertAdjacentHTML("beforeend",`
     <style>
       @keyframes fade_in {
         from { opacity: 0; }
@@ -34,4 +34,4 @@
         background-size: 20px 20px;
       }
     </style>
-  `),n.is_user_logged_in||e||((e=document.getElementsByTagName("script")[0]).parentNode.insertBefore(o,e),document.body.insertAdjacentHTML("beforeend",'<div class="sso-overlay">&nbsp;</div>')),window.wu.sso=function(o){var e=encodeURIComponent(window.location.href);200===o.code?(n.use_overlay&&document.body.classList.add("sso-loading"),"must-redirect"===o.verify?window.location.replace(n.server_url+"?return_url="+e):window.location.replace(`${n.server_url}?sso_verify=${o.verify}&return_url=`+e)):window.is_incognito?(n.use_overlay&&document.body.classList.add("sso-loading"),window.location.replace(n.server_url+"?return_url="+e)):(window.wu.sso_denied(),document.body.classList.remove("sso-loading"))},window.history.replaceState&&window.history.replaceState(null,null,n.filtered_url+window.location.hash)})(wu_sso_config);
\ No newline at end of file
+  `),n.is_user_logged_in||o||((o=document.getElementsByTagName("script")[0]).parentNode.insertBefore(e,o),document.body.insertAdjacentHTML("beforeend",'<div class="sso-overlay">&nbsp;</div>')),window.wu.sso=function(e){var o=encodeURIComponent(window.location.href);200===e.code?(n.use_overlay&&document.body.classList.add("sso-loading"),"must-redirect"===e.verify?window.location.replace(n.server_url+"?return_url="+o):window.location.replace(`${n.server_url}?sso_verify=${e.verify}&return_url=`+o)):(window.wu.sso_denied(),document.body.classList.remove("sso-loading"))},window.history.replaceState&&window.history.replaceState(null,null,n.filtered_url+window.location.hash)})(wu_sso_config);
\ No newline at end of file
diff --git a/inc/sso/class-sso.php b/inc/sso/class-sso.php
index 333c4ea6..33acb98b 100644
--- a/inc/sso/class-sso.php
+++ b/inc/sso/class-sso.php
@@ -543,22 +543,41 @@ public function handle_broker($response_type = 'redirect'): void {
 
 		// Attach through redirect if the client isn't attached yet.
 		if ( ! $broker->isAttached()) {
-			$return_url = $this->get_current_url();
-
-			if ( 'jsonp' === $response_type) {
-				$attach_url = $broker->getAttachUrl(
-					[
-						'_jsonp' => '1',
-					]
-				);
-			} else {
-				$attach_url = $broker->getAttachUrl(
-					[
-						'return_url' => $return_url,
-					]
+			/*
+			 * For JSONP requests (initiated by a <script> tag), we must NOT
+			 * redirect — the browser follows 302s transparently for script
+			 * tags, but the final response from the server will be a redirect
+			 * (not JavaScript), so the wu.sso() callback never fires.
+			 * Instead, return a JSONP error so the JS can handle it gracefully
+			 * and set the wu_sso_denied cookie to prevent further attempts.
+			 */
+			if ('jsonp' === $response_type) {
+				header('Content-Type: application/javascript; charset=utf-8');
+
+				printf(
+					'wu.sso(%s, %d);',
+					wp_json_encode(
+						[
+							'code'    => 0,
+							'message' => 'Broker not attached',
+						]
+					),
+					200
 				);
+
+				status_header(200);
+
+				exit;
 			}
 
+			$return_url = $this->get_current_url();
+
+			$attach_url = $broker->getAttachUrl(
+				[
+					'return_url' => $return_url,
+				]
+			);
+
 			wp_safe_redirect($attach_url, 302, 'WP-Ultimo-SSO');
 
 			exit();
@@ -743,9 +762,7 @@ public function enqueue_script(): void {
 			return;
 		}
 
-		wp_register_script('wu-detect-incognito', wu_get_asset('detectincognito.js', 'js/lib'), false, wu_get_version(), true);
-
-		wp_register_script('wu-sso', wu_get_asset('sso.js', 'js'), ['wu-cookie-helpers', 'wu-detect-incognito'], wu_get_version(), true);
+		wp_register_script('wu-sso', wu_get_asset('sso.js', 'js'), ['wu-cookie-helpers'], wu_get_version(), true);
 
 		$sso_path = $this->get_url_path();
 
diff --git a/tests/WP_Ultimo/SSO/SSO_Test.php b/tests/WP_Ultimo/SSO/SSO_Test.php
index 85bf6bdb..3b2bc40f 100644
--- a/tests/WP_Ultimo/SSO/SSO_Test.php
+++ b/tests/WP_Ultimo/SSO/SSO_Test.php
@@ -1,4 +1,9 @@
 <?php
+/**
+ * SSO unit tests.
+ *
+ * @package WP_Ultimo\SSO
+ */
 
 namespace WP_Ultimo\SSO;
 
@@ -10,6 +15,9 @@
  */
 class SSO_Test extends \WP_UnitTestCase {
 
+	/**
+	 * Set up test fixtures.
+	 */
 	protected function setUp(): void {
 		parent::setUp();
 
@@ -23,6 +31,9 @@ function () {
 		);
 	}
 
+	/**
+	 * Tear down test fixtures.
+	 */
 	protected function tearDown(): void {
 		remove_all_filters('wu_sso_enabled');
 		remove_all_filters('wu_sso_salt');
@@ -42,12 +53,18 @@ protected function tearDown(): void {
 	// is_enabled
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test is_enabled returns true when the filter returns true.
+	 */
 	public function test_is_enabled_returns_true_when_filter_returns_true(): void {
 		$sso = SSO::get_instance();
 
 		$this->assertTrue($sso->is_enabled());
 	}
 
+	/**
+	 * Test is_enabled returns false when the filter returns false.
+	 */
 	public function test_is_enabled_returns_false_when_filter_returns_false(): void {
 		remove_all_filters('wu_sso_enabled');
 		add_filter('wu_sso_enabled', '__return_false');
@@ -61,6 +78,9 @@ public function test_is_enabled_returns_false_when_filter_returns_false(): void
 	// force_secure_login_cookie
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test force_secure_login_cookie returns a boolean value.
+	 */
 	public function test_force_secure_login_cookie_returns_boolean(): void {
 		$sso    = SSO::get_instance();
 		$result = $sso->force_secure_login_cookie();
@@ -72,12 +92,18 @@ public function test_force_secure_login_cookie_returns_boolean(): void {
 	// get_url_path
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test get_url_path defaults to 'sso'.
+	 */
 	public function test_get_url_path_defaults_to_sso(): void {
 		$sso = SSO::get_instance();
 
 		$this->assertSame('sso', $sso->get_url_path());
 	}
 
+	/**
+	 * Test get_url_path appends the action suffix.
+	 */
 	public function test_get_url_path_appends_action(): void {
 		$sso = SSO::get_instance();
 
@@ -85,6 +111,9 @@ public function test_get_url_path_appends_action(): void {
 		$this->assertSame('sso-login', $sso->get_url_path('login'));
 	}
 
+	/**
+	 * Test get_url_path respects the wu_sso_get_url_path filter.
+	 */
 	public function test_get_url_path_respects_filter(): void {
 		add_filter(
 			'wu_sso_get_url_path',
@@ -103,6 +132,9 @@ function () {
 	// encode / decode
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test encode returns a non-numeric string.
+	 */
 	public function test_encode_returns_non_numeric_string(): void {
 		$sso     = SSO::get_instance();
 		$encoded = $sso->encode(42, $sso->salt());
@@ -111,6 +143,9 @@ public function test_encode_returns_non_numeric_string(): void {
 		$this->assertNotSame('42', $encoded);
 	}
 
+	/**
+	 * Test decode returns the original value after encoding.
+	 */
 	public function test_decode_returns_original_value(): void {
 		$sso     = SSO::get_instance();
 		$salt    = $sso->salt();
@@ -120,6 +155,9 @@ public function test_decode_returns_original_value(): void {
 		$this->assertSame(999, $decoded);
 	}
 
+	/**
+	 * Test different salts produce different encoded values.
+	 */
 	public function test_different_salts_produce_different_encodings(): void {
 		$sso = SSO::get_instance();
 
@@ -133,6 +171,9 @@ public function test_different_salts_produce_different_encodings(): void {
 	// get_strategy
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test get_strategy returns a valid strategy string.
+	 */
 	public function test_get_strategy_returns_string(): void {
 		$sso = SSO::get_instance();
 
