Single sign-on is a mechanism that allows you to authenticate users in your systems, and subsequently tell Thought Industries that the user has been authenticated. The user is then allowed access to Thought Industries without being prompted to enter separate login credentials.
At the core of single sign-on is a security mechanism that allows Thought Industries to trust the login requests it gets from your systems. We only grant access to the users that have been authenticated by you.
Below you will find the information for configuring your SSO settings including the redirection of log in, log out, and account links. For information on provisioning access, please see our Provisioning Access Through SSO article.
SSO is one of the more complicated integration options available on Thought Industries. For a more thorough review, please see our Integrations course in Academy.
Where do I find this?
Settings > Integrations > SSO
How do I do this?
- From your homepage, select Settings.
- From the left menu, select Integrations and then SSO.
- Populate the applicable fields for your SSO settings.
Tip
When debugging your SSO set up, we always recommend starting by reviewing SSO logs.
Logs are always on. We display the past 7 days of activity or the last ~600 responses depending on the frequency of SSO logins.
- SSO Subscription
- Whatever you choose here will give all learners access to that subscription when they are signed in via SSO.
- External Login URL
- This is an optional URL you can fill in if you want all learners to log in via SSO. Filling this in will redirect the login page to the URL you specify. It is expected the user will log in on the external page, and then you will send the information back to Thought Industries as part of an SSO process, at which point the user will be signed in.
- Account Logout URL
- Similar to the Login URL, if you would like all learners to log out via SSO, fill in this URL field.
- External Register URL
- This is an optional URL you can fill in if you want all learners to register externally. Filling this in will redirect both the registration page and the checkout page, if the user is signed out. It is expected that the user will register or log in on the external page, and then you will send the information back to Thought Industries as part of an SSO process, at which point the user will be signed in.
- Account Settings Redirect Link
- This is an optional URL you can fill in if you want all learners to update their email address, name, and other profile information externally. If you do allow email address updates externally, we recommend including External Customer IDs in your SSO configuration as described in our SSO implementation documentation. This will allow learners to change their email address and generally facilitate account management via SSO.
Warning
Management of external IDs is the sole responsibility of your IDP administrator. These values must be unique to users in your IDP (e.g. employee ID) and will be passed in the payload for all learners. It is not recommended to use email as the external ID as emails can change. All users must have their own unique External Customer ID to ensure access to that user's account.
- This is an optional URL you can fill in if you want all learners to update their email address, name, and other profile information externally. If you do allow email address updates externally, we recommend including External Customer IDs in your SSO configuration as described in our SSO implementation documentation. This will allow learners to change their email address and generally facilitate account management via SSO.
- CAS Settings
- These settings only apply if you are using CAS SSO.
- The Server Validate URL field is where you would specify the URL to the CAS server.
- CAS 3.0 may return additional learner attributes. Each field can correspond to an attribute returned by the CAS server upon successful authentication.
- These settings only apply if you are using CAS SSO.
- SAML 2.0 Settings
- These settings only apply if you are using SAML SSO.
- SAML 2.0 may return additional learner attributes. Each field can correspond to an attribute returned by the SAML Identity Provider (IdP) upon successful authentication.
- These settings only apply if you are using SAML SSO.
- SSO Subscription
- Click Save.
What else do I need to know?
- Thought Industries supports four different types of Single sign-on: JWT SSO, CAS SSO, SAML SSO, and OpenID Connect SSO.
- If using Panorama, this is set at the client level by going to Panorama > Actions > Edit > Settings > SSO. If left blank in the client's settings, the global settings will be picked up for all learners.
What does this look like?
Admin View:
