Single sign-on is a mechanism that allows you to authenticate users in your systems, and subsequently tell Thought Industries that the user has been authenticated. The user is then allowed access to Thought Industries without being prompted to enter separate login credentials.
At the core of single sign-on is a security mechanism that allows Thought Industries to trust the login requests it gets from your systems. We only grant access to the users that have been authenticated by you.
Below you will find the information for configuring your SSO settings including the redirection of log in, log out, and account links. For information on provisioning access, please see our Provisioning Access Through SSO article.
SSO is one of the more complicated integration options available on Thought Industries. For a more thorough review, please see our Integrate: Connecting Your Technology course in Academy.
Where do I find this?
Settings > Integrations > SSO
How do I do this?
- From your homepage, select Settings.
- From the left menu, select Integrations and then SSO.
- Populate the applicable fields for your SSO settings.
- Toggle "Enable Logging" to "Yes" if you want SSO requests/responses to be temporarily logged and viewable.
Tip
When debugging your SSO setup, we always recommend starting by collecting SSO logs.
- SSO Subscription
  - Whatever you choose here will give all learners access to that subscription when they are signed in via SSO.
- External Login URL
  - This is an optional URL you can fill in if you want all learners to log in via SSO. Filling this in will redirect the login page to the URL you specify. It is expected the user will log in on the external page, and then you will send the information back to Thought Industries as part of an SSO process, at which point the user will be signed in.
- Account Logout URL
  - Similar to the Login URL, if you would like all learners to log out via SSO, fill in this URL field.
- External Register URL
  - This is an optional URL you can fill in if you want all learners to register externally. Filling this in will redirect both the registration page and the checkout page, if the user is signed out. It is expected that the user will register or log in on the external page, and then you will send the information back to Thought Industries as part of an SSO process, at which point the user will be signed in.
- Account Settings Redirect Link
  - This is an optional URL you can fill in if you want all learners to update their email address, name, and other profile information externally. If you do allow email address updates externally, you will want to also provide an externalCustomerId during checkout as described in our SSO implementation documentation. If you do not specify an externalCustomerId, then two accounts will be created after the student updates their email address outside of Thought Industries.
- CAS Settings
  - These settings only apply if you are using CAS SSO.
  - The Server Validate URL field is where you would specify the URL to the CAS server.
  - CAS 3.0 may return additional learner attributes. Each field can correspond to an attribute returned by the CAS server upon successful authentication.
- SAML 2.0 Settings
  - These settings only apply if you are using SAML SSO.
  - SAML 2.0 may return additional learner attributes. Each field can correspond to an attribute returned by the SAML Identity Provider (IdP) upon successful authentication.
- Click Save.
What else do I need to know?
- Thought Industries supports four different types of single sign-on: JWT SSO, CAS SSO, SAML SSO, and OpenID Connect SSO.
- If using Panorama, this is set at the client level by going to Panorama > Actions > Edit > Settings > SSO. If left blank in the client's settings, the global settings will be picked up for all learners.