@@ -141,6 +182,9 @@ public function test_get_strategy_returns_string(): void {
 		$this->assertContains($strategy, ['ajax', 'redirect']);
 	}
 
+	/**
+	 * Test get_strategy respects the wu_sso_get_strategy filter.
+	 */
 	public function test_get_strategy_respects_filter(): void {
 		add_filter(
 			'wu_sso_get_strategy',
@@ -158,6 +202,9 @@ function () {
 	// get_return_type
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test get_return_type defaults to 'redirect' when no request param is set.
+	 */
 	public function test_get_return_type_defaults_to_redirect(): void {
 		unset($_REQUEST['return_type']);
 
@@ -166,6 +213,9 @@ public function test_get_return_type_defaults_to_redirect(): void {
 		$this->assertSame('redirect', $sso->get_return_type());
 	}
 
+	/**
+	 * Test get_return_type accepts 'jsonp' as a valid return type.
+	 */
 	public function test_get_return_type_accepts_jsonp(): void {
 		$_REQUEST['return_type'] = 'jsonp';
 
@@ -174,6 +224,9 @@ public function test_get_return_type_accepts_jsonp(): void {
 		$this->assertSame('jsonp', $sso->get_return_type());
 	}
 
+	/**
+	 * Test get_return_type accepts 'json' as a valid return type.
+	 */
 	public function test_get_return_type_accepts_json(): void {
 		$_REQUEST['return_type'] = 'json';
 
@@ -182,6 +235,9 @@ public function test_get_return_type_accepts_json(): void {
 		$this->assertSame('json', $sso->get_return_type());
 	}
 
+	/**
+	 * Test get_return_type rejects invalid values and defaults to 'redirect'.
+	 */
 	public function test_get_return_type_rejects_invalid_and_defaults_to_redirect(): void {
 		$_REQUEST['return_type'] = 'xml';
 
@@ -194,6 +250,9 @@ public function test_get_return_type_rejects_invalid_and_defaults_to_redirect():
 	// add_sso_removable_query_args
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test add_sso_removable_query_args adds the SSO path to the list.
+	 */
 	public function test_add_sso_removable_query_args_adds_sso_path(): void {
 		$sso  = SSO::get_instance();
 		$args = $sso->add_sso_removable_query_args([]);
@@ -201,6 +260,9 @@ public function test_add_sso_removable_query_args_adds_sso_path(): void {
 		$this->assertContains('sso', $args);
 	}
 
+	/**
+	 * Test add_sso_removable_query_args preserves existing arguments.
+	 */
 	public function test_add_sso_removable_query_args_preserves_existing(): void {
 		$sso  = SSO::get_instance();
 		$args = $sso->add_sso_removable_query_args(['existing_arg']);
@@ -213,6 +275,9 @@ public function test_add_sso_removable_query_args_preserves_existing(): void {
 	// target_user_id
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test set_target_user_id and get_target_user_id round-trip.
+	 */
 	public function test_set_and_get_target_user_id(): void {
 		$sso = SSO::get_instance();
 
@@ -229,6 +294,9 @@ public function test_set_and_get_target_user_id(): void {
 	// calculate_secret_from_date
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test calculate_secret_from_date produces consistent hashes.
+	 */
 	public function test_calculate_secret_produces_consistent_hash(): void {
 		$sso = SSO::get_instance();
 
@@ -238,6 +306,9 @@ public function test_calculate_secret_produces_consistent_hash(): void {
 		$this->assertSame($secret_a, $secret_b);
 	}
 
+	/**
+	 * Test calculate_secret_from_date differs for different dates.
+	 */
 	public function test_calculate_secret_differs_for_different_dates(): void {
 		$sso = SSO::get_instance();
 
@@ -247,6 +318,9 @@ public function test_calculate_secret_differs_for_different_dates(): void {
 		$this->assertNotSame($secret_a, $secret_b);
 	}
 
+	/**
+	 * Test calculate_secret_from_date throws on invalid date input.
+	 */
 	public function test_calculate_secret_throws_on_invalid_date(): void {
 		$sso = SSO::get_instance();
 
