Single sign-on (SSO) is a mechanism that allows you to authenticate users in your systems, and subsequently tell Thought Industries that the user has been authenticated. The learner is then allowed access to Thought Industries without being prompted to enter separate login credentials.
At the core of SSO is a security mechanism that allows Thought Industries to trust the login requests it gets from your systems. We only grant access to the users that have been authenticated by you.
Below you will find the steps for provisioning access through SSO. For more information on configuring your single sign-on settings, including login and logout redirects, please see our Configuring SSO Settings article.
How do I do this?
SSO implementation is primarily done outside of the Thought Industries learning site, with the exception of the settings/redirects and certain attributes depending on your implementation preference.
What you need to provision access through SSO:
API Key
To provision access, you will first need your API Key. You can find this at Settings > Security in the Passwords & Keys section.
Path: Settings > Security
Provisioning Information
Collect provisioning details like courseSlugs, bundleSlugs, or licenseIds from the site using the paths in the list of options for provisioning access later in this article.
Admin Access
The team member responsible for implementing SSO will need admin access to retrieve the provisioning information and finish the implementation process.
Options for provisioning access to content items (a la carte):
You can provision your learners access to one or more pieces of content, bundles, and/or learning paths. You have a few options depending on whether all learners will receive access to the same or different content.
Courses and courseSlugs
This is the unique slug identifier of the content item the learner has access to. In many cases, provisioning access to individual content works well.
This applies to webinars, courses, articles, and videos.
Path: Content > Actions > Settings > Advanced
From within the Catalog tab, scroll to the bottom of the page and click Advanced to see the complete URL. The final portion of the URL, in bold, is the content slug that would be passed.
Tip
You can pass one or more field values for any given learner by using an array. Arrays can be used for any of the options in this list.
Subscriptions and bundleSlugs
This is the unique slug identifier of the subscription the learner has access to. Subscriptions work well when you need to provision access to multiple content items and when that content might change over time.
You can set up a subscription in eCommerce, update the subscription (add or remove content items) at any time, and anyone with access to that subscription will be updated automatically.
Path: Ecommerce > Ecommerce Items > Actions > View
View the URL in the address bar. The final portion of the URL is the bundleSlug that would be passed.
Tip
If you plan to offer the same content to all learners, you can select a specific subscription from the drop-down menu in Settings > Integrations > SSO.
Note
We recommend using bundleSlugs instead of courseSlugs because you can easily add content to a subscription, and that addition will be reflected for all previous and new SSO learners without any SSO integration changes.
Learning Paths and learningPathSlugs
This is the unique slug identifier of the learning path the learner has access to. Learning Paths work well when you have a multitude of content the learner should complete, and in a specific order.
Path: Content > Actions > View
View the URL in the address bar. The final portion of the URL is the slug that would be passed.
replaceCourseAccess
Setting this to true will revoke access to any courses not specified in 'courseSlugs'. For example, if you send 'courseSlugs' over as ['a', 'b', 'c'], we will grant access to those three courses. Afterwards, if you send 'courseSlugs' over as ['a','b'] for the same learner, we will revoke access to course 'c'.
By default, the value is false and we will add onto any existing access based on the values in the field options listed above.
Warning
You should not use this option if you are using TI-managed subscriptions. We will also revoke all access if 'replaceCourseAccess' is set to true and 'courseSlugs' is omitted or an empty array.
Options for provisioning access to Panorama:
Tip
When provisioning access through SSO, it's best to choose either content items OR Panorama. This is because users will get access to content via the Panorama.
Client Fields
- clientId
This is the UUID of the client the user should belong to.
Path - clientId: Panorama > Actions > Edit
View the URL in the address bar. The final portion of the URL is the ID that would be passed.
- clientSlug
This is the slug of the client the user should belong to.
Path - clientSlug: Panorama > Actions > View Landing Page
View the URL in the address bar. The final portion of the URL is the slug that would be passed.
- clientSku
This is the SKU of the client the user should belong to.
Path - clientSku: Panorama > Actions > Edit > Settings > Primary
The Client SKU field is displayed on the Primary Settings page in the Panorama.
Student Licenses
- studentLicenseIds
This is the UUID of the license(s) the learner should have access to as a student.
Path: Panorama > Actions > Edit > Sublicenses > Edit Sublicense
The License ID field is displayed on the page to edit a sublicense.
- studentLicenseSkus
This is the SKU(s) of the license(s) the learner should have access to as a student.
This attribute must be specified alongside either clientId, clientSlug, or clientSku.
Path: Panorama > Actions > Edit > Sublicenses > Edit Sublicense
The License SKU field is displayed on the page to edit a sublicense.
Tip
You can specify license IDs and we will determine the client automatically. For SKUs, you must specify a Client Field.
Note
The list of licenses passed can only belong to one client.
Manager Licenses
- managerLicenseIds
This is the UUID of the license(s) the learner should have access to as a manager. This attribute only applies if the user is a client manager and should have management access to these licenses.
Path: Panorama > Actions > Edit > Sublicenses > Edit Sublicense
The License ID field is displayed on the page to edit a sublicense.
- managerLicenseSkus
This is the SKU(s) of the license(s) the learner should have access to as a manager. This attribute only applies if the user is a client manager and should have management access to these licenses.
This attribute must be specified alongside either clientId, clientSlug, or clientSku.
Path: Panorama > Actions > Edit > Sublicenses > Edit Sublicense
The License SKU field is displayed on the page to edit a sublicense.
Note
The previous licenseIds attribute has been deprecated in favor of these attributes.
replaceLicenseAccess
Setting this to true will revoke access to any licenses not specified in 'studentLicenseSkus' or 'managerLicenseSkus'. For example, if you send 'studentLicenseSkus' over as ['a', 'b', 'c'], we will grant access to those three licenses. Afterwards, if you send 'studentLicenseSkus' over as ['a','b'] for the same learner, we will revoke access to license 'c'.
By default, the value is false and we will add onto any existing access based on the values in the field options listed above.
Warning
We will also revoke all access if 'replaceLicenseAccess' is set to true, 'studentLicenseSkus' or 'managerLicenseSkus' is an empty array, and no clientId, clientSlug, or clientSku is specified.
Other Attributes:
The following attributes can be used to store additional information about the user.
ref1 - ref10
Any arbitrary information to be stored on the user, e.g. student ID, company name, etc.
These fields are optional. There is a character limit of 32.
role
The role of the user, e.g. "admin", "student", "client-manager", etc. Can be a built-in Thought Industries role or a custom role.
Similar to slugs, the role specified here should be a version of the role name with spaces replaced by dashes and all lowercase.
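A pre-flight check for the provisioning attributes described above, as an added example that is not Thought Industries code: it flags the replaceCourseAccess and replaceLicenseAccess combinations that revoke access, SKU lists sent without a Client Field, over-long ref values, and unnormalized roles. The plain-dict layout and the function names are assumptions; only the attribute names and rules come from this article.

```python
# Added example: pre-flight checks for SSO provisioning attributes.
# The dict layout is an assumption; attribute names and rules are from this article.
CLIENT_FIELDS = ("clientId", "clientSlug", "clientSku")
SKU_FIELDS = ("studentLicenseSkus", "managerLicenseSkus")


def as_list(value):
    """Attributes may carry one value or an array; normalize to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def lint_sso_attributes(attrs):
    """Return findings for settings that would revoke access or be incomplete."""
    findings = []
    has_client = any(attrs.get(f) for f in CLIENT_FIELDS)

    if attrs.get("replaceCourseAccess") is True and not as_list(attrs.get("courseSlugs")):
        findings.append("replaceCourseAccess is true with no courseSlugs: all access is revoked")

    empty_sku = any(f in attrs and as_list(attrs[f]) == [] for f in SKU_FIELDS)
    if attrs.get("replaceLicenseAccess") is True and empty_sku and not has_client:
        findings.append("replaceLicenseAccess is true with an empty SKU array and no client field: all access is revoked")

    for f in SKU_FIELDS:
        if as_list(attrs.get(f)) and not has_client:
            findings.append(f"{f} requires clientId, clientSlug, or clientSku")

    for n in range(1, 11):
        value = attrs.get(f"ref{n}")
        if value is not None and len(str(value)) > 32:
            findings.append(f"ref{n} exceeds the 32-character limit")

    role = attrs.get("role")
    if role is not None and role != role.lower().replace(" ", "-"):
        findings.append(f"role should be sent as {role.lower().replace(' ', '-')!r}")
    return findings


def resulting_course_access(existing, attrs):
    """Course access after a login, per the replaceCourseAccess rules above."""
    sent = set(as_list(attrs.get("courseSlugs")))
    if attrs.get("replaceCourseAccess") is True:
        return sent  # anything not sent is revoked
    return set(existing) | sent  # default: add to existing access
```

Running the lint in your own systems before the SSO payload is built catches an accidental full revocation before it reaches a learner's account.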
What else do I need to know?
- Thought Industries supports three different types of single sign-on: JWT SSO, CAS SSO, SAML SSO, and OpenID Connect SSO.
Tip
If your learner is being prompted for a first name, last name, or email address, or if your learner does not have access to the correct content items or is not part of the correct client/license(s), that means the attributes are not being sent correctly to Thought Industries. For SAML, you will want to double-check that the attributes are being sent from your IdP and ensure they exactly match the SAML Attribute Mappings configured in Thought Industries. These are case-sensitive, so "firstName" is different from "firstname".
What does this look like?
Admin View - SSO Settings:


Admin View (courseSlug):

Admin View (bundleSlugs):

Admin View (learningPathSlugs):

Admin View (clientIds):

Admin View (clientSlugs):

Admin View (clientSkus):

Admin View (studentLicenseIds/managerLicenseIds):

Admin View (studentLicenseSkus/managerLicenseSkus):

Common flows for implementing SSO:
Note that there may be other flows outside of these, so please reach out to your Customer Success Manager to discuss further.
1) Learners browse content, register and complete purchases from client site and are sent to Thought Industries via SSO to access content. In this particular case, learners simply access their dashboard and content on Thought Industries.

2) Learners browse content on Thought Industries, are redirected to client site for registration and sent back to Thought Industries via SSO to purchase and access content.

3) Learners browse content on Thought Industries, are redirected to client site to register and purchase content and are sent back to Thought Industries via SSO to access content.