@@ -259,6 +333,9 @@ public function test_calculate_secret_throws_on_invalid_date(): void {
 	// with_sso (static)
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test with_sso adds the sso=login query parameter.
+	 */
 	public function test_with_sso_adds_sso_login_param(): void {
 		$url    = 'https://example.com/checkout';
 		$result = SSO::with_sso($url);
@@ -266,6 +343,9 @@ public function test_with_sso_adds_sso_login_param(): void {
 		$this->assertStringContainsString('sso=login', $result);
 	}
 
+	/**
+	 * Test with_sso preserves existing query parameters.
+	 */
 	public function test_with_sso_preserves_existing_query_params(): void {
 		$url    = 'https://example.com/checkout?plan=pro';
 		$result = SSO::with_sso($url);
@@ -274,6 +354,9 @@ public function test_with_sso_preserves_existing_query_params(): void {
 		$this->assertStringContainsString('sso=login', $result);
 	}
 
+	/**
+	 * Test with_sso returns the original URL when SSO is disabled.
+	 */
 	public function test_with_sso_returns_original_url_when_disabled(): void {
 		remove_all_filters('wu_sso_enabled');
 		add_filter('wu_sso_enabled', '__return_false');
@@ -288,6 +371,9 @@ public function test_with_sso_returns_original_url_when_disabled(): void {
 	// get_final_return_url
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test get_final_return_url includes sso=done and wp-login.php.
+	 */
 	public function test_get_final_return_url_includes_done_and_wp_login(): void {
 		$sso = SSO::get_instance();
 		$url = 'https://example.com/sso?redirect_to=https%3A%2F%2Fexample.com%2Fdashboard';
@@ -299,6 +385,9 @@ public function test_get_final_return_url_includes_done_and_wp_login(): void {
 		$this->assertStringContainsString('redirect_to=', $final);
 	}
 
+	/**
+	 * Test get_final_return_url strips the SSO path from the URL.
+	 */
 	public function test_get_final_return_url_strips_sso_path_from_url_path(): void {
 		$sso   = SSO::get_instance();
 		$url   = 'https://sub.example.com/sso';
@@ -313,12 +402,18 @@ public function test_get_final_return_url_strips_sso_path_from_url_path(): void
 	// get_broker_by_id
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test get_broker_by_id returns null for an invalid ID.
+	 */
 	public function test_get_broker_by_id_returns_null_for_invalid_id(): void {
 		$sso = SSO::get_instance();
 
 		$this->assertNull($sso->get_broker_by_id('completely-invalid'));
 	}
 
+	/**
+	 * Test get_broker_by_id returns an array for a valid site.
+	 */
 	public function test_get_broker_by_id_returns_array_for_valid_site(): void {
 		$blog_id = get_current_blog_id();
 
@@ -337,6 +432,9 @@ public function test_get_broker_by_id_returns_array_for_valid_site(): void {
 	// handle_broker early returns
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test handle_broker returns early on the main site.
+	 */
 	public function test_handle_broker_returns_early_on_main_site(): void {
 		// On the main site, handle_broker should return without doing anything.
 		$this->assertTrue(is_main_site(), 'Test expects to run on main site');
@@ -406,10 +504,54 @@ public function test_handle_broker_source_redirects_to_return_url_on_invalid_ver
 		);
 	}
 
+	// ------------------------------------------------------------------
+	// handle_broker JSONP returns error instead of redirect for unattached broker
+	// ------------------------------------------------------------------
+
+	/**
+	 * Verify that when the broker is not attached and the response type is JSONP,
+	 * handle_broker returns a JSONP error response instead of redirecting.
+	 * Redirecting a script tag request breaks the wu.sso() callback and
+	 * causes an infinite redirect loop.
+	 */
+	public function test_handle_broker_source_returns_jsonp_error_for_unattached_broker(): void {
+		$source = file_get_contents(
+			dirname(__DIR__, 3) . '/inc/sso/class-sso.php'
+		);
+
+		// The unattached broker JSONP branch must call wu.sso() with an error, not wp_safe_redirect.
+		$pattern = "/isAttached\(\).*?'jsonp'\s*===\s*\\\$response_type.*?wu\.sso\(/s";
+		$this->assertMatchesRegularExpression(
+			$pattern,
+			$source,
+			'handle_broker must return JSONP error (not redirect) when broker is unattached and response type is jsonp'
+		);
+	}
+
+	/**
+	 * Verify that the SSO JS does not redirect in incognito mode.
+	 * The incognito redirect caused an infinite loop:
+	 * redirect -> sso_verify=invalid -> redirect -> repeat.
+	 */
+	public function test_sso_js_does_not_contain_incognito_redirect(): void {
+		$source = file_get_contents(
+			dirname(__DIR__, 3) . '/assets/js/sso.js'
+		);
+
+		$this->assertStringNotContainsString(
+			'is_incognito',
+			$source,
+			'SSO JS should not contain incognito detection — the incognito redirect path caused infinite loops'
+		);
+	}
+
 	// ------------------------------------------------------------------
 	// handle_requests early return
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test handle_requests returns early without SSO action params.
+	 */
 	public function test_handle_requests_returns_early_without_sso_action(): void {
 		// With no SSO-related request params, handle_requests should return immediately.
 		$sso = SSO::get_instance();
@@ -424,6 +566,9 @@ public function test_handle_requests_returns_early_without_sso_action(): void {
 	// Session handler
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test session handler isActive returns false by default.
+	 */
 	public function test_session_handler_is_active_returns_false(): void {
 		$sso     = SSO::get_instance();
 		$handler = new SSO_Session_Handler($sso);
@@ -431,6 +576,9 @@ public function test_session_handler_is_active_returns_false(): void {
 		$this->assertFalse($handler->isActive());
 	}
 
+	/**
+	 * Test session handler getId reads the broker request parameter.
+	 */
 	public function test_session_handler_get_id_reads_broker_param(): void {
 		$_REQUEST['broker'] = 'test-broker-id';
 
@@ -440,6 +588,9 @@ public function test_session_handler_get_id_reads_broker_param(): void {
 		$this->assertSame('test-broker-id', $handler->getId());
 	}
 
+	/**
+	 * Test session handler start throws when user is not logged in.
+	 */
 	public function test_session_handler_start_throws_when_not_logged_in(): void {
 		wp_set_current_user(0);
 
@@ -452,13 +603,16 @@ public function test_session_handler_start_throws_when_not_logged_in(): void {
 		$handler->start();
 	}
 
+	/**
+	 * Test session handler resume sets target user ID from transient.
+	 */
 	public function test_session_handler_resume_sets_target_user_id_from_transient(): void {
 		$user_id = self::factory()->user->create();
 		$site_id = get_current_blog_id();
 
-		$sso     = SSO::get_instance();
-		$salt    = $sso->salt();
-		$broker  = $sso->encode($site_id, $salt);
+		$sso    = SSO::get_instance();
+		$salt   = $sso->salt();
+		$broker = $sso->encode($site_id, $salt);
 
 		set_site_transient("sso-{$broker}-{$site_id}", $user_id, 180);
 
@@ -472,6 +626,9 @@ public function test_session_handler_resume_sets_target_user_id_from_transient()
 		delete_site_transient("sso-{$broker}-{$site_id}");
 	}
 
+	/**
+	 * Test session handler resume does not set user when transient is missing.
+	 */
 	public function test_session_handler_resume_does_not_set_user_when_transient_missing(): void {
 		$sso  = SSO::get_instance();
 		$salt = $sso->salt();
@@ -491,6 +648,9 @@ public function test_session_handler_resume_does_not_set_user_when_transient_mis
 	// SSO Broker
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test broker getAttachUrl includes required parameters.
+	 */
 	public function test_broker_get_attach_url_includes_required_params(): void {
 		$sso = SSO::get_instance();
 
@@ -514,6 +674,9 @@ public function test_broker_get_attach_url_includes_required_params(): void {
 		$this->assertSame('https://example.com/page', $query['return_url']);
 	}
 
+	/**
+	 * Test broker is_must_redirect_call returns false initially.
+	 */
 	public function test_broker_is_must_redirect_call_returns_false_initially(): void {
 		$sso = SSO::get_instance();
 
@@ -556,24 +719,29 @@ public function test_handle_server_source_sets_javascript_content_type_for_jsonp
 	}
 
 	/**
-	 * Verify that the JSONP branch in handle_broker also sets the
+	 * Verify that all JSONP branches set the
 	 * Content-Type: application/javascript header.
+	 *
+	 * There are three JSONP response paths:
+	 * 1. handle_server JSONP success/error response
+	 * 2. handle_broker JSONP error for unattached broker
+	 * 3. handle_broker JSONP "nothing to see here" for attached broker
 	 */
 	public function test_handle_broker_source_sets_javascript_content_type_for_jsonp(): void {
 		$source = file_get_contents(
 			dirname(__DIR__, 3) . '/inc/sso/class-sso.php'
 		);
 
-		// There should be two JSONP blocks with the header — count them.
+		// There should be three JSONP blocks with the header.
 		$count = preg_match_all(
 			"/header\(\s*'Content-Type:\s*application\/javascript;\s*charset=utf-8'\s*\)/",
 			$source
 		);
 
 		$this->assertSame(
-			2,
+			3,
 			$count,
-			'Both JSONP response paths (handle_server and handle_broker) must set the Content-Type header'
+			'All three JSONP response paths must set the Content-Type header'
 		);
 	}
 
@@ -581,6 +749,9 @@ public function test_handle_broker_source_sets_javascript_content_type_for_jsonp
 	// cache() returns PSR-16 cache
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test cache returns a PSR-16 compatible instance.
+	 */
 	public function test_cache_returns_psr16_compatible_instance(): void {
 		$sso   = SSO::get_instance();
 		$cache = $sso->cache();
@@ -592,6 +763,9 @@ public function test_cache_returns_psr16_compatible_instance(): void {
 	// build_server_request
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test build_server_request returns a PSR-7 instance.
+	 */
 	public function test_build_server_request_returns_psr7_instance(): void {
 		$sso     = SSO::get_instance();
 		$request = $sso->build_server_request('GET');
@@ -603,6 +777,9 @@ public function test_build_server_request_returns_psr7_instance(): void {
 	// get_server
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test get_server returns a Jasny SSO Server instance.
+	 */
 	public function test_get_server_returns_server_instance(): void {
 		$sso    = SSO::get_instance();
 		$server = $sso->get_server();
@@ -614,6 +791,9 @@ public function test_get_server_returns_server_instance(): void {
 	// add_additional_origins
 	// ------------------------------------------------------------------
 
+	/**
+	 * Test add_additional_origins includes the main site domain.
+	 */
 	public function test_add_additional_origins_includes_main_site_domain(): void {
 		global $current_site;
 
@@ -624,6 +804,9 @@ public function test_add_additional_origins_includes_main_site_domain(): void {
 		$this->assertContains("https://{$current_site->domain}", $origins);
 	}
 
+	/**
+	 * Test add_additional_origins preserves existing origins.
+	 */
 	public function test_add_additional_origins_preserves_existing_origins(): void {
 		$sso     = SSO::get_instance();
 		$origins = $sso->add_additional_origins(['https://existing.com']);
diff --git a/tests/e2e/cypress/integration/065-sso-redirect-loop.spec.js b/tests/e2e/cypress/integration/065-sso-redirect-loop.spec.js
new file mode 100644
index 00000000..97125ebc
--- /dev/null
+++ b/tests/e2e/cypress/integration/065-sso-redirect-loop.spec.js
@@ -0,0 +1,226 @@
+/**
+ * SSO Redirect Loop Prevention E2E Tests
+ *
+ * Verifies that the SSO redirect loop bug is fixed: non-logged-in visitors
+ * on subsites must NOT get stuck in an infinite redirect loop with
+ * ?sso_verify=invalid;sso_error=User+not+logged+in.
+ *
+ * The bug had three root causes (all fixed):
+ * 1. JSONP unattached broker: handle_broker() redirected instead of returning
+ *    a JSONP error, so the wu.sso() JS callback never fired and the
+ *    wu_sso_denied cookie was never set.
+ * 2. Incognito JS redirect: sso.js detected incognito mode and redirected to
+ *    the server URL as a fallback, creating a redirect -> sso_verify=invalid
+ *    -> redirect loop.
+ * 3. Missing cookie: Without wu_sso_denied being set, the SSO script kept
+ *    re-triggering on every page load.
+ *
+ * Test environment: wp-env uses localhost:8889 (main site) and
+ * 127.0.0.1:8889 (mapped subsite domain) — two genuinely different hostnames
+ * with separate cookie jars, which naturally exercises cross-domain SSO.
+ */
+describe("SSO Redirect Loop Prevention", () => {
+  const mainSiteUrl = "http://localhost:8889";
+  const mappedDomainUrl = "http://127.0.0.1:8889";
+
+  before(() => {
+    // Ensure SSO test environment is set up (subsite + domain mapping + SSO enabled).
+    // This reuses the same fixture as 060-sso-cross-domain.spec.js.
+    cy.visit("/wp-login.php", { failOnStatusCode: false });
+
+    cy.wpCliFile("tests/e2e/cypress/fixtures/setup-sso-test.php", {
+      failOnNonZeroExit: false,
+    }).then((result) => {
+      const output = result.stdout.trim();
+      cy.log(`SSO setup output: ${output}`);
+      expect(output).to.contain("site_id");
+      expect(output).to.not.contain('"error"');
+    });
+  });
+
+  beforeEach(() => {
+    // Clear all cookies to simulate a fresh non-logged-in visitor.
+    cy.clearCookies();
+    cy.clearAllCookies();
+  });
+
+  // -----------------------------------------------------------------------
+  // Core redirect loop prevention
+  // -----------------------------------------------------------------------
+
+  it("Should load subsite front page without redirect loop for non-logged-in visitor", () => {
+    // This is the primary test for the bug fix.
+    // A non-logged-in visitor hits the subsite front page on the mapped domain.
+    // The SSO JS fires a JSONP request to the main site. Since the visitor is
+    // not logged in on the main site, the JSONP response should return an error
+    // (code: 0), the JS should set the wu_sso_denied cookie, and the page
+    // should load normally — NOT redirect.
+
+    // Visit the subsite front page on the mapped domain.
+    // Use cy.visit which will fail if there's an infinite redirect.
+    cy.visit(`${mappedDomainUrl}/`, {
+      failOnStatusCode: false,
+      // Cypress will automatically fail if the page doesn't load within
+      // pageLoadTimeout (60s default, 90s in CI). An infinite redirect
+      // would cause this timeout.
+    });
+
+    // The page should have loaded successfully (not stuck in a redirect loop).
+    // Check that we're on a real page, not a redirect error.
+    cy.get("body").should("exist");
+
+    // The URL should NOT contain sso_verify=invalid (the redirect loop marker).
+    cy.url().should("not.include", "sso_verify=invalid");
+    cy.url().should("not.include", "sso_error=");
+  });
+
+  it("Should not redirect loop when visiting subsite with SSO query params already present", () => {
+    // Simulate the scenario where a visitor lands on the subsite with
+    // sso_verify=invalid already in the URL (e.g., from a bookmark or
+    // a previous failed SSO attempt). The fix should set the wu_sso_denied
+    // cookie and redirect to the clean URL — NOT loop.
+
+    cy.request({
+      url: `${mappedDomainUrl}/?sso_verify=invalid&return_url=${encodeURIComponent(mappedDomainUrl + "/")}`,
+      followRedirect: false,
+      failOnStatusCode: false,
+    }).then((response) => {
+      // The server should respond with a 302 redirect to the clean return_url
+      // (with wu_sso_denied cookie set), NOT another sso_verify=invalid URL.
+      if (response.status === 302) {
+        const location = response.headers.location || response.headers.Location || "";
+        expect(location).to.not.include("sso_verify=invalid");
+
+        // The response should set the wu_sso_denied cookie.
+        const setCookieHeader = response.headers["set-cookie"];
+        if (setCookieHeader) {
+          const cookies = Array.isArray(setCookieHeader)
+            ? setCookieHeader.join("; ")
+            : setCookieHeader;
+          expect(cookies).to.include("wu_sso_denied");
+        }
+      } else {
+        // If it's a 200, that's also acceptable (page loaded directly).
+        expect(response.status).to.be.oneOf([200, 302]);
+      }
+    });
+  });
+
+  // -----------------------------------------------------------------------
+  // JSONP endpoint behaviour (the primary fix)
+  // -----------------------------------------------------------------------
+
+  it("Should return JSONP error response (not redirect) for non-logged-in JSONP request", () => {
+    // This tests the core fix: when a non-logged-in visitor's browser makes
+    // a JSONP request (via <script> tag) to the subsite's SSO endpoint,
+    // the server must return a JavaScript response calling wu.sso() with
+    // an error code — NOT a 302 redirect.
+    //
+    // Before the fix, the server returned a 302 redirect for JSONP requests
+    // when the broker was unattached. The browser follows 302s transparently
+    // for <script> tags, but the final response was another redirect (not JS),
+    // so wu.sso() never fired and wu_sso_denied was never set.
+
+    cy.request({
+      url: `${mappedDomainUrl}/sso?_jsonp=1&return_type=jsonp`,
+      followRedirect: false,
+      failOnStatusCode: false,
+    }).then((response) => {
+      if (response.status === 200) {
+        // The response should be JavaScript calling wu.sso() with an error.
+        const body = response.body;
+        expect(body).to.include("wu.sso(");
+
+        // The Content-Type should be application/javascript.
+        const contentType = response.headers["content-type"] || "";
+        expect(contentType).to.include("javascript");
+      } else if (response.status === 302) {
+        // If we get a redirect, it should be the attach URL (first-time broker
+        // setup), not a loop. The redirect should NOT point back to /sso.
+        const location = response.headers.location || "";
+        // The attach URL goes to the main site's sso-grant endpoint.
+        // It should NOT redirect back to the same /sso endpoint.
+        cy.log(`Got redirect to: ${location}`);
+      }
+    });
+  });
+
+  // -----------------------------------------------------------------------
+  // SSO JS does not contain incognito redirect code
+  // -----------------------------------------------------------------------
+
+  it("Should not contain incognito detection in the SSO JavaScript", () => {
+    // The incognito redirect path in sso.js was one of the redirect loop
+    // causes. Verify the served JS file does not contain incognito detection.
+
+    // First, visit the subsite to ensure the SSO JS is enqueued.
+    cy.visit(`${mappedDomainUrl}/`, {
+      failOnStatusCode: false,
+    });
+
+    // Check that the page source does not contain incognito detection code.
+    // The wu_sso_config object is inlined by wp_localize_script, and sso.js
+    // is loaded as a separate script file.
+    cy.get("body").should("exist");
+
+    // Verify no incognito-related code in the page.
+    cy.document().then((doc) => {
+      const html = doc.documentElement.outerHTML;
+      expect(html).to.not.include("detectIncognito");
+      expect(html).to.not.include("is_incognito");
+    });
+  });
+
+  // -----------------------------------------------------------------------
+  // wu_sso_denied cookie prevents re-triggering
+  // -----------------------------------------------------------------------
+
+  it("Should not trigger SSO when wu_sso_denied cookie is already set", () => {
+    // When the wu_sso_denied cookie is set, the SSO script should not fire
+    // the JSONP request at all. This prevents any possibility of a loop.
+
+    // Set the wu_sso_denied cookie on the mapped domain.
+    cy.setCookie("wu_sso_denied", "1", {
+      domain: "127.0.0.1",
+      path: "/",
+    });
+
+    // Intercept any requests to the SSO endpoint to verify none are made.
+    cy.intercept(`${mappedDomainUrl}/sso*`).as("ssoRequest");
+
+    cy.visit(`${mappedDomainUrl}/`, {
+      failOnStatusCode: false,
+    });
+
+    // The page should load normally.
+    cy.get("body").should("exist");
+    cy.url().should("not.include", "sso_verify");
+
+    // Verify no SSO JSONP request was made (the script should have skipped it).
+    // Wait briefly to ensure no late requests fire.
+    cy.wait(2000);
+    cy.get("@ssoRequest.all").should("have.length", 0);
+  });
+
+  // -----------------------------------------------------------------------
+  // Multiple page loads don't cause accumulating redirects
+  // -----------------------------------------------------------------------
+
+  it("Should handle multiple page loads without accumulating redirect params", () => {
+    // Simulate a user navigating multiple pages on the subsite.
+    // Each page load should work cleanly without SSO params accumulating.
+
+    const pages = ["/", "/?page_id=2", "/?p=1"];
+
+    pages.forEach((page) => {
+      cy.visit(`${mappedDomainUrl}${page}`, {
+        failOnStatusCode: false,
+      });
+
+      cy.get("body").should("exist");
+      cy.url().should("not.include", "sso_verify=invalid");
+      cy.url().should("not.include", "sso_error=");
+    });
+  });
+
+});